Help my macbook has been hacked

Discussion in 'macOS Sierra (10.12)' started by macbookhelp80, Jul 18, 2017.

  1. macbookhelp80 macrumors newbie

    Jul 18, 2017
    So I was so stupid to install som third part software, and my mac is now hacked. Tried reinstalling the OS but this has no effect. The hacker still has full control of my macbook.

    For example, after several reinstalls I found a command to search for hidden user in terminal. Suddenly someone typed in alot of commands while I was in terminal. Or when I try to alter a setting somewhere and save it. I can go back in and they are altered completely. Or my browser suddenly starts downloading stuff from webpages.

    Etc etc etc etc.... :(

    So reinstalling does not help. All software is updated. And done some virus scans. No effect.

    Did a etracheck - hope someone can help me....

    EtreCheck version: 3.4 (420)

    Report generated 2017-07-15 23:28:45

    Download EtreCheck from

    Runtime: 1:42

    Performance: Excellent

    Click the [Lookup] links for more information from Apple Support Communities.

    Click the [Details] links for more information about that line.

    Problem: No problem - just checking

    Hardware Information:

    MacBook Pro (Retina, 13-inch, Early 2015)

    [Technical Specifications] - [User Guide] - [Warranty & Service]

    MacBook Pro - model: MacBookPro12,1

    1 2,7 GHz Intel Core i5 (i5-5257U) CPU: 2-core

    8 GB RAM Not upgradeable

    BANK 0/DIMM0

    4 GB DDR3 1867 MHz ok

    BANK 1/DIMM0

    4 GB DDR3 1867 MHz ok

    Bluetooth: Good - Handoff/Airdrop2 supported

    Wireless: en0: 802.11 a/b/g/n/ac

    Battery: Health = Normal - Cycle count = 88

    Video Information:

    Intel Iris Graphics 6100 - VRAM: 1536 MB

    Color LCD 2560 x 1600

    Disk Information:

    APPLE SSD SM0128G disk0: (121,33 GB) (Solid State - TRIM: Yes)

    [Show SMART report]

    EFI (disk0s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

    (disk0s2) <not mounted> [CoreStorage Container]: 120.47 GB

    Recovery HD (disk0s3 - Journaled HFS+) <not mounted> [Recovery]: 650 MB

    USB Information:


    Broadcom Corp. Bluetooth USB Host Controller

    Logitech USB Receiver

    Thunderbolt Information:

    Apple Inc. thunderbolt_bus

    Virtual disks:

    1 (disk1 - Case-sensitive Journaled HFS+) / [Startup]: 120.12 GB (83.03 GB free)

    Physical disk: disk0s2 120.47 GB Online

    OmniWeb (disk2 - HFS+) /Volumes/OmniWeb : 105 MB (31 MB free)

    Physical disk: Disk Image 105 MB (31 MB free)

    System Software:

    macOS Sierra 10.12.5 (16F73) - Time since boot: less than an hour


    Mac App Store and identified developers

    Kernel Extensions:


    [loaded] com.logitech.manager.kernel.driver (6.60.1 - SDK 10.11) [Lookup]


    [loaded] com.Logitech.Control Center.HID Driver (3.9.4 - SDK 10.8) [Lookup]

    [loaded] com.Logitech.Unifying.HID Driver (1.3.5 - SDK 10.8) [Lookup]

    System Launch Agents:

    [not loaded] 6 Apple tasks

    [loaded] 185 Apple tasks

    [running] 91 Apple tasks

    System Launch Daemons:

    [not loaded] 42 Apple tasks

    [loaded] 169 Apple tasks

    [running] 105 Apple tasks

    Launch Agents:

    [running] com.Logitech.Control Center.Daemon.plist (Logitech Inc. - installed 2017-07-15) [Lookup]

    [running] com.logitech.manager.daemon.plist (Logitech Inc. - installed 2017-07-15) [Lookup]

    Launch Daemons:

    [loaded] com.adobe.fpsaud.plist (? 2afb3af7 18a4fa69 - installed 2017-06-23) [Lookup]

    User Launch Agents:

    [loaded] (Google, Inc. - installed 2017-06-01) [Lookup]

    User Login Items:

    iTunesHelper Application (Apple, Inc. - installed 2017-05-29)


    Internet Plug-ins:

    FlashPlayer-10.6: (installed 2017-07-11) [Lookup]

    QuickTime Plugin: 7.7.3 (installed 2017-04-29)

    Flash Player: (installed 2017-07-11) Cannot contact Adobe

    Safari Extensions:

    [enabled] AdBlock - BetaFish, Inc. - (installed 2017-06-07)

    3rd Party Preference Panes:

    Flash Player (installed 2017-06-23) [Lookup]

    Logitech Control Center (installed 2017-07-15) [Lookup]

    Logi Options Launcher (installed 2017-07-15) [Lookup]

    Time Machine:

    Time Machine not configured!

    Top Processes by CPU:

    13% WindowServer

    4% VTDecoderXPCService


    3% kernel_task

    1% launchd

    Top Processes by Memory:

    662 MB kernel_task

    554 MB Safari

    366 MB

    308 MB

    108 MB WindowServer

    Top Processes by Network Use:

    Input Output Process name

    14 KB 12 KB mDNSResponder

    9 KB 3 KB Unknown

    1 KB 994 B launchd

    0 B 128 B SystemUIServer

    Top Processes by Energy Use:

    18.04 WindowServer


    3.84 VTDecoderXPCService

    0.18 SystemUIServer

    Virtual Memory Information:

    3.88 GB Available RAM

    1.37 GB Free RAM

    4.12 GB Used RAM

    2.51 GB Cached files

    0 B Swap Used

    Software installs:

    Adobe Flash Player: (installed 2017-06-16)

    DanskeSpilPoker: (installed 2017-06-25)

    ExpressVPN: (installed 2017-06-28)

    Adobe Flash Player: (installed 2017-07-11)

    Logitech Control Center: (installed 2017-07-15)

    Logitech Options: (installed 2017-07-15)

    Install information may not be complete.

