
Q: detect recent installed unauthorized remote control applications

One day ago I allowed remote access control of my MacBook Pro (OS X 10.9.4) to a company pretending to be Apple Authorized Online Services. After discovering this was a scam I need to be sure that they didn't leave or install any app (hidden or not) and, if so, how to delete it to prevent them from accessing my Mac again.

 

It would also be helpful if there is a way to find out which information they may have accessed during the mentioned "session".

Thanks in advance for your help

MacBook Pro, OS X Mavericks (10.9.4)

Posted on Sep 5, 2014 2:03 PM

  • Old Toad, Level 10 (141,125 points), Sep 5, 2014 2:16 PM, in response to Wana1

    Download and run EtreCheck. Copy and paste the results into your reply. It's a diagnostic tool that was developed by one of the most respected users here in the ASC. It can help tell if there's any known malware or adware installed. Check out these pages, Adware Removal Guide and Mac Malware Guide, on this website: The Safe Mac.


  • Linc Davis (Helpful answer), Level 10 (207,973 points), Sep 5, 2014 2:21 PM, in response to Wana1

    If you know or suspect that a hostile intruder has either had physical access to it, or has been able to log in remotely, then there are some steps you should take to make sure that the computer is safe to use.

    First, depending on the circumstances, computer tampering may be a crime, a civil wrong, or both. If there's any chance that the matter will be the subject of legal action, then you should do nothing at all without consulting a lawyer or the police. The computer would be the principal evidence in such a case, and you don't want to contaminate that evidence.

    Running any kind of "anti-virus" software is pointless. If I broke into a system and wanted to leave a back door, I could do it in a way that would be undetectable by those means—and I don't pretend to any special skill as a hacker. You have to assume that any intruder can do the same. Commercial keylogging software—which has legitimate as well as illegitimate uses—won't be recognized as malware, because it's not malware.

    The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

    If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

    When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

    Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

    Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

    Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

    That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.
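As an added triage check that speaks to the original question (example code, not from the thread and not part of EtreCheck), the script below walks the standard launchd persistence directories and lists jobs whose plist was modified on or after the date of the remote session; the September 4, 2014 cutoff is the OP's date and the only page-specific value. It complements the EtreCheck report Old Toad asks for and does not replace the erase-and-restore procedure Linc Davis describes, since a capable intruder can persist in ways a file listing will not show.

```python
# Added example (not from the thread or EtreCheck): triage launchd persistence
# directories for jobs whose plist changed on or after the remote session date.
import os
import plistlib
from datetime import datetime, timezone

# Standard launchd locations on macOS; an intruder can write here without
# touching the OS itself, so these are the first places to look.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def describe_job(plist_path):
    """Return (label, program) from a launchd plist, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # missing, unreadable or malformed plist
        return None
    label = job.get("Label", os.path.basename(plist_path))
    program = job.get("Program")
    if program is None:
        args = job.get("ProgramArguments") or []
        program = args[0] if args else "<no program>"
    return label, program


def scan_launch_items(dirs, since):
    """List launchd jobs under `dirs` whose plist was modified at or after
    `since` (a timezone-aware datetime), newest first. Labels that do not
    start with com.apple. are marked third_party; that is a hint about where
    to look, not a verdict, since a label is just a string in the plist."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            described = describe_job(path)
            if mtime < since or described is None:
                continue
            label, program = described
            findings.append({
                "path": path, "label": label, "program": program,
                "modified": mtime,
                "third_party": not label.startswith("com.apple."),
            })
    findings.sort(key=lambda f: f["modified"], reverse=True)
    return findings


if __name__ == "__main__":
    # The thread's remote session took place on September 4, 2014; adjust the
    # cutoff to the date of the session you are investigating.
    cutoff = datetime(2014, 9, 4, tzinfo=timezone.utc)
    for f in scan_launch_items(LAUNCHD_DIRS, cutoff):
        kind = "THIRD-PARTY" if f["third_party"] else "apple"
        print(f"{f['modified']:%Y-%m-%d} {kind:11} {f['label']} -> {f['program']}")
```

Run it as the user whose account was exposed, then read the Program path of every flagged entry; unfamiliar paths under /tmp, /Users/Shared or an application you did not install are the ones to investigate.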

  • Wana1 (Solved answer), Level 1 (0 points), Sep 5, 2014 3:09 PM, in response to Linc Davis

    Thanks Linc Davis:

    I will follow your recommendations, so I'll be doing a System Restore using a backup I have from before September 4, the day I allowed that company to remotely access my Mac.

    I'll let you know how it went.

  • Wana1, Level 1 (0 points), Sep 5, 2014 8:45 PM, in response to Linc Davis

    To: Linc Davis:

    Just to let you know that after performing the "Restore the entire System" process everything is working fine on my Mac.

    Thanks for the peace of mind that I have now.

  • MerryMath, Level 1 (0 points), Jan 13, 2015 5:23 PM, in response to Old Toad

    I hope you are still checking this line of questions, etc. I ran EtreCheck and got only a red on Gatekeeper, which I reset. Everything else is black. Do I need to reload my operating system? What if I just upgrade to Yosemite? Can I just download Yosemite, install it and then copy my backup data?

  • Old Toad, Level 10 (141,125 points), Jan 13, 2015 5:37 PM, in response to MerryMath

    It's not only the red entries in the report that are important. Rerun Etrecheck and post the entire report.

    > What if I just upgrade to Yosemite? Can I just download Yosemite, install it and then copy my backup data?

    Yes with Migration Assistant.

  • MerryMath, Level 1 (0 points), Jan 13, 2015 6:29 PM, in response to Old Toad

    Here is the EtreCheck report:

    EtreCheck version: 2.1.5 (108)

    Report generated January 13, 2015 8:25:45 PM CST

     

    Click the [Support] links for help with non-Apple products.

    Click the [Details] links for more information about that line.

    Click the [Adware] links for help removing adware.

     

    Hardware Information: ℹ️

      MacBook Air (11-inch, Mid 2013) (Verified)

      MacBook Air - model: MacBookAir6,1

      1 1.3 GHz Intel Core i5 CPU: 2-core

      4 GB RAM

      BANK 0/DIMM0

      2 GB DDR3 1600 MHz ok

      BANK 1/DIMM0

      2 GB DDR3 1600 MHz ok

      Bluetooth: Good - Handoff/Airdrop2 supported

      Wireless:  en0: 802.11 a/b/g/n/ac

     

    Video Information: ℹ️

      Intel HD Graphics 5000 - VRAM: 1024 MB

      Color LCD 1366 x 768

     

    System Software: ℹ️

      OS X 10.8.5 (12F45) - Uptime: 5 days 8:39:30

     

    Disk Information: ℹ️

      APPLE SSD SD0256F disk0 : (251 GB)

      disk0s1 (disk0s1) <not mounted> : 210 MB

      Macintosh HD (disk0s2) / : 250.14 GB (190.70 GB free)

      Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

     

    USB Information: ℹ️

      SanDisk Firebird USB Flash Drive 16.01 GB

      LIL RED (disk3s1) /Volumes/LIL RED : 16.01 GB (8.37 GB free)

      Apple Inc. BRCM20702 Hub

      Apple Inc. Bluetooth USB Host Controller

     

    Thunderbolt Information: ℹ️

      Apple Inc. thunderbolt_bus

     

    Gatekeeper: ℹ️

      Mac App Store

     

    Kernel Extensions: ℹ️

      /System/Library/Extensions

      [not loaded] com.sony.driver.prs (1.0.1d1) [Support]

     

    Launch Agents: ℹ️

      [not loaded] com.sony.ReaderLibrary.RunReaderLibrary.plist [Support]

     

    Launch Daemons: ℹ️

      [loaded] com.adobe.fpsaud.plist [Support]

     

    User Login Items: ℹ️

      Garmin Express Service Application (/Applications/Garmin Express.app/Contents/Library/LoginItems/Garmin Express Service.app)

      iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

      Dropbox Application (/Applications/Dropbox.app)

      Reader Library Launcher ApplicationHidden (/Library/Reader Library/Reader Library Launcher.app)

     

    Internet Plug-ins: ℹ️

      Silverlight: Version: 5.1.20513.0 - SDK 10.6 [Support]

      FlashPlayer-10.6: Version: 16.0.0.235 - SDK 10.6 [Support]

      CouponPrinter-FireFox_v2: Version: 1.1.10 - SDK 10.6 [Support]

      Flash Player: Version: 16.0.0.235 - SDK 10.6 Mismatch! Adobe recommends 16.0.0.257

      JavaAppletPlugin: Version: 14.9.0 - SDK 10.7 Check version

      QuickTime Plugin: Version: 7.7.1

     

    Safari Extensions: ℹ️

      AdBlock [Installed]

     

    3rd Party Preference Panes: ℹ️

      Flash Player  [Support]

     

    Time Machine: ℹ️

      Time Machine not configured!

     

    Top Processes by CPU: ℹ️

          4% WindowServer

          2% WebProcess

          2% hidd

          2% SystemUIServer

          1% configd

     

    Top Processes by Memory: ℹ️

      314 MB firefox

      193 MB Finder

      180 MB Safari

      125 MB WebProcess

      120 MB mds

     

    Virtual Memory Information: ℹ️

      1.19 GB Free RAM

      1.87 GB Active RAM

      614 MB Inactive RAM

      618 MB Wired RAM

      6.72 GB Page-ins

      0 B Page-outs

  • Old Toad, Level 10 (141,125 points), Jan 14, 2015 9:21 AM, in response to MerryMath

    There is nothing suspicious in the report except that your version of Flash Player is out of date. A new one was released yesterday.

    Also, I see you don't have Time Machine configured, so do you have another backup strategy in place? If not, you should strongly consider doing so before you upgrade to Yosemite.

  • MerryMath, Level 1 (0 points), Jan 14, 2015 10:23 AM, in response to Old Toad

    Thanks so very much, you've been a great help. Just a couple more questions. Do I need to worry about other computers on my network? I do have most of my files backed up (I know, stupid not to have an immediate, or close to it, backup in place). Can I still transfer files, not apps, to an exterior drive and transfer them to the computer after I update to Yosemite? Do I still need to upgrade?

    Again, THANKS, you've been a great help.

  • Old Toad, Level 10 (141,125 points), Jan 14, 2015 11:06 AM, in response to MerryMath

    You don't need to upgrade the other Macs to Yosemite to transfer files. Once you've upgraded to Yosemite and all is running as it should, you can copy data files from your other Macs as needed.

  • MerryMath, Level 1 (0 points), Jan 14, 2015 11:18 AM, in response to Old Toad

    Again, thanks, you are great and a patient person. I guess I did not write a clear question in the last reply. Can I assume that the person who was on my computer (MacBook Air) could not do anything to my MacBook Pro and it is safe?

    Just a note: the company sent a refund amount equal to the charge to my credit card. (I cancelled that card.)

  • Old Toad, Level 10 (141,125 points), Jan 14, 2015 11:26 AM, in response to MerryMath

    Follow Linc's suggestions and be sure to change your login password for your user account and also for your iCloud account.

     

    If you had other personal information on your Mac like bank accounts, credit card accounts, web accounts, etc., start keeping a close surveillance of them for any suspicious activity.

  • Jasmine Green, Level 1 (11 points), May 12, 2015 9:55 AM, in response to Wana1

    I got that scammy pop-up "Your computer might have adware / spyware virus, call this number, bla bla bla." I ran Bit Defender and EtreCheck. Does everything look okay on the EtreCheck report? I didn't call the phone number or anything like that. I just didn't know what this pop-up was all about. I was running Chrome.

     

    Thanks

     

    Problem description:

    Spam pop up about virus/adware

     

    EtreCheck version: 2.2 (132)

    Report generated 5/12/15, 3:30 AM

    Download EtreCheck from http://etresoft.com/etrecheck

     

    Click the [Click for support] links for help with non-Apple products.

    Click the [Click for details] links for more information about that line.

     

    Hardware Information: ℹ️

        MacBook Pro (15-inch, Mid 2010) (Technical Specifications)

        MacBook Pro - model: MacBookPro6,2

        1 2.4 GHz Intel Core i5 CPU: 2-core

        8 GB RAM Upgradeable

            BANK 0/DIMM0

                4 GB DDR3 1067 MHz ok

            BANK 1/DIMM0

                4 GB DDR3 1067 MHz ok

        Bluetooth: Old - Handoff/Airdrop2 not supported

        Wireless:  en1: 802.11 a/b/g/n

        Battery: Health = Normal - Cycle count = 999 - SN = W0020PVV6BWZA

     

    Video Information: ℹ️

        Intel HD Graphics

        NVIDIA GeForce GT 330M - VRAM: 256 MB

            Color LCD 1440 x 900

     

    System Software: ℹ️

        OS X 10.10.3 (14D136) - Time since boot: 6 days 11:36:1

     

    Disk Information: ℹ️

        Hitachi HTS545032B9SA02 disk0 : (320.07 GB)

            EFI (disk0s1) <not mounted> : 210 MB

            Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

            Jas (disk1) / : 318.84 GB (27.39 GB free)

                Core Storage: disk0s2 319.21 GB Online

     

        MATSHITADVD-R   UJ-898

     

    USB Information: ℹ️

        Apple Internal Memory Card Reader

        Apple Inc. Apple Internal Keyboard / Trackpad

        Apple Inc. BRCM2070 Hub

            Apple Inc. Bluetooth USB Host Controller

        Apple Computer, Inc. IR Receiver

        Apple Inc. Built-in iSight

     

    Gatekeeper: ℹ️

        Mac App Store and identified developers

     

    Kernel Extensions: ℹ️

            /Applications/Tether.app

        [not loaded]    net.tunnelblick.tun (2871) [Click for support]

     

            /System/Library/Extensions

        [not loaded]    com.Seagate.driver.PowSecDriver (4.4.10) [Click for support]

        [not loaded]    com.olympus.CamBlockCommandsDeviceUP (2.0.1) [Click for support]

        [loaded]    net.telestream.driver.TelestreamAudio (1.1.0 - SDK 10.8) [Click for support]

     

    Problem System Launch Agents: ℹ️

        [killed]    com.apple.CallHistoryPluginHelper.plist

        [killed]    com.apple.CallHistorySyncHelper.plist

        [killed]    com.apple.cloudphotosd.plist

        [killed]    com.apple.coreservices.appleid.authentication.plist

        [killed]    com.apple.icloud.fmfd.plist

        [killed]    com.apple.photolibraryd.plist

        [killed]    com.apple.SafariNotificationAgent.plist

        [killed]    com.apple.telephonyutilities.callservicesd.plist

        [killed]    com.apple.xpc.loginitemregisterd.plist

        9 processes killed due to memory pressure

     

    Problem System Launch Daemons: ℹ️

        [killed]    com.apple.awdd.plist

        [killed]    com.apple.ctkd.plist

        [killed]    com.apple.emond.aslmanager.plist

        [killed]    com.apple.ifdreader.plist

        [failed]    com.apple.mtrecorder.plist

        [killed]    com.apple.nehelper.plist

        [killed]    com.apple.periodic-daily.plist

        [killed]    com.apple.periodic-monthly.plist

        [killed]    com.apple.periodic-weekly.plist

        [killed]    com.apple.systemstats.analysis.plist

        [killed]    com.apple.wdhelper.plist

        [killed]    com.apple.xpc.smd.plist

        11 processes killed due to memory pressure

     

    Launch Agents: ℹ️

        [failed]    com.epson.ecpd.launcher.plist [Click for support]

        [loaded]    com.google.keystone.agent.plist [Click for support]

        [loaded]    com.oracle.java.Java-Updater.plist [Click for support]

     

    Launch Daemons: ℹ️

        [loaded]    com.adobe.fpsaud.plist [Click for support]

        [loaded]    com.adobe.SwitchBoard.plist [Click for support]

        [failed]    com.apple.spirecorder.plist

        [running]    com.crashplan.engine.plist [Click for support]

        [loaded]    com.google.keystone.daemon.plist [Click for support]

        [loaded]    com.oracle.java.Helper-Tool.plist [Click for support]

        [loaded]    com.oracle.java.JavaUpdateHelper.plist [Click for support]

        [running]    com.prey.agent.plist [Click for support]

     

    User Launch Agents: ℹ️

        [loaded]    com.adobe.AAM.Updater-1.0.plist [Click for support]

        [loaded]    com.adobe.ARM.[...].plist [Click for support]

        [running]    com.amazon.music.plist [Click for support]

        [failed]    com.facebook.videochat.[redacted].plist [Click for support]

        [running]    com.google.Chrome.framework.plist [Click for support]

        [running]    com.spotify.webhelper.plist [Click for support]

        [not loaded]    com.victorpimentel.TVShowsHelper.plist [Click for support]

     

    User Login Items: ℹ️

        Android File Transfer Agent    Application  (/Users/[redacted]/Library/Application Support/Google/Android File Transfer/Android File Transfer Agent.app)

        Google+ Auto Backup    Application  (/Applications/Google+ Auto Backup.app)

        Music Manager    Application  (/Users/[redacted]/Library/PreferencePanes/MusicManager.prefPane/Contents/Helpe rs/MusicManagerHelper.app)

        CrashPlan menu bar    Application  (/Applications/CrashPlan.app/Contents/Helpers/CrashPlan menu bar.app)

     

    Internet Plug-ins: ℹ️

        o1dbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]

        nplastpass: Version: 2.5.5 [Click for support]

        Default Browser: Version: 600 - SDK 10.10

        OfficeLiveBrowserPlugin: Version: 12.3.6 [Click for support]

        AdobePDFViewerNPAPI: Version: 11.0.10 - SDK 10.6 [Click for support]

        FlashPlayer-10.6: Version: 17.0.0.169 - SDK 10.6 [Click for support]

        Silverlight: Version: 5.1.30514.0 - SDK 10.6 [Click for support]

        Flash Player: Version: 17.0.0.169 - SDK 10.6 [Click for support]

        iPhotoPhotocast: Version: 7.0

        googletalkbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]

        QuickTime Plugin: Version: 7.7.3

        AdobePDFViewer: Version: 11.0.10 - SDK 10.6 [Click for support]

        CouponPrinter-FireFox_v2: Version: 1.1.10 - SDK 10.5 [Click for support]

        JavaAppletPlugin: Version: Java 8 Update 45 Check version

     

    User internet Plug-ins: ℹ️

        fbplugin_1_0_3: Version: Unknown [Click for support]

        npBcsMcTcIO: Version: Unknown [Click for support]

        Picasa: Version: 1.0 [Click for support]

        Google Earth Web Plug-in: Version: 7.1 [Click for support]

        RealPlayer Plugin: Version: Unknown

     

    Audio Plug-ins: ℹ️

        JackRouter: Version: JackRouter [Click for support]

     

    3rd Party Preference Panes: ℹ️

        Flash Player  [Click for support]

        Java  [Click for support]

        MusicManager  [Click for support]

     

    Time Machine: ℹ️

        Skip System Files: NO

        Mobile backups: OFF

        Auto backup: NO - Auto backup turned off

        Volumes being backed up:

            Jas: Disk size: 318.84 GB Disk used: 291.45 GB

        Destinations:

            Free Space for Movies Etc. [Local]

            Total size: 0 B

            Total number of backups: 0

            Oldest backup: -

            Last backup: -

            Size of backup disk: Too small

                Backup size 0 B < (Disk used 291.45 GB X 3)

     

    Top Processes by CPU: ℹ️

            10%    Google Chrome Helper(11)

            10%    WindowServer

             4%    DashlanePluginService

             1%    com.dashlane.DashlaneAgent

             1%    mdworker(10)

     

    Top Processes by Memory: ℹ️

        999 MB    Google Chrome Helper(11)

        766 MB    kernel_task

        598 MB    CrashPlanService

        328 MB    DashlanePluginService

        319 MB    Google Chrome

     

    Virtual Memory Information: ℹ️

        26 MB    Free RAM

        7.97 GB    Used RAM

        196 MB    Swap Used

     

    Diagnostics Information: ℹ️

        May 11, 2015, 10:44:40 PM    /Users/[redacted]/Library/Logs/DiagnosticReports/EpsonCP_2015-05-11-224440_[red acted].crash

  • TiffanyKRK, Level 1 (0 points), May 30, 2015 1:16 PM, in response to Wana1

    I was targeted yesterday by scammers as well. I got a warning on my computer: Apple Security Alert, telling me my browser was hijacked. They told me to call the 1844-743-5316 number, which was supposed to be Apple Support…

    I did call the number believing it's Apple.

    They told me to go to this website:

    www.lmi7.com, which showed a site exactly like the Apple Support site.

    Click on DOWNLOAD, open TeamViewer QuickSupport and give them the ID and password for them to help me… I did, unfortunately..

    They told me more than 10 people are trying to access my computer and I must pay Apple $99.00 for a one-year security program. They also offered more options, for 2 years and 3 years (which was over $250.00). I did not pay them, and I disconnected, telling them that I had no idea I must pay Apple to have a secure computer..

    Can you please advise if my computer is safe?? Thank you for your help

