How do I remove a hacker

I’ve now been logged out and the hacker has changed admin to root, I think, as it says sh-3.2#. I tried going into Terminal to reset the password, as I’m now not even able to log in once the password is reset. Found djsk155 created shadow_fs_root tree <ptr>


Found TFTP, samdump 2 - apparently a tool designed to dump Windows 2k/NT/XP password hashes from a SAM file, using the syskey bootkey from the system hive. Basically been hacked?


If I do the command to remove root and change the WiFi password, will he just get back in? I read

echo 'export PS1='"'"'\h:\w \u\$ '"'" >> ~/.bash_profile
echo 'export PS1='"'"'\h:\w \u\$ '"'" >> ~/.profile

should override the sh-3.2#?


I wondered if I did something to change permissions, but samdump 2 and that root user name aren’t sounding good. Can someone please reply?

MacBook Air

Posted on Sep 30, 2022 1:52 PM
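An added illustration, not part of the original post and not Apple's code: `sh-3.2#` is what bash's built-in default prompt `\s-\v\$ ` looks like when bash 3.2 is started as `sh` by a user with UID 0, and `\$` in any PS1 shows `#` for UID 0. The sketch below is a simplified renderer for only the prompt escapes seen on this page; the host name `Mac`, the user `alice` and UID 501 are constructed sample values.

```shell
#!/bin/sh
# Added example: simplified renderer for the bash prompt escapes that appear
# on this page (\s \v \h \w \u \$). It is not bash's own implementation.

# render_ps1 TEMPLATE UID USER HOST CWD SHELLNAME VERSION
render_ps1() {
    rp_tmpl=$1
    rp_uid=$2
    # bash prints '#' for \$ when the effective UID is 0, otherwise '$'
    if [ "$rp_uid" -eq 0 ]; then rp_mark='#'; else rp_mark='$'; fi
    printf '%s' "$rp_tmpl" | sed \
        -e 's|\\s|'"$6"'|g' \
        -e 's|\\v|'"$7"'|g' \
        -e 's|\\h|'"$4"'|g' \
        -e 's|\\w|'"$5"'|g' \
        -e 's|\\u|'"$3"'|g' \
        -e 's|\\[$]|'"$rp_mark"'|g'
}

# The privilege test that matters: the effective UID, not the prompt text.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

DEFAULT_PS1='\s-\v\$ '   # bash's built-in default prompt
PAGE_PS1='\h:\w \u\$ '   # the PS1 quoted in the post above

# Constructed sample identities: root (UID 0) and an ordinary user (UID 501).
printf 'default prompt, UID 0  : [%s]\n' \
    "$(render_ps1 "$DEFAULT_PS1" 0 root Mac / sh 3.2)"
printf 'page prompt, UID 0     : [%s]\n' \
    "$(render_ps1 "$PAGE_PS1" 0 root Mac / sh 3.2)"
printf 'page prompt, UID 501   : [%s]\n' \
    "$(render_ps1 "$PAGE_PS1" 501 alice Mac '~' sh 3.2)"

if is_root; then
    echo "this shell is running as root (id -u is 0)"
else
    echo "this shell is not root (id -u is $(id -u))"
fi
```

The rendered strings show that appending the quoted PS1 to a profile changes only how the prompt is drawn: a UID 0 shell still ends in `#`, and `id -u` is the check that reports which account the shell is running as.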

Question marked as Top-ranking reply

Posted on Oct 2, 2022 7:03 AM

" Scorched Earth Method "


This method will WIPE ALL Data and there is No Recovery - Period.


>> Only works on Intel Based Apple Computer <<


To perform this action will require booting from a Bootable Installer


The Bootable Installer can Only be performed on an Apple Computer 


This will have to be performed from a Qualifying Computer to run the version of macOS to be made on the Bootable Installer. Example : Bootable Installer of Big Sur would have to be done on a computer that Qualifies to run Big Sur.


Notation: If the computer being used to perform this action is Too New or Too Old to qualify to run the version of macOS - this computer can not be used.


Alternative is, to gain access to a Qualifying Apple Computer from a family member, friend or associate.


Extra Special Notation regarding the Touch ID equipped Apple Computer.


About Startup Security Utility and Must Enable from Recovery Mode the ability to boot from External Drive Before Attempting 


1 - Shut down computer and disconnect all external drives Except the newly created Bootable Installer.


2 - Restart and immediately hold the OPTION key until the Startup Manager appears and choose the USB Drive.


3 - It will present options >> Disk Utilities >> View >> View ALL attached Drives. 


4 - Choose the Upper Most Drive ( not the volumes indented and listed below ).


5 - The drive normally is called Apple Media or Apple SSD - that is the drive to Erase and format as APFS with the GUID Partition Map. This applies to macOS 10.14 Mojave and above. 


5A - Formatting for macOS 10.13 High Sierra and below requires HFS Journaled with the GUID Partition Map


6 - Once that is done >> back out of Disk Utilities and choose install macOS.


7 - Follow the prompts and it may automatically reboot several times.


8 - Upon a final reboot - Setup Assist will present with the newer version of macOS.


Sep 30, 2022 3:50 PM in response to Community User

I don't follow everything you have posted about, but if you truly believe that someone else is intruding into your Mac, then assuming you have a good backup of your files (make one first, if you don't), you can do this:


Erase all content and settings on Mac - Apple Support


This starts from a clean Mac. Then restore user files only, nothing else, from your backup. Change your router password. Change your Apple ID password and disable all Sharing and remote access.

Oct 2, 2022 11:16 AM in response to Community User

Nxx_nns wrote:


Thanks a lot for your reply.

I found samdump 2 in var folder which should not be there? Thunderbolt appeared, root console showing in terminal, Netbios/computer name changed also. Unknown devices in wifi and ports.

I panicked and deleted files and lost admin account or permissions possibly. Password no longer accepted at login. ‘Resetpassword’ via terminal in both recovery & single user mode, still not accepted at login screen. My admin name no longer had capital initial or a space. Tried both ways (old username & new layout) still didn’t work.

Advised in terminal to remove .AppleSetupDone file to allow me to create new user with admin permissions. It comes on as hello then to languages screen. Choose English, shows apple logo and bar loads up but then loops back. I have no back-up on Time Machine.

thanks again for any advice

No backup? Seriously consider where copies of your files might be had (on camera cards, iCloud, Dropbox, email attachments, emails you have sent to others with attachments or images, text messages, copies on iPhone etc.) because I would wipe/erase this computer and start over. Between someone apparently gaining physical access to your Mac (in which case all bets are off) to you deleting various critical files, apparently now preventing booting, you cannot access your files anyway.


P. Phillips had other good suggestions, have you followed them? Target Disk Mode, for instance, that might enable you to copy unbacked up files to another computer before you erase this one. If you don't have access to another computer, go to an Apple Authorized Service Provider and they can try this for you. They might even be able to remove your internal drive, and enable you to copy files from it in a separate enclosure. All this costs some money but otherwise you may lose all your files, they must have some value to you.


P. Phillips' "scorched Earth method" may be necessary to regain your computer. You should try first to extract your files as suggested above.

Oct 2, 2022 7:07 AM in response to Community User

Followup - a Hacker would need Direct Physical Access to the computer and be able to circumvent the Admin Account Password in order to Plant their Hacking Software.


Additionally, and specific to Big Sur macOS 11 and Monterey macOS 12, the Operating System resides in a Sealed and Read Only Volume that can not be opened by the User and protects against “Bad Actor” Software.

Oct 2, 2022 6:28 AM in response to steve626


Thanks a lot for your reply.


I found samdump 2 in var folder which should not be there? Thunderbolt appeared, root console showing in terminal, Netbios/computer name changed also. Unknown devices in wifi and ports.


I panicked and deleted files and lost admin account or permissions possibly. Password no longer accepted at login. ‘Resetpassword’ via terminal in both recovery & single user mode, still not accepted at login screen. My admin name no longer had capital initial or a space. Tried both ways (old username & new layout) still didn’t work.


Advised in terminal to remove .AppleSetupDone file to allow me to create new user with admin permissions. It comes on as hello then to languages screen. Choose English, shows apple logo and bar loads up but then loops back. I have no back-up on Time Machine.


thanks again for any advice
