Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Why is wiped and reset MBP constantly asking for Keychain passwords?


  • Please log in to reply
23 replies to this topic

#1 BustedFlush

BustedFlush

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 11 April 2017 - 07:58 AM

Why would a wiped MBP need to ask for these? Was it not wiped fully? 

 



BC AdBot (Login to Remove)

 


#2 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:53 PM

Posted 11 April 2017 - 09:14 PM

Why would a wiped MBP need to ask for these? Was it not wiped fully?


What specific steps did you do to wipe the MBP? Have you migrated in old apps and/or data from a backup or other Mac after the wipe?

Are you sure it is not an AppleID password it is asking for? I don't want imply a mistake on your part, but just checking if that might be a possibility. If you used the recovery partition on the MBP to wipe and then re-install the macOS and it is NOT the macOS version that originally shipped with the MBP (i.e. you have updated it using the App Store to a new major macOS version...i.e. updated from say Mavericks to El Capitan), then it will ask for the AppleID associated with the "purchase" of the macOS update (i.e. the AppleID used in the App Store when you "bought" the macOS upgrade), I believe.

If the Mac was completely wiped and you did not migrate any old data to it after the wipe, then I cannot see why it would ask for a keychain password. About the only other variable might be FileVault, but I would assume you would have to deal with that BEFORE you wiped the Mac...but then I have never really messed with FileVault.

#3 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 12 April 2017 - 01:20 AM

Hi, thanks for the reply Smax.

 

I don't think it's asking for the AppleID - the messages I get are from AssistantD and Commcentre. Re the wiping, I took it to the Apple shop and the tech guy did it. Everything was seemingly wiped, no programs left on it, and I downloaded new OS. I had FileVault on previously (pre wipe), but since then I just checked and it's 'off'. 

 

I'm not that savvy with these things, but don't see why it would be asking for old passwords if it was wiped. Surely the previous passwords would be long gone at that point. 


Edited by BustedFlush, 12 April 2017 - 01:21 AM.


#4 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:53 PM

Posted 12 April 2017 - 02:08 AM

If you have not restored any files or applications from a backup or used Migration Assistant to "migrate" them back in, then I don't know why it would asking for a keychain password. All references to the previous keychain should have been nuked with the wipe, if it was truly wiped. In this kind of scenario, about the only thing I could think of is if the keychain associated with the NEW user account that you created after the wipe somehow got corrupted. If so, you might try opening up Keychain Access (in the Application folder inside the Utilities folder) and running the Keychain First Aid under the Keychain Access menu.

If you did restore old files/programs either from a backup or by way of Migration Assistant, then that would make more sense. Again you could try the First Aid option.

Or you could just try what is suggested here:

https://support.apple.com/en-us/HT201609

#5 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 12 April 2017 - 04:30 AM

Thanks Smax,

 

Leads me to assume that the tech guy in the shop did not do a full wipe. I did not do any back ups. I checked all apps, and there is something called 'citrux online launcher' on there which says last accessed January, and MalwareBytes from December, but I took the MacBook to be wiped in around 4 weeks ago. What I don't understand is how everything else appears to be wiped, it had to go through the whole new set up from scratch procedure, but these two would still be there :(

 

Everything else is still gone. Could it be that because I have since downloaded MalwareBytes that this shows previous downloads? 

 

Really am pissed off with this tech guy, I suspect there may have been a security breach on my router so wanted to wipe and start again. He said he did, I even bought him a bottle of wine for his trouble. If he's just done a half assed job and then lied, I'm really dissatisfied. 

 

What I don't get, is why do what appears to be a total wipe, but still there's two programs left? Sorry, I'm not very tech aware, but this is all very confusing to me. Is CitruxLauncher something to be concerned about? 


Edited by BustedFlush, 12 April 2017 - 04:32 AM.


#6 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:53 PM

Posted 12 April 2017 - 08:56 AM

Thanks Smax,
 
Leads me to assume that the tech guy in the shop did not do a full wipe. I did not do any back ups. I checked all apps, and there is something called 'citrux online launcher' on there which says last accessed January, and MalwareBytes from December, but I took the MacBook to be wiped in around 4 weeks ago.


