Logging in to main user turns off the Mac

The best thing you can do is to create a new admin user and inspect the assaulted main user/the system.


Boot to Recovery Mode (hold Cmd-R while booting).

Unlock and mount the main encrypted volume either with Disk Utility or Terminal:

    # list all CoreStorage items
    diskutil cs list
    # unlock the locked Logical Volume (replace lvUUID with the UUID found above; usually it's the last one listed and looks similar to this one: 21019876-ABA9-5678-1234-123453789012)
    diskutil cs unlockVolume lvUUID

Get the name of the main volume (usually it's the last one of the many):

    df

The name of the encrypted main volume is also visible if you enter `diskutil cs list` again. Example:

    ...
    +-> Logical Volume 21019876-ABA9-5678-1234-123453789012
        ---------------------------------------------------
        Disk:                  disk16
        Status:                Online
        Size (Total):          1106191572992 B (1.1 TB)
        Conversion Progress:   -none-
        Revertible:            Yes (unlock and decryption required)
        LV Name:               Macintosh HD
  --->  Volume Name:           Macintosh HD
        Content Hint:          Apple_HFS

Change the working directory (here I assume the main volume name is "Macintosh HD"):

    cd /Volumes/Macintosh\ HD/var/db

List all files:

    ls -laO

Remove the file .AppleSetupDone:

    rm .AppleSetupDone

Check if the file was deleted:

    ls -laO

Reboot the Mac. After rebooting you will be asked to unlock the encrypted volume. Enter the password even if it is the one for the only configured user.

After booting has finished you will be asked to set up your Mac. After configuring locales, create a new admin user. Log in as the new admin user.

Now you may either back up the data of the infected main user or inspect login items, launch agents of the user, or system-wide launch agents/daemons.

You may also install an anti-malware solution like Anti-Malware for Mac and check for an infection.


Report back if you can't find a culprit.
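
An added example, not part of the original answer: one way to do the launch agent/daemon inspection from the new admin account is to list every launchd plist for the affected user and system-wide, and mark the ones that mention a power-off command. The function names, the word list in `SUSPECT_RE`, the user name `alice` and the sample plists are constructed for illustration; a match is only a reason to read that plist, not proof of an infection.

```shell
#!/bin/sh
# Added example: flag launchd jobs that reference power-off style commands.
# SUSPECT_RE is an assumed starting word list, not a complete detection rule.
SUSPECT_RE='shutdown|halt|poweroff|pmset|osascript'

# scan_launchd ROOT USER: ROOT is "/" on the running system or a mounted volume.
scan_launchd() {
    root=${1%/}
    for dir in "$root/Users/$2/Library/LaunchAgents" \
               "$root/Library/LaunchAgents" \
               "$root/Library/LaunchDaemons"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            # Binary plists are converted with plutil (macOS); otherwise read as text.
            text=$(plutil -convert xml1 -o - "$plist" 2>/dev/null) || text=$(cat "$plist")
            if printf '%s\n' "$text" | grep -Eqw "$SUSPECT_RE"; then
                echo "SUSPECT $plist"
            else
                echo "OK $plist"
            fi
        done
    done
}

# make_sample DIR: builds a constructed two-plist tree for trying the scan offline.
make_sample() {
    mkdir -p "$1/Users/alice/Library/LaunchAgents" "$1/Library/LaunchDaemons"
    cat > "$1/Users/alice/Library/LaunchAgents/com.example.off.plist" <<'EOF'
<plist version="1.0"><dict>
<key>Label</key><string>com.example.off</string>
<key>ProgramArguments</key><array><string>/sbin/shutdown</string></array>
</dict></plist>
EOF
    cat > "$1/Library/LaunchDaemons/com.example.sync.plist" <<'EOF'
<plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/sync-tool</string></array>
</dict></plist>
EOF
}

# Usage: sh scan.sh ROOT USER   (run with sudo to read another user's Library)
if [ $# -ge 2 ]; then
    scan_launchd "$1" "$2"
fi
```

Login items are not stored as launchd plists, so they still have to be checked separately in the affected user's settings.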