duffy1987

Q: MacBook Pro has been hacked. What next?

Hi there,

 

I am very supsicious my MacBook Pro has been hacked.  What next?

 

Symptoms (in chronological order, all within a two-hour period):

 

1. Would not enter sleep mode upon commanded (screen went black, then came back on just as quickly).

2. Then discovered that the letter 'p' did not work on my keyboard. The only way top enter this letter in text was by COMMAND + COPY and then pasting it.

3. Once I did this, the letter 'p' would appear any time I typed the letter 'o'.  It is now doing it with other letters, too.  In real time, it looks sompething likpe this.

4. Decided to restart.  Upon doing so, my saved password changed on the screen right before my very eyes (it is saved on the startup page).  I could not backspace, or use COMMAND + X to delete.  Finally got a blank field (don't remember how), and (stupidly?) entered my usual password.

5. Once back in, the same problems continued (or got worse).

6. I then shut down the machine.  Same issues upon restart.

 

Actions:

 

1. Ran avast scan.  No infections found.

2. Downloaded ClamXav.  As cautioned, I performed a full backup before running a scan.  When I connected my external hard drive, it too behaved in an odd way, but I finally managed a full backup.

3. Then ran ClamXav scan.  No infections found.

 

Questions:

 

1. Given that I have taken what I think are the appropriate steps, what now?  The password change that I did not initiate concerns me most, but why my keyboard is acting so strangely remains very puzzling.

 

Any and all help is greatly appreciated.

 

Thank you.

MacBook Pro, OS X Mavericks (10.9.2)

Posted on May 3, 2014 12:38 PM

Close

Q: MacBook Pro has been hacked. What next?

  • All replies
  • Helpful answers

first Previous Page 3 of 4 last Next
  • by MadMacs0,

    MadMacs0 MadMacs0 May 4, 2014 7:55 PM in response to duffy1987
    Level 5 (4,801 points)
    May 4, 2014 7:55 PM in response to duffy1987

    duffy1987 wrote:

     

    • the sleep disorder issue has returned this evening.  commanded to sleep, the screen goes black -- only to turn back on again (on its own, that is) about two minutes later.  when it first happened yesterday, the screen would go black for less than a second before 'waking up'.

    I think I mentioned Avast! issues before. Here's a link to mostly 2013 MBP owners reporting similar problems that went away once Avast! was completely uninstalled IAW the developer instructions. https://discussions.apple.com/thread/5520135.

  • by MadMacs0,

    MadMacs0 MadMacs0 May 4, 2014 10:31 PM in response to duffy1987
    Level 5 (4,801 points)
    May 4, 2014 10:31 PM in response to duffy1987

    Additionally, a colleague of mine blogged this article Determine the reason why your Mac wakes up that might help.

     

    And this article today How to put your Mac to sleep and keep it there, with troubleshooting half way down the page.

  • by duffy1987,

    duffy1987 duffy1987 May 5, 2014 5:57 AM in response to MadMacs0
    Level 1 (0 points)
    May 5, 2014 5:57 AM in response to MadMacs0

    given that i'm no longer convinced i need it, i have uninstalled avast! entirely.

     

    thanks for the terrific resource.  i ran the console program re. the sleep disorder, and these seem to be the pertinent entries when i attemted shutdown last night:

     

    May  5 00:15:19 Johns-MacBook-Pro kernel[0]: process plugin-container[1089] caught causing excessive wakeups. Observed wakeups rate (per sec): 329; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 1492410

    May  5 00:15:19 Johns-MacBook-Pro.local ReportCrash[1550]: Invoking spindump for pid=1089 wakeups_rate=329 duration=137 because of excessive wakeups

    May  5 00:15:20 Johns-MacBook-Pro.local spindump[1551]: Saved wakeups_resource.spin report for plugin-container version ??? (1.0) to /Library/Logs/DiagnosticReports/plugin-container_2014-05-05-001520_Johns-MacBoo k-Pro.wakeups_resource.spin

