I am not a Mac user, and honestly, I have no idea how to use one (besides the terminal). So, a friend asked if I could help them out with fixing their computer. She says the last thing she was on was some website with "free movies", and she must've been clicking something. We can get into recovery mode and we can go on the guest user, but not on the main user. Whenever you log in to the main user, it just shuts down.
Since I have a fair knowledge of Ubuntu, I thought I could just back up her files through a live USB (not store them on the live USB, but on an external hard drive) and reinstall OS X. I booted into the live USB, and there was no mounted hard drive, which was odd. I checked it, and figured it was encrypted, so I went on and installed libfvde on the live USB to see if I could hack the encrypted system open (had tried all kinds of other things before this), but I just could not do it.
So, what I want to do now is find out what is wrong, figure out if it can be fixed, and if not, back up the files and reinstall the OS. Thing is I don't know how to do it. Anything you guys can help with?
Best Answer
The best thing you can do is to create a new admin user and inspect the assaulted main user/the system.
Boot to Recovery Mode (hold cmd-R while booting).
Unlock and mount the main encrypted volume either with Disk Utility or Terminal:
Get the name of the main volume (usually it's the last one of the many):
The name of the encrypted main volume is also visible if you enter
diskutil cs list
again. Example:
Change the working directory (here I assume the main volume name is "Macintosh HD"):
List all files:
Remove the file .AppleSetupDone
Check if the file was deleted:
Reboot the Mac. After rebooting you will be asked to unlock the encrypted volume. Enter the password even if it is the one for the only configured user.
After booting has finished you will be asked to set up your Mac. After configuring locales, create a new admin user. Log in as the new admin user.
Now you may either back up the data of the infected main user, or you can inspect login items, launch agents of the user, or system-wide launch agents/daemons.
You may also install an anti-malware solution like Anti-Malware for Mac and check for an infection.
Report back if you can't find a culprit.
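For the inspection step in the answer above (launch agents of the user and system-wide launch agents/daemons), the following is an added example, not part of the original answer: a shell sketch that lists launchd property lists changed recently and shows what each one starts. The function names and the day window are assumptions made for illustration; the directories are the standard macOS launchd locations.

```shell
#!/bin/sh
# Added example (not from the original answer). Run from the new admin account.
# Assumption: "recent" means modified within DAYS days; pick a window that
# covers the date the problem started.

# recent_launch_items ROOT USER_HOME DAYS
#   ROOT is "/" on the running system, or a mount point such as
#   "/Volumes/Macintosh HD" when looking at the volume from Recovery Mode.
#   USER_HOME is the full path to the affected user's home directory.
recent_launch_items() {
    root=${1%/}; user_home=$2; days=$3
    for dir in \
        "$user_home/Library/LaunchAgents" \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons"
    do
        [ -d "$dir" ] || continue          # a user may have no LaunchAgents folder
        find "$dir" -type f -name '*.plist' -mtime "-$days" -print
    done
}

# launch_target PLIST
#   Print the first <string> after the Program or ProgramArguments key, i.e.
#   the executable launchd will start. Works on XML plists written one element
#   per line; convert binary plists first with: plutil -convert xml1 -o - FILE
launch_target() {
    awk '
        /<key>Program(Arguments)?<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# report ROOT USER_HOME DAYS: one line per recent item, "plist<TAB>executable".
report() {
    recent_launch_items "$@" | while IFS= read -r plist; do
        printf '%s\t%s\n' "$plist" "$(launch_target "$plist")"
    done
}

# Usage (hypothetical user name): report / /Users/mainuser 14
```

An item whose executable sits in a hidden folder, a temporary directory or the user's home, and whose modification date matches the day the trouble began, is the first thing to look at.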