How do I know if my MacBook Air was compromised prior to Monterey 12.5.1 software update

My MacBook Air was playing odd music and doing other strange things last night, including the desktop picture changing, which is another question I posted earlier. OS was Monterey 12.5. When I checked for updates it said none were available, but 12.5.1 was out there. I reinstalled the OS overnight and this AM Monterey 12.5.1 is what the OS is, but my computer is still doing odd things: if I restart it, Messages and Safari windows both come up even though they are not selected to open on startup in options. Avast says no issues found but I'm not thrilled with Avast. How can I tell if I'm really affected and how would I fix it?

MacBook Air

Posted on Aug 21, 2022 6:48 AM

33 replies

Aug 21, 2022 11:38 AM in response to jeffreythefrog

Thanks, I will try and sort it out. I find that the Apple instructions are never quite clear enough.


The article you referenced makes it look like I have to manually choose what I want to save, as opposed to doing it from a Time Machine backup as this article implies I can:

  • Time Machine System Restore: Restore your data from a Time Machine backup. In the Recovery app, select Restore From Time Machine, then click Continue. To return to the Recovery app, choose Time Machine System Restore > Quit Time Machine System Restore. See Use Time Machine to restore your system.




Aug 21, 2022 7:09 AM in response to BillMort4198

I 100% agree with Barney-15E. first, uninstall avast.


if after that, you are still having the same issue, i'm thinking you should download and run the free version of EtreCheck so we can see if you have some software installed that is causing your issue. make sure you give "full disk access" to etrecheck. read how to use it by reading Using EtreCheck. if you need help interpreting the report, you can see how to post the report here by reading How to use the Add Text Feature When Posting Large Amounts of Text, i.e. an Etrecheck Report. and it automatically obscures sensitive things (like serial numbers) so you don't have to worry about sharing the report here.

Aug 22, 2022 2:23 AM in response to BillMort4198

From the EtreCheck report there is some very weird drive structure, which appears to be some aborted or failed updates and bears some serious attention to put right.


Have seen this before in another question here, and the drive structure looks somewhat similar:


M1Pro MacBook Pro upgraded to Monterey 12… - Apple Community


Drives:

disk0 - APPLE SSD AP0512Q 500.28 GB (Solid State - TRIM: Yes)

Internal Apple Fabric NVM Express

disk0s1 [APFS Container] 524 MB

disk1 [APFS Virtual drive] 524 MB (Shared by 4 volumes)

disk1s1 - iSCPreboot (APFS) [APFS Preboot] (8 MB used)

disk1s2 - xART (APFS) (6 MB used)

disk1s3 - Hardware (APFS) (651 KB used)

disk1s4 - Recovery (APFS) [Recovery] (20 KB used)

disk0s2 [APFS Container] 494.38 GB

disk3 [APFS Virtual drive] 494.38 GB (Shared by 6 volumes)

disk3s1 (APFS) [APFS Container] (15.42 GB used)

disk3s1s1 - Macintosh HD (APFS) [APFS Snapshot] (15.42 GB used)

disk3s2 - Preboot (APFS) [APFS Preboot] (994 MB used)

disk3s3 - Recovery (APFS) [Recovery] (820 MB used)

disk3s4 - Update (APFS) (23 MB used)

disk3s5 - Data (APFS) [APFS Virtual drive] (371.59 GB used)

disk3s6 - VM (APFS) [APFS VM] (25 KB used)

disk0s3 [APFS Container] 5.37 GB

disk2 [APFS Virtual drive] 5.37 GB (Shared by 2 volumes)

disk2s1 - Recovery (APFS) [Recovery] (1.70 GB used)

disk2s2 - Update (APFS) (651 KB used)


Aug 21, 2022 11:28 AM in response to BillMort4198

The Finder, i.e. Spotlight, is limited as to where it can search. See the Note below.


Download and run the shareware app Find Any File to search for any files with the application's or the developer's name in the file name. For CleanMyMac software you'd do the following search(es):


1 - Name contains cleanmymac

2 - Name contains macpaw


Any files that are found can be dragged from the search results window to the Desktop or Trash bin in the Dock for deletion.


NOTE: FAF can search areas that Spotlight can't, like invisible folders, system folders and packages.
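
The same two name searches can be run from Terminal. The script below is an added example, not part of the original reply and not Find Any File's own code; the function names, the autostart/leftover labels and the sample tree are assumptions made for illustration, while the two search terms come from the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): name search that also covers hidden
# folders and package contents, the areas Spotlight skips.

# find_by_name TERM ROOT...
# Prints "<class><TAB><path>" for each entry whose name contains TERM
# (case-insensitive). A matching folder is reported once and not descended into.
find_by_name() (
    term=$1; shift
    for root in "$@"; do
        [ -d "$root" ] || continue              # skip roots that do not exist
        find "$root" -iname "*${term}*" -print -prune 2>/dev/null || :
    done | while IFS= read -r path; do
        case $path in
            # launchd job definitions and privileged helpers load automatically
            */LaunchAgents/*|*/LaunchDaemons/*|*/PrivilegedHelperTools/*)
                class=autostart ;;
            *)  class=leftover ;;
        esac
        printf '%s\t%s\n' "$class" "$path"
    done
)

# Constructed sample tree (file names are made up) so the script can be
# tried without touching real files. Prints the tree's location.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/Library/LaunchDaemons" "$t/Library/.hidden/CleanMyMac Data" \
             "$t/Applications/Tool.app/Contents"
    : > "$t/Library/LaunchDaemons/com.macpaw.example.plist"
    : > "$t/Library/.hidden/CleanMyMac Data/cleanmymac.db"
    : > "$t/Applications/Tool.app/Contents/cleanmymac-helper"
    : > "$t/Library/unrelated.txt"
    printf '%s\n' "$t"
}

# With no arguments the sample tree is searched. On a Mac, pass real roots:
#   sh find_by_name.sh /Applications /Library "$HOME/Library"
if [ "$#" -eq 0 ]; then
    sample=$(make_sample_tree)
    set -- "$sample/Library" "$sample/Applications"
fi
for term in cleanmymac macpaw; do
    find_by_name "$term" "$@"
done
if [ -n "${sample:-}" ]; then rm -rf "$sample"; fi
```

Entries labelled autostart are the ones macOS loads on its own at boot or login; files under system folders are owned by root, so listing them works from a normal account while removing them needs administrator rights.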


Aug 21, 2022 10:27 AM in response to BillMort4198

I hate giving bad news, but here goes:


the thing that jumped off the page for me was CleanMyMac. most experienced users equate it to malware. it is absolutely known to cause serious issues with macOS while providing zero benefits. you should uninstall it with the developer's instructions.


and it is not in your "software installs (past 60 days)" so there's a high chance that it has damaged your macOS to the point where a total erase of your system, followed by re-installing macOS may be necessary.


and given all of the things in your "minor issues" section, erasing the Mac and starting over might not be a bad decision in any case.

Aug 21, 2022 10:58 AM in response to BillMort4198

BillMort4198 wrote:

for what it's worth Clean My Mac is something I never installed. I have seen it pop up here and there, though.

well it is installed, so you likely installed it by clicking on something that CMM was included in. usually with malware, the user has no idea that they unknowingly installed something. I mean, if you saw a banner that said "install malware by clicking here" no-one would click on it.

By erase my system do you mean reformat the hard drive? Backing up photos, documents etc won't cause clean my mac to tag along, right?

yes, that's exactly what I mean. and please be careful with what you reinstall. your documents, pictures, etc are likely fine. but as far as apps go, I would not migrate anything. if you still use some apps, then reinstall them. but make sure to get them from the App Store, or directly from the developer's website.

Aug 21, 2022 11:02 AM in response to BillMort4198

BillMort4198 wrote:

any idea where I can find cleanmymac? I search in my finder for it and the only thing that shows is the ere report. I looked in the apps folder and it's not there either. I'm guessing this means I have to go nuclear on it but I thought I would check.

I could give you all the locations where you could find the files that cmm is installed in, but...


it would be much quicker and easier for you to "go nuclear". and as well, finding the damage that cmm does to macOS would be very hard to next to impossible to find and correct.

Aug 21, 2022 11:14 AM in response to jeffreythefrog

Thanks, I'll feel better starting over. The only apps I have installed that didn't come from Apple are Microsoft Office 365, GoPro Quick and the game MYST that was on my old MacBook Air for years.


Thank you so much for your help!! Am I correct in thinking that I can back up the files I want to save and restart the machine to the startup options screen and reinstall everything from there?

Aug 21, 2022 1:18 PM in response to BillMort4198

BillMort4198 wrote:

That found the files for me but I don't have permission to delete them. Going to do an erase and restore.

You don't need to do an erase and restore. Most likely, that will not change anything.


You haven't been hacked. All of that is normal.


Clean My Mac has been installed on your system since 2019 at least. If you don't want it, you can uninstall it. If you've had it for that long, it is likely that it may have been partially uninstalled.


I normally don't recommend "app cleaners" or "app zappers", but it might be useful in this case.

Aug 21, 2022 4:05 PM in response to etresoft

I found the folders in a folder labeled "Private". I got the info and clicked the lock at the bottom. There are 3 names: "system", which can read and write; "wheel" (I have no idea what this is); and "everyone". The latter two have read-only permission, and when I try to change that permission I get "The operation can’t be completed because you don’t have the necessary permission."

I have administrator permission with my log on. How do I resolve this short of a complete erase?