    May  5 00:15:20 Johns-MacBook-Pro.local spindump[1551]: Removing excessive log: file:///Library/Logs/DiagnosticReports/plugin-container_2014-04-27-210708_Johns -MacBook-Pro.wakeups_resource.spin

     

    upon powering up this morning, these are the pertinent entries:

     

    May  5 08:18:08 Johns-MacBook-Pro kernel[0]: process firefox[505] caught causing excessive wakeups. Observed wakeups rate (per sec): 207; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45013

    May  5 08:18:08 Johns-MacBook-Pro.local ReportCrash[627]: Invoking spindump for pid=505 wakeups_rate=207 duration=218 because of excessive wakeups

    May  5 08:18:10 Johns-MacBook-Pro.local spindump[629]: Saved wakeups_resource.spin report for firefox version 28.0 (2814.3.14) to /Library/Logs/DiagnosticReports/firefox_2014-05-05-081810_Johns-MacBook-Pro.wak eups_resource.spin

    May  5 08:18:10 Johns-MacBook-Pro.local spindump[629]: Removing excessive log: file:///Library/Logs/DiagnosticReports/firefox_2014-04-25-182144_Johns-MacBook- Pro.wakeups_resource.spin

     

    so, 'process plugin-container[1089]' and 'process firefox[505]' are identified as having been 'caught causing excessive wakeups'.  of course, i have no idea what to make of any of this.

     

    i will endeavour to read the second resource at some point today.

  • by duffy1987,

    duffy1987 duffy1987 May 5, 2014 6:02 AM in response to Linc Davis
    Level 1 (0 points)
    May 5, 2014 6:02 AM in response to Linc Davis

    i connected an external keyboard this morning and was able to type freely and easily -- the letter 'p' included -- with no replication of the problem whatsoever. 

  • by Linc Davis,

    Linc Davis Linc Davis May 5, 2014 6:33 AM in response to duffy1987
    Level 10 (208,037 points)
    Applications
    May 5, 2014 6:33 AM in response to duffy1987

    Have you stopped getting characters in the password field at login?

  • by duffy1987,

    duffy1987 duffy1987 May 5, 2014 10:42 AM in response to Linc Davis
    Level 1 (0 points)
    May 5, 2014 10:42 AM in response to Linc Davis

    sadly, no.  in fact, it's getting worse.

     

    the field is now being populated in every window requiring a password (e.g. wifi login at work, apple ID to enter this forum).  when i delete what is there, it stubbornly starts 'typing' letters in again.  then the woodpecker noise starts again, as if the character total has been exceeded but letters are still being entered (hope that makes sense).

     

    upon restart, i also received an error message from ClamXav for the first time.

     

  • by Linc Davis,

    Linc Davis Linc Davis May 5, 2014 11:15 AM in response to duffy1987
    Level 10 (208,037 points)
    Applications
    May 5, 2014 11:15 AM in response to duffy1987

    Back up all data to at least two different storage devices, if you haven't already done so. One backup is not enough to be safe. The backups can be made with Time Machine or with Disk Utility. Preferably both.

       

    Erase and install OS X. This operation will destroy all data on the startup volume, so you had be better be sure of the backups. If you upgraded from an older version of OS X, you'll need the Apple ID and password that you used, so make a note of those before you begin.

    When you restart, you'll be prompted to go through the initial setup process in Setup Assistant. That’s when you transfer the data from a backup.

    Select only users and Computer & Network Settings in the Setup Assistant dialog—not Applications or Other files and folders. Don't transfer the Guest account, if it was enabled.

    After that, run Software Update.

    If the problem is resolved after the clean installation, reinstall third-party software selectively. I can only suggest general guidelines. Self-contained applications that install into the Applications folder by drag-and-drop or download from the App Store are usually safe. Anything that comes packaged as an installer or that prompts for an administrator password is suspect, and you must test thoroughly after reinstalling each such item to make sure you haven't restored the problem.

    I strongly recommend that you never reinstall commercial "anti-virus" products or "utilities," nor any software that changes the user interface or modifies the functions of built-in applications. If you do that, the problem is likely to recur.

    Before installing any software, ask yourself the question: "Am I sure I know how to uninstall this without having to wipe the volume again?" If the answer is "no," stop.