How are you determining when these apps would last "accessed"? Is it a date that shows up in the Finder? If so, then I believe the only options are Date Added, Date Modified, Date Last Opened, and Date Created. Date Created and Date Modified for applications are both dates that should predate when the application was installed on your computer, while Date Added for an application should correspond to the date the program was installed on the computer or the last time it was updated (which is typically kind of equivalent to installing it again). Date Last Opened would be closest to what I would consider what you might be calling "accessed", but it is possible too that it could also predate installation on your computer depending on how it was installed (many Mac apps can just be copied from one computer to another without needing an installer, so it is possible that if the program was opened on the other computer that date might carry over...I don't really know...never tested it). Date Added would be the best date to look at for the application. That will be the date that application was installed or copied to the hard drive of the computer.

What I don't understand is how everything else appears to be wiped, it had to go through the whole new set up from scratch procedure, but these two would still be there :(


What do you mean by "whole new set up from scratch procedure"? Do you mean that you got the "Welcome to Mac" type screen then picked a language, etc? If so, then it seems it would have been effectively truly wiped. The only way I know to get ride of all user accounts and get back to the "Welcome to Mac" types screen, etc is to wipe the hard drive and then reinstall the OS.

One possible way to kind of wipe the computer is to just nuke user accounts. If this route was taken, then more than likely any application that you have previously installed would still be there UNLESS the person manually removed all the applications (and just missed the Citrix and Malwarebytes apps). And this method would still have at least one user account setup.

The only way to that old applications and data could remain is if the person did not actually wipe the drive prior to the reinstallation of the OS. I am not sure, however, how easy this option is to do anymore. It used to be easy to do with the Install and Archive option when installing the macOS. I am not sure that Sierra still offers that option, however (I have not updated to Sierra myself...yet). And I am honestly no sure what would happen using the reinstall option from the recovery partition if the drive was not wiped first...in other words, I don't know if would wipe everything and do a clean install without the user first wiping the drive with Disk Utility or if it would in effect just reinstall all the OS files, but leave all applications and data in place...I have never tried this myself. If it was the latter, then you would still have all your previously installed apps and data on the drive, so it seems unlikely to be the case if all that is gone.
 

Everything else is still gone. Could it be that because I have since downloaded MalwareBytes that this shows previous downloads?


If you downloaded Malwarebytes, then see the above part about dates listed in the Finder. The key date for it (and the Citrix) application, as noted, would be the Date Added entry. 
 

Really am pissed off with this tech guy, I suspect there may have been a security breach on my router so wanted to wipe and start again. He said he did, I even bought him a bottle of wine for his trouble. If he's just done a half assed job and then lied, I'm really dissatisfied.


Don't jump the gun to fast. As I noted above, it is possible that you might be interpreting a date listed in the Finder incorrectly. And thus, it is possible that it was truly wiped and you are just having a corruption issue with the keychain. Once we figure out more, things hopefully will become clearer and we can determine if you should be pissed off or not.
 

What I don't get, is why do what appears to be a total wipe, but still there's two programs left? Sorry, I'm not very tech aware, but this is all very confusing to me. Is CitruxLauncher something to be concerned about?


Is it "citrux" or "citrix"?

If it is the latter, that is a likely a legitimate program. Citrix is a virtualization system that allows user to log into a server to run a full Windows (or potentially other OS) virtually in a browser. One of my past employers used it. It basically allowed them to have PCs be a "dumb" terminal and had Windows running on the remote server. It make IT's job easier in may ways as they did not need to install Word, Excel, etc on all the local computer and have to them update all those local computers...and it also allowed them to have fewer licenses of such programs. Now, why it is installed on your computer might be the bigger mystery unless you use it for work or some other reason. It is not a commonly installed program for your run of the mill user.

If it is former, then that is more likely to be a possible bad program as I am not aware of any such program and a Google search did not turn up anything (just a thing from Google say "are you sure it is not citrix?").

