MBA5

Q: new and unknown user account - being hacked?

I have a MacBook Pro, on which I recently installed OS X El Capitan. A few minutes ago I had to force a shutdown as my MacBook did not respond to anything anymore. When I restarted it, I saw a new user account I had never created. Has my MacBook been hacked? How can I remove such an unknown account? I am worried, as at some stage I was asked to put in my password for iCloud and other Apple ID, which I didn't. Help would very much be appreciated!!!!! Thanks in advance.

MacBook Pro, OS X El Capitan (10.11.5)

Posted on May 31, 2016 12:04 PM


Page 4 of 4
  • by appreciate,

    appreciate (Level 4, 1,276 points, Mac OS X), Jun 2, 2016 12:23 PM in response to MBA5

    You might have duplicate fonts. To verify it:

    1. Open Font Book via Spotlight, go to the top menu bar, then choose Edit > Look for Enabled Duplicates.

    2. How to delete duplicate fonts:

        (a) Open Font Book.

        (b) Select all fonts using the keyboard shortcut Command + A.

        (c) Go to the top menu bar > File > click Validate Fonts.

        (d) It will take some time to validate all fonts.

               If fonts pass: green icon.

               If yellow icon: it is a warning; to resolve, check the box and remove them very carefully.

               If red icon: failed.

    Now go to Font Book preferences (you can use the keyboard shortcut Command + comma).

    The default install location must be: Users.

    Check the box "Resolve duplicates by moving to the Trash" and also check the box "Automatic font activation".

  • by etresoft,

    etresoft (Level 7, 29,380 points, Mac OS X), Jun 2, 2016 1:12 PM in response to stevejobsfan0123

    I think Wondershare is bait-ware. There is an awful lot of new Mac software whose only real purpose is delivery of an adware/malware payload.

  • by etresoft,

    etresoft (Level 7, 29,380 points, Mac OS X), Jun 2, 2016 1:18 PM in response to dialabrain

    Hello dialabrain,

    Most new adware these days uses some form of randomly-generated file names. The latest trick is to use really obscure words, but something that would still be valid when checked against a dictionary. This "TillodontialUpd.plist" file is still relatively old-school and polite. They are still using the "Upd" suffix that makes it easily recognizable. EtreCheck finds it based on this pattern. Just in the past week, all **** has broken loose on the Mac malware front. I'm not even calling this software adware anymore because it actively fights uninstallation attempts.

  • by dialabrain,

    dialabrain (Level 5, 6,697 points, Mac App Store), Jun 2, 2016 1:40 PM in response to etresoft

    I was just surprised "TillodontialUpd.plist" didn't show up in a search. Of course it doesn't show up in a Google site search of ASC so maybe I shouldn't be. After all, I can see it in this thread.

  • by babowa,

    babowa (Level 7, 32,259 points, iPad), Jun 2, 2016 2:40 PM in response to etresoft

    Taking this OT for a moment: can your latest Etrecheck run on a Snow Leopard install? (my friend wants to run it, but is still running SL) - thanks.

  • by macjack,

    macjack (Level 9, 55,709 points, Mac OS X), Jun 2, 2016 2:47 PM in response to babowa


    babowa wrote:

        Taking this OT for a moment: can your latest Etrecheck run on a Snow Leopard install? (my friend wants to run it, but is still running SL) - thanks.

    https://etrecheck.com/#about

    Yes

  • by babowa,

    babowa (Level 7, 32,259 points, iPad), Jun 2, 2016 2:52 PM in response to macjack

    Thanks!

  • by thomas_r.,

    thomas_r. (Level 7, 30,944 points, Mac OS X), Jun 3, 2016 5:12 AM in response to MBA5

    MBA5 wrote:

        I downloaded the anti-malware and ran it. The latest EtreCheck still shows TillodontiaUpd.plist as loaded. Don't know if I need to do something.

    That is part of the malware (VSearch) that is installed. Malwarebytes Anti-Malware for Mac should delete that at this point. You may have to run it twice, with a restart of your computer between scans, to get rid of it entirely. Alternately, you can try deleting it manually. However, some variants of VSearch will re-create that launch daemon file if it is deleted. In order to ensure it stays gone, you will also need to find a TillodontiaUpd folder in the Library folder (the one at the root of your hard drive, in the same place as the Applications and System folders) and delete that. Then restart. If the TillodontiaUpd.plist file comes back after the restart, delete it again. It shouldn't come back after that, because you trashed the executable that was replacing the file.

     

    In addition, this particular malware may create one or more hidden users on your computer. Run the following command in the Terminal:

     

    dscl . -list /Users UniqueID | grep 401

     

    (Note that you should be cautious about pasting commands into the Terminal. If someone were to figure out a way to hack this site, they could cause a malicious command to replace the command that you thought you copied, and you'd end up with a malicious command auto-executing in the Terminal. What I recommend is to copy that command, then choose Show Clipboard from the Edit menu in the Finder to review what was copied. If it looks the same, it's okay to paste.)

     

    The output of that command should be something like this:

     

    dynast                  401

     

    This shows the username and the user ID. There may be multiple hidden usernames mapped to ID 401. All of them were probably created by VSearch.

     

    To delete these hidden users, enter the following command in the Terminal, making sure to replace "dynast" with a name that you found using the previous command:

     

    sudo dscl . -delete /Users/dynast

     

    Repeat this process for each user having an ID of 401.

     

    In addition, there will be a user folder of the same name in a hidden folder. In the Finder, choose Go to Folder from the Go menu. In the window that opens, paste the following path:

     

    /private/var/

     

    Then click the Go button. Any folder having the same name as one of the users you just deleted can be moved to the trash.
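
The following shell script is an added example; it is not part of thomas_r.'s answer, the thread, EtreCheck or Malwarebytes. It reads the output format of "dscl . -list /Users UniqueID" on standard input and selects the accounts whose UID field is exactly the one asked for, instead of "grep 401", which would also match UIDs such as 1401 and any account name containing those digits. The sample dscl output inside the script is constructed; the account names dynast and tulip are placeholders standing in for accounts created by VSearch, and user4011 is there only to show why the exact match matters. The plan_removal function prints the deletion and inspection commands from the answer above for review and does not execute anything.

```shell
#!/bin/sh
# Added example, not code from the thread. Filters the output of
#   dscl . -list /Users UniqueID
# by an exact UID match. "grep 401" would also match UIDs such as 1401 or
# 4010 and any account name containing "401", so the UID field is compared
# as a whole instead.

# Constructed sample of what "dscl . -list /Users UniqueID" prints on a Mac
# (account name, whitespace, UID). The two 401 entries stand in for accounts
# created by VSearch; user4011 with UID 1401 shows why exact matching matters.
SAMPLE_DSCL_OUTPUT='_spotlight              89
daemon                  1
dynast                  401
nobody                  -2
root                    0
tulip                   401
user4011                1401'

# find_uid_users UID: read dscl-style lines on stdin and print the account
# names whose UID field equals UID exactly.
find_uid_users() {
    awk -v want="$1" 'NF >= 2 && $2 == want { print $1 }'
}

# plan_removal UID: read dscl-style lines on stdin and print, for review, the
# commands thomas_r.'s answer gives for each matching account: delete the
# Directory Services record and inspect the home folder under /private/var.
# Nothing is executed here; the output is meant to be read before running.
plan_removal() {
    find_uid_users "$1" | while IFS= read -r name; do
        printf 'sudo dscl . -delete /Users/%s\n' "$name"
        printf 'ls -ld /private/var/%s\n' "$name"
    done
}

# Stand-alone demo on the constructed sample: prints the four review lines
# for dynast and tulip and nothing for user4011.
demo() {
    printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | plan_removal 401
}
demo
```

On an actual Mac, after loading the functions with ". ./script.sh", the real listing is piped in the same way: dscl . -list /Users UniqueID | find_uid_users 401. Review the printed commands against the account list before running any of them, since the thread notes that some VSearch variants recreate what is deleted until the executable in /Library is removed as well.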

  • by MBA5, Solved answer

    MBA5 (Level 1, 8 points, Notebooks), Jun 3, 2016 7:10 AM in response to Linc Davis

    Thanks for the tip! In the meantime, I could remove the extra users.
