Was almost scammed, and want to check if detritus was left behind. "Default Apps" in Settings—cannot be removed.

Running Sonoma 14.2 on a Retina 4k Mac 2019. Two concerns:


  1. Yesterday I was almost taken in by a scam and stupidly shared my desktop with the guy. I cut him off after 5 minutes, and am now trying to see if he left anything behind. I've removed the screen-sharing software he had me download, but have read in the community that: 1) anti-virus/malware scanners, like Malwarebytes, aren't that effective (I had it years ago and removed it), and 2) that anti-virus software, like Bitdefender, doesn't add further protection beyond what the Mac already provides. Is this true?


  2. In my Settings pane, there is something I don't recognize, "DefaultApps", and when I try to remove it by right-clicking, I get an alert that says "The file 'RCDefaultApp.prefPane' doesn't exist." (See screenshot.) What is this and how can I remove it?


Are there any steps I can take to see if the scammer left anything behind?


Thank you.


iMac 21.5″, 14.3

Posted on Feb 3, 2024 8:27 AM


6 replies

Feb 3, 2024 12:47 PM in response to gkgraphics

Safe mode - This computer is running in Safe Mode.


Don't run EtreCheck in Safe Mode. There's nothing wrong with Safe Mode, but potentially malicious apps or processes are not active in that mode. Restart your Mac normally, run it again, and post a new report.


Having said that, not even EtreCheck can provide absolute assurance of the absence of malware, Trojans, or various intrusions. Nothing can, so don't even look for something claiming that ability (such as the example you cited). The best EtreCheck or anything else might be able to accomplish is to identify the presence of something malicious — which might just exist as a distraction for something else more difficult to find.


This is the reason MrHoffman's recommendation is the only truly valid one:


Roll in your most recent backup from prior to the exploit, and change all your passwords including those associated with your password reset paths. Five minutes is a whole lot of time for a prepared attacker to upload sensitive data, if not also to install exploits.



Feb 3, 2024 11:21 AM in response to gkgraphics

Nothing stands out from your EtreCheck report, which is good. The major issue it shows is high CPU usage, and the one that was identified was XProtectRemediatorWaterNet. This is an Apple process that will run in the background at times and is not unusual. As for the minor concerns, it does show some crashing/hanging issues that are identified as Safari. In that case, I would review any Extensions you have installed at Safari > Settings > Extensions. If there are some there that you do not need, then remove them. By default there are no extensions installed on Safari. There are some orphan files which usually point to a file to launch, but the executable is missing. We can clean up some of those by following the steps below to post the screenshots of the file locations.


If you are no longer using the Transmit app, you can remove it from the Applications folder. It also contains a background process that will run when the computer is launched and if you do not use the app, then deleting it will also remove the background process.


Could you post a screenshot of these 5 locations by going to Finder > Go > Go to Folder and pasting each one there? I normally would not ask for the preferencePane locations, but since your specific question deals with that I would include it. Normally those 2 preferencePane folders are empty by default, so if you have nothing in there then you do not need to include the screenshots of those.

/Library/LaunchDaemons

/Library/LaunchAgents

~/Library/LaunchAgents

/Library/PreferencePanes

~/Library/PreferencePanes
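
The same five locations can also be listed from Terminal. The Python 3 script below is an added example, not part of the thread or of EtreCheck: it reads each launchd job file in the launch folders, reports the program it is set to start, and marks as "orphan" any job or preference pane whose target is missing. The function names and status labels are assumptions made for this example, and an "ok" result only means the target exists.

```python
import plistlib
import shutil
from pathlib import Path

# The five locations listed in the reply above.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
               "~/Library/LaunchAgents"]
PANE_DIRS = ["/Library/PreferencePanes", "~/Library/PreferencePanes"]


def check_job(plist_path):
    """Return (status, detail) for one launchd job plist (XML or binary)."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if program is None:
        return "no-program", str(job.get("Label"))
    # shutil.which() accepts a full path or a bare command name and
    # returns None when nothing executable is found there.
    status = "ok" if shutil.which(str(program)) else "orphan"
    return status, f"{job.get('Label')} -> {program}"


def audit(launch_dirs=LAUNCH_DIRS, pane_dirs=PANE_DIRS):
    """Return (status, path, detail) tuples for every item found."""
    findings = []
    for d in (Path(p).expanduser() for p in launch_dirs):
        for plist in sorted(d.glob("*.plist")) if d.is_dir() else []:
            try:
                status, detail = check_job(plist)
            except Exception as exc:  # malformed or unreadable plist
                status, detail = "unreadable", str(exc)
            findings.append((status, str(plist), detail))
    for d in (Path(p).expanduser() for p in pane_dirs):
        for pane in sorted(d.iterdir()) if d.is_dir() else []:
            # Assumption: a leftover pane is either a bundle or a symlink
            # whose target was deleted; exists() is False for the latter.
            status = "ok" if pane.exists() else "orphan"
            findings.append((status, str(pane), "preference pane"))
    return findings


if __name__ == "__main__":
    for status, path, detail in audit():
        print(f"{status:<11}{path}  ({detail})")
```
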
