
mikeandersson

macrumors newbie
Original poster
Feb 11, 2018
6
1
Ladies and gentlemen, I need YOUR help and expertise.

It started with me downloading MACDEFENDER/MACKEEPER .

And before I knew it and realized it, I had been giving a stranger/hacker access (root) to my laptop (master key and control over my entire laptop). Control in terms of hijacking traffic (can't go to sites with HTTPS) and possible access to webcam, keyboard (keylogger) etc.

I have tried to read as much as possible on the first 20 pages on Google, watched numerous videos on YouTube etc., and tried software to find and remove viruses/malware etc.
- Kaspersky, Avast, Bitdefender, AVG, Malwarebytes etc., but nothing has worked yet.

The "hacker" has full root access because I "sort of" gave him/her permission by typing my password numerous times. <- I didn't realize it before it was too late.

Things that I have been trying:
- Software / antivirus - but it can't detect any.
- Reinstall/reset/deleting Sierra to (it is a MBA/Mountain Lion)

I have been making some screenshots which may help? Just say if you need more details.
I apologize in advance for my grammar, I'm not a native English speaker, but I hope you can understand it anyways guys.

Skærmbillede 2018-02-11 kl. 20.42.57.png
Skærmbillede 2018-02-11 kl. 20.43.23.png
Skærmbillede 2018-02-11 kl. 20.48.04.png
Skærmbillede 2018-02-11 kl. 20.48.12.png
Skærmbillede 2018-02-11 kl. 20.48.40.png
Skærmbillede 2018-02-11 kl. 20.49.06.png
Skærmbillede 2018-02-11 kl. 20.51.39.png

Even though I have only Firefox open, my CPU is running between 30-50 %.
 

mikeandersson

macrumors newbie
Original poster
Feb 11, 2018
6
1
Hello chscag, thank you for your comment. But I have already been doing this.

I tried to run CCleaner.
Won't even allow me to remove miscellaneous caches
Skærmbillede 2018-02-11 kl. 21.18.56.png
 

mikeandersson

macrumors newbie
Original poster
Feb 11, 2018
6
1
MWB couldn't find anything.

But my main issue, I guess, is to remove that root access the hacker has right now?
 

mikzn

macrumors 68040
Sep 2, 2013
3,005
2,290
North Vancouver
Not sure you have been "really hacked" - more likely just a bunch of intrusive software trying to install itself and needs your password to install.

But just in case - First thing I would do is turn off wifi and then go and change the admin password.

Then you can worry about removing the MacKeeper apps as above
 

mikeandersson

macrumors newbie
Original poster
Feb 11, 2018
6
1
Not sure you have been "really hacked" - more likely just a bunch of intrusive software trying to install itself and needs your password to install.

But just in case - First thing I would do is turn off wifi and then go and change the admin password.

Then you can worry about removing the MacKeeper apps as above

My Mac has been erased/made a clean install. No software on it.

Right now I'm using my phone as a hotspot.

I can't even use Safari with https or download Chrome because I can't make a safe connection to Google's servers (https).

Only http. If I try to make a https connection, the sites can't be reached.



MacKeeper/MacDefender is gone.
No malware apparently.
I can only surf and watch sites with http.
 

chscag

macrumors 601
Feb 17, 2008
4,622
1,946
Fort Worth, Texas
I tried to run CCleaner.
Won't even allow me to remove miscellaneous caches

More junk! CCleaner works well for Windows but not for a Mac. You're on a Mac not a Windows machine. Quit downloading and installing all that junk and malware. And what makes you think a hacker has root access to your machine?
 

mikeandersson

macrumors newbie
Original poster
Feb 11, 2018
6
1
Might HolaVPN be the reason for your https connection problem?

I had the problems before I installed HolaVPN.

More junk! CCleaner works well for Windows but not for a Mac. You're on a Mac not a Windows machine. Quit downloading and installing all that junk and malware. And what makes you think a hacker has root access to your machine?

Do you think it's normal for your Mac to run at almost 30/50 % of its CPU when you only have 1 browser open?
 

Fishrrman

macrumors Penryn
Feb 20, 2009
28,343
12,460
OP wrote:
"It started with me downloading MACDEFENDER/MACKEEPER ."

That was your first mistake -- and it was A BIG ONE.
But there's not much you can do about it now, except go forward.

If you're really concerned about malware, and can't seem to get rid of it, you may have to do this:
1. Create a bootable USB flash drive with the Mac OS installer on it.
2. Boot from the flash drive and use Disk Utility to ERASE the entire internal drive
3. Reinstall the OS.
4. Rebuild your internal drive from your backups.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
If you're looking for an app to uninstall Mac apps, be aware that in most cases, app removal software doesn't do a thorough job of finding and removing files/folders related to deleted apps. For more information, read this and this. If you just want to delete the app, drag the .app file to the trash. No other software needed. If you want to completely remove all associated files/folders, no removal apps will do the job.

The most effective method for complete app removal is manual deletion:

 

MSastre

macrumors 6502a
Aug 18, 2014
614
278
If you have a backup of your drive BEFORE you installed all those "cleaner", "keeper" garbage apps, the best thing you can do is a complete wipe of your drive and clean install of your OS. Follow Fishrrman's advice exactly.
 

IHelpId10t5

macrumors 6502
Nov 28, 2014
486
348
If you can't access secure sites after reinstalling your computer, perhaps the problem is with your networking equipment and not your computer.

alphaod makes a great point. If you really did a "clean" install of macOS then it's impossible for malware to still be affecting your connectivity. Therefore, either: 1) you did not really do a "clean" install (meaning that you used bootable media and formatted the drive using DiskUtility prior to installing macOS clean), or 2) your network has a problem. It may be that the criminal that you gave access to changed the firmware, DNS, proxy, or VPN settings on your router.

I would recommend reflashing your router using the latest router firmware from your manufacturer and resetting all settings. Then, if you have not already really done a "clean" install, make sure that you have multiple backups of your Mac (ideally prior to infection/intrusion), build a bootable USB drive, boot to it, reformat the drive using Disk Utility, and do a "clean" install of macOS.
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,076
883
on the land line mr. smith.
This does not add up.

If you gave away admin access.....and someone remotely changed your admin and/or root PW, you can easily reset it, and take control back. While it is possible to encrypt your drive and firmware AND give away the PW or encryption key, that seems pretty unlikely.

BTW, how do you "sort of" give away admin or root PW? Either you did, or you did not....

If you already formatted your drive and reinstalled a fresh OS....there are very VERY few intrusive things that can survive that.

Sounds like not nuked and paved, or no account PW reset. Both are pretty easy, especially if you don't have any irreplaceable data.

Please confirm you have done one or the other. Or both.

Do you have more than one admin account now? Do you have the PW to them? Or does someone else control any of those?

Is root enabled? Can you change the root PW? Can you disable root?
 
  • Like
Reactions: organicCPU

organicCPU

macrumors 6502a
Aug 8, 2016
827
287
perhaps the problem is with your networking equipment and not your computer.
It may be that the criminal that you gave access to changed the firmware, DNS, proxy, or VPN settings on your router.
I would recommend reflashing your router using the latest router firmware from your manufacturer and resetting all settings.
Right now I'm using my phone as a hotspot.
Maybe a compromised phone that needs a clean reinstall? Maybe a misconfigured network setting in the phone or Mac and no intrusion at all?

Do you think it's normal for your Mac to run at almost 30/50 % of its CPU when you only have 1 browser open?
Possible, depending on the sites open in your browser. Don't forget temporary Spotlight indexing after a clean install. In the screenshot there is 0,2% CPU for Firefox itself and high CPU for FirefoxCP Web Content. Combined with the problem of refused https connection it might be some additional crapware on your system like Anti-Virus tools. https://support.mozilla.org/en-US/questions/1196736
 
  • Like
Reactions: hobowankenobi
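
A read-only check for the Mac-side proxy settings raised in the replies above, as an added example that is not from any poster in this thread: it parses the output of macOS's `scutil --proxy` and lists any enabled HTTP, HTTPS, SOCKS or PAC proxy. The function name `audit_proxy` and the sample output (using the documentation address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled system proxies from `scutil --proxy` output.
# Reads the dictionary on stdin and prints one line per enabled proxy.
audit_proxy() {
  awk '
    # Entries look like "  HTTPSEnable : 1": first field is the key,
    # everything after the first ": " is the value.
    / : / {
      key = $1
      val = $0
      sub(/^[^:]*: /, "", val)
      sub(/[ \t]+$/, "", val)
      kv[key] = val
    }
    END {
      n = split("HTTP HTTPS SOCKS", kinds, " ")
      for (i = 1; i <= n; i++) {
        k = kinds[i]
        if (kv[k "Enable"] == "1")
          printf "%s proxy enabled: %s:%s\n", k, kv[k "Proxy"], kv[k "Port"]
      }
      if (kv["ProxyAutoConfigEnable"] == "1")
        printf "PAC file enabled: %s\n", kv["ProxyAutoConfigURLString"]
    }
  '
}

# Constructed sample: a proxy set for HTTPS only, plus a PAC file.
SAMPLE='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : 192.0.2.10
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://192.0.2.10/proxy.pac
}'

# On a Mac, audit the live settings; elsewhere, run against the sample.
if command -v scutil >/dev/null 2>&1; then
  scutil --proxy | audit_proxy
else
  printf '%s\n' "$SAMPLE" | audit_proxy
fi
```

No output means no system-wide proxy is enabled on the Mac; the check says nothing about the router or the phone providing the hotspot.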

chown33

Moderator
Staff member
Aug 9, 2009
10,750
8,422
A sea of green
In the screenshot there is 0,2% CPU for Firefox itself and high CPU for FirefoxCP Web Content.
The latest scourge for web browsers is "drive-by crypto-currency miners".
https://arstechnica.com/information...ncy-mining-scourge-shows-no-signs-of-abating/

These typically aren't persistent. They go away when the compromised site's web page is closed. Unfortunately, some people keep a tab or window open, instead of bookmarking a page, so the miners can remain active for long periods of time.
 

mikeandersson

macrumors newbie
Original poster
Feb 11, 2018
6
1
OP wrote:
"It started with me downloading MACDEFENDER/MACKEEPER ."

That was your first mistake -- and it was A BIG ONE.
But there's not much you can do about it now, except go forward.

If you're really concerned about malware, and can't seem to get rid of it, you may have to do this:
1. Create a bootable USB flash drive with the Mac OS installer on it.
2. Boot from the flash drive and use Disk Utility to ERASE the entire internal drive
3. Reinstall the OS.
4. Rebuild your internal drive from your backups.


^^^

Already tried it. Nothing seems to work.

Skærmbillede 2018-02-11 kl. 21.18.56.png
Skærmbillede 2018-02-22 kl. 22.42.09.png
Skærmbillede 2018-02-22 kl. 22.42.34.png
Skærmbillede 2018-02-22 kl. 22.42.54.png
 