MAC Experts HELP ME (MALWARE/LOST root access?)

Discussion in 'Mac Basics and Help' started by mikeandersson, Feb 11, 2018.

  1. mikeandersson macrumors newbie

    Joined:
    Feb 11, 2018
    #1
    Ladies and gentlemen, I need YOUR help and expertise.

    It started with me downloading MACDEFENDER/MACKEEPER.

    And before I knew it and realized it, I had given a stranger/hacker access (root) to my laptop (master key and control over my entire laptop) - control in terms of hijacking traffic (I can't go to sites with HTTPS) and possible access to the webcam, keyboard (keylogger), etc.

    I have tried to read as much as possible in the first 20 pages of Google results, watched numerous videos on YouTube, etc., and tried SOFTWARE to find and remove viruses/malware, etc.
    - Kaspersky, Avast, Bitdefender, AVG, Malwarebytes, etc., but nothing has worked yet.

    The "hacker" has full root access because I "sort of" gave him/her permission by typing my password numerous times. <- I didn't realize it before it was too late.

    Things that I have been trying:
    - Software / ANTIVIRUS - but it can't detect anything.
    - Reinstalling/resetting/deleting Sierra (it is an MBA / Mountain Lion)

    I have taken some screenshots which may help. Just say if you need more details.
    I apologize in advance for my grammar; I'm not a native English speaker, but I hope you can understand it anyway, guys.

    [Screenshots attached: Skærmbillede 2018-02-11 kl. 20.42.57.png through Skærmbillede 2018-02-11 kl. 20.51.39.png]
    --- Post Merged, Feb 11, 2018 ---
    Even though I have only Firefox open, my CPU is running between 30-50%.
     
  2. chscag macrumors 68020

    chscag

    Joined:
    Feb 17, 2008
    Location:
    Fort Worth, Texas
    #2
  3. mikeandersson thread starter macrumors newbie

    Joined:
    Feb 11, 2018
    #3
    Hello chscag, thank you for your comment. But I have already been doing this.

    I tried to run CCleaner.
    It won't even allow me to remove miscellaneous caches.
    --- Post Merged, Feb 11, 2018 ---
    [Screenshot attached: Skærmbillede 2018-02-11 kl. 21.18.56.png]
     
  4. mikeandersson thread starter macrumors newbie

    Joined:
    Feb 11, 2018
    #5
    MWB couldn't find anything.

    But my main issue, I guess, is to remove the root access the hacker has right now?
     
  5. mikzn macrumors 6502a

    mikzn

    Joined:
    Sep 2, 2013
    Location:
    North West
    #6
    Not sure you have been "really hacked" - more likely just a bunch of intrusive software trying to install itself that needs your password to install.

    But just in case - the first thing I would do is turn off Wi-Fi and then go and change the admin password.

    Then you can worry about removing the MacKeeper apps as above.
     
  6. mikeandersson thread starter macrumors newbie

    Joined:
    Feb 11, 2018
    #7
    My Mac has been erased / given a clean install. No software on it.

    Right now I'm using my phone as a hotspot.

    I can't even use Safari with HTTPS or download Chrome because I can't make a safe connection to Google's servers (HTTPS).

    Only HTTP. If I try to make an HTTPS connection, the sites can't be reached.

    MacKeeper/MacDefender is gone.
    No malware apparently.
    --- Post Merged, Feb 11, 2018 ---
    I can only surf and watch sites with HTTP.
     
  7. chscag macrumors 68020

    chscag

    Joined:
    Feb 17, 2008
    Location:
    Fort Worth, Texas
    #8
    More junk! CCleaner works well for Windows but not for a Mac. You're on a Mac, not a Windows machine. Quit downloading and installing all that junk and malware. And what makes you think a hacker has root access to your machine?
     
  8. organicCPU macrumors 6502

    organicCPU

    Joined:
    Aug 8, 2016
    #9
    Might HolaVPN be the reason for your https connection problem?
     
  9. mikeandersson thread starter macrumors newbie

    Joined:
    Feb 11, 2018
    #10
    I had the problems before I installed HolaVPN.
    --- Post Merged, Feb 12, 2018 ---
    Do you think it's normal for your Mac to run at almost 30/50% of its CPU when you only have 1 browser open?
     
  10. Fishrrman macrumors G5

    Fishrrman

    Joined:
    Feb 20, 2009
    #11
    OP wrote:
    "It started with me downloading MACDEFENDER/MACKEEPER ."

    That was your first mistake -- and it was A BIG ONE.
    But there's not much you can do about it now, except go forward.

    If you're really concerned about malware, and can't seem to get rid of it, you may have to do this:
    1. Create a bootable USB flash drive with the Mac OS installer on it.
    2. Boot from the flash drive and use Disk Utility to ERASE the entire internal drive.
    3. Reinstall the OS.
    4. Rebuild your internal drive from your backups.
     
  11. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #12
    If you're looking for an app to uninstall Mac apps, be aware that in most cases, app removal software doesn't do a thorough job of finding and removing files/folders related to deleted apps. For more information, read this and this. If you just want to delete the app, drag the .app file to the trash. No other software needed. If you want to completely remove all associated files/folders, no removal apps will do the job.

    The most effective method for complete app removal is manual deletion:

     
  12. MSastre macrumors 6502

    MSastre

    Joined:
    Aug 18, 2014
    #13
    If you have a backup of your drive from BEFORE you installed all those "cleaner", "keeper" garbage apps, the best thing you can do is a complete wipe of your drive and a clean install of your OS. Follow Fishrrman's advice exactly.
     
  13. alphaod macrumors Core

    alphaod

    Joined:
    Feb 9, 2008
    Location:
    NYC
    #14
    If you can't access secure sites after reinstalling your computer, perhaps the problem is with your networking equipment and not your computer.
     
  14. IHelpId10t5 macrumors 6502

    Joined:
    Nov 28, 2014
    #15
    alphaod makes a great point. If you really did a "clean" install of macOS, then it's impossible for malware to still be affecting your connectivity. Therefore, either: 1) you did not really do a "clean" install (meaning that you used bootable media and formatted the drive using Disk Utility prior to installing macOS clean), or 2) your network has a problem. It may be that the criminal you gave access to changed the firmware, DNS, proxy, or VPN settings on your router.

    I would recommend reflashing your router using the latest router firmware from your manufacturer and resetting all settings. Then, if you have not already really done a "clean" install, make sure that you have multiple backups of your Mac (ideally prior to infection/intrusion), build a bootable USB drive, boot to it, reformat the drive using Disk Utility, and do a "clean" install of macOS.
     
  15. hobowankenobi, Feb 12, 2018
    Last edited: Feb 12, 2018

    hobowankenobi macrumors 6502

    Joined:
    Aug 27, 2015
    Location:
    on the land line mr. smith.
    #16
    This does not add up.

    If you gave away admin access... and someone remotely changed your admin and/or root PW, you can easily reset it and take control back. While it is possible to encrypt your drive and firmware AND give away the PW or encryption key, that seems pretty unlikely.

    BTW, how do you "sort of" give away an admin or root PW? Either you did, or you did not....

    If you already formatted your drive and reinstalled a fresh OS... there are very, VERY few intrusive things that can survive that.

    Sounds like not nuked and paved, or no account PW reset. Both are pretty easy, especially if you don't have any irreplaceable data.

    Please confirm you have done one or the other. Or both.

    Do you have more than one admin account now? Do you have the PW to them? Or does someone else control any of those?

    Is root enabled? Can you change the root PW? Can you disable root?
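    Added example, not from any poster in this thread: a POSIX shell script that answers the questions above (extra admin accounts, root enabled, and the DNS/proxy settings IHelpId10t5 mentioned) on a macOS host using the built-in `dscl` and `networksetup` tools. It assumes the account names you pass to `audit()` are the admins you created yourself; the `*_from` functions parse command output given as text, so they can be exercised on constructed input without a Mac.

```shell
#!/bin/sh
# Added example, not from the thread: answers the account and network questions
# above on macOS with built-in dscl and networksetup. The *_from functions take
# command output as text so they can be checked offline; audit() runs the live
# commands. Assumption: the names passed to audit() are admins you created.

# Print admin group members that are not in your expected list.
# $1: output of `dscl . -read /Groups/admin GroupMembership`
# $2: space-separated account names you recognise (root is always a member)
unexpected_admins() {
    members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;                 # expected account, skip it
            *) printf '%s\n' "$m" ;;     # an admin you did not create
        esac
    done
}

# Succeed (exit 0) if the root account is enabled.
# $1: output of `dscl . -read /Users/root Password`; a disabled root shows "*"
root_enabled_from() {
    case "$1" in
        "Password: *") return 1 ;;
        *) return 0 ;;
    esac
}

# Succeed if a proxy is switched on in `networksetup -getsecurewebproxy` output.
# $1: that output ("Enabled: Yes|No", "Server: ...", "Port: ...")
proxy_enabled_from() {
    printf '%s\n' "$1" | grep -q '^Enabled: Yes'
}

# $1: space-separated names of the admin accounts you created yourself
audit() {
    unexpected_admins "$(dscl . -read /Groups/admin GroupMembership)" "$1" |
        sed 's/^/UNEXPECTED ADMIN: /'
    if root_enabled_from "$(dscl . -read /Users/root Password)"; then
        echo "root is ENABLED (disable it with: sudo dsenableroot -d)"
    fi
    for svc in Wi-Fi Ethernet; do
        if proxy_enabled_from "$(networksetup -getsecurewebproxy "$svc" 2>/dev/null)"; then
            echo "HTTPS proxy is ENABLED on $svc"
        fi
        echo "DNS servers on $svc: $(networksetup -getdnsservers "$svc" 2>/dev/null)"
    done
}

# Run the live audit only on macOS, e.g.: sh audit.sh "root mikeandersson"
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then audit "$1"; fi
```

    Any account printed as UNEXPECTED ADMIN, an enabled root you did not enable, or a proxy/DNS server you do not recognise is something to reset before trusting the machine again.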
     
  16. organicCPU macrumors 6502

    organicCPU

    Joined:
    Aug 8, 2016
    #17
    Maybe a compromised phone that needs a clean reinstall? Maybe a misconfigured network setting in the phone or Mac and no intrusion at all?

    Possible, depending on the sites open in your browser. Don't forget temporary Spotlight indexing after a clean install. In the screenshot there is 0,2% CPU for Firefox itself and high CPU for FirefoxCP Web Content. Combined with the problem of refused https connection it might be some additional crapware on your system like Anti-Virus tools. https://support.mozilla.org/en-US/questions/1196736
     
  17. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #18
    The latest scourge for web browsers is "drive-by crypto-currency miners".
    https://arstechnica.com/information...ncy-mining-scourge-shows-no-signs-of-abating/

    These typically aren't persistent. They go away when the compromised site's web page is closed. Unfortunately, some people keep a tab or window open, instead of bookmarking a page, so the miners can remain active for long periods of time.
     
  18. mikeandersson thread starter macrumors newbie

    Joined:
    Feb 11, 2018
    #19

    ^^^

    Already tried it. Nothing seems to work.
    --- Post Merged, Feb 22, 2018 ---
    [Screenshots attached: Skærmbillede 2018-02-11 kl. 21.18.56.png, Skærmbillede 2018-02-22 kl. 22.42.09.png, Skærmbillede 2018-02-22 kl. 22.42.34.png, Skærmbillede 2018-02-22 kl. 22.42.54.png]
     