
Q: new and unknown user account - being hacked?

I have a MacBook Pro, on which I recently installed OS X El Capitan. A few minutes ago I had to force a shut down as my MacBook did not respond to anything anymore. When I restarted it, I saw a new user account I have never created. Has my MacBook been hacked? How can I remove such an unknown account? I am worried as at some stage I was asked to put in my password for iCloud and other Apple ID - which I didn't. Help would very much be appreciated!!!!! Thanks in advance.

MacBook Pro, OS X El Capitan (10.11.5)

Posted on May 31, 2016 12:04 PM
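An added example (mine, not code from any post in this thread) of the first check the question calls for: list every local account and flag the ones the owner did not create. macOS creates ordinary accounts with UIDs from 501 upward and hides accounts with UIDs below 500 from the login window, so the login window is not a complete inventory; `dscl . -list /Users UniqueID` is. The function parses that command's output format; the sample output and account names below are constructed, and the UID conventions it relies on are stated in the comments.

```python
"""Flag local macOS accounts that the owner does not recognise.

Parses the output of `dscl . -list /Users UniqueID` (one "name  uid" pair
per line). The sample below is constructed, not taken from a real machine.
"""
import re

# macOS assigns regular user accounts UIDs starting at 501. UIDs below 500
# are system accounts, which by convention are named with a leading
# underscore; root, daemon and nobody are the long-standing exceptions.
FIRST_USER_UID = 500
SYSTEM_ACCOUNT_EXCEPTIONS = {"root", "daemon", "nobody"}

# Constructed sample of `dscl . -list /Users UniqueID` output.
SAMPLE_DSCL_OUTPUT = """\
_spotlight          89
_windowserver       88
daemon               1
nobody              -2
root                 0
alice              501
sharingacct        502
"""


def parse_dscl_uid_listing(text: str) -> dict:
    """Return {account_name: uid} from `dscl . -list /Users UniqueID` output."""
    accounts = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(-?\d+)\s*$", line)
        if m:
            accounts[m.group(1)] = int(m.group(2))
    return accounts


def unexpected_accounts(text: str, expected_users: set) -> list:
    """Return (name, uid, reason) for accounts that need an explanation.

    expected_users is the set of regular accounts the owner knowingly created.
    """
    findings = []
    for name, uid in sorted(parse_dscl_uid_listing(text).items(), key=lambda kv: kv[1]):
        if uid > FIRST_USER_UID:
            # A regular account the owner did not create is the case in this thread.
            if name not in expected_users:
                findings.append((name, uid, "regular account not in the expected set"))
        elif not name.startswith("_") and name not in SYSTEM_ACCOUNT_EXCEPTIONS:
            # A low UID with a non-underscore name is hidden from the login
            # window yet is not one of the system accounts macOS ships with.
            findings.append((name, uid, "system-range UID with a non-system name"))
    return findings


if __name__ == "__main__":
    for name, uid, reason in unexpected_accounts(SAMPLE_DSCL_OUTPUT, {"alice"}):
        print(f"{name} (uid {uid}): {reason}")
```

On a real machine, pipe the command's output into `unexpected_accounts` and put only the accounts you created in the expected set; anything else gets read with `dscl . -read /Users/<name>` before it is deleted.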

Page 3 of 4
  • by etresoft, Level 7 (29,380 points), Mac OS X
    Jun 1, 2016 8:41 AM in response to thomas_r.

    I'm not so sure. I know that MalwareBytes easily gets confused if you do anything to its helper script. I haven't tried removing the entire folder, of course. But given how easy it is to make MBAM non-functional, even when I don't want that, this new crop of ad/mal-ware may just be turning MBAM off at its leisure.

  • by thomas_r., Level 7 (30,944 points), Mac OS X
    Jun 1, 2016 9:16 AM in response to etresoft

    Malwarebytes Anti-Malware for Mac cannot remove anything that requires administrative permissions without its helper tool. Other than that, the absence of the helper tool really doesn't make any difference. Further, the LaunchAgents folder's absence would have no effect whatsoever on the helper tool.

     

    I've seen and tested variants of this malware - it is not actually a zero-day, as has been claimed, it's just a slightly-varied naming strategy - and there is no sign whatsoever that it is "turning MBAM off at its leisure."

  • by etresoft, Level 7 (29,380 points), Mac OS X
    Jun 1, 2016 10:32 AM in response to thomas_r.

    But my point is that it is trivially easy to confuse MBAM to the point that it can't delete anything, even if the helper tool is correctly installed. Once that happens, MBAM cannot even be reinstalled. If I can do it, then some malware with root privileges can do it too.

     

    I don't know what happens to the system when an expected directory like that is gone. It seems to print error messages at least. But there is no way to tell what other system software is going to be impacted or how that would affect 3rd party software that depends on proper operation of said system software.

     

    I think it would be a good idea to stop worrying about whatever it might or might not be doing at the present time and start to think about what it is going to do. I always knew EtreCheck was pretty limited regarding its approach to adware. It depends in large part on adware vendors being somewhat honest. Until now, they have been. They seem to be learning OS X and adopting malware behaviour faster than I anticipated. I just don't have the time to handle issues like this. This is Apple's job. They have many full-time engineers who are supposed to handle these issues, but aren't. The same is true for 3rd party anti-malware software. EtreCheck clearly shows malware installed right next to anti-malware. When that happens, especially if the malware isn't zero-day, then the anti-malware isn't working. I plan to update EtreCheck to do a better job of removing this new aggressive adware, but it will take me a few weeks just to get the time to look at it. Until then, Mac users appear to be defenceless.

  • by MBA5, Level 1 (8 points), Notebooks
    Jun 1, 2016 10:31 PM in response to Linc Davis

    Hi, I finally could do the steps above. I am currently traveling and had to buy an external storage disk for the backup (which took hours). I still could not remove the cucoline user, but the other one has disappeared. It also seems that I have to reinstall Office for Mac, and I am still not able to access photos; iPhoto has disappeared. Is this due to the new El Capitan version? I will also download the anti-malware to prevent future problems. Thank you very much for your continuous help!

  • by MBA5, Level 1 (8 points), Notebooks
    Jun 1, 2016 10:53 PM in response to etresoft

    I downloaded the anti-malware and ran it. The latest EtreCheck still shows TillodontiaUpd.plist as loaded. Don't know if I need to do something.

  • by Barney-15E, Level 9 (50,774 points), Mac OS X
    Jun 2, 2016 4:31 AM in response to MBA5

    Is this due to the new El Capitan Version?

    iPhoto is no longer part of the OS as of 10.10.3. It doesn't remove iPhoto, but it also doesn't install it. If it is in your Purchases list in the App Store, you can install it, again.

  • by dialabrain, Level 5 (6,697 points), Mac App Store
    Jun 2, 2016 4:38 AM in response to MBA5

    MBA5 wrote:

     

    I downloaded the anti-malware and ran it. The latest EtreCheck still shows TillodontiaUpd.plist as loaded. Don't know if I need to do something.

    Are you sure about the file name "TillodontiaUpd.plist"? A Google search comes up with zero results.

  • by Esquared, Level 6 (8,518 points), Mac OS X
    Jun 2, 2016 4:48 AM in response to dialabrain

    dialabrain wrote:

    Are you sure about the file name "TillodontiaUpd.plist"? A Google search comes up with zero results.

     

    The Etrecheck report has been posted earlier in this topic, so you can check for yourself.

  • by dialabrain, Level 5 (6,697 points), Mac App Store
    Jun 2, 2016 4:49 AM in response to Esquared

    Yes, I saw it. I meant why is it there?

  • by dialabrain, Level 5 (6,697 points), Mac App Store
    Jun 2, 2016 5:13 AM in response to Esquared

    Esquared wrote:

     

    The Etrecheck report has been posted earlier in this topic, so you can check for yourself.

    Just to add, I also checked Bing and DuckDuckGo with no results. With and without the .plist extension. I just found it odd nothing can find it.

  • by Linc Davis, Level 10 (208,037 points), Applications
    Jun 2, 2016 7:16 AM in response to MBA5

    Please enter the command below as before and post the output from the Clipboard:

    launchctl print system/TillodontiaUpd.plist | pbcopy

    Then start up in safe mode and try again to delete the extra user.

    I will also download the anti-malware to prevent future problems.

    Your comment is addressed to me. I didn't suggest that. I suggested the opposite. This whole episode is proof of the fact that "anti-malware" does not and cannot protect you or rescue you from malware attacks.
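To look at the flagged job itself rather than only its name, here is an added example (mine, not code from this thread or from EtreCheck) that reads a launchd property list with Python's plistlib and reports the properties that matter for triage: where the program lives, whether launchd will keep it alive, and whether it runs on a timer. Two caveats a practitioner needs: `launchctl print` takes a service target built from the plist's Label key, which need not equal the file name, and jobs from a LaunchAgents folder live in the logged-in user's gui/<uid> domain rather than system/, so the function derives the target from the file's location. The sample plist, its label, program path, arguments and location are all constructed.

```python
"""Triage a launchd job's property list.

The sample plist is constructed; nothing in it comes from the poster's
EtreCheck report.
"""
import plistlib

# A program under one of these prefixes can be replaced by any process
# running as the user, with no password prompt.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

# Constructed sample; label, program path and arguments are invented.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>ExampleUpd</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/example/Library/Application Support/ExampleUpd/ExampleUpd</string>
    <string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""
SAMPLE_PATH = "/Users/example/Library/LaunchAgents/ExampleUpd.plist"


def launchctl_target(label: str, plist_path: str, uid: int = 501) -> str:
    """Service target for `launchctl print <target>`.

    Daemons (/Library/LaunchDaemons, /System/Library/LaunchDaemons) run in
    the system domain; agents run in the logged-in user's gui/<uid> domain.
    """
    if plist_path.startswith(("/Library/LaunchDaemons/", "/System/Library/LaunchDaemons/")):
        return f"system/{label}"
    return f"gui/{uid}/{label}"


def triage_launchd_plist(data: bytes, plist_path: str, uid: int = 501) -> dict:
    """Summarise a launchd job and list the properties that matter for triage."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or []
    # Program takes precedence; otherwise the first ProgramArguments entry is the executable.
    program = job.get("Program") or (args[0] if args else "")
    findings = []
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program is in a user-writable location: {program}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts when loaded (login for agents, boot for daemons) "
                        "and is restarted whenever it exits")
    if "StartInterval" in job or "StartCalendarInterval" in job:
        findings.append("runs on a timer, so it keeps executing without user action")
    return {
        "label": label,
        "program": program,
        "arguments": args[1:],
        "target": launchctl_target(label, plist_path, uid),
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_launchd_plist(SAMPLE_PLIST, SAMPLE_PATH)
    print(f"{report['label']}: launchctl print {report['target']}")
    for finding in report["findings"]:
        print("  -", finding)
```

Read the file with `open(path, "rb").read()` and pass its real path; the returned target is what to give `launchctl print` (uid 501 is the usual first account and is an assumption here).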

  • by appreciate, Level 4 (1,276 points), Mac OS X
    Jun 2, 2016 7:50 AM in response to MBA5

    malware can be:

    1. /usr/lib/libgenkit.dylib
    2. /usr/lib/libgenkitsa.dylib
    3. /usr/lib/libimckit.dylib
    4. /usr/lib/libimckitsa.dylib

    As gone through your test report: # 370 /system/library/frameworks/Mislayer.framework/versions/A/libraries/libloader.dylib and also 371, 372, 373 are doubtful.

    # 159 com.vsearch.helper  this is to be removed.

  • by babowa, Level 7 (32,259 points), iPad
    Jun 2, 2016 9:43 AM in response to etresoft

    For any of the knowledgeable contributors:

     

    I noticed the OP has Wondershare installed - could that have something to do with suddenly showing a new user if OP has sharing enabled?

  • by stevejobsfan0123, Level 8 (43,997 points), iPhone
    Jun 2, 2016 9:49 AM in response to babowa

    Wondershare is the developer name, as opposed to a program. They make mobile device data recovery software, and video editor programs, it seems.

  • by babowa, Level 7 (32,259 points), iPad
    Jun 2, 2016 9:57 AM in response to stevejobsfan0123

    Thanks, I know - here is a partial list of what's listed in the report:

        Wondershare Helper Compact    Application  (~/Library/Application Support/Helper/Wondershare Helper Compact.app)
        CrossOver CD Helper    Application  (~/Applications/CrossOver-3.app/Contents/Resources/CrossOver CD Helper.app)
        Wunderlist    Application  (/Applications/Wunderlist.app)

    Other Apps:
        [running]    QA2G25RMZ4.com.wunderkinder.wunderlist-helper
        [loaded]    TillodontiaUpd.plist
        [running]    com.codeweavers.CrossOverCDHelper.18592
        [running]    com.wondershare.helper_compact.17952
        [loaded]    com.wunderkinder.wunderlistdesktop.66272

    So there seems to be something running.
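What makes the entry stand out in that excerpt is its name: every vendor entry uses a reverse-DNS label (com.wondershare..., com.codeweavers...), and the odd one is a bare word with a .plist suffix, which is a file name rather than a launchd label. An added parser (mine, not EtreCheck's code) for the "Other Apps" listing that applies exactly that check, so the same filter can be run over a full report. The sample is the excerpt quoted above; the heuristic (fewer than two dots after stripping a trailing numeric suffix, or a .plist suffix) is an assumption spelled out in the comments.

```python
"""Parse EtreCheck's "Other Apps" launchd listing and flag odd labels.

Sample text is the excerpt quoted in this thread; the heuristics are
assumptions, not EtreCheck's own rules.
"""
import re

SAMPLE_OTHER_APPS = """\
Other Apps:
    [running]    QA2G25RMZ4.com.wunderkinder.wunderlist-helper
    [loaded]    TillodontiaUpd.plist
    [running]    com.codeweavers.CrossOverCDHelper.18592
    [running]    com.wondershare.helper_compact.17952
    [loaded]    com.wunderkinder.wunderlistdesktop.66272
"""

# One listing line: "[status]    label". Statuses seen in reports include
# running, loaded, not loaded and failed; anything in brackets is accepted.
ENTRY_RE = re.compile(r"^\s*\[([^\]]+)\]\s+(\S+)\s*$")
# A trailing ".<digits>" (as in .18592 above) is a numeric suffix on the
# label, not part of the vendor name; it is stripped before counting dots.
NUMERIC_SUFFIX_RE = re.compile(r"\.\d+$")


def parse_other_apps(text: str) -> list:
    """Return [(status, label), ...] for every launchd entry in the listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def label_issues(label: str) -> list:
    """Heuristic reasons a launchd label looks unlike a vendor's.

    Vendors use reverse-DNS labels (com.vendor.product, optionally with a
    team-ID prefix); a label with fewer than two dots, or one that is really
    a file name ending in .plist, deserves a closer look.
    """
    issues = []
    core = label
    if label.endswith(".plist"):
        issues.append("label carries a .plist suffix (a file name, not a reverse-DNS label)")
        core = label[:-len(".plist")]
    core = NUMERIC_SUFFIX_RE.sub("", core)
    if core.count(".") < 2:
        issues.append("label is not reverse-DNS (fewer than two dots)")
    return issues


def suspicious_entries(text: str) -> list:
    """Return [(label, status, reasons), ...] for entries worth investigating."""
    results = []
    for status, label in parse_other_apps(text):
        reasons = label_issues(label)
        if reasons:
            results.append((label, status, reasons))
    return results


if __name__ == "__main__":
    for label, status, reasons in suspicious_entries(SAMPLE_OTHER_APPS):
        print(f"[{status}] {label}")
        for reason in reasons:
            print("   -", reason)
```

A label that trips both checks still needs the file found and read (the LaunchAgents and LaunchDaemons folders under ~/Library, /Library and /System/Library are where launchd loads from) before anything is removed; the heuristic only says where to look first.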
