
Very skilled hack

Specs: iMac mini. Current OS: Sierra. Started as Mavericks; the machine was purchased right before Yosemite came out. Eventually upgraded to Yosemite and then recently to Sierra.


I first tried the Google app, but it couldn't see my phone. So I installed an app from the Apple store to let me talk to a new Android phone I just purchased. That failed also. I gave up; it's just easier to move the files from Google Drive at this point. This clobbered my keychain right off the bat. I wound up having to change my password, delete the old keychain and create a new one as a result. Initially I thought that recreating the keychain was the problem and that I had just mistyped the password I thought I set. Annoying, but I didn't worry too much initially. Everything worked, even though every saved password I had for everything in Chrome & Firefox was wiped out by the keychain reset.


I rarely reboot and was extremely busy, so I set it aside for a bit since everything worked. Then I needed to reboot for an update. I went straight into my account. That was disturbing, as I have it set to make me log in. If I log out, I can fail at the password to log back in, and then it logs me back in with a failed password. I never get the option to reset the password from the login prompt. If I boot into Command-R, it logs me in. No login screen. I cannot get to the recovery partition. Without the password I cannot install High Sierra from the Mac store. The login screen won't let me reset the password either.


I don't have a Time Machine backup. I turned it off, as it was wearing out the HD and not really helping me any. Too few options as to how and when to make backups, in particular the inability to add only changed files or rotate out backups so I didn't fill up my external drive. I just do manual backups, and all user files are backed up.


In /library/Application Support/ I found a suspicious dir called T. Under T was /RootTools, with roottools.conf as the only file. The contents of the file are node_id= long number & node_id2= another long number. It's hex, but doesn't look like an IP address. Too short.


So my question is: how do I reinstall the OS and wipe out any suspicious apps? The only suggestions I can find in a Google search have failed. Would any Apple staff be interested in forensics on the machine? I am comfortable with the command line and have a strong Linux/Unix background. In fact, I'm typing this from a Linux machine right now.

Mac mini, Mac OS X (10.6.8)

Posted on Nov 11, 2017 8:17 PM

10 replies

Nov 11, 2017 8:25 PM in response to draciron

No such animal as an iMac Mini. There is an iMac and there is a Mac Mini. Please pick one.


How To Do A Factory Reset


Selection A should be used on computers that came with Lion or later when factory new. Selection B is for Macs that came originally with Snow Leopard or earlier.


A. Factory reset your Mac - Apple Support

B. Factory Reset Your Pre-Lion Mac


Follow these instructions until you get to Step 5: Factory reset your Mac - Apple Support. At Step 5 you will need a Snow Leopard DVD or the installer disc that came with the computer.


  1. Boot the computer using the Snow Leopard Installer Disc or the Disc 1 that came with your computer. Insert the disc into the optical drive and restart the computer. After the chime press and hold down the "C" key. Release the key when you see a small spinning gear appear below the dark gray Apple logo.
  2. After the installer loads, select your language and click on the Continue button. When the menu bar appears, select Disk Utility from the Utilities menu. After Disk Utility loads, select the hard drive entry from the left side list (the un-indented entry: manufacturer's ID and drive size). Click on the Partition tab in the Disk Utility main window. Set the number of partitions to one (1) from the Partitions drop-down menu, click on the Options button and select GUID, click on OK, then set the format type to Mac OS Extended (Journaled), then click on the Apply button.
  3. When the formatting has finished quit Disk Utility. Proceed with the OS X installation and follow the directions included with the installer.
  4. If you are planning to sell or give your computer away, then do the following: After you reformat your hard drive and reinstall OS X, the computer restarts to a Welcome screen and asks you to choose a country or region. If you want to leave the Mac in an out-of-box state, don't continue with the setup of your system. Instead, press Command-Q to shut down the Mac. When the new owner turns on the Mac, the Setup Assistant will guide them through the setup process.

Nov 12, 2017 1:46 AM in response to PN2

Certain earlier Skype versions seem to have created those potentially disturbing folder & file names that you saw.


More recent versions used files with similar content in ~/Library/Application Support/T/ , named ecs.conf & skypert.conf.


The latest update here shifted those files to ~/Library/Application Support/Skype Helper/SkypeRT and added one named ui.conf, but didn't delete the old T folder & contents.

Nov 11, 2017 8:32 PM in response to draciron

Sorry, but 90% of what you said either makes no sense at all or is complete nonsense... that or it's completely irrelevant.


No one has hacked your mac. It's entirely possible that you downloaded some kind of malware/adware garbage, but that is not the same as someone hacking your mac.


Back up your data, then use the links above to completely erase your drive and re-install macOS from scratch.

Nov 12, 2017 12:59 AM in response to Eric Root

Command-R doesn't work, as I specified in my post. I've tried it a dozen times. The machine just boots straight into my account. It's not supposed to. Until I installed the malware from the Apple store, which does not appear in my installed list of apps any more, I had to log in every time I rebooted. That was how I had the machine set up, but that changed and I did not change it.


Don't know if the recovery partition is supposed to show up in Disk Utility but I do not see one in disk utility.


I do not have the current password. So I cannot install from the app store as it requires a password to install the helper.

Nov 12, 2017 1:28 AM in response to draciron

It may be that you don't have a Recovery partition. Enter the following in Terminal to see if one is listed. It isn't usually visible in Disk Utility.


diskutil list


If it's listed, yet seemingly doesn't work: does manually attempting Internet Recovery work? (Hold Command-Option-R until a globe appears.) That should have loaded automatically when normal Recovery didn't, but it can't hurt to try.


If Single User mode is available, you may be able to prompt the setup of a new Admin user from which you can change the existing user password; or change your current password.
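As an added example (not part of the reply above or anything posted in this thread), here is a small POSIX shell script that checks `diskutil list` output for a recovery partition the way the reply describes. The listings embedded in it are constructed samples in the shape of `diskutil list` output from an HFS+ Sierra-era Mac and from an APFS High Sierra Mac; they are not output captured from the poster's machine. On a Mac it pipes the real `diskutil list` into the check; anywhere else it runs against the samples.

```shell
#!/bin/sh
# Added example, not code from the thread: look for a recovery partition in
# `diskutil list` output. Works on stdin so it can be used on a Mac as
#     diskutil list | find_recovery_partition
# and on any other system against the constructed samples below.

# Constructed sample: HFS+ layout with the hidden "Recovery HD" partition.
SAMPLE_HFS_WITH_RECOVERY='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
'

# Constructed sample: HFS+ layout where the recovery partition is missing,
# which is what the poster's symptoms suggest.
SAMPLE_HFS_NO_RECOVERY='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.9 GB   disk0s2
'

# Constructed sample: APFS layout (High Sierra and later), where recovery is
# a volume inside the container rather than a separate partition.
SAMPLE_APFS='/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +499.9 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            150.0 GB   disk1s1
   2:                APFS Volume Preboot                 20.0 MB    disk1s2
   3:                APFS Volume Recovery                517.0 MB   disk1s3
   4:                APFS Volume VM                      1.1 GB     disk1s4
'

# find_recovery_partition: reads a diskutil listing on stdin, prints the
# device identifier (last column) of every recovery partition or volume it
# finds, and exits 0; exits 1 if none is present. Matches both the
# Apple_Boot "Recovery HD" partition of HFS+ installs and the "Recovery"
# APFS volume of High Sierra and later.
find_recovery_partition() {
    awk '
        /Apple_Boot +Recovery HD/ || /APFS Volume +Recovery +/ { print $NF; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# report_recovery: human-readable wrapper with the same stdin and exit status.
report_recovery() {
    ids=$(find_recovery_partition) || {
        echo "no recovery partition found; Command-R has nothing to boot, try Internet Recovery (Command-Option-R)"
        return 1
    }
    echo "recovery partition present: $ids"
}

if command -v diskutil >/dev/null 2>&1; then
    diskutil list | report_recovery
else
    printf '%s' "$SAMPLE_HFS_WITH_RECOVERY" | report_recovery
    printf '%s' "$SAMPLE_HFS_NO_RECOVERY" | report_recovery || true
    printf '%s' "$SAMPLE_APFS" | report_recovery
fi
```

The Recovery HD partition is deliberately hidden from the Disk Utility window, which is why the poster does not see it there, while `diskutil list` shows it as a small `Apple_Boot` partition directly after the system volume. The APFS pattern is included because the poster is trying to move to High Sierra, where the recovery system becomes a volume named Recovery inside the APFS container instead. If neither shows up, Command-R has nothing to boot into and Internet Recovery is the remaining route, as the reply says.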