    Never install any third-party software unless you know how to uninstall it.

  • by MadMacs0,

    MadMacs0 MadMacs0 May 5, 2014 11:27 AM in response to duffy1987
    Level 5 (4,801 points)
    May 5, 2014 11:27 AM in response to duffy1987

    duffy1987 wrote:

     

    upon restart, i also received an error message from ClamXav for the first time.

     

    Best to work this on the ClamXav Forum.

  • by duffy1987,

    duffy1987 duffy1987 May 5, 2014 11:29 AM in response to Linc Davis
    Level 1 (0 points)
    May 5, 2014 11:29 AM in response to Linc Davis

    yikes -- i was afraid that it might come to this.  i will erase and install OS X later this afternoon when home from work, and then report back.

     

    i will assuredly heed your advice regarding third-party applications, but have two questions (even if they are a moot point at this stage):

     

    1. do you believe that it is just such a third-party application that has caused the password issue?  if so, why now?

     

    2. might this also be responsible for the other issues i've described in this thread (i.e. the sleep disorder, the keyboard problem, inexlicable crashes such as Finder)?

  • by duffy1987,

    duffy1987 duffy1987 May 5, 2014 11:30 AM in response to MadMacs0
    Level 1 (0 points)
    May 5, 2014 11:30 AM in response to MadMacs0

    yes, of course -- sorry.  it just seems that i'm being hit with something new each time i turn the bloody thing on.

  • by Linc Davis,

    Linc Davis Linc Davis May 5, 2014 11:40 AM in response to duffy1987
    Level 10 (208,037 points)
    Applications
    May 5, 2014 11:40 AM in response to duffy1987

    I don't know. There's one way to find out.

  • by MadMacs0,

    MadMacs0 MadMacs0 May 5, 2014 11:57 AM in response to duffy1987
    Level 5 (4,801 points)
    May 5, 2014 11:57 AM in response to duffy1987

    duffy1987 wrote:

     

    sadly, no.  in fact, it's getting worse.

     

    the field is now being populated in every window requiring a password (e.g. wifi login at work, apple ID to enter this forum).  when i delete what is there, it stubbornly starts 'typing' letters in again.  then the woodpecker noise starts again, as if the character total has been exceeded but letters are still being entered (hope that makes sense).

    Might that still be caused by the apparently faulty built-in keyboard? I'm not familiar with that particular keyboard, but in the past it was fairly easy to remove and unplug the ones I had.

  • by duffy1987,

    duffy1987 duffy1987 May 5, 2014 7:05 PM in response to MadMacs0
    Level 1 (0 points)
    May 5, 2014 7:05 PM in response to MadMacs0

    MadMacs0 wrote:


    Might that still be caused by the apparently faulty built-in keyboard? I'm not familiar with that particular keyboard, but in the past it was fairly easy to remove and unplug the ones I had.

    i used a rather old dell keyboard, but it is like new. 

     

    the issue with the letter 'p' might suggest a malfunctioning built-in keyboard, i would think.  just the same, how odd that the same cursed letter now appears out of nowhere whilst typing any given sentence.  this all started the second after i first cut and paste it; it was the only way i could type it, but nopw all i'm left with is thisp. opr, now all i'm lpeft wipth is this.  there is no discernable pattern.

  • by MadMacs0,

    MadMacs0 MadMacs0 May 5, 2014 7:24 PM in response to duffy1987
    Level 5 (4,801 points)
    May 5, 2014 7:24 PM in response to duffy1987

    duffy1987 wrote:


    i used a rather old dell keyboard, but it is like new.

    Sorry, I wasn't clear. What I meant was that your MBP keyboard could still be causing issues. Since it's still plugged into the logic board, it could still be responsible for the autotyping of passwords, though I've never actually heard of that happending.

  • by duffy1987,

    duffy1987 duffy1987 May 6, 2014 9:11 AM in response to MadMacs0
    Level 1 (0 points)
    May 6, 2014 9:11 AM in response to MadMacs0

    yes, agreed.  makes sense.

first Previous Page 3 of 4 last Next