#7 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 03 May 2017 - 06:40 AM

Hi Smax, 

 

Thanks for your reply - sorry I must have missed it, so apologies for late response. Yes the Mac was back to the 'pick a language' setting, so can only conclude was done in entirety. I still get the Keychain messages all the time, at this point I just live with them, and click cancel about a dozen times and they disappear for ten mins or so. Its a pain, but I am really not up to working out how to deal with it properly, and I suppose it's something I can live with. 

 

Re Citrux / Citrix, I can't remember at this point, though I did have an issue with Audible books, and at the Helpdesk the person used a remote access (getting control of my mouse) to put it right. maybe it was something that had to be installed for that. 

 

I still don't understand how a wiped Mac would get the Keychain messages, but such is my lacking of tech skills, and general feeling of resignation with all things IT, I think I'll just carry on with things as they are. Other than that the Mac seems to function fine.

 

One thing though, do you think the Keychain messages could conceivably be a hangover from the Mac being hacked? My knowledge of these things is pretty basic, so I guess I'm clutching at straws.

 

Thanks again. 



#8 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:53 PM

Posted 03 May 2017 - 07:26 PM

Hi Smax, 
 
Thanks for your reply - sorry I must have missed it, so apologies for late response.


No problem.

Yes the Mac was back to the 'pick a language' setting, so can only conclude was done in entirety. I still get the Keychain messages all the time, at this point I just live with them, and click cancel about a dozen times and they disappear for ten mins or so. Its a pain, but I am really not up to working out how to deal with it properly, and I suppose it's something I can live with.


That does sound like it was truly wiped.

As to dealing with the notices, have you looked at the link I provided above in post #4 of this topic? It provides some pretty straight forward instruction for both 1) if you know the old Keychain password on how to reset it; or 2) create a new login keychain (you have to follow a link on that page I link to and then scroll down a bit).

And have you tried running Keychain FirstAid as I described in that same post? It should be pretty straight forward to try.
 

Re Citrux / Citrix, I can't remember at this point, though I did have an issue with Audible books, and at the Helpdesk the person used a remote access (getting control of my mouse) to put it right. maybe it was something that had to be installed for that.


That would be a possibility. The whole basic concept of Citrix is remotely logging into another computer, but it is more aimed at logging into a business server to run a remote desktop to run applications. And I don't know if they do/offer just remote access options for helpdesk type stuff. 
 

I still don't understand how a wiped Mac would get the Keychain messages, but such is my lacking of tech skills, and general feeling of resignation with all things IT, I think I'll just carry on with things as they are. Other than that the Mac seems to function fine.


I honestly don't know either. If it was wiped, then I don't know how a keychain would still be there unless it is some bug. Other than try the stuff I mentioned above (i.e. check out the link), the only other thing that I can thing to try is to make an appointment at an Apple Store and take it in for them to look at (this assumes you have an Apple Store reasonably close to you). You could also try contacting Apple Support by chat (there is a link for contacting Apple Support at the bottom of the page that I linked to in post #4), but I don't know if you can get free support that way if you don't have current AppleCare support...but worth a try. Other option is to try posting the forums on Apple's support site. Since there are rather few Mac users on this site, you chances of having someone have the same problem you have had being on this site are lower. Since EVERYONE on the forums on the Apple site are all Apple users, you have a much better chance that someone might have encountered the same problem.
 

One thing though, do you think the Keychain messages could conceivably be a hangover from the Mac being hacked? My knowledge of these things is pretty basic, so I guess I'm clutching at straws.
 
Thanks again.


Doubtful, but I cannot 100% rule it out. The reality is that there is not a lot of Mac malware out in the wild, so your odds of actually encountering something is pretty low. And the most current versions of the macOS have pretty strong protections built into the OS. Which macOS version are you running?

If you are concerned, then at a minimum you can run a Malwarebyte Antimalware scan and get an install a Mac antivirus program (there are free options as well as paid options...I use Intego's VirusBarrier on my Macs).

If you are still concerned, then you could try posting to the "Am I Infected?" forum on this site. They might be able to help alleviate your concerns.

