MacOS – Help with a HD reformat and Mountain Lion reinstall due to unknown type of hack, Malware, etc

Tags: mac-mini, macos, malware

So, I needed to reformat the HD in my mid 2011 Mac Mini (done) and plan to reinstall Mountain Lion on it. I created an SDXC install disk to do this. I'm curious to know if the disk2 partition with the Mac OS X Base System that appears in Disk Utility (as well as any other hidden partition) is the original boot partition from the previous installation of Mountain Lion carried over or is it all new from the install disk I created?

Here is why I ask… I had a nasty and reappearing hack, Trojan, bot, or malware of some sort that I want to make sure there are no remnants of when I do this install again. Over the course of almost three months, I have done this process twice, as have the folks at the Genius Bar, and it keeps coming back. Whatever it is, it also appeared on my iMac (running Snow Leopard), but I did not have any luck after wiping and reinstalling the OS from the CD, twice as well. It also appeared on my Windows laptop (running Vista), which is currently sitting with the battery removed, and the iMac is unplugged, while I focus on my Mac Mini. One note of similarity with all of this is that there was a significant amount of network activity on all of these PCs, even without an Ethernet connection/cable attached, and with the connections disabled as well, including Wi-Fi and Bluetooth. My AEBS has also been factory reset many times. It was thought that my iPhone was somehow providing the internet connection, which has also been wiped twice, as well as my iPad. I do know that my network was hacked internally by my ex, who is my ex for this very reason.

The one difference with my attempt at the OS install this time is that the install disk that I am using has been reformatted and the copy of Mountain Lion I am using was created from a newly downloaded file, versus the previous disk I had made, that was accessible to my ex, and could have possibly been tampered with. I have considered reflashing the EFI too, as I have read here that it could also be a hiding place for whatever this is, but I thought I would try this first, as I would be able to tell fairly quickly if it reappears, based on the network activity that shows up.

I hope the predicament I'm in makes some sense to those that happen to read it, because the scouring of Google, and forum after forum for answers, has grown tiresome, which is why I now turn to this highly knowledgeable and collaborative community for help. I do consider myself to be technically skilled, and have learned a lot more about this stuff than I ever wanted to know, but it is all worth its weight in gold to me, including my new-found love and appreciation for using Terminal… who knew! 😉

Let me thank you all in advance for any and all help, tips, pointers, etc. that come my way… they are all very much appreciated. I hope that this, being my first post, is formatted and worded in the way that is preferred by this community, and has provided enough detail, thought and questions to garner some initial input.

Merry Christmas,

Jimmy

Best Answer

This sort of infection is extremely rare in the OS X world. Getting reinfected over and over again is even less likely. Not saying it's impossible, but very unlikely.

I would start by installing Little Snitch and setting it to monitor outgoing connections. Also monitor your launchd folders using http://www.circl.lu/pub/tr-08/

The first step I would recommend is changing all of your passwords and using something like 1password so your ex can't get into something again.

Marking this as a wiki so others can add suggestions since this isn't an "answer" per se.

[2013-04-14: There's also Radio Silence which is an outbound filter like Little Snitch but supposedly simpler and less "chatty".]