Help my macbook has been hacked

[macbookhelp80]

So I was so stupid to install som third part software, and my mac is now hacked. Tried reinstalling the OS but this has no effect. The hacker still has full control of my macbook.

For example, after several reinstalls I found a command to search for hidden user in terminal. Suddenly someone typed in alot of commands while I was in terminal. Or when I try to alter a setting somewhere and save it. I can go back in and they are altered completely. Or my browser suddenly starts downloading stuff from webpages.

Etc etc etc etc....

So reinstalling does not help. All software is updated. And done some virus scans. No effect.

Did a etracheck - hope someone can help me....


EtreCheck version: 3.4 (420)

Report generated 2017-07-15 23:28:45

Download EtreCheck from https://etrecheck.com

Runtime: 1:42

Performance: Excellent



Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.



Problem: No problem - just checking



Hardware Information: ⓘ

MacBook Pro (Retina, 13-inch, Early 2015)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro12,1

1 2,7 GHz Intel Core i5 (i5-5257U) CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1867 MHz ok

BANK 1/DIMM0

4 GB DDR3 1867 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 88


Video Information: ⓘ

Intel Iris Graphics 6100 - VRAM: 1536 MB

Color LCD 2560 x 1600


Disk Information: ⓘ

APPLE SSD SM0128G disk0: (121,33 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [CoreStorage Container]: 120.47 GB

Recovery HD (disk0s3 - Journaled HFS+) <not mounted> [Recovery]: 650 MB


USB Information: ⓘ

USB30Bus

Broadcom Corp. Bluetooth USB Host Controller

Logitech USB Receiver


Thunderbolt Information: ⓘ

Apple Inc. thunderbolt_bus


Virtual disks: ⓘ

1 (disk1 - Case-sensitive Journaled HFS+) / [Startup]: 120.12 GB (83.03 GB free)

Physical disk: disk0s2 120.47 GB Online

OmniWeb (disk2 - HFS+) /Volumes/OmniWeb : 105 MB (31 MB free)

Physical disk: Disk Image 105 MB (31 MB free)



System Software: ⓘ

macOS Sierra 10.12.5 (16F73) - Time since boot: less than an hour


Gatekeeper: ⓘ

Mac App Store and identified developers


Kernel Extensions: ⓘ

/Library/Extensions

[loaded] com.logitech.manager.kernel.driver (6.60.1 - SDK 10.11) [Lookup]



~/Downloads/LCC Installer.app

[loaded] com.Logitech.Control Center.HID Driver (3.9.4 - SDK 10.8) [Lookup]

[loaded] com.Logitech.Unifying.HID Driver (1.3.5 - SDK 10.8) [Lookup]



System Launch Agents: ⓘ

[not loaded] 6 Apple tasks

[loaded] 185 Apple tasks

[running] 91 Apple tasks


System Launch Daemons: ⓘ

[not loaded] 42 Apple tasks

[loaded] 169 Apple tasks

[running] 105 Apple tasks


Launch Agents: ⓘ

[running] com.Logitech.Control Center.Daemon.plist (Logitech Inc. - installed 2017-07-15) [Lookup]

[running] com.logitech.manager.daemon.plist (Logitech Inc. - installed 2017-07-15) [Lookup]


Launch Daemons: ⓘ

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 18a4fa69 - installed 2017-06-23) [Lookup]


User Launch Agents: ⓘ

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-06-01) [Lookup]


User Login Items: ⓘ

iTunesHelper Application (Apple, Inc. - installed 2017-05-29)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)


Internet Plug-ins: ⓘ

FlashPlayer-10.6: 26.0.0.137 (installed 2017-07-11) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-04-29)

Flash Player: 26.0.0.137 (installed 2017-07-11) Cannot contact Adobe



Safari Extensions: ⓘ

[enabled] AdBlock - BetaFish, Inc. - https://getadblock.com (installed 2017-06-07)


3rd Party Preference Panes: ⓘ

Flash Player (installed 2017-06-23) [Lookup]

Logitech Control Center (installed 2017-07-15) [Lookup]

Logi Options Launcher (installed 2017-07-15) [Lookup]


Time Machine: ⓘ

Time Machine not configured!


Top Processes by CPU: ⓘ

13% WindowServer

4% VTDecoderXPCService

4% com.apple.WebKit.WebContent

3% kernel_task

1% launchd


Top Processes by Memory: ⓘ

662 MB kernel_task

554 MB Safari

366 MB com.apple.WebKit.WebContent

308 MB com.apple.WebKit.WebContent

108 MB WindowServer


Top Processes by Network Use: ⓘ

Input Output Process name

14 KB 12 KB mDNSResponder

9 KB 3 KB Unknown

1 KB 994 B launchd

0 B 128 B SystemUIServer


Top Processes by Energy Use: ⓘ

18.04 WindowServer

7.10 com.apple.WebKit.WebContent

3.84 VTDecoderXPCService

0.18 SystemUIServer


Virtual Memory Information: ⓘ

3.88 GB Available RAM

1.37 GB Free RAM

4.12 GB Used RAM

2.51 GB Cached files

0 B Swap Used


Software installs: ⓘ

Adobe Flash Player: (installed 2017-06-16)

DanskeSpilPoker: (installed 2017-06-25)

ExpressVPN: (installed 2017-06-28)

Adobe Flash Player: (installed 2017-07-11)

Logitech Control Center: (installed 2017-07-15)

Logitech Options: (installed 2017-07-15)



Install information may not be complete.


