detect recent installed unauthorized remote control applications

One day ago I allowed remote access control to my MacBook Pro (OS X 10.9.4) to a company pretending to be Apple Authorized Online Services. After discovering this was a scam, I need to be sure that they didn't leave or install any app (hidden or not) and, if so, how to delete it to prevent them from accessing my Mac again.


It would also be helpful if there is a way to find out which information they may have accessed during the mentioned "session".

Thanks in advance for your help

MacBook Pro, OS X Mavericks (10.9.4)

Posted on Sep 5, 2014 2:03 PM

Sep 5, 2014 2:21 PM in response to Wana1

If you know or suspect that a hostile intruder has either had physical access to it, or has been able to log in remotely, then there are some steps you should take to make sure that the computer is safe to use.

First, depending on the circumstances, computer tampering may be a crime, a civil wrong, or both. If there's any chance that the matter will be the subject of legal action, then you should do nothing at all without consulting a lawyer or the police. The computer would be the principal evidence in such a case, and you don't want to contaminate that evidence.

Running any kind of "anti-virus" software is pointless. If I broke into a system and wanted to leave a back door, I could do it in a way that would be undetectable by those means—and I don't pretend to any special skill as a hacker. You have to assume that any intruder can do the same. Commercial keylogging software—which has legitimate as well as illegitimate uses—won't be recognized as malware, because it's not malware.

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.
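
Added example, not part of any post in this thread: a shell function (hypothetical name `recent_items`) that lists entries in the standard OS X launchd and application folders whose inode change time is later than a given moment, such as the start of the remote session. It compares change time rather than modification time because installers and file copies often preserve modification times; in line with the reply above, an empty listing does not show that the system is clean.

```shell
#!/bin/sh
# Added example: inventory of launchd items and applications changed since a
# reference time. The function name and argument layout are hypothetical.
#
# Usage: recent_items STAMP [ROOT]
#   STAMP  reference time in `touch -t` format, CCYYMMDDhhmm
#          (for example, shortly before the remote session began)
#   ROOT   volume to inspect, e.g. a mounted copy of the disk;
#          empty (the default) means the running system
recent_items() {
    stamp=$1
    root=${2:-}
    ref=$(mktemp) || return 1
    # The reference file carries STAMP as its modification time.
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    for dir in \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons" \
        "$root/Library/StartupItems" \
        "$root/Applications" \
        "$root"/Users/*/Library/LaunchAgents \
        "$root"/Users/*/Applications
    do
        [ -d "$dir" ] || continue
        # -cnewer: inode change time later than the reference file's mtime.
        # Change time cannot be set back with touch, but it also moves on
        # chmod, rename and software updates, so expect legitimate entries.
        # -mindepth/-maxdepth/-cnewer are accepted by both BSD and GNU find.
        find "$dir" -mindepth 1 -maxdepth 1 -cnewer "$ref" -print
    done
    rm -f "$ref"
}

# Run the inventory only when the script is given arguments.
if [ $# -ge 1 ]; then
    recent_items "$@"
fi
```

Each path printed is a candidate to review by hand (owner, signing identity, what the plist launches), not a verdict.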

Jan 13, 2015 6:29 PM in response to Old Toad

Here is the etrecheck report

EtreCheck version: 2.1.5 (108)

Report generated January 13, 2015 8:25:45 PM CST


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Adware] links for help removing adware.


Hardware Information: ℹ️

MacBook Air (11-inch, Mid 2013) (Verified)

MacBook Air - model: MacBookAir6,1

1 1.3 GHz Intel Core i5 CPU: 2-core

4 GB RAM

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac


Video Information: ℹ️

Intel HD Graphics 5000 - VRAM: 1024 MB

Color LCD 1366 x 768


System Software: ℹ️

OS X 10.8.5 (12F45) - Uptime: 5 days 8:39:30


Disk Information: ℹ️

APPLE SSD SD0256F disk0 : (251 GB)

disk0s1 (disk0s1) <not mounted> : 210 MB

Macintosh HD (disk0s2) / : 250.14 GB (190.70 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB


USB Information: ℹ️

SanDisk Firebird USB Flash Drive 16.01 GB

LIL RED (disk3s1) /Volumes/LIL RED : 16.01 GB (8.37 GB free)

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: ℹ️

Apple Inc. thunderbolt_bus


Gatekeeper: ℹ️

Mac App Store


Kernel Extensions: ℹ️

/System/Library/Extensions

[not loaded] com.sony.driver.prs (1.0.1d1) [Support]


Launch Agents: ℹ️

[not loaded] com.sony.ReaderLibrary.RunReaderLibrary.plist [Support]


Launch Daemons: ℹ️

[loaded] com.adobe.fpsaud.plist [Support]


User Login Items: ℹ️

Garmin Express Service Application (/Applications/Garmin Express.app/Contents/Library/LoginItems/Garmin Express Service.app)

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Application (/Applications/Dropbox.app)

Reader Library Launcher ApplicationHidden (/Library/Reader Library/Reader Library Launcher.app)


Internet Plug-ins: ℹ️

Silverlight: Version: 5.1.20513.0 - SDK 10.6 [Support]

FlashPlayer-10.6: Version: 16.0.0.235 - SDK 10.6 [Support]

CouponPrinter-FireFox_v2: Version: 1.1.10 - SDK 10.6 [Support]

Flash Player: Version: 16.0.0.235 - SDK 10.6 Mismatch! Adobe recommends 16.0.0.257

JavaAppletPlugin: Version: 14.9.0 - SDK 10.7 Check version

QuickTime Plugin: Version: 7.7.1


Safari Extensions: ℹ️

AdBlock [Installed]


3rd Party Preference Panes: ℹ️

Flash Player [Support]


Time Machine: ℹ️

Time Machine not configured!


Top Processes by CPU: ℹ️

4% WindowServer

2% WebProcess

2% hidd

2% SystemUIServer

1% configd


Top Processes by Memory: ℹ️

314 MB firefox

193 MB Finder

180 MB Safari

125 MB WebProcess

120 MB mds


Virtual Memory Information: ℹ️

1.19 GB Free RAM

1.87 GB Active RAM

614 MB Inactive RAM

618 MB Wired RAM

6.72 GB Page-ins

0 B Page-outs

Jan 14, 2015 10:23 AM in response to Old Toad

Thanks so very much, you've been a great help. Just a couple more questions. Do I need to worry about other computers on my network? I do have most of my files backed up --- I know, stupid to not have immediate (or close to) backup in place. Can I still transfer files - not apps - to an exterior drive and transfer them to the computer after I update to Yosemite? Do I still need to upgrade?


Again, THANKS, you've been a great help.

May 12, 2015 9:55 AM in response to Wana1

I got that scammy pop up "Your computer might have adware / spyware virus, call this number, bla bla bla." I ran Bit Defender and EtreCheck. Does everything look okay on the EtreCheck report? I didn't call the phone number or anything like that. I just didn't know what this pop up was all about. I was running Chrome.


Thanks 🙂


Problem description:

Spam pop up about virus/adware


EtreCheck version: 2.2 (132)

Report generated 5/12/15, 3:30 AM

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: ℹ️

MacBook Pro (15-inch, Mid 2010) (Technical Specifications)

MacBook Pro - model: MacBookPro6,2

1 2.4 GHz Intel Core i5 CPU: 2-core

8 GB RAM Upgradeable

BANK 0/DIMM0

4 GB DDR3 1067 MHz ok

BANK 1/DIMM0

4 GB DDR3 1067 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 999 - SN = W0020PVV6BWZA


Video Information: ℹ️

Intel HD Graphics

NVIDIA GeForce GT 330M - VRAM: 256 MB

Color LCD 1440 x 900


System Software: ℹ️

OS X 10.10.3 (14D136) - Time since boot: 6 days 11:36:1


Disk Information: ℹ️

Hitachi HTS545032B9SA02 disk0 : (320.07 GB)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Jas (disk1) / : 318.84 GB (27.39 GB free)

Core Storage: disk0s2 319.21 GB Online


MATSHITADVD-R UJ-898


USB Information: ℹ️

Apple Internal Memory Card Reader

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM2070 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Computer, Inc. IR Receiver

Apple Inc. Built-in iSight


Gatekeeper: ℹ️

Mac App Store and identified developers


Kernel Extensions: ℹ️

/Applications/Tether.app

[not loaded] net.tunnelblick.tun (2871) [Click for support]


/System/Library/Extensions

[not loaded] com.Seagate.driver.PowSecDriver (4.4.10) [Click for support]

[not loaded] com.olympus.CamBlockCommandsDeviceUP (2.0.1) [Click for support]

[loaded] net.telestream.driver.TelestreamAudio (1.1.0 - SDK 10.8) [Click for support]


Problem System Launch Agents: ℹ️

[killed] com.apple.CallHistoryPluginHelper.plist

[killed] com.apple.CallHistorySyncHelper.plist

[killed] com.apple.cloudphotosd.plist

[killed] com.apple.coreservices.appleid.authentication.plist

[killed] com.apple.icloud.fmfd.plist

[killed] com.apple.photolibraryd.plist

[killed] com.apple.SafariNotificationAgent.plist

[killed] com.apple.telephonyutilities.callservicesd.plist

[killed] com.apple.xpc.loginitemregisterd.plist

9 processes killed due to memory pressure


Problem System Launch Daemons: ℹ️

[killed] com.apple.awdd.plist

[killed] com.apple.ctkd.plist

[killed] com.apple.emond.aslmanager.plist

[killed] com.apple.ifdreader.plist

[failed] com.apple.mtrecorder.plist

[killed] com.apple.nehelper.plist

[killed] com.apple.periodic-daily.plist

[killed] com.apple.periodic-monthly.plist

[killed] com.apple.periodic-weekly.plist

[killed] com.apple.systemstats.analysis.plist

[killed] com.apple.wdhelper.plist

[killed] com.apple.xpc.smd.plist

11 processes killed due to memory pressure


Launch Agents: ℹ️

[failed] com.epson.ecpd.launcher.plist [Click for support]

[loaded] com.google.keystone.agent.plist [Click for support]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]


Launch Daemons: ℹ️

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.adobe.SwitchBoard.plist [Click for support]

[failed] com.apple.spirecorder.plist

[running] com.crashplan.engine.plist [Click for support]

[loaded] com.google.keystone.daemon.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]

[loaded] com.oracle.java.JavaUpdateHelper.plist [Click for support]

[running] com.prey.agent.plist [Click for support]


User Launch Agents: ℹ️

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[loaded] com.adobe.ARM.[...].plist [Click for support]

[running] com.amazon.music.plist [Click for support]

[failed] com.facebook.videochat.[redacted].plist [Click for support]

[running] com.google.Chrome.framework.plist [Click for support]

[running] com.spotify.webhelper.plist [Click for support]

[not loaded] com.victorpimentel.TVShowsHelper.plist [Click for support]


User Login Items: ℹ️

Android File Transfer Agent Application (/Users/[redacted]/Library/Application Support/Google/Android File Transfer/Android File Transfer Agent.app)

Google+ Auto Backup Application (/Applications/Google+ Auto Backup.app)

Music Manager Application (/Users/[redacted]/Library/PreferencePanes/MusicManager.prefPane/Contents/Helpers/MusicManagerHelper.app)

CrashPlan menu bar Application (/Applications/CrashPlan.app/Contents/Helpers/CrashPlan menu bar.app)


Internet Plug-ins: ℹ️

o1dbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]

nplastpass: Version: 2.5.5 [Click for support]

Default Browser: Version: 600 - SDK 10.10

OfficeLiveBrowserPlugin: Version: 12.3.6 [Click for support]

AdobePDFViewerNPAPI: Version: 11.0.10 - SDK 10.6 [Click for support]

FlashPlayer-10.6: Version: 17.0.0.169 - SDK 10.6 [Click for support]

Silverlight: Version: 5.1.30514.0 - SDK 10.6 [Click for support]

Flash Player: Version: 17.0.0.169 - SDK 10.6 [Click for support]

iPhotoPhotocast: Version: 7.0

googletalkbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]

QuickTime Plugin: Version: 7.7.3

AdobePDFViewer: Version: 11.0.10 - SDK 10.6 [Click for support]

CouponPrinter-FireFox_v2: Version: 1.1.10 - SDK 10.5 [Click for support]

JavaAppletPlugin: Version: Java 8 Update 45 Check version


User internet Plug-ins: ℹ️

fbplugin_1_0_3: Version: Unknown [Click for support]

npBcsMcTcIO: Version: Unknown [Click for support]

Picasa: Version: 1.0 [Click for support]

Google Earth Web Plug-in: Version: 7.1 [Click for support]

RealPlayer Plugin: Version: Unknown


Audio Plug-ins: ℹ️

JackRouter: Version: JackRouter [Click for support]


3rd Party Preference Panes: ℹ️

Flash Player [Click for support]

Java [Click for support]

MusicManager [Click for support]


Time Machine: ℹ️

Skip System Files: NO

Mobile backups: OFF

Auto backup: NO - Auto backup turned off

Volumes being backed up:

Jas: Disk size: 318.84 GB Disk used: 291.45 GB

Destinations:

Free Space for Movies Etc. [Local]

Total size: 0 B

Total number of backups: 0

Oldest backup: -

Last backup: -

Size of backup disk: Too small

Backup size 0 B < (Disk used 291.45 GB X 3)


Top Processes by CPU: ℹ️

10% Google Chrome Helper(11)

10% WindowServer

4% DashlanePluginService

1% com.dashlane.DashlaneAgent

1% mdworker(10)


Top Processes by Memory: ℹ️

999 MB Google Chrome Helper(11)

766 MB kernel_task

598 MB CrashPlanService

328 MB DashlanePluginService

319 MB Google Chrome


Virtual Memory Information: ℹ️

26 MB Free RAM

7.97 GB Used RAM

196 MB Swap Used


Diagnostics Information: ℹ️

May 11, 2015, 10:44:40 PM /Users/[redacted]/Library/Logs/DiagnosticReports/EpsonCP_2015-05-11-224440_[redacted].crash

May 30, 2015 1:16 PM in response to Wana1

I was targeted yesterday by scammers as well. I got a warning on my computer: an Apple Security Alert telling me my browser was hijacked. They told me to call the number 1844-743-5316, which was supposed to be Apple Support…

I did call the number, believing it's Apple.

They told me to go to this website:

www.lmi7.com, which showed a site exactly like the Apple Support site.

Click on DOWNLOAD, open Team Viewer Quick Support and give them the ID and password for them to help me… I did, unfortunately.

They told me more than 10 people are trying to access my computer and I must pay Apple 99.00$ for a one-year security program. They also offered more options for 2 years and 3 years (which was over $250.00). I did not pay them, and I disconnected, telling them that I had no idea I must pay Apple to have a secure computer.


Can you please advise if my computer is safe? Thank you for your help