#9 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 04 May 2017 - 12:27 PM

Thanks Smax, I'll give those links a go. The thing I don't understand is that prior to the recent Wiping, I'd never once seen a prompt for Keychain, or even encountered it. Soon as I restarted it after having it wiped, it kicked in. I'd never set a 'keychain password', or used one that I'm aware of. The whole thing has been extremely confusing and tiring frankly. I am an unreconstructed Luddite, and this sort of thing just makes me more entrenched in my views on it all. Thanks again!



#10 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:53 PM

Posted 04 May 2017 - 10:43 PM

By default, the Keychain password is the same as your account password. So, in the past, when you entered the password for your account, you were also entering the password for your Keychain.

Under normal circumstances, the only way the Keychain password would end up different than your account password is if 1) you manually chained the Keychain password to something that does not match your account password; 2) create new or additional keychain (i.e. somethings saved to a different Keychain that does not have the same password as your account while somethings are saved to the default Keychain; or 3) something goes wrong with the Keychain (i.e. it gets corrupted) or you encounter some sort of bug.

In this case, it is not quite normal. For some reason, with the newly wiped Mac and a newly setup account, you apparently have either a default Keychain that has a different password than your account password or you have a second Keychain that is asking for a password. I just don't know which or why it happened. Theoretically, with a wiped Mac set up and new, you should have no issues with Keychain (unless there was an old Keychain imported in from a backup, which you have said cannot be the case). So, either an old Keychain somehow remained after the wipe (I have no clue how) or your default Keychain for the new account is corrupted or some bug created another Keychain.

So, try the First Aid option first. If that does not work, then try creating a new Keychain. If you don't have anything critical in the old Keychain, then creating a new Keychain should be fine and then removing the old Keychain.

#11 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 09 May 2017 - 08:24 AM

Thanks Smax, 

 

Edit ! Finally I think I've done it. I just needed to create a new keychain. I'm such a dope, that I didn't see that option in the Keychain Access folder, until I made the screen full size.

 

Really appreciate the time you spent helping me with this Smax, much obliged, and all the best!


Edited by BustedFlush, 09 May 2017 - 01:07 PM.


#12 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 09 May 2017 - 02:57 PM

Oh for the love of god... Spoke to soon, it's back!!! Oh well...



#13 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,097 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:02:53 PM

Posted 09 May 2017 - 07:28 PM

What OS is your MBP? 

 

Back up all your data and reset your MBP yourself. There should be no more keychain password prompts.

I can give you further instructions on how to reset it if I know the OS.


Edited by iMacg3, 09 May 2017 - 07:30 PM.

Regards, iMacg3

"Do, or do not. There is no try." - Yoda

#14 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:53 PM

Posted 10 May 2017 - 03:40 AM

OS Sierra 10.12.4

 

Been thinking, is it likely that the Mac was wiped, then the IT guy set a proxy password, then when he reset it and I entered a new one, the keychain got 'confused' and thats why it keeps asking me? I just can't understand why else a wiped Mac would do so. 



#15 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,097 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:02:53 PM

Posted 10 May 2017 - 08:41 AM

These are instructions for wiping your Mac yourself. You should get no more keychain prompts.

 

Back up ALL your data, including documents, pictures, etc.

 

Click on the Apple logo > Shut Down.

Shut down your MBP. Turn your MBP on with the power button and immediately press Shift+Option+Command+R.

Release the keys when you see a spinning globe or Apple logo.

You should now see the macOS Utilities window. Click Reinstall macOS. 

Follow the onscreen prompts to connect to the Internet and enter your Apple ID.

If you get an Unavailable popup, stop there and post a reply in this forum topic.

If you enter your Apple ID and you do not get a pop-up that says "This item is unavailable" immediately get out of the installer.

Go back to the macOS Utilities screen and select Disk Utility.

Select your Startup disk, not the volume name.

Click the Erase tab/button. Enter the name of the disk partition (for example, Mac HD), Format (choose Mac OS Extended, Journaled), and then Scheme (if available). Choose GUID Partition Map.

Click Erase to start erasing the disk.

Once done, quit Disk Utility and go back to the Utilities section. Click Reinstall macOS and then start reinstalling your OS from scratch!


Regards, iMacg3

"Do, or do not. There is no try." - Yoda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users