Unable to install OS, EFI password

A malicious hacker, acting remotely via Custom URL Scheme Windshift APT, has access to my newest MacBook Pro. The hack was quite sophisticated, as I had my firewall, virus protection and VPN by F-Secure turned on. Now I am trying to install the operating system again, but the password allowing access to the hard drive has been changed by the hacker.


What shall I do to be able to complete the reinstallation?


Janne J.


[Edited by Moderator]

Posted on Jun 7, 2021 5:45 PM

5 replies

Jun 8, 2021 11:40 AM in response to DeeperDiver

DeeperDiver wrote:

With your machine turned off, turn on your Mac while holding down Command-R.

FYI, Internet Recovery Mode (Command + Option + R) is the better choice since Recovery Mode will access the hidden local recovery partition on the boot drive which may already be compromised. Internet Recovery Mode will bypass the local recovery partition and boot directly from the Apple servers. Plus a PRAM Reset as suggested by @LatriciaP is a good idea to clear out any potentially unwanted NVRAM settings. Powering off the laptop for a minute and booting directly into Internet Recovery Mode is good.

Jun 8, 2021 10:44 AM in response to janne34

If you don't care about your data, or you have it backed up somewhere, then be sure and just reformat your drive and re-install macOS.


With your machine turned off, turn on your Mac while holding down Command-R. When you get the main panel, select "Disk Utility". Select the top-level storage device (usually a technical-sounding name, not "Macintosh HD") and click "Erase".


Get out of Disk Utility and re-install macOS from Internet Recovery.


Would be interesting to know what website you visited. Sounds like a very technical attack.


Good luck.



Jun 8, 2021 10:25 AM in response to janne34

To add to @LatriciaP's advice: in order to erase the whole physical drive, you may need to click "View" within Disk Utility and select "Show All Devices" so that the physical drive appears on the left pane of Disk Utility. The physical drive will usually have the make & model number of the physical drive, such as "Hitachi ....", or "Apple SSD ....", etc.


To access Internet Recovery Mode, you need to boot using Command + Option + R, which will bypass everything on the local drive.

https://support.apple.com/kb/HT204904


You do need to be careful restoring from backups since you want to make sure to restore from a time before you had these issues, otherwise the issue will be brought back from the backup and you will need to repeat the process again using an earlier backup.
