Do I have spyware?

Hey, I followed some terminal commands because my MacBook has acted weird. I can't find the "KeyboardServices" folder or the "LanguageModeling" folder. I've censored my name by the way :) What do you think?



MacBook Pro 13”, macOS 10.14

Posted on Apr 12, 2020 8:36 AM

Question marked as Top-ranking reply

Posted on Apr 13, 2020 10:16 AM

bash-3.2# dscl . list /Users | grep -v '^_'

...
hiddenuser
...


is hiddenuser in fact hidden in System Preferences > Users & Groups? Names themselves don't mean anything, but if hiddenuser does not appear in Users & Groups it's more than suspicious.


daemon
nobody
root


... are present by default. Nothing other than those and authorized User Accounts should appear. I am assuming you substituted myusername for your actual user name, whatever that is. Don't reveal it here.


I can't reveal personal details, but there is a fair chance someone has done a thorough job to access my data.


If that's the case then your data are in the wind and there's no undoing that fact. There is no point in continuing to use that Mac, including using it to find out who's accessing it. Turn it off, unplug it, etc. Do not use it. Place it in the hands of an expert.


Having said that, whatever means someone used to access it (and in all likelihood, everything else you use) is another story altogether. Unless and until that breach is determined and rectified the problem is likely to occur again, even if you were to completely erase and reconfigure that Mac.


MrHoffman wrote:
Change all passwords, change the passwords in the password-recovery paths, social media passwords, check your trusted telephone numbers, revoke any unrecognized app approvals, enable two-factor authentication, etc.

Check the other devices and the other connected hardware on your desk and on your local network for compromises, particularly your router and your network-connected printers, and upgrade all of that to current firmware, and seriously consider resetting and reconfiguring the router.


👍


And don't use that Mac to do that.
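
Added example, not part of the reply above or any poster's code: a shell function that applies the check the reply describes to a saved `dscl . -list /Users UniqueID` listing, skipping `_` service accounts and the defaults daemon, nobody and root, and flagging every other account that is not on an allow-list. The sample listing, the `audit_users` name and the `AUTHORIZED` variable are constructed for illustration; the UID-below-500 tag reflects the assumption that macOS does not normally show such accounts in the login window.

```shell
#!/bin/sh
# Audit a listing of local macOS accounts.
# Input format: output of `dscl . -list /Users UniqueID` (name, whitespace, UID).

# Constructed sample listing (not taken from the thread).
SAMPLE_LISTING='_spotlight               89
_www                    70
daemon                  1
nobody                  -2
root                    0
myusername              501
hiddenuser              499'

# audit_users LISTING AUTHORIZED
# Prints one line per account that is neither a default account nor in the
# space-separated AUTHORIZED list:
#   "unexpected <name> <uid>"  UID 500 or above
#   "low-uid <name> <uid>"     UID below 500 (assumed not shown in the GUI)
audit_users() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN {
            n = split("daemon nobody root " allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF < 2 || $1 ~ /^_/ { next }      # same filter as grep -v "^_"
        ($1 in ok) { next }               # default or authorized account
        { tag = ($2 + 0 < 500) ? "low-uid" : "unexpected"
          print tag, $1, $2 }'
}

# On macOS: audit the live listing and show each flagged account's IsHidden
# attribute. Elsewhere: run against the constructed sample.
if command -v dscl >/dev/null 2>&1; then
    audit_users "$(dscl . -list /Users UniqueID)" "${AUTHORIZED:-}" |
    while read -r tag name uid; do
        hidden=$(dscl . -read "/Users/$name" IsHidden 2>/dev/null || true)
        echo "$tag $name uid=$uid ${hidden:-IsHidden: not set}"
    done
else
    audit_users "$SAMPLE_LISTING" "myusername"
fi
```

Because the function works on text, the listing can be captured once and reviewed on a different machine.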


20 replies
Apr 13, 2020 8:20 AM in response to Julias95

You are using the Mac App Store version of EtreCheck. If you want to enable Full Drive Access, you must do it from inside EtreCheck itself. Go to the "EtreCheck" menu and choose "Preferences". Then go to the "Privacy" tab and click on "Allow access to the startup drive". Apple is very sensitive about Full Drive Access so I can't tell anyone how to use it in the Mac App Store or give them any help there. Such is life in the Mac App Store.


However, EtreCheck's Full Drive Access is more useful when debugging things like crashing apps or other performance problems. I don't need it to see that your machine doesn't have any spyware.


You do have some performance problems. Again, the Mac App Store version of EtreCheck can't directly see processes owned by root. You can review your CPU usage in Activity Monitor. I suspect it is related to running Console. Console alone will bring your machine to its knees.


My official suggestion is to take another look at Grant Bennet-Alder's response and provide more detail about what it means to "act weird". As far as I can tell, the only problems on your machine are a direct result of your diagnostic efforts.


Apr 12, 2020 2:37 PM in response to Julias95

Those terminal commands you are running are wrong and obsolete.


I wrote a little diagnostic program to help show what software is running on your machine. Download EtreCheck from https://www.etrecheck.com and run it. Create a new reply and use the "Notes" tool below to add your EtreCheck report. Using the link above, you can download EtreCheck from the Mac App Store or download EtreCheckPro directly.


Most of what you describe sounds normal, or at least just ordinary problems. Modern machines have a hardware lock on the camera. It won't turn on without the light.


Disclaimer: EtreCheck is my own app. EtreCheck is free to use but has in-app purchases available. Downloading EtreCheck or using it could give me some form of compensation, financial or otherwise.

Apr 13, 2020 10:38 AM in response to Julias95

Posting this data is interesting and all, and figuring out what actually happened takes a substantial investment of time and effort in digging around and with direct and fast access to the system, but all that digging doesn’t change the remediation for a breach. I’ve spent days digging into a breach to try to find backdoors left in a system that had no backups, and that involved direct access, and a whole lot of rummaging. And the results were without complete certainty. Though I did find the means of entrance there. Seeing snapshots of various logs and data and details is akin to strobes firing in a discotheque. Not easy to follow any threads around. Not directed. Here? Nuke. Pave. Passwords. Two-factor. Updates/upgrades. Etc. Maybe pay for somebody to dig through the carcass for you, as a parallel project.


Apr 12, 2020 1:10 PM in response to Julias95

If your primary focus is to stop somebody filming you, put a post-it note over your webcam. Done.


Unless you have allowed a hostile third-party to have physical access to your computer, or you are a world-class activist, you are extremely unlikely to have spyware.


You seem to be having issues with mystery devices appearing on your Network.

You seem to be having problems with dark wake.

Something about M.A.C. numbers.

Some sort of trouble with Wi-Fi.

Word documents that give you error messages.

Photo Booth problems.


None of those suggests to me that you have spyware or other Malware.


If you would like to address some of your concerns, Readers here (none of whom work for Apple) would be happy to help you, but you must break your problem statement into readable pieces.


I have limited vision, so your single-paragraph rant above is unreadable as written. No white space means I lose track of my reading position, and cannot make it all the way through. This forum medium lends itself to deep dives on specific issues rather than wide broadsides at many things at once.


Apr 13, 2020 6:29 AM in response to Julias95

Only thing that might be odd is the remote desktop host app, maybe Wireshark, and you may well have installed those. Wireshark is a little unusual for most folks. Handy for some tasks, yes.


If there’s any dreck here, it’s either well dug in, or the problems getting full drive access are hiding it. Or it’s external.


What indicators exist here that cause you to suspect dreck?


If you do suspect a compromise, wipe, migrate docs and settings and not apps, change all passwords, enable two-factor, and check for any evidence (tool marks, odd cables, etc) of physical compromise, etc.

Apr 13, 2020 8:53 AM in response to Julias95

Post only text or link only to text, please.


PDF has code-execution capabilities and has had the occasional exploit, and I’m not presently inclined to use a network-isolated guest or a text-extraction tool to read what should be text.


If there’s sketchy stuff here, wipe and re-install.


Documents and preferences are usually safe to copy over into the new environment, with apps re-downloaded from known-good sources.


Change all passwords, change the passwords in the password-recovery paths, social media passwords, check your trusted telephone numbers, revoke any unrecognized app approvals, enable two-factor authentication, etc.


Check the other devices and the other connected hardware on your desk and on your local network for compromises, particularly your router and your network-connected printers, and upgrade all of that to current firmware, and seriously consider resetting and reconfiguring the router.


Get extra backups going, preferably with a rotating subset of these disconnected except during use. I’d also be seriously tempted to do a 64-bit app review and upgrade to Catalina, as Apple has further hardened that.

Apr 12, 2020 10:22 AM in response to Grant Bennet-Alder

Bad day, huh?


There is a "remote disk" and an unknown hard drive I can't remove or access at all - for starters. My Mac always turns itself on all by itself 1 minute after shut down. The system log shows that it is programmed to force a dark wake within 60 seconds no matter what. There is an unknown device on my router. I often get random push notifications with a verification code I haven't asked for. My Bluetooth is running even when it looks turned off. Console shows me that it is even connected to a device that has a private MAC number (according to macvendors.com). The same with Wi-Fi. I often get kicked out of my own Word documents while working, because "it is currently edited by another user". And sometimes when I open Photo Booth, the camera is disabled because it is currently in use by some other software.


It has been going on for months. I've factory reset my mac numerous times, created a new Apple-ID, bought a new phone. I am not a paranoid and dumb girl looking to waste your time. I'm more focused on stopping some guy filming me naked.


[Edited by Moderator]
