Advice needed! Hacker took control of my macbook pro
Hello and thanks in advance for any help or advice you can offer.
I should start off by telling you that the hack / hijack I'm about to describe freaked me out a bit - but after talking to Apple tech support for 45 minutes (nice but not really helpful) and some overnight deliberation, which included downloading Bitdefender and running a deep virus scan for hours which didn't seem to yield anything significant (entirely spam folder emails that had never been touched, including ones in old email archive folders), as well as seeking the help of a local reputable NYC computer service (they said they didn't think it was worth spending the $200 an hour to get forensics done and that their advice was to do what I was thinking), I decided to make a clone of my hard drive (I also have a clone from the night before the incident) to preserve any forensic evidence, as I knew I probably couldn't leave it alone, and then re-formatted the drive and have rebuilt the system from scratch with a fully clean install, no Time Machine, so far no copying of data from the clones (eventually I need to grab my iTunes catalog, as long as it's not a likely place for a bug to hide). A huge headache all in all and a big time loss but at least I feel better about using my machine.
What I'm hoping someone can offer is a clue as to how I could identify whatever the executable was that allowed this outside person to access and hijack my system. Why? Because I'd like to find out if any of my other machines at home or work have the same executable on them (I have 5 macs total for a small business). Do these things tend to jump from machine to machine? The local computer shop said almost certainly not.
So here's the story:
2 days ago, I was away from my desk for about an hour and a half and upon return immediately tried to get to my mail app (had an urgent matter that I was focused on dealing with) and realized I was having trouble with the mouse - I looked to see if I'd left my pen on my tablet and that wasn't the problem - then quickly noticed that there were far more windows open than there should have been, including my personal financial app - that's what grabbed my attention that something more was wrong - I then noticed that the green light was on next to the camera and quickly realized that the mouse movement wasn't erratic, that someone was opening / closing items. I then quickly covered the camera, attempted manual shut down, was unable to make that happen and then immediately forced a shutdown.
I turned the machine back on a short while later, with internet off (my machine is set up to re-open all open windows when shut down) and slowly took frame grabs as I peeled back and noted everything that was open - including things that hadn't been open when I left, such as FaceTime, which had been buried under a few layers of windows, and my personal finance software along with an email that had been opened from the investment co where I keep my retirement accounts.
I spoke with Apple but the tech support person spent a fair amount of time trying to convince me that I simply had a glitchy mouse and that she'd never heard of a Mac being remotely hijacked. After some research I can clearly see that's not the case. She did eventually relent when I reviewed the evidence but I decided it was best to strike out on my own at that point.
Here's the specs on my macbook pro:
Retina, Mid 2012
2.3 GHz Intel Core i7
16 GB 1600 MHz DDR3
NVIDIA GeForce GT 650M 1024 MB
OS X 10.9.5 (I'm not sure of the build - I'd have to boot one of the clones)
Screen Sharing was not on
Ok, that's my story - if anyone has any suggestions or recommendations as to what I can do to discover the culprit embedded in the system that allowed this to happen, I'd appreciate it. THANKS!
Mac Pro (Mid 2012), OS X Mavericks (10.9.5)