Apple - Logging in to main user turns off the mac
The best thing you can do is to create a new admin user and inspect the assaulted main user/the system.
Boot to Recovery Mode (hold Cmd-R while booting).
Unlock and mount the main encrypted volume either with Disk Utility or Terminal:
#list all CoreStorage items
diskutil cs list
#unlock the locked Logical Volume (replace lvUUID by the UUID found above. Usually it's the last one listed and looks similar to this one: 21019876-ABA9-5678-1234-123453789012!)
diskutil cs unlockVolume lvUUID
Get the name of the main volume (usually it's the last one of the many):
df
The name of the encrypted main volume is also visible if you enter diskutil cs list again. Example:
...
+-> Logical Volume 21019876-ABA9-5678-1234-123453789012
---------------------------------------------------
Disk: disk16
Status: Online
Size (Total): 1106191572992 B (1.1 TB)
Conversion Progress: -none-
Revertible: Yes (unlock and decryption required)
LV Name: Macintosh HD
---> Volume Name: Macintosh HD
Content Hint: Apple_HFS
Change the working directory (here I assume the main volume name is "Macintosh HD"):
cd /Volumes/Macintosh\ HD/var/db
List all files:
ls -laO
Remove the file .AppleSetupDone
rm .AppleSetupDone
Check if the file was deleted:
ls -laO
Reboot the Mac. After rebooting you will be asked to unlock the encrypted volume. Enter the password even if it is the one for the only configured user.
After booting has finished you will be asked to set up your Mac. After configuring locales, create a new admin user. Log in as the new admin user.
Now you may either back up the data of the infected main user, or you can inspect login items, launch agents of the user or system-wide launch agents/daemons.
You may also install an anti-malware solution like Anti-Malware for Mac and check for an infection.
Report back if you can't find a culprit.
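
One way to do the launch agent/daemon inspection from the new admin account, as an added example that is not part of the original answer. AFFECTED_USER is a placeholder for the main user's short name, and the keyword list is a heuristic assumed here for the "Mac turns off" symptom; login items are not covered by this script.

```sh
#!/bin/sh
# Added example: list launchd job definitions so they can be reviewed by hand.
# Assumption: set AFFECTED_USER to the main user's short name (placeholder).

# Print a plist as XML text. On macOS plutil also converts binary plists;
# where plutil is absent, fall back to cat (XML plists only).
plist_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null
    else
        cat "$1"
    fi
}

# For every *.plist in a directory print: FLAG <tab> path <tab> its <string> values.
# FLAG is REVIEW when a value names a power or scripting command (heuristic).
scan_launchd_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        strings=$(plist_xml "$f" \
            | sed -n 's:.*<string>\(.*\)</string>.*:\1:p' | tr '\n' ' ')
        flag=ok
        if printf '%s' "$strings" \
            | grep -Eq '(^|[ /])(shutdown|halt|reboot|pmset|osascript)( |$)'; then
            flag=REVIEW
        fi
        printf '%s\t%s\t%s\n' "$flag" "$f" "$strings"
    done
}

# Scan the user's own launch agents, then the system-wide locations.
scan_all() {
    user_home=$1
    scan_launchd_dir "$user_home/Library/LaunchAgents"
    scan_launchd_dir /Library/LaunchAgents
    scan_launchd_dir /Library/LaunchDaemons
}

# Runs only when AFFECTED_USER is set, e.g. AFFECTED_USER=name sh scan.sh
if [ -n "${AFFECTED_USER:-}" ]; then
    scan_all "/Users/$AFFECTED_USER"
fi
```

Run it with sudo so the other user's Library folder is readable. A REVIEW line is only a pointer to a plist worth opening, and an ok line is not proof that the job is harmless.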