macOS – Fix Mac Turning Off When Logging into Main User

encryption, macos, malware, recovery

I am not a Mac user, and honestly, I have no idea how to use one (besides the terminal). So, a friend asked if I could help them out with fixing their computer. She says the last thing she was on was some website with "free movies", and she must've been clicking something. We can get into recovery mode and we can log on as the guest user, but not as the main user. Whenever you log in to the main user, it just shuts down.

Since I have a fair knowledge of Ubuntu, I thought I could just back up her files through a live USB (not store them on the live USB, but on an external hard drive) and reinstall OS X. I booted into the live USB, and there was no mounted hard drive, which was odd. I checked it and figured it was encrypted, so I went on and installed libfvde on the live USB to see if I could hack the encrypted system open (I had tried all kinds of other things before this), but I just could not do it.

So, what I want to do now is find out what is wrong, figure out if it can be fixed, and if not, back up the files and reinstall the OS. The thing is, I don't know how to do it. Is there anything you guys can help with?

Best Answer

The best thing you can do is create a new admin user and inspect the compromised main user account and the system.


Boot to Recovery Mode (hold Cmd+R while booting).

Unlock and mount the main encrypted volume either with Disk Utility or Terminal:

# list all CoreStorage items
diskutil cs list
# unlock the locked Logical Volume (replace lvUUID with the UUID found above;
# usually it is the last one listed and looks similar to 21019876-ABA9-5678-1234-123453789012)
diskutil cs unlockVolume lvUUID

Get the name of the main volume (usually it's the last one of the many):

df

The name of the encrypted main volume is also visible if you enter diskutil cs list again. Example:

    ...
    +-> Logical Volume 21019876-ABA9-5678-1234-123453789012
        ---------------------------------------------------
        Disk:                  disk16
        Status:                Online
        Size (Total):          1106191572992 B (1.1 TB)
        Conversion Progress:   -none-
        Revertible:            Yes (unlock and decryption required)
        LV Name:               Macintosh HD
  --->  Volume Name:           Macintosh HD
        Content Hint:          Apple_HFS

Change the working directory (here I assume the main volume name is "Macintosh HD"):

cd /Volumes/Macintosh\ HD/var/db

List all files:

ls -laO

Remove the file .AppleSetupDone

rm .AppleSetupDone

Check if the file was deleted:

ls -laO

Reboot the Mac. After rebooting you will be asked to unlock the encrypted volume. Enter the password even if it is the one for the only configured user.

After booting has finished you will be asked to set up your Mac. After configuring locales, create a new admin user. Log in as the new admin user.

Now you can either back up the data of the infected main user, or inspect login items, the user's launch agents, and the system-wide launch agents/daemons.

You may also install an anti-malware solution like Anti-Malware for Mac and check for an infection.


Report back if you can't find a culprit.
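A small triage helper for the last step of the answer above (inspecting the user's launch agents and the system-wide launch agents/daemons once you are logged in as the new admin user). This is an added example, not code from the answer or from Apple. It assumes the volume is reachable under the root you pass in (`/` from the new admin login, or `/Volumes/Macintosh HD` from Recovery if a python3 is available there; the one installed with the Xcode Command Line Tools is enough on the live system), that the suspect user's home is `<root>/Users/<user>`, and that the file name `launchd_triage.py` is just what it is saved as. The `build_sample_volume` fixture and its three plists are constructed sample data, not anything observed on a real machine. The checks are ordinary persistence-triage heuristics chosen around the shutdown-on-login symptom from the question: a job that runs from a temporary or hidden path, a root daemon whose binary lives in a user's home, a Label that does not match the file name, an executable that no longer exists, and a RunAtLoad job whose command line mentions shutting down. Login items are not covered here; check those under Users & Groups in System Preferences.

```python
# Added example (not from the original answer): triage launchd persistence on a
# mounted macOS volume. Usage: python3 launchd_triage.py "/Volumes/Macintosh HD" alice
# Assumes the suspect user's home is <root>/Users/<user>.
import os
import plistlib
import sys
import tempfile

SYSTEM_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")  # daemons run as root
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
SHUTDOWN_WORDS = ("shutdown", "shut down", "halt", "reboot", "osascript")  # the question's symptom

def load_jobs(root, user):
    # Yield (plist_path, is_daemon, job_dict) for every file in the launchd directories
    places = [(os.path.join(root, d), d.endswith("LaunchDaemons")) for d in SYSTEM_DIRS]
    places.append((os.path.join(root, "Users", user, "Library", "LaunchAgents"), False))
    for directory, is_daemon in places:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
            except Exception as exc:  # not a plist: flag it rather than skip it
                job = {"_error": str(exc)}
            if not isinstance(job, dict):
                job = {"_error": "top-level plist object is not a dictionary"}
            yield path, is_daemon, job

def reasons_for(root, path, is_daemon, job):
    # Reasons this job deserves a closer look; an empty list means it looks ordinary
    if "_error" in job:
        return ["unparseable plist: " + job["_error"]]
    reasons = []
    name = os.path.basename(path)
    label = job.get("Label")
    if label and name != label + ".plist":
        reasons.append("Label %r does not match the file name" % label)
    # Executable launchd would run: Program, else ProgramArguments[0]
    args = [str(a) for a in job.get("ProgramArguments") or []]
    prog = str(job["Program"]) if job.get("Program") else (args[0] if args else None)
    if prog is None:
        return reasons + ["no Program or ProgramArguments"]
    if prog.startswith(TEMP_PREFIXES):
        reasons.append("runs from a temporary or shared directory: " + prog)
    if any(part.startswith(".") for part in prog.split("/")[1:]):
        reasons.append("hidden path component in executable path: " + prog)
    if is_daemon and prog.startswith("/Users/"):
        reasons.append("root daemon runs a user-writable binary: " + prog)
    if not os.path.exists(os.path.join(root, prog.lstrip("/"))):
        reasons.append("executable not present on the volume: " + prog)
    hits = [w for w in SHUTDOWN_WORDS if w in " ".join(args or [prog]).lower()]
    if hits and job.get("RunAtLoad"):
        reasons.append("runs at load and its command line mentions " + ", ".join(hits))
    return reasons

def triage(root, user):
    # Map plist path (relative to root) -> reasons, only for jobs with at least one reason
    findings = {}
    for path, is_daemon, job in load_jobs(root, user):
        reasons = reasons_for(root, path, is_daemon, job)
        if reasons:
            findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_volume(root, user="alice"):
    # Constructed sample data, not from a real machine: one ordinary vendor agent
    # plus two jobs that should be flagged
    def write(relpath, job=None):
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            if job is not None:
                plistlib.dump(job, fh)
    write("bin/sh")
    write("Applications/Example.app/Contents/MacOS/updater")
    write("Library/LaunchAgents/com.example.updater.plist", {
        "Label": "com.example.updater", "RunAtLoad": True,
        "Program": "/Applications/Example.app/Contents/MacOS/updater"})
    # User agent that shuts the session down as soon as the user logs in
    write("Users/%s/Library/LaunchAgents/com.apple.systemupdate.plist" % user, {
        "Label": "com.apple.sysupdate", "RunAtLoad": True,
        "ProgramArguments": ["/bin/sh", "-c",
                             "osascript -e 'tell application \"System Events\" to shut down'"]})
    # Root daemon whose binary sits in a hidden folder under the user's home
    write("Library/LaunchDaemons/com.update.helper.plist", {
        "Label": "com.update.helper", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/Users/%s/Library/Application Support/.cache/helper" % user, "--daemon"]})

def demo():
    # Run the triage over the constructed sample volume and return the findings
    root = tempfile.mkdtemp(prefix="launchd-triage-")
    build_sample_volume(root, "alice")
    return triage(root, "alice")

if __name__ == "__main__":
    results = triage(sys.argv[1], sys.argv[2]) if len(sys.argv) >= 3 else demo()
    for path, reasons in results.items():
        print(path)
        for reason in reasons:
            print("  - " + reason)
```

Run without arguments it triages the constructed sample volume and prints two findings (the user agent and the root daemon); with a root and a user name it walks the real directories. Anything it flags is a lead, not a verdict: look at the plist and the binary it points to before deleting, and keep a copy of both for the backup so the cause can still be identified later. A job it does not flag can still be malicious, so the listing is a starting point for the manual inspection the answer recommends, not a replacement for it.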