    Diagnostics Information:

    2017-07-14 18:33:05 High CPU use [Open] [Details]
  2. MacGizmo macrumors 65816


    Apr 27, 2003
    Take it to an a Apple Store if you're near one.
  3. macbookhelp80 thread starter macrumors newbie

    Jul 18, 2017
    unfortunately there are no apple stores in my country...

    must be something sinister with this process I reckon (unknown):

    Top Processes by Network Use:

    Input Output Process name

    14 KB 12 KB mDNSResponder

    9 KB 3 KB Unknown

    1 KB 994 B launchd

    0 B 128 B SystemUIServer

    When I use little snitch - ALL processes says under internet connection: Not connected.

    Thinking I can't be the only one in the world with this hack - so if anyone heard of anything or links to other forums - would be awesome :)
  4. BrianBaughn macrumors 603


    Feb 13, 2011
    Baltimore, Maryland
    When you say "reinstalling the OS" do you mean starting from the recovery partition, reformatting the drive and starting fresh?
  5. treekram macrumors 68000

    Nov 9, 2015
    Honolulu HI
    If you have access to another Mac and have an external HDD/SSD you can use, I would download macOS from the App Store and install it on the external disk. Take that disk and boot your MBP from it. If it can boot and your computer can work normally, then there's something on the internal SSD that's causing the issue in which case you should probably clean install using the same OS installer download from the App Store.

    Make sure the newly installed OS works and then add the software, one-by-one using only installer software from the manufacture itself.

    If you're having the same issues even after booting from the external disk, you have major issues that may need to be looked at by Apple - you would need to probably call them.
  6. Andy2k macrumors member

    Jul 18, 2015
  7. macbookhelp80 thread starter macrumors newbie

    Jul 18, 2017
    Yes fresh install from recovery mode....

    Did that (several times) but the hack is still there.

    Thinking either its some kinda hidden partion giving access to the backdoor or a firmware hack.

    Had the exact same thing done to my windows machines.
    When I made a complete wipe of the harddisk and fresh install the backdoor was still open.

    The funny thing was, that the install was made with an evaluation copy downloaded from MS homepage. And after each install it says windows is activated.
  8. Andy2k macrumors member

    Jul 18, 2015
    I think your best bet at this point is to burn it down and start over. Download your preferred version of OS X, make a USB installer (that is really easy to do from terminal). Then boot from USB, do a full format and erase. Then re install Mac OS X. Your time machine backup probably contains the infected partition. It might be your only option now. Make sure you save and backup all your important pictures, files and documents. Let us know if you get it working.

  9. dianeoforegon macrumors 6502a


    Apr 26, 2011
    How sure are you that you are actually on a legit MS web page?
  10. treekram macrumors 68000

    Nov 9, 2015
    Honolulu HI
    At this point, you need to have:

    Erased the partition, reformatted and re-installed as mentioned in post #8 by Andy2k. Also, as mentioned by Andy2k, you can't do a full restore from your backups.

    If you did this and still have issues, it's possible that there is something in your EFI partition or the Recovery partition. If the Recovery partition is infected, your only choice is to install from a clean valid version of an installer that is external to your computer.

    You can check what is in your EFI partition by opening the Terminal app and typing the following (press return after each command):

    diskutil mount /dev/disk0s1
    cd /Volumes/EFI
    sudo ls -Ra

    You may need to supply the admin password for the last command. If you're running from the Recovery partition Terminal app, you don't need the "sudo" (just type in ls -Ra). If you see something like APPLE, CACHES, EXTENSIONS, FIRMWARE, in the EFI partition listing, that is normal. It may have a Firmware.scap file and an associate *LOCKED.scap file, but I would have thought that these files would be deleted as part of a install. If there are any other files, that could be suspicious - post their names.

    It's possible that your firmware was hacked, but that would be difficult to do and if done, if I were a hacker, I would not make my presence known by doing the things that are happening to your computer. If you have done everything else as suggested by the posters here, and there is still a problem, that's when I would call Apple and let them take a look at it (they can do it remotely). I would think they have tools that would be able to determine if your firmware is valid or not.

    In your Etrecheck report, you also have an external disk or flash drive connected. You should make sure the external disk is disconnected when doing your re-installs.
  11. BrianBaughn macrumors 603


    Feb 13, 2011
    Baltimore, Maryland
    I'd make the USB installer on a different Mac. If your hacker is that sophisticated an installer you make on that machine could be infected.

    Could such a USB installer be made "read only" after it is set up and be used successfully to reinstall?
  12. treekram macrumors 68000

    Nov 9, 2015
    Honolulu HI
    You can make a computer not auto-mount a specific drive and then mount it read-only but I think in order to boot it will need to write to the drive. I think you'd have less chance of an infected system if you boot from a drive prepared on a good machine and install from it.
  13. Fancuku macrumors 65816


    Oct 8, 2015
    PA, USA
    If it has happened before on Windows machines too then it means you need to change your computing habits. An OS is as safe as the nut behind the keyboard.

    Do what BrianBaughn said.
  14. macbookhelp80 thread starter macrumors newbie

    Jul 18, 2017
    Yes, ofc I allowed them into the system.

    I'll get hold of a different mac -> download the OS to a usb -> boot the mac from it -> wipe the HD and install


    Thx for the advice all - very helpful :)

Share This Page