MBA5

Q: new and unknown user account - being hacked?

I have a MacBook Pro, on which I recently installed OS X El Capitan. A few minutes ago I had to force a shut down as my MacBook did not respond to anything anymore. When I restarted it, I saw a new user account I have never created. Has my macbook been hacked? How can I remove such unknown account? I am worried as at some stage, I was asked to put in my password for iCloud and other Apple ID - which I didn't. Help would very much be appreciated!!!!! Thanks in advance

MacBook Pro, OS X El Capitan (10.11.5)

Posted on May 31, 2016 12:04 PM

  • by macjack,

    macjack May 31, 2016 12:08 PM in response to MBA5
    Level 9 (55,709 points)
    Mac OS X

    Unlikely it was hacked. Go to System Preferences > Users & Groups and delete the new account. Then please download and run EtreCheck, created by one of our own helpers here in ASC. It is a diagnostic tool that's very useful to us in finding problems. Also it will give us further specs on your Mac. After it runs, post the log file here. It will contain no personal information.

  • by pinkstones,

    pinkstones May 31, 2016 12:23 PM in response to MBA5
    Level 5 (4,209 points)
    Safari

    MBA5 wrote:

     

    I have a MacBook Pro, on which I recently installed OS X El Capitan. A few minutes ago I had to force a shut down as my MacBook did not respond to anything anymore. When I restarted it, I saw a new user account I have never created. Has my macbook been hacked? How can I remove such unknown account? I am worried as at some stage, I was asked to put in my password for iCloud and other Apple ID - which I didn't. Help would very much be appreciated!!!!! Thanks in advance

     

    Have you recently downloaded anything that allowed someone remote access to your computer?  If not, it's highly unlikely you were hacked. 

  • by Esquared,

    Esquared May 31, 2016 12:23 PM in response to MBA5
    Level 6 (8,501 points)
    Mac OS X

    What name does the new account have? Just any name or Guest User?

  • by MBA5,

    MBA5 May 31, 2016 1:14 PM in response to macjack
    Level 1 (8 points)
    Notebooks

    Thanks. Unfortunately, I cannot click on the account. Only the "current user" line is accessible. Any other way to do it?

  • by MBA5,

    MBA5 May 31, 2016 1:16 PM in response to pinkstones
    Level 1 (8 points)
    Notebooks

    Don't remember having downloaded something like that. I try to be very careful.

  • by MBA5,

    MBA5 May 31, 2016 1:19 PM in response to Esquared
    Level 1 (8 points)
    Notebooks

    The name is strange "User cucoline". In the list of users, I recognise two old ones and a guest one. Now there is even another user with a strange name (User prosoplegic) in the list "other users" under preferences. The latter one is not shown when starting up my MacBook Pro.
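
One way to cross-check the account list outside Users & Groups, as an added example that is not part of the original thread: the function below reads the "shortname uid" listing that `dscl . -list /Users UniqueID` prints on a Mac and reports every account that is neither a system account nor one the owner recognises. The function names, the sample listing and its short names are constructed for illustration, and the 500 UID boundary is the usual macOS convention rather than something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). On a Mac, feed it the real listing:
#   dscl . -list /Users UniqueID | flag_accounts "alice bob"

# flag_accounts KNOWN: reads "shortname uid" lines on stdin and prints every
# account that is neither a system account nor in the space-separated KNOWN list.
flag_accounts() {
    awk -v known="$1" '
        BEGIN {
            n = split(known, k, " ")
            for (i = 1; i <= n; i++) ok[k[i]] = 1
            # Built-in accounts that lack the "_" prefix used by system services.
            m = split("root daemon nobody Guest", b, " ")
            for (i = 1; i <= m; i++) sys[b[i]] = 1
        }
        NF == 2 {
            name = $1; uid = $2 + 0
            if (name ~ /^_/ || (name in sys) || (name in ok)) next
            # Assumption: 500 is the usual boundary; ordinary accounts start at 501.
            if (uid > 500) print "UNKNOWN " name " uid=" uid
            else           print "LOW-UID " name " uid=" uid
        }'
}

# Constructed sample listing; every short name here is hypothetical.
sample_listing() {
    cat <<'EOF'
_www                     70
daemon                   1
Guest                    201
nobody                   -2
root                     0
alice                    501
bob                      502
example_new              503
example_low              401
EOF
}
```

An account reported as LOW-UID sits in the range normally reserved for system accounts, so it deserves the same scrutiny as an UNKNOWN one.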

  • by MBA5,

    MBA5 May 31, 2016 1:36 PM in response to macjack
    Level 1 (8 points)
    Notebooks

    Log file:

     

    EtreCheck version: 2.9.12 (265)

    Report generated 2016-05-31 22:28:19

    Download EtreCheck from https://etrecheck.com

    Runtime 1:25

    Performance: Excellent

     

    Click the [Support] links for help with non-Apple products.

    Click the [Details] links for more information about that line.

    Click the [Remove] links to remove adware.

     

    Problem: Other problem

     

    Hardware Information: ⓘ

        MacBook Pro (Retina, 15-inch, Late 2013)

        [Technical Specifications] - [User Guide] - [Warranty & Service]

        MacBook Pro - model: MacBookPro11,3

        1 2.3 GHz Intel Core i7 CPU: 4-core

        16 GB RAM Not upgradeable

            BANK 0/DIMM0

                8 GB DDR3 1600 MHz ok

            BANK 1/DIMM0

                8 GB DDR3 1600 MHz ok

        Bluetooth: Good - Handoff/Airdrop2 supported

        Wireless:  en0: 802.11 a/b/g/n/ac

        Battery: Health = Normal - Cycle count = 87

     

    Video Information: ⓘ

        Intel Iris Pro

            Color LCD 2880 x 1800

        NVIDIA GeForce GT 750M - VRAM: 2048 MB

     

    System Software: ⓘ

        OS X El Capitan 10.11.5 (15F34) - Time since boot: less than an hour

     

    Disk Information: ⓘ

        APPLE SSD SM0512F disk0 : (500.28 GB) (Solid State - TRIM: Yes)

            EFI (disk0s1) <not mounted> : 210 MB

            Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

            Macintosh HD (disk1) / : 499.05 GB (31.71 GB free)

                Core Storage: disk0s2 499.42 GB Online

     

    USB Information: ⓘ

        Apple Inc. Apple Internal Keyboard / Trackpad

        Apple Inc. BRCM20702 Hub

            Apple Inc. Bluetooth USB Host Controller

     

    Thunderbolt Information: ⓘ

        Apple Inc. thunderbolt_bus

     

    Gatekeeper: ⓘ

        Mac App Store and identified developers

     

    Adware: ⓘ

        /System/Library/Frameworks/VSearch.framework

        One adware file found. [Remove]

     

    System Launch Agents: ⓘ

        [not loaded]    7 Apple tasks

        [loaded]    157 Apple tasks

        [running]    74 Apple tasks

     

    System Launch Daemons: ⓘ

        [not loaded]    47 Apple tasks

        [loaded]    156 Apple tasks

        [running]    87 Apple tasks

     

    User Launch Agents: ⓘ

        [loaded]    com.citrixonline.GoToMeeting.G2MUpdate.plist (2015-12-01) [Support]

     

    User Login Items: ⓘ

        iTunesHelper    Application  (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

        Dropbox    Application  (/Applications/Dropbox.app)

        WDDriveUtilityHelper    Application  (/Applications/WD Drive Utilities.app/Contents/WDDriveUtilityHelper.app)

        Wondershare Helper Compact    Application  (~/Library/Application Support/Helper/Wondershare Helper Compact.app)

        CrossOver CD Helper    Application  (~/Applications/CrossOver-3.app/Contents/Resources/CrossOver CD Helper.app)

        Wunderlist    Application  (/Applications/Wunderlist.app)

        Skype    Application  (/Applications/Skype.app)

     

    Other Apps: ⓘ

        [running]    QA2G25RMZ4.com.wunderkinder.wunderlist-helper

        [loaded]    TillodontiaUpd.plist

        [running]    com.codeweavers.CrossOverCDHelper.18592

        [running]    com.getdropbox.dropbox.47392

        [loaded]    com.skype.skype.8352

        [running]    com.wondershare.helper_compact.17952

        [loaded]    com.wunderkinder.wunderlistdesktop.66272

        [loaded]    390 Apple tasks

        [running]    203 Apple tasks

     

    User internet Plug-ins: ⓘ

        CitrixOnlineWebDeploymentPlugin: 1.0.105 (2013-04-26) [Support]

     

    3rd Party Preference Panes: ⓘ

        None

     

    Bad Fonts: ⓘ

        Verdana Bold.ttf: /Library/Fonts/Verdana Bold.ttf

        Trebuchet MS: /Library/Fonts/Microsoft/Trebuchet MS

        Arial Rounded Bold: /Library/Fonts/Microsoft/Arial Rounded Bold

        Wingdings 2.ttf: /Library/Fonts/Wingdings 2.ttf

        Arial Bold Italic.ttf: /Library/Fonts/Arial Bold Italic.ttf

        Verdana.ttf: /Library/Fonts/Verdana.ttf

        Arial Black: /Library/Fonts/Microsoft/Arial Black

        Arial.ttf: /Library/Fonts/Arial.ttf

        Wingdings.ttf: /Library/Fonts/Wingdings.ttf

        Georgia: /Library/Fonts/Microsoft/Georgia

        Times New Roman Bold.ttf: /Library/Fonts/Times New Roman Bold.ttf

        Verdana Bold Italic.ttf: /Library/Fonts/Verdana Bold Italic.ttf

        Comic Sans MS: /Library/Fonts/Microsoft/Comic Sans MS

        Palatino: /Library/Fonts/Palatino

        Wingdings 3.ttf: /Library/Fonts/Wingdings 3.ttf

        Tahoma: /Library/Fonts/Microsoft/Tahoma

        Brush Script.ttf: /Library/Fonts/Microsoft/Brush Script.ttf

        Impact: /Library/Fonts/Microsoft/Impact

        Arial Italic.ttf: /Library/Fonts/Arial Italic.ttf

        Times New Roman Bold Italic.ttf: /Library/Fonts/Times New Roman Bold Italic.ttf

        Verdana Italic.ttf: /Library/Fonts/Verdana Italic.ttf

        Times New Roman.ttf: /Library/Fonts/Times New Roman.ttf

        Gill Sans Ultra Bold: /Library/Fonts/Microsoft/Gill Sans Ultra Bold

        Arial Narrow: /Library/Fonts/Microsoft/Arial Narrow

        Times New Roman Italic.ttf: /Library/Fonts/Times New Roman Italic.ttf

        Arial Bold.ttf: /Library/Fonts/Arial Bold.ttf

        Andale Mono: /Library/Fonts/Microsoft/Andale Mono

     

    Time Machine: ⓘ

        Time Machine not configured!

     

    Top Processes by CPU: ⓘ

             7%    WindowServer

             3%    fontd

             2%    kernel_task

             1%    Dock

             0%    cloudpaird

     

    Top Processes by Memory: ⓘ

        1.00 GB    kernel_task

        705 MB    firefox

        328 MB    mdworker(17)

        279 MB    mds_stores

        229 MB    WindowServer

     

    Virtual Memory Information: ⓘ

        8.83 GB    Free RAM

        7.17 GB    Used RAM (2.18 GB Cached)

        0 B    Swap Used

     

    Diagnostics Information: ⓘ

        May 31, 2016, 10:15:21 PM    Self test - passed

        May 31, 2016, 08:31:05 PM    ~/Library/Logs/DiagnosticReports/Photos_2016-05-31-203105_[redacted].crash

            com.apple.Photos - /Applications/Photos.app/Contents/MacOS/Photos

        May 31, 2016, 12:46:24 PM    ~/Library/Logs/DiagnosticReports/plugin-container_2016-05-31-124624_[redacted].crash

            org.mozilla.plugincontainer - /Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container

  • by pinkstones,

    pinkstones May 31, 2016 1:41 PM in response to MBA5
    Level 5 (4,209 points)
    Safari

    Two things:

     

    1. You have adware.  To remove it, you have two options.  You can download Malwarebytes' Anti-Malware for Mac which was developed by a trusted and respected contributor here, and simply removes malware/adware from your hard drive or you can restart your computer.  As of April 26, 2016, changes made to the support article here --> Stop pop-up ads in Safari - Apple Support state that El Capitan removes adware at login, but only at login.  So, if you don't want to use Malwarebytes, this is another option for you. 
    2. You have a lot of bad fonts.  Those also look like fonts that come standard on Macs, as opposed to fonts you downloaded from the Internet.  Have you done anything recently with fonts or with the Font Book?
  • by Alfredo Jahn,

    Alfredo Jahn May 31, 2016 1:48 PM in response to pinkstones
    Level 3 (844 points)
    Desktops

    pinkstones wrote:

     

    Two things:

     

    1. You have adware.  To remove it, you have two options. 

    Sorry to hijack this post, but can you explain how you determined that this guy has adware from the EtreCheck output?

     

    Thanks

  • by macjack,

    macjack May 31, 2016 1:50 PM in response to MBA5
    Level 9 (55,709 points)
    Mac OS X

    You can also click on remove adware in EtreCheck. But Malwarebytes will do a more thorough scan.

  • by Alfredo Jahn,

    Alfredo Jahn May 31, 2016 1:55 PM in response to Alfredo Jahn
    Level 3 (844 points)
    Desktops

    Alfredo Jahn wrote:

     

    pinkstones wrote:

     

    Two things:

     

    1. You have adware.  To remove it, you have two options.

    Sorry to hijack this post, but can you explain how you determined that this guy has adware from the EtreCheck output?

     

    Thanks

    Nevermind...

     

    Adware: ⓘ

        /System/Library/Frameworks/VSearch.framework

        One adware file found. [Remove]

  • by Linc Davis,

    Linc Davis May 31, 2016 2:11 PM in response to MBA5
    Level 10 (208,000 points)
    Applications
    Has my macbook been hacked?

    No. You are getting the usual results of posting the output of that app on this site. It's giving you completely false information. There is no adware. Never allow any software, no matter what it is, to remove files that it didn't install.

     

    What is the name of the new user account?

  • by MBA5,

    MBA5 May 31, 2016 2:20 PM in response to macjack
    Level 1 (8 points)
    Notebooks

    I removed it this way for now. That is OK. As for the fonts, I did not do anything in particular. But I now have error messages regarding Office for Mac (problem with installer), and when looking at the log file, at the end, a problem with "photos" is mentioned. I actually have lost iPhoto and Photos does not work either. Might this be because of the El Capitan version (I actually skipped former OS X versions)? Sorry to bother you with all these questions.

  • by stevejobsfan0123,

    stevejobsfan0123 May 31, 2016 2:23 PM in response to Linc Davis
    Level 8 (43,853 points)
    iPhone

    Linc Davis wrote:


    You are getting the usual results of posting the output of that app on this site. It's giving you completely false information. There is no adware.

    No it's not, and you've provided no evidence.

    What is the name of the new user account?

    The OP already answered that.

    The name is strange "User cucoline". In the list of users, I recognise two old ones and a guest one. Now there is even another user with a strange name (User prosoplegic) in the list "other users" under preferences.
