
NothinToIt
Update: I just flashed macOS to a USB thumb drive. The red box around the Apple logo still appeared. That rules out SSD issues.

This is largely to keep others on their toes and provide information, but I do have questions. These are at the end. I am also attaching two EtreCheck reports, one from right after a flash of the hard drive with a new macOS install. The other from today with multiple partitions, while running or after running multiple processor-consuming processes simultaneously, like HD recovery processes, etc., to stress the system.



Warning about Malwarebytes for Mac



First of all, I want to say something about AV in macOS. I've always gotten angry when people said, "macOS doesn't need AV" and/or made rude criticisms of people who installed it. Since this occurred, I've joined the other side--but not for the reasons others criticize. Once I realized I was on the front of a battle for my hard drive and that it was likely due to a virus infection, I installed Malwarebytes for Mac, which I already had a license for because I used it to secure my Bootcamp partition. However, installing it and entering the license info bricked the software from running. It said that all the devices registered maxed out the license, e.g. "You have already registered two devices. Please purchase an additional license." I only have it on one device, but every time you format the Bootcamp partition and reinstall and register Malwarebytes, it treats that registration as a new device. Moreover, it does not allow you to remove "devices" once registered--or it didn't allow me. Lastly, because I tried to register it, the software was bricked. The free version wouldn't run.



So yea, at its hour of most critical need, Malwarebytes didn't do jack **** except ask me for money.



Avoid Malwarebytes and the others. Let macOS do its job.



Video



I did take a video that was contemporaneous to the primary attack and posted it to Reddit. Somehow it was deleted from the macOS subreddit. There was no notification of violating a policy that would cause it to be deleted by mods. It's as if I deleted it. I did, however, take these the other day. They document some of the ongoing issues I'm confronted with. The most telling sign of some kind of ongoing infection is in the second video ("...2/2") at about 13 minutes and 20 seconds.









To set the stage, in the first video, I'm upset because I'm doing a flash of macOS on the system from a thumb drive. I created a Linux partition to sandbox the primary macOS partition and used gibmacOS and OpenCorePkg to create a macOS recovery USB. I didn't understand, after wiping the entire drive from that medium, how it was connecting to my WiFi. I never gave it the passphrase to connect to my WiFi, and it shouldn't have known the passphrase from prior connections because I wiped the entire drive. The most telling sign of ongoing issues is, like I said, in the second video at 13:20-ish.



Setup



I have a 2019 13" MacBook Pro w/o Touch Bar. It runs an up-to-date copy of macOS Monterey. It is on a WLAN connected to the internet by a 1 Gbps fiber optic connection. The WiFi router sits in bridge mode behind a $500 Firewalla Gold firewall device (a brilliant machine, btw), which by default blocks all incoming internet traffic.



Fact re: Infection



I believe I found the vector of infection, and if true, someone was spoofing https://handbrake.fr. I downloaded HandBrake, a GNU (free and open source) video editing suite that is usually fantastic. A Google search after the primary attack was over revealed that a common vector for dylib virus attacks included HandBrake, and the noticeable signs appeared immediately after downloading and running it.



See https://www.pcworld.com/article/406...c-users-of-handbrake-video-converter-app.html



https://macpaw.com/how-to/remove-handbrake-virus



https://arstechnica.com/civis/viewtopic.php?f=2&t=1383485&start=160



The strangest thing is that I downloaded Patrick Wardle's dylib virus scanner, and other FOSS programs, immediately after downloading Handbrake. And not because I knew of any connection between Handbrake and the dylib virus. It was just a weird feeling telling me to do it. Accordingly, I ran it and it found 104 "weak vulnerabilities." As noted below, in the midst of the battle over my HD, the number increased to around 383 "weak vulnerabilities" within a period of about an hour. As a benchmark, with admitted ongoing issues remnant from the primary attack, and with a horribly messy HD that has some 8 partitions on it, I just did a scan and it found 118 "weak vulnerabilities." I spoke with Patrick and he said to take those "weak vulnerabilities" seriously, even if it doesn't identify programs that are hijacked.



In any case, about 10 minutes after running Handbrake and then running the Dylib Hijack Scanner from Wardle, there were symptoms that were similar to your computer running entirely out of RAM. And that's what I thought had occurred initially, until about 30 minutes into it, I realized that the only thing that wasn't responding was my MacBook trackpad. If I used the keyboard and, for instance, force closed applications using the return key and tabbing through buttons, they responded just fine. Or even if I used regular close commands. There was no system freeze at all.



Shortly thereafter, I did an lsof and noticed that hundreds and hundreds and hundreds of dylib files were open on network connections. I did a manual search of the Volumes folder (or /dev/, can't remember which) and found a remote disk mounted as "untitled." Once I ejected that remote disk and changed my password while not connected to WiFi, things went back to what seemed like normal relatively quickly.



I noticed, however, while formatting my entire HD and reinstalling macOS the following day, that things were not back to normal. As in the second video above, I would have a red box flash around the Apple logo. Unlike in the video above, where it happened (and continues to happen) once during a reinstall, it would occur 7-10 times then. Also, at some point during the reinstall, my screen would flicker, and when it came back with any stability, the resolution was off. It felt like I was being connected to a remote server and having the screen projected back to me from the server. It's hard to explain.



macOS no longer installs a Base System partition. As you can see in the four attached photos, it looks like a normal macOS HD. The macOS Base System is there and installed. However, if I mount it, something I don't believe you can do with a real base system partition, and enter my passcode, an eject button appears. I don't believe you can eject a real base system partition. When I ejected the base system partition, without so much as a peep from the OS, it ejected successfully. What it thought was the base system was actually the USB I used to reinstall macOS. OpenCore names the USB installer "macOS Base System" because that is the file you're installing to it from the original installer program. But it isn't, or wasn't, a genuine macOS base system at all, and I have reinstalled macOS three times using just the App Store installer and without any mountable external devices. No macOS base system partition.


Also, some hours after reinstalling macOS, my MacBook Pro will start to attempt to log out of my account. Not restart. Log out. Calls to the 'history' command in Terminal produce no evidence that calls to launchctl or pkill, necessary to force a logout, were ever made.


I'm now connected to my Firewalla firewall-router device by ethernet cable, because when connected via WiFi, I found that my passwords--whether for my macOS user accounts, iCloud account, WiFi, etc.--were changing shortly after entering them. (I have about 120 feet of ethernet cables running through my apartment to various devices that need internet, at present.) Additionally, while I know this is not optimal, I do keep Time Machine backing up to a Time Machine partition on my internal HD. Somehow, and only since Sunday, when this all went down, it keeps getting deleted. At the immediate present, I am being spammed by notifications of new external storage units being mounted as "New Volume". No new storage devices have been connected.


Questions



While the primary attack is over--that is, there is no aggressive attempt to hijack my HD--I am wondering whether it's possible the virus is embedded so deeply into the hardware-level firmware that the only way to remediate it completely is to have the internal HD replaced. Does this seem right to you, or should there be a way to clean the HD so that it's salvageable as is but no longer exhibits signs or symptoms of an attack?



The red box around the Apple logo that flashes. How do I stop that? Could that be indicative of hardware issues, secondary to the attack? Per the below, EtreCheck, which is paid-for and registered, finds no evidence of hardware issues.



Is there anything else I should do or know?
 

Attachments

  • EtreCheck 4.28.2022 post-reinstall report.txt
  • EtreCheck 5.1.2022 stressed HD report.txt
  • Screen Shot 2022-05-01 at 3.43.19 PM.png

KaliYoni
Is this the same ("$3,000") MacBook with the broken screen, faulty SSD, and a Linux installation mentioned in your post history?
 

NothinToIt
Is this the same ("$3,000") MacBook with the broken screen, faulty SSD, and a Linux installation mentioned in your post history?
The one the TSA broke during a random bag check? No, it’s not. The screen finally went out completely and I couldn’t get it to work consistently in clamshell mode. It’s in my closet. This is a refurbished device I bought through backmarket.com. I got an insurance settlement for that one for $2,899.

Also, no faulty SSD. To the contrary, both Disk Drill (using S.M.A.R.T.) and EtreCheck say the SSD is fine and has 99% of its life remaining. I appended the reports. You can see from the video(s) that the screen isn’t broken.
 

NothinToIt
If someone with a Mac, preferably an Intel T2 MacBook Pro running the current macOS build, could run the Objective-See Dylib Hijack Scanner and post the report to me, I would appreciate that. It may help identify any issues.
 

galad
HandBrake downloads were compromised for a few days years ago. There is no malware in current HandBrake versions download from handbrake.fr.
Dylib Hijack Scanner simply reports apps that can load a dylib, and that means nothing.
 

NothinToIt
You bought this MacBook used. Did you make sure the seller had turned off Find My Mac and signed out of iCloud?

Yea. I mean, no one was visibly connected. I did consider whether someone could have attached a physical device to the inside of the machine, or whether it could have been confiscated during an arrest and sold to the Back Market seller at police auction, accidentally leaving a physical surveillance device in the machine. That would explain how and why the computer becomes reinfected every time I reload macOS. But I’m not opening it.

If someone was logged in with iCloud still, would I be able to log in? Am I missing a method for making that determination? That would be far more realistic. I did run Disk Drill on it to see what, if anything, from the prior install was recoverable. (I wanted to see how well they cleaned it.) Everything Disk Drill found were items owned by the operating system, e.g., icons, PDFs for macOS, etc. It did not find any recoverable partitions or anything like that.

I’ve literally sat there and watched as the mouse moved on its own, standing outside the view of the camera and far enough from the microphone that my breath could not register. The aim was to make them believe I had left. It was deleting things in my Downloads folder. I kind of laughed inside because spring cleaning is not what I would do if I had an active iCloud registration on someone else’s MacBook.
 

NothinToIt
You bought this MacBook used. Did you make sure the seller had turned off Find My Mac and signed out of iCloud?
Okie doke. Then assuming there is no malware and everything I’ve experienced was the product of many years of suppression of childhood fear and angst, what is causing the red box around the Apple logo when installing macOS? You saw it yourself, EtreCheck said the SSD (and other hardware) is fine. Disk Drill says the SSD has 99% life remaining. macOS reports no issues with the RAM.

What’s causing it and how do I fix it?

Even Apple says that’s the product of malware (if not a hardware issue), though they minimize exposure by adding the qualifier “adware.” There’s no adware on the system. Even the seller, who refurbished it, is not denying that it’s malware. I made sure he knew he needed to have his recovery standards/keys inspected.

Update: I just installed macOS on a brand new (just opened) USB flash drive. The red box around the Apple logo still appeared. So, that rules out SSD issues.
 

rpmurray
Sounds like something has been installed persistently. Have you done an NVRAM reset (Option-Command-P-R)? When you've "flashed macOS to a USB thumb drive" did you do that from this Mac? Something may have come along on the ride. Can you install macOS on an external drive on another Mac and then boot that on this Mac?
 

NothinToIt
Sounds like something has been installed persistently. Have you done an NVRAM reset (Option-Command-P-R)? When you've "flashed macOS to a USB thumb drive" did you do that from this Mac? Something may have come along on the ride. Can you install macOS on an external drive on another Mac and then boot that on this Mac?

Didn’t consider that. I can try to do it on my 2017 MacBook Pro with the broken screen. Until I do, should I consider anything that has been placed into a USB slot on this computer potentially infectious?

Update: Yea, I did those things. I was initially curious whether resetting the NVRAM could have been contributing to the spread of whatever it

P.S., I remembered something else from the time immediately preceding the attack—or my realization that I was under attack. I received notification through LuLu and Little Snitch that lsof wanted network access. That could be a normal behavior, given what it does. But I found it weird because lsof doesn’t need access to the network to determine what files on the Mac’s HD are open by processes with remote connections.

This may be absolutely normal too, just not something I’d noticed before, but the other thing is I started getting connection requests from processes associated with remote access… mount_nfs, for instance, repeatedly attempted to request network access. Well, mount_nfs is used by network clients to mount remote disks. Why would a network client process be active at all, more specifically why would it be trying to phone home?

Other processes included MDM, com.apple.xpservice.remoteviewed (or something similar), com.apple.xpservice.remotedesktopd, etc. I don’t allow my computer to remote connect to anything. As soon as I format, I not only turn off every option under ‘Sharing’ preferences, I also delete the roles from every text box for every category. I do that to be doubly sure someone can’t connect.

Lastly; I remembered I had just ordered a Netgear AP, which was giving me troubles. It kept arbitrarily claiming I had the wrong passphrase. I reported it to Netgear and the man had me download Team Viewer so he could connect remotely. Of course the AP worked swimmingly while he was observing and went right back to not working once we parted ways. I’m extremely cautious
 
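Two observations in this thread turn on how lsof output is read: the original post's "hundreds of dylib files open on network connections", and the note above about lsof itself asking for network access. What follows is an added example, not code from any poster or from the lsof project: a small Python triage script over a constructed sample in the nine-column layout that `lsof -nP` prints. lsof lists every shared library a process has mapped as a file descriptor of type `txt`, so a Mac with a few dozen running processes legitimately shows hundreds of `.dylib` rows; only rows whose TYPE is `IPv4` or `IPv6` are sockets. Running lsof without `-n` makes it resolve peer hostnames, which is the one reason an outbound-connection monitor can show lsof wanting the network; `-n` and `-P` switch those lookups off. The `helperd` process, the `/Volumes/untitled/libhelper.dylib` path, every address and port, and the `TRUSTED_LIB_PREFIXES` list are assumptions made for this example.

```python
"""Triage helper for `lsof -nP` output on macOS: tell mapped dylibs from sockets.

Added example for this thread, not code from any poster. The rows in SAMPLE_LSOF
are constructed in lsof's default nine-column layout; no real capture was used.
"""
import re
from collections import defaultdict

# Assumption for the example: library paths considered ordinary for a Mac process.
# A dylib mapped from anywhere else (a mounted volume, /tmp, ~/Downloads) gets flagged.
TRUSTED_LIB_PREFIXES = ("/usr/lib/", "/System/", "/Applications/", "/Library/Apple/")

# NAME column of a socket row: "local->remote (STATE)", "local (LISTEN)", or for UDP just "local".
SOCKET_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?(?: \((?P<state>[A-Z_]+)\))?$")

# Constructed sample (hypothetical processes, documentation-range addresses).
SAMPLE_LSOF = """\
COMMAND    PID  USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
HandBrake  4242 alice txt  REG  1,5    1203456  9001 /Applications/HandBrake.app/Contents/MacOS/HandBrake
HandBrake  4242 alice txt  REG  1,5    2334720  9002 /usr/lib/libSystem.B.dylib
HandBrake  4242 alice txt  REG  1,5    887296   9003 /Applications/HandBrake.app/Contents/Frameworks/libx264.dylib
HandBrake  4242 alice 7u   IPv4 0xabc  0t0      TCP  192.0.2.10:52113->198.51.100.7:443 (ESTABLISHED)
mount_nfs  5150 root  txt  REG  1,5    65536    9010 /sbin/mount_nfs
mount_nfs  5150 root  3u   IPv4 0xdef  0t0      TCP  192.0.2.10:1019->192.0.2.20:2049 (ESTABLISHED)
helperd    6100 alice txt  REG  1,9    40960    77   /Volumes/untitled/libhelper.dylib
helperd    6100 alice 4u   IPv6 0x999  0t0      TCP  [::1]:49152->[::1]:8080 (ESTABLISHED)
sshd       120  root  3u   IPv4 0x111  0t0      TCP  *:22 (LISTEN)
mDNSResponder 200 _mdnsresponder 8u IPv4 0x222 0t0 UDP *:5353
"""


def parse_lsof(text):
    """Split lsof's nine default columns; NAME may contain spaces, so cap the split."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue  # rows with a blank column (some unix sockets) are out of scope here
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        records.append({"command": cmd, "pid": int(pid), "user": user,
                        "fd": fd, "type": ftype, "node": node, "name": name})
    return records


def triage(records):
    """Group rows per PID into mapped dylibs, network sockets and out-of-place dylibs."""
    procs = defaultdict(lambda: {"command": "", "dylibs": [], "sockets": [], "suspect_dylibs": []})
    for r in records:
        p = procs[r["pid"]]
        p["command"] = r["command"]
        if r["type"] in ("IPv4", "IPv6"):
            # A socket row: NODE carries the protocol, NAME the endpoints and state.
            m = SOCKET_RE.match(r["name"])
            p["sockets"].append({
                "proto": r["node"],
                "remote": m.group("remote") if m else None,
                "state": (m.group("state") if m else None) or "-",
            })
        elif r["fd"] == "txt" and r["name"].endswith(".dylib"):
            # A mapped library: it is "open" only in the sense of being loaded into memory.
            p["dylibs"].append(r["name"])
            if not r["name"].startswith(TRUSTED_LIB_PREFIXES):
                p["suspect_dylibs"].append(r["name"])
    return dict(procs)


def remote_peers(procs):
    """Processes that currently hold a connection to a remote endpoint, sorted for a report."""
    peers = []
    for pid, p in procs.items():
        for s in p["sockets"]:
            if s["remote"]:
                peers.append((p["command"], pid, s["remote"]))
    return sorted(peers)


def triage_sample():
    """Run the pipeline over the constructed sample."""
    return triage(parse_lsof(SAMPLE_LSOF))


def print_report(procs):
    for pid, p in sorted(procs.items()):
        print(f"{p['command']} (pid {pid}): {len(p['dylibs'])} dylibs mapped, "
              f"{len(p['sockets'])} sockets")
        for path in p["suspect_dylibs"]:
            print(f"  REVIEW: library mapped from outside the usual locations: {path}")
        for s in p["sockets"]:
            print(f"  {s['proto']} {s['state']} -> {s['remote'] or '(no peer)'}")


if __name__ == "__main__":
    print_report(triage_sample())
```

On a real machine, feed the script `lsof -nP` output instead of the sample; the useful questions are then "which processes hold a connection to a remote peer" (from `remote_peers`) and "which loaded libraries live outside the usual locations" (from `suspect_dylibs`), rather than the raw count of dylib rows, which is large on any healthy Mac.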

rpmurray
Until I do, should I consider anything that has been placed into a USB slot on this computer potentially infectious?
Yes.

Also, when you do the NVRAM reset make sure you hold down the keys until you hear the Mac chime four times.

You don't want to hook up the external with the clean copy of macOS while this Mac is on. Shut it down, hook up the external, then boot with the Option key held down so you get the boot manager and can choose the external to boot from.
 

diego.caraballo
While the primary attack is over--that is, there is no aggressive attempt to hijack my HD--I am wondering whether its possible the virus is embedded so deeply into the hardware-level firmware that the only way to remediate it completely is have the internal HD replaced. Does this seem right to you, or should there be a way to clean the HD so that its salvable as is but no longer exhibits signs or symptoms of an attack?



The red box around the Apple logo that flashes. How do I stop that? Could that be indicative of hardware issues, secondary to the attack? Per the below, EtreCheck, which is paid-for and registered, finds no evidence of hardware issues.

Hi there.
The red Apple logo is something that I have seen multiple times, even when installing macOS onto a new drive.
There are multiple discussions over the internet; it's probably a graphics glitch of sorts.
(https://discussions.apple.com/thread/250723628)

The mentioned virus doesn't have any firmware infection capabilities, nor can it persist after a correct drive erasing.
After recovery over the internet is loaded, open Disk Utility and click on View > Show all devices.
Then, click on the disk at the top of the left column (under "Internal") and click "Erase".
If you get errors, you need to delete all volumes/partitions one by one (clicking the minus sign on the top bar).
After "Erase" completes correctly, check that your Mac has the correct date (open Terminal and type date).
Then you can install Monterey.


Screen Shot 2022-05-02 at 21.24.10.png
 

millerj123
1) You didn't get infected by a virus. A virus replicates, which isn't happening here.
2) You installed some kind of Malware and that doesn't infect the hardware.
3) Wiping the drive would remove all instances of your problem.
I think you are supposed to help solve the issue, not say it isn't that. And then be told you are wrong.

Or, maybe I missed something.
 

NothinToIt
1) You didn't get infected by a virus. A virus replicates, which isn't happening here.
2) You installed some kind of Malware and that doesn't infect the hardware.
3) Wiping the drive would remove all instances of your problem.
You sure?


 

NothinToIt
Yes.

Also, when you do the NVRAM reset make sure you hold down the keys until you hear the Mac chime four times.

You don't want to hook up the external with the clean copy of macOS while this Mac in on. Shut it down, hook up the external, then boot with the option key held down so you get the boot manager and can choose the external to boot from.
I know how to do an NVRAM reset. I know how to do an SMC reset.

This is not an NVRAM issue.


 

NothinToIt
4863B498-4492-4F2D-A14E-3D35FC31DE59.jpeg

1) You didn't get infected by a virus. A virus replicates, which isn't happening here.
2) You installed some kind of Malware and that doesn't infect the hardware.
3) Wiping the drive would remove all instances of your problem.
I know how to erase the hard drive. The issue is that you’re wrong. Period.
 

NothinToIt
2) You installed some kind of Malware and that doesn't infect the hardware.
3) Wiping the drive would remove all instances of your problem.
HandBrake downloads were compromised for a few days years ago. There is no malware in current HandBrake versions download from handbrake.fr.
Dylib Hijack Scanner simply reports apps that can load a dylib, and that means nothing.


I know how to wipe the hard drive. The issue is what is on my computer is persistent. Also, it’s a virus.

All these photos were taken right after an erase of the hard drive. Or attempted erase, which failed due to these 21 hidden volumes in my recovery partition. These hidden volumes, which as you can see do not appear in the GUI, are kept alive (or “busy”) because of the thousands of dylib files keeping them that way.

The Macintosh HD partition, btw, not the “data” partition, has a hosts file in it that is write protected, because of where it is, and forces the current state to reload on reboot. It is intended to fool me into thinking I successfully erased the HD because everything in the GUI that is visible was erased. The hidden partitions kept alive by the dylib files keep the current partition environment alive. The hosts file causes the current state to reload.
Absent suspicion, any normal person would have just assumed the wipe was successful. And it was for Desktop environment files and settings. Under the hood, the system is set to not erase and to reload once a reboot has occurred.

This may not be “malware.”

The only option you leave is to be equally obnoxious and condescending.



EDIT: I left it in but on second glance the hosts file appears to be okay. Write protected, but okay.
 

Attachments

  • 10 JPEG screenshots, 261 KB to 461 KB each
Last edited by a moderator:
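An added example (not the poster's, Apple's or EtreCheck's code) for enumerating what Disk Utility's default view hides: it parses `diskutil list`, which reports every device the system knows about, and groups the entries by device kind so that synthesized APFS volumes (a stock Monterey container carries Preboot, Recovery, VM and Update volumes alongside the system and data volumes) are told apart from attached disk images. On macOS it runs `diskutil list` itself; elsewhere it parses the constructed sample below, whose identifiers, sizes and volume names are made up.

```python
"""Parse `diskutil list`, which shows every device and volume the system knows
about (including the Preboot/Recovery/VM/Update volumes and any attached disk
images that Finder and Disk Utility's default view hide), and group them by the
kind of device they live on.  Added example for this thread, not Apple's or
EtreCheck's code.  On macOS it runs `diskutil list` itself; the sample below is
constructed in the same column layout so the parser can run anywhere
(identifiers, sizes and volume names are made up)."""
import platform
import re
import subprocess

SAMPLE_DISKUTIL_LIST = """\
/dev/disk0 (internal, physical):
   #:                      TYPE NAME                    SIZE       IDENTIFIER
   0:     GUID_partition_scheme                         *500.3 GB  disk0
   1:                       EFI EFI                     314.6 MB   disk0s1
   2:                Apple_APFS Container disk1         500.0 GB   disk0s2

/dev/disk1 (synthesized):
   #:                      TYPE NAME                    SIZE       IDENTIFIER
   0:     APFS Container Scheme -                       +500.0 GB  disk1
                                Physical Store disk0s2
   1:               APFS Volume Macintosh HD - Data     120.4 GB   disk1s1
   2:               APFS Volume Preboot                 300.1 MB   disk1s2
   3:               APFS Volume Recovery                1.1 GB     disk1s3
   4:               APFS Volume VM                      20.5 KB    disk1s4
   5:               APFS Volume Macintosh HD            15.2 GB    disk1s5
   6:               APFS Volume Update                  2.1 MB     disk1s6

/dev/disk3 (disk image):
   #:                      TYPE NAME                    SIZE       IDENTIFIER
   0:    Apple_partition_scheme                         +10.4 MB   disk3
   1:       Apple_partition_map                         32.3 KB    disk3s1
   2:                 Apple_HFS                         10.4 MB    disk3s2
"""

DEVICE_RE = re.compile(r"^(/dev/disk\d+) \((.+)\):$")
# size column followed by the identifier, anchored at the end of a row
SIZE_ID_RE = re.compile(r"([+*]?\d+(?:\.\d+)?\s[KMGTPE]?B)\s+(disk\S+)\s*$")


def parse_diskutil_list(text):
    """Return [{'device', 'kind', 'entries': [{'index','type','name','size','identifier'}]}]."""
    devices, current, type_end = [], None, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = {"device": m.group(1), "kind": m.group(2), "entries": []}
            devices.append(current)
            type_end = None
            continue
        if current is None:
            continue
        if line.lstrip().startswith("#:"):
            # header row: TYPE is right-aligned, so its last column splits TYPE from NAME
            type_end = line.index("TYPE") + len("TYPE")
            continue
        row = SIZE_ID_RE.search(line)
        if type_end is None or row is None or ":" not in line[:type_end]:
            continue  # blank line, or a continuation such as "Physical Store disk0s2"
        index, type_str = line[:type_end].split(":", 1)
        current["entries"].append({
            "index": int(index),
            "type": type_str.strip(),
            "name": line[type_end:row.start()].strip(),
            "size": row.group(1),
            "identifier": row.group(2),
        })
    return devices


def disk_image_devices(devices):
    """Devices backed by an attached image; `hdiutil info` names the backing file."""
    return [d["device"] for d in devices if d["kind"] == "disk image"]


def apfs_volumes(devices):
    """Every APFS volume, GUI-visible or not, as (identifier, name) in diskutil order."""
    return [(e["identifier"], e["name"]) for d in devices
            for e in d["entries"] if e["type"] == "APFS Volume"]


def layout():
    """Live layout on macOS, the constructed sample elsewhere."""
    if platform.system() == "Darwin":
        text = subprocess.run(["diskutil", "list"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_DISKUTIL_LIST
    return parse_diskutil_list(text)


if __name__ == "__main__":
    devs = layout()
    for d in devs:
        print(f"{d['device']} ({d['kind']})")
        for e in d["entries"]:
            print(f"  {e['identifier']:<10} {e['type']:<24} {e['name']:<24} {e['size']}")
    print("disk image devices:", disk_image_devices(devs) or "none")
```

For any device the script reports as a disk image, `hdiutil info` lists the file backing it and `hdiutil detach <device>` ejects it; if it refuses to detach, `lsof` against the volume's mount point shows which process is holding it open, which is the question to answer before treating a "busy" volume as anything more than an open file handle.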

NothinToIt

Suspended
Original poster
Feb 24, 2022
18
11
I know how to wipe the hard drive. The issue is that what is on my computer is persistent. Also, it’s a virus.

All these photos were taken right after an erase of the hard drive. Or attempted erase, which failed due to these 21 hidden volumes in my recovery partition. These hidden volumes, which as you can see do not appear in the GUI, are kept alive (or “busy”) because of the thousands of dylib files keeping them that way.

The Macintosh HD partition, btw, not the “data” partition, has a hosts file in it that is write protected, because of where it is, and forces the current state to reload on reboot. It is intended to fool me into thinking I successfully erased the HD because everything in the GUI that is visible was erased. The hidden partitions kept alive by the dylib files keep the current partition environment alive. The hosts file causes the current state to reload.
Absent suspicion, any normal person would have just assumed the wipe was successful. And it was for Desktop environment files and settings. Under the hood, the system is set to not erase and to reload once a reboot has occurred.

This may not be “malware.”

The only option you leave is to be equally obnoxious and condescending.



EDIT: I left it in but on second glance the hosts file appears to be okay. Write protected, but okay.
What I think is actually most shocking is that you guys somehow are so sure of macOS’s freedom from malware that it eclipses Apple’s sureness.

https://discussions.apple.com/thread/251954072

Granted, they qualify it as “adware” and give the classic AOL “try rebooting your computer” response (reset PRAM), but they do use the phrase “… this may be due to some […] malware…” That’s certainly a step up from attacking the intelligence of anyone who dares use “malware” and “macOS” in the same paragraph.
 

etresoft

macrumors member
Sep 12, 2016
41
32
EtreCheck, which is paid-for and registered, finds no evidence of hardware issues.

Is there anything else I should do or know?
EtreCheck also finds no evidence of malware.

1) Everything you’ve described is normal, more or less.
2) You bought this computer used, not refurbished. Only Apple sells refurbished equipment. Anything else is used.
3) As someone else mentioned, there is a specific procedure that someone must follow to sell or give away an Apple device. If they don’t do that, then they can remotely lock the device at any time. It sounds like you may have gotten lucky on that part, at least for now.
4) Your computer has some kind of hardware graphics fault. I’ve seen other people report that red box Apple logo. This is why you should never, never, never buy a used Apple device. All you’ve done is purchased someone else’s headache.
5) Those tiny disk images are also common. Some software uses an auto-update mechanism that creates these. I think there is another bug in the operating system that causes them to persist in diskutil output even after they’ve been ejected.
6) Those log errors are also normal. The macOS operating system is perhaps the most complicated operating system ever made. It’s a mongrel of MacOS, BSD, Mach, iOS, and even a little bit of Windows thrown in for good measure.
7) There are only a handful of places where malware or adware will show up on a Mac. Your EtreCheck report shows none of that. Mac malware is not sneaky or hidden. It stands out like a sore thumb on an EtreCheck report.

Do yourself a favour and stop looking. Get rid of all that security software. You aren’t being hacked. You aren’t being spied on.
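An added example, not EtreCheck's code, of looking in the "handful of places" etresoft refers to: it walks the launchd directories where third-party software registers jobs, parses each plist with Python's plistlib, and reports what each job runs together with a few cheap findings (program missing or running from a temporary location, a hidden path component, a label that does not match the file name or that mimics Apple's naming outside /System). The directory list is launchd's standard one; the two embedded jobs are constructed samples.

```python
"""Audit the launchd directories where third-party software (and the adware and
malware EtreCheck looks for) registers itself, and summarise what each job runs.
Added example for this thread, not EtreCheck's or Apple's code.  The directory
list is launchd's standard one; the two embedded jobs are constructed samples."""
import os
import plistlib
from pathlib import Path

# Third-party persistence lives here.  /System/Library/Launch* holds Apple's own
# jobs on the sealed, read-only system volume and is deliberately left out.
LAUNCHD_DIRS = [
    Path("/Library/LaunchDaemons"),
    Path("/Library/LaunchAgents"),
    Path.home() / "Library" / "LaunchAgents",
]
# Locations a legitimate installer has no business running a job from.
TRANSIENT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/",
                      "/private/var/folders/", "/Users/Shared/")
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths")
APPLE_LABEL_FINDING = "Apple-style label outside /System (confirm who signed the program)"

# Constructed samples: an ordinary vendor updater, and a job with traits worth a second look.
SAMPLE_UPDATER = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})
SAMPLE_ODDITY = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",         # Apple-looking label, third-party dir
    "ProgramArguments": ["/Users/Shared/.cache/helper"],  # hidden binary in a shared location
    "KeepAlive": True,
})


def summarize_job(data, plist_path=None, check_disk=True):
    """Parse one launchd job plist; return its program, triggers and findings.

    check_disk=False skips the existence test so constructed samples can be
    evaluated on a machine that does not have the program."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    label = job.get("Label", "")
    findings = []
    if program is None:
        findings.append("no Program or ProgramArguments")
    else:
        if not os.path.isabs(program):
            findings.append("program path is relative")
        elif check_disk and not os.path.exists(program):
            findings.append("program does not exist on disk")
        if program.startswith(TRANSIENT_PREFIXES):
            findings.append("program runs from a temporary or shared location")
        if "/." in program:
            findings.append("program path has a hidden component")
    if plist_path is not None:
        if label and label != Path(plist_path).stem:
            findings.append(f"Label {label!r} does not match file name {Path(plist_path).name!r}")
        if label.startswith("com.apple.") and not str(plist_path).startswith("/System/"):
            findings.append(APPLE_LABEL_FINDING)
    return {"label": label, "program": program, "args": args,
            "triggers": [k for k in TRIGGER_KEYS if k in job], "findings": findings}


def scan_directory(directory):
    """Summarise every .plist in one launchd directory (empty list if it is absent)."""
    results = []
    directory = Path(directory)
    if not directory.is_dir():
        return results
    for plist in sorted(directory.glob("*.plist")):
        try:
            summary = summarize_job(plist.read_bytes(), str(plist))
        except Exception as exc:  # malformed plist: launchd would reject it, but note it
            summary = {"label": "", "program": None, "args": [], "triggers": [],
                       "findings": [f"unparseable plist: {exc}"]}
        summary["path"] = str(plist)
        results.append(summary)
    return results


def audit(dirs=LAUNCHD_DIRS):
    return [job for d in dirs for job in scan_directory(d)]


if __name__ == "__main__":
    for job in audit():
        flag = "!!" if job["findings"] else "  "
        print(f"{flag} {job['path']}")
        print(f"     runs: {job['program']}  triggers: {', '.join(job['triggers']) or 'none'}")
        for finding in job["findings"]:
            print(f"     - {finding}")
```

`launchctl list` (run as the user and again under sudo) shows which of these jobs are actually loaded, and `codesign -dv --verbose=2 <program>` shows who signed the binary each one runs; an unsigned job in ~/Library/LaunchAgents whose program sits in a hidden directory is exactly the kind of entry that, as etresoft puts it, stands out like a sore thumb.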
 

rpmurray

macrumors 68020
Feb 21, 2017
2,148
4,319
Back End of Beyond
I know how to do an NVRAM reset. I know how to do an SMC reset.

This is not an NVRAM issue.


Good. Because you had not mentioned that in any of your posts. The only reason I brought it up was that NVRAM is persistent, so if someone had changed some settings there to help hide malware, then resetting it would rule that out.
 

galad

macrumors 6502
Apr 22, 2022
471
363
HandBrake can load an external dylib only if it's in /usr/local/ and it's called libdvdcss.2.dylib or libaacs.dylib. These libs are loaded only when opening a file. HandBrake is sandboxed, so it can't access anything outside the sandbox.
So an exploit would need to get you to manually put a dylib in /usr/local/ (which requires going through the permission prompt), open HandBrake, and select a file. And it requires a sandbox escape vulnerability, which is hard to come by. A lot of work when they can simply get you to download a malicious unsandboxed app and run it.

Anyway, none of this is going to persist after a clean system install. The only way to access the T2 is to put the Mac in DFU mode and upload a malicious firmware, which maybe they did, but you can always put it back in DFU mode and rewrite the original Apple firmware on it.

In the end, the question is, would someone go through all this and spend millions of dollars just to hack you?
 

cspence002

macrumors newbie
Aug 19, 2022
18
2
I know how to wipe the hard drive. The issue is what is on my computer is persistent. Also, it’s a virus.

All these photos were taken right after an erase of the hard drive. Or attempted erase, which failed due to these 21 hidden volumes in my recovery partition. These hidden volumes, which as you can see do not appear in the GUI, are kept alive (or “busy”) because of the thousands of dylib files keeping them that way.

The Macintosh HD partition, btw, not the “data” partition, has a hosts file in it that is write protected, because of where it is, and forces the current state to reload on reboot. It is intended to fool me into thinking I successfully erased the HD because everything in the GUI that is visible was erased. The hidden partitions kept alive by the dylib files keep the current partition environment alive. The hosts file causes the current state to reload.
Absent suspicion, any normal person would have just assumed the wipe was successful. And it was for Desktop environment files and settings. Under the hood, the system is set to not erase and to reload once a reboot has occurred.

This may not be “malware.” This may be intentional spying. You guys are so damn ideological, like Holocaust deniers. It’s almost clinical. You’re either paid, or have some convenient naivety. You just belittle anyone who, even with competent evidence to prove it, dares assert that Macs do get viruses, and oh yea, I caught one.

The only option you leave is to be equally obnoxious and condescending.



EDIT: I left it in but on second glance the hosts file appears to be okay. Write protected, but okay.
I am having this exact same issue. Almost everything you’ve described, and I have followed the same steps (besides downloading dylib scanners). I’ve wiped my system multiple times. I have installed High Sierra over Internet Recovery on my Intel-based Mac without issue. When I upgraded to Monterey about 20 minutes later there was no issue until I had logged in and caught it probing for files/folders that did not exist in my system. Left over was a “Recovered Files” folder that the system could not find a place for but had existed on my previous install. This was a mobiledeviceupdater.plist file that had existed under /System/Library/LaunchAgents (img3, img4) with muxed devices that had been attached. Note: I had not signed into iCloud nor enabled any internet accounts. What it seems to be doing is installing a boot driver and forwarding caches to the Recovery and Preboot volumes. It seemed to have a difficult time translating after the Internet Recovery install into Sierra and upgrade to Monterey, as it looked for files that no longer existed. The probing seems to come from what I’ve gathered is an internal node in /usr/libexec forwarding by proxying Apple system processes (that look innocent) to cloud services to a remote client resolver. It looks to also take advantage of Siri in some way through what looks like remote dictation (Siri I leave disabled on fresh installs, as well as any remote/shared system processes, location services, Analytics, and Touch ID).

Edit: During erase (from Monterey) I choose the APFS case-sensitive, encrypted partition on a GUID partition scheme to create the fresh drive (SSD). I then restart in Internet Recovery mode to pull the OS from Mac rather than the base drive or recovery volume. This installs the OS that came with your MacBook and is closer to a true Factory Reset (for me, High Sierra). High Sierra does not have the same volume/partition set-up as Monterey, so the SSD partitions will look different after install but will automatically reconfigure to the APFS partitions when upgrading to Monterey.

Before the reinstall of High Sierra after the system wipe, I also reset the NVRAM/PRAM. After install I immediately turn on the firewall, stealth mode, and FileVault. (FileVault is usually turned on already from choosing the encrypted volume when recreating the fresh drive; a separate password is used when installing from HS (after erasing the drive) rather than a key that is given when enabling FileVault from Monterey. I would keep this separate from the user password and not enable the user to decrypt the disk with their password when prompted at set-up after the HS install.) I disable downloads from 3rd parties (System Preferences > Security & Privacy): I allow apps downloaded from the App Store only, require a password immediately after the screensaver, and turn off Allow Handoff between this Mac and iCloud devices (System Preferences > General). Although I have all sharing services turned off, I still change the shared cache from All Content to Shared Content; this erases any shared content that may be in a cache. I disable IPv6 and awdl0 connections via Terminal. I then run any updates for High Sierra in the App Store. When the system restarts after the update I disable IPv6 and awdl0 again, as these reset after any restart. I then download Monterey from the App Store and start the install.
 

Attachments

  • 4 JPEG screenshots, 467 KB to 727 KB each
Last edited:
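An added example, not the poster's or Apple's code, that audits the settings the post above enables after a clean install (application firewall, stealth mode, FileVault, Gatekeeper, System Integrity Protection, IPv6 and the awdl0 interface) without changing any of them: each check runs the standard macOS query command, interprets its output, and prints the command that would fix a failing check. The network service name "Wi-Fi", the file name, and the sample command outputs are assumptions; the sample outputs are constructed so the interpretation logic can run on any machine.

```python
"""Read-only audit of the macOS settings the post above enables after a clean
install: application firewall, stealth mode, FileVault, Gatekeeper, SIP, IPv6
and the awdl0 (AirDrop/AWDL) interface.  Added example for this thread, not
Apple's or the poster's code.  The commands are the standard macOS ones;
"Wi-Fi" as the network service name and the sample outputs are assumptions.
The script only reads state and prints the command that would fix a failing
check; it changes nothing."""
import platform
import re
import subprocess

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
NETWORK_SERVICE = "Wi-Fi"  # assumption; see `networksetup -listallnetworkservices`


def _has(text, pattern):
    return re.search(pattern, text, re.IGNORECASE | re.MULTILINE) is not None


def awdl0_down(text):
    """awdl0 is down when its flags word lacks UP (or the interface is absent)."""
    m = re.search(r"flags=\d+<([^>]*)>", text)
    return m is None or "UP" not in m.group(1).split(",")


# name -> (query command, predicate on its output meaning "hardened", remediation)
CHECKS = {
    "application firewall": ([SOCKETFILTERFW, "--getglobalstate"],
                             lambda t: _has(t, r"firewall is enabled"),
                             f"sudo {SOCKETFILTERFW} --setglobalstate on"),
    "stealth mode": ([SOCKETFILTERFW, "--getstealthmode"],
                     lambda t: _has(t, r"stealth mode enabled"),
                     f"sudo {SOCKETFILTERFW} --setstealthmode on"),
    "FileVault": (["fdesetup", "status"],
                  lambda t: _has(t, r"filevault is on"),
                  "sudo fdesetup enable  (or System Preferences > Security & Privacy)"),
    "Gatekeeper": (["spctl", "--status"],
                   lambda t: _has(t, r"assessments enabled"),
                   "sudo spctl --master-enable"),
    "System Integrity Protection": (["csrutil", "status"],
                                    lambda t: _has(t, r"protection status: enabled"),
                                    "boot to Recovery and run: csrutil enable"),
    "IPv6 off": (["networksetup", "-getinfo", NETWORK_SERVICE],
                 lambda t: _has(t, r"^IPv6:\s*Off\s*$"),
                 f"sudo networksetup -setv6off '{NETWORK_SERVICE}'"),
    "awdl0 down": (["ifconfig", "awdl0"], awdl0_down,
                   "sudo ifconfig awdl0 down  (comes back after a reboot, as the post notes)"),
}


def evaluate(outputs):
    """Apply each check's predicate to captured command output.

    outputs maps check name -> text; a missing entry counts as failing.
    Returns [(name, ok, remediation)] in CHECKS order."""
    results = []
    for name, (_, hardened, fix) in CHECKS.items():
        ok = name in outputs and hardened(outputs[name])
        results.append((name, ok, fix))
    return results


def failing(outputs):
    return [name for name, ok, _ in evaluate(outputs) if not ok]


def collect_live_outputs():
    """Run every check command on macOS and capture its text (stdout and stderr)."""
    outputs = {}
    for name, (argv, _, _) in CHECKS.items():
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=20)
            outputs[name] = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            outputs[name] = f"error: {exc}"
    return outputs


# Constructed sample outputs in the format each command prints (assumption):
# a machine with firewall, FileVault, Gatekeeper and SIP on, but stealth mode off,
# IPv6 still automatic and awdl0 up.
SAMPLE_OUTPUTS = {
    "application firewall": "Firewall is enabled. (State = 1)\n",
    "stealth mode": "Stealth mode disabled\n",
    "FileVault": "FileVault is On.\n",
    "Gatekeeper": "assessments enabled\n",
    "System Integrity Protection": "System Integrity Protection status: enabled.\n",
    "IPv6 off": "DHCP Configuration\nIP address: 192.0.2.10\nSubnet mask: 255.255.255.0\n"
                "Router: 192.0.2.1\nClient ID: \nIPv6: Automatic\nIPv6 IP address: none\n",
    "awdl0 down": "awdl0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484\n"
                  "\tmedia: autoselect\n\tstatus: active\n",
}


def main():
    outputs = collect_live_outputs() if platform.system() == "Darwin" else SAMPLE_OUTPUTS
    for name, ok, fix in evaluate(outputs):
        print(f"[{'ok' if ok else 'FIX'}] {name}" + ("" if ok else f"  ->  {fix}"))


if __name__ == "__main__":
    main()
```

Run it as `python3 audit.py` (assumed file name) on the Mac being checked; the IPv6 check queries one network service, so set NETWORK_SERVICE to whatever `networksetup -listallnetworkservices` shows as the active one. awdl0 reappearing after a restart is expected behaviour rather than a sign of tampering: the system brings the interface up on boot and whenever AirDrop or Continuity features are used, which is consistent with what the post observes.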

cspence002

macrumors newbie
Aug 19, 2022
18
2
HandBrake can load an external dylib only if it's in /usr/local/ and it's called libdvdcss.2.dylib or libaacs.dylib. These libs are loaded only when opening a file. HandBrake is sandboxed, so it can't access anything outside the sandbox.
So an exploit would need to get you to manually put a dylib in /usr/local/ (which requires going through the permission prompt), open HandBrake, and select a file. And it requires a sandbox escape vulnerability, which is hard to come by. A lot of work when they can simply get you to download a malicious unsandboxed app and run it.

Anyway, none of this is going to persist after a clean system install. The only way to access the T2 is to put the Mac in DFU mode and upload a malicious firmware, which maybe they did, but you can always put it back in DFU mode and rewrite the original Apple firmware on it.

In the end, the question is, would someone go through all this and spend millions of dollars just to hack you?
No one said it costs millions of dollars to hack someone. Once you figure out the process and the information necessary, it could easily be free.
 

angeledsa

macrumors newbie
Nov 11, 2022
2
0
Texas / DC-Baltimore
I am having this exact same issue. Almost everything you’ve described, and I have followed the same steps (besides downloading dylib scanners). I’ve wiped my system multiple times. I have installed High Sierra over Internet Recovery on my Intel-based Mac without issue. When I upgraded to Monterey about 20 minutes later there was no issue until I had logged in and caught it probing for files/folders that did not exist in my system. Left over was a “Recovered Files” folder that the system could not find a place for but had existed on my previous install. This was a mobiledeviceupdater.plist file that had existed under /System/Library/LaunchAgents (img3, img4) with muxed devices that had been attached. Note: I had not signed into iCloud nor enabled any internet accounts. What it seems to be doing is installing a boot driver and forwarding caches to the Recovery and Preboot volumes. It seemed to have a difficult time translating after the Internet Recovery install into Sierra and upgrade to Monterey, as it looked for files that no longer existed. The probing seems to come from what I’ve gathered is an internal node in /usr/libexec forwarding by proxying Apple system processes (that look innocent) to cloud services to a remote client resolver. It looks to also take advantage of Siri in some way through what looks like remote dictation (Siri I leave disabled on fresh installs, as well as any remote/shared system processes, location services, Analytics, and Touch ID).

Edit: During erase (from Monterey) I choose the APFS case-sensitive, encrypted partition on a GUID partition scheme to create the fresh drive (SSD). I then restart in Internet Recovery mode to pull the OS from Mac rather than the base drive or recovery volume. This installs the OS that came with your MacBook and is closer to a true Factory Reset (for me, High Sierra). High Sierra does not have the same volume/partition set-up as Monterey, so the SSD partitions will look different after install but will automatically reconfigure to the APFS partitions when upgrading to Monterey.

Before the reinstall of High Sierra after the system wipe, I also reset the NVRAM/PRAM. After install I immediately turn on the firewall, stealth mode, and FileVault. (FileVault is usually turned on already from choosing the encrypted volume when recreating the fresh drive; a separate password is used when installing from HS (after erasing the drive) rather than a key that is given when enabling FileVault from Monterey. I would keep this separate from the user password and not enable the user to decrypt the disk with their password when prompted at set-up after the HS install.) I disable downloads from 3rd parties (System Preferences > Security & Privacy): I allow apps downloaded from the App Store only, require a password immediately after the screensaver, and turn off Allow Handoff between this Mac and iCloud devices (System Preferences > General). Although I have all sharing services turned off, I still change the shared cache from All Content to Shared Content; this erases any shared content that may be in a cache. I disable IPv6 and awdl0 connections via Terminal. I then run any updates for High Sierra in the App Store. When the system restarts after the update I disable IPv6 and awdl0 again, as these reset after any restart. I then download Monterey from the App Store and start the install.
I'm having the EXACT same issue as you and OP, over multiple devices for the past 2 years. No malware detector finds any issue. I'm not certain of the attack vector, but there have been times when the attacker realizes I'm aware of the malware and, in the midst of my attempt to stop the attack (disabling rights, enabling the firewall, etc.), the attacker modifies my trackpad and keyboard settings. My recovery disk application has been modified as OP described. The tell-tale sign that I'm hit with this exploit is that my machine will reboot with a very loud original Apple boot sound. Once that happens, it's game over and my machine and user belong to someone else.

I've had modified images of my HD and files that I don't recognize uploaded to my machine with no paper trail (other than weird create dates). I've had the same occur to my cloud accounts and like OP said, it looks as if I was doing it - assuming because the attacker has full control of my devices and is using my machine/user as a proxy.

I've been trying everything to rid my devices of this - if throwing the machine away and buying a fresh one isn't working, what's up? Surely Apple has seen this and can perform a proper debug to find how such flagrant malware is occurring persistently?

The ridiculous thing is this is such an advanced attack and both persistent and active - I am not someone with anything that would give a hacker much payoff to spend so much time/effort.
 