Diagnostics Information: ⓘ

2017-07-14 18:33:05 com.apple.WebKit.WebContent High CPU use [Open] [Details]

 

[MacGizmo]

Take it to an a Apple Store if you're near one.

 

[macbookhelp80]

Take it to an a Apple Store if you're near one.

unfortunately there are no apple stores in my country...

must be something sinister with this process I reckon (unknown):

Top Processes by Network Use: ⓘ

Input Output Process name

14 KB 12 KB mDNSResponder

9 KB 3 KB Unknown

1 KB 994 B launchd

0 B 128 B SystemUIServer

When I use little snitch - ALL processes says under internet connection: Not connected.

Thinking I can't be the only one in the world with this hack - so if anyone heard of anything or links to other forums - would be awesome

 

[BrianBaughn]

When you say "reinstalling the OS" do you mean starting from the recovery partition, reformatting the drive and starting fresh?

 

[treekram]

If you have access to another Mac and have an external HDD/SSD you can use, I would download macOS from the App Store and install it on the external disk. Take that disk and boot your MBP from it. If it can boot and your computer can work normally, then there's something on the internal SSD that's causing the issue in which case you should probably clean install using the same OS installer download from the App Store.

Make sure the newly installed OS works and then add the software, one-by-one using only installer software from the manufacture itself.

If you're having the same issues even after booting from the external disk, you have major issues that may need to be looked at by Apple - you would need to probably call them.

 

[Andy2k]

Try Malwarebytes for Mac. I've heard really good things about it. It's free (and safe).

https://www.malwarebytes.com/mac/

 

[macbookhelp80]

Yes fresh install from recovery mode....

Did that (several times) but the hack is still there.

Thinking either its some kinda hidden partion giving access to the backdoor or a firmware hack.

Had the exact same thing done to my windows machines.
When I made a complete wipe of the harddisk and fresh install the backdoor was still open.

The funny thing was, that the install was made with an evaluation copy downloaded from MS homepage. And after each install it says windows is activated.

 

[Andy2k]

I think your best bet at this point is to burn it down and start over. Download your preferred version of OS X, make a USB installer (that is really easy to do from terminal). Then boot from USB, do a full format and erase. Then re install Mac OS X. Your time machine backup probably contains the infected partition. It might be your only option now. Make sure you save and backup all your important pictures, files and documents. Let us know if you get it working.

Yes fresh install from recovery mode....

Did that (several times) but the hack is still there.

Thinking either its some kinda hidden partion giving access to the backdoor or a firmware hack.

Had the exact same thing done to my windows machines.
When I made a complete wipe of the harddisk and fresh install the backdoor was still open.

The funny thing was, that the install was made with an evaluation copy downloaded from MS homepage. And after each install it says windows is activated.

 

[dianeoforegon]

The funny thing was, that the install was made with an evaluation copy downloaded from MS homepage. And after each install it says windows is activated.

How sure are you that you are actually on a legit MS web page?

 

[treekram]

At this point, you need to have:

Erased the partition, reformatted and re-installed as mentioned in post #8 by Andy2k. Also, as mentioned by Andy2k, you can't do a full restore from your backups.

If you did this and still have issues, it's possible that there is something in your EFI partition or the Recovery partition. If the Recovery partition is infected, your only choice is to install from a clean valid version of an installer that is external to your computer.

You can check what is in your EFI partition by opening the Terminal app and typing the following (press return after each command):

diskutil mount /dev/disk0s1
cd /Volumes/EFI
sudo ls -Ra

You may need to supply the admin password for the last command. If you're running from the Recovery partition Terminal app, you don't need the "sudo" (just type in ls -Ra). If you see something like APPLE, CACHES, EXTENSIONS, FIRMWARE, in the EFI partition listing, that is normal. It may have a Firmware.scap file and an associate *LOCKED.scap file, but I would have thought that these files would be deleted as part of a install. If there are any other files, that could be suspicious - post their names.

It's possible that your firmware was hacked, but that would be difficult to do and if done, if I were a hacker, I would not make my presence known by doing the things that are happening to your computer. If you have done everything else as suggested by the posters here, and there is still a problem, that's when I would call Apple and let them take a look at it (they can do it remotely). I would think they have tools that would be able to determine if your firmware is valid or not.

In your Etrecheck report, you also have an external disk or flash drive connected. You should make sure the external disk is disconnected when doing your re-installs.

 

[BrianBaughn]

I'd make the USB installer on a different Mac. If your hacker is that sophisticated an installer you make on that machine could be infected.

Could such a USB installer be made "read only" after it is set up and be used successfully to reinstall?

 

[treekram]

I'd make the USB installer on a different Mac. If your hacker is that sophisticated an installer you make on that machine could be infected.

Could such a USB installer be made "read only" after it is set up and be used successfully to reinstall?

You can make a computer not auto-mount a specific drive and then mount it read-only but I think in order to boot it will need to write to the drive. I think you'd have less chance of an infected system if you boot from a drive prepared on a good machine and install from it.

 

[Fancuku]

If it has happened before on Windows machines too then it means you need to change your computing habits. An OS is as safe as the nut behind the keyboard.

Do what BrianBaughn said.

 

[macbookhelp80]

If it has happened before on Windows machines too then it means you need to change your computing habits. An OS is as safe as the nut behind the keyboard.

Do what BrianBaughn said.

Yes, ofc I allowed them into the system.

I'll get hold of a different mac -> download the OS to a usb -> boot the mac from it -> wipe the HD and install

-

Thx for the advice all - very helpful