Problems with system and network settings after factory reset
Hi there,
I have reason to think my MacBook Air 8,1 (or iPhone 12) may have been compromised by someone with physical access or knowledge of my AppleID, network password, or Google account.
All passwords have been changed several times, but many things concerned me, e.g.:
* Repeatedly adding a Thunderbolt connection (I have never used Thunderbolt)
* Unable to update macOS, with a message telling me to check my internet connection when I was connected
* 2-factor authentication codes for Apple sent to the computer I requested them from
* Repeatedly disabled “Block all incoming connections” and added “Command Center” to the allowed applications list
* Repeatedly enabled “Bluetooth Setup Assistant” at start-up if no keyboard/mouse/trackpad detected (these are built-in; why would this even be needed?)
I did a Time Machine backup and restored it to factory settings one week ago. The only changes I made after were:
* Upgrading to Ventura 13.2
* Installing Chrome
* Installing EtreCheckPro power user package
EtreCheck did not find any major or minor issues, but all of the Apple files showed a last modified date several weeks before the reset, and my system settings for Wi-Fi, Network, Bluetooth, and Extensions kept changing on their own (not even on restart but while the machine was being used).
I did another factory reset on the 13th, and have not installed anything since, other than updating to Ventura 13.2.1.
What continues to concern me:
1) System Settings > Network > Firewall
* Firewall settings change on their own
* Stealth mode is repeatedly disabled
* Automatic connections for built-in and downloaded software are repeatedly enabled
* When Stealth mode is enabled, Firewall Settings under System Information > Network > Firewall says: Stealth Mode: No
2) System Settings > Network > Other Services > … > Manage Virtual Interfaces
* Thunderbolt Bridge / bridge0 using Thunderbolt 2 is repeatedly added
* It isn’t listed under “Other Services” on the main Network screen
* I’ve never used Thunderbolt
* When I delete it, I get a warning that it is in use by a network service
3) System Settings > Network > Wi-Fi
* Shows Security Type as WPA3 Personal but Wi-Fi Diagnostics shows WPA2 Personal
* Repeatedly disables Low Data Mode
4) Wi-Fi Diagnostics report says that Wi-Fi is not associated while Wi-Fi is active (configuration results attached)
5) Wi-Fi Diagnostics report ifconfig output (attached) shows interfaces I don’t think should be active (awdl0 with com.apple.wifip2pd, Skywalk). All sharing settings, Bluetooth, etc. are turned off.
6) System Information > Frameworks lists hundreds of Frameworks obtained from “Unknown” with a Last Modified date of February 9 (several days before the factory reset)
Am I right to be concerned? Is there something else I should be looking at in log files or Terminal?
Thanks in advance for any advice.