
1-800-656-8547

My Safari froze this morning and asked me to contact this number 1-800-656-8547. I contacted them and let the technician browse my computer. She told me my computer security went off and I need to choose one of the 2 options she offered to fix this problem. I need to pay around USD$300 to get the problem fixed. I told her I need a second opinion and stopped the conversation.


Is this real Apple Store Services?

MacBook Air

Posted on Apr 13, 2015 6:05 AM

Question marked as Best reply

Posted on Apr 13, 2015 6:10 AM

No it is not. It's a scam.


http://www.thesafemac.com/tech-support-scam-pop-ups/

22 replies

Apr 13, 2015 6:46 AM in response to Allan Eckert

Problem description:

My computer may be hacked


EtreCheck version: 2.1.8 (121)

Report generated April 13, 2015 at 9:44:05 AM EDT

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: ℹ️

MacBook Air (Technical Specifications)

MacBook Air - model: MacBookAir6,2

1 1.3 GHz Intel Core i5 CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery Health: Normal - Cycle count 24


Video Information: ℹ️

Intel HD Graphics 5000

Color LCD 1440 x 900


System Software: ℹ️

OS X 10.10.3 (14D131) - Time since boot: 1:56:3


Disk Information: ℹ️

APPLE SSD SD0128F disk0 : (121.33 GB)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 120.10 GB (37.53 GB free)

Core Storage: disk0s2 120.47 GB Online


USB Information: ℹ️

Apple Internal Memory Card Reader

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: ℹ️

Apple Inc. thunderbolt_bus


Gatekeeper: ℹ️

Mac App Store and identified developers


Launch Agents: ℹ️

[loaded] com.google.keystone.agent.plist [Click for support]


Launch Daemons: ℹ️

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.google.keystone.daemon.plist [Click for support]


User Login Items: ℹ️

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Google Chrome Application Hidden (/Applications/Google Chrome.app)


Internet Plug-ins: ℹ️

googletalkbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]

FlashPlayer-10.6: Version: 17.0.0.134 - SDK 10.6 [Click for support]

Flash Player: Version: 17.0.0.134 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.3

o1dbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]

Default Browser: Version: 600 - SDK 10.10


3rd Party Preference Panes: ℹ️

Flash Player [Click for support]


Time Machine: ℹ️

Time Machine not configured!


Top Processes by CPU: ℹ️

5% WindowServer

1% Google Chrome

1% fontd

0% GoogleTalkPlugin

0% taskgated


Top Processes by Memory: ℹ️

192 MB com.apple.WebKit.WebContent

163 MB Google Chrome

155 MB mds_stores

129 MB Safari

120 MB cloudphotosd


Virtual Memory Information: ℹ️

3.50 GB Free RAM

3.41 GB Active RAM

833 MB Inactive RAM

847 MB Wired RAM

2.09 GB Page-ins

0 B Page-outs


Diagnostics Information: ℹ️

Apr 13, 2015, 07:47:44 AM Self test - passed

Apr 12, 2015, 11:46:20 PM /Library/Logs/DiagnosticReports/com.apple.photos.ImageConversionService_2015-04-12-234620_[redacted].cpu_resource.diag [Click for details]

Apr 12, 2015, 10:34:12 PM /Library/Logs/DiagnosticReports/Photo Library Migration Utility_2015-04-12-223412_[redacted].cpu_resource.diag [Click for details]

Apr 11, 2015, 10:55:02 AM /Library/Logs/DiagnosticReports/deleted_2015-04-11-105502_[redacted].crash

Apr 13, 2015 7:27 AM in response to Linda Huang

The safest thing to do is erase and reformat your hard drive. Then selectively restore your data to make sure you don't install any programs they may have left behind.


Do a backup, preferably 2 separate ones on 2 drives. Boot to the Recovery Volume (command - R on a restart or hold down the option/alt key during a restart and select Recovery Volume). Run Disk Utility Verify/Repair and Repair Permissions until you get no errors. Reformat the drive using Disk Utility/Erase Mac OS Extended (Journaled), then click the Option button and select GUID. Then re-install the OS.



OS X Recovery (2)



When you reboot, use Setup Assistant to restore your data.

Apr 13, 2015 7:33 AM in response to Linda Huang

You need to become much more careful about following instructions from strangers on the Internet. First you fell for a common scam, and now you downloaded an application. How do you know what that application really does?

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

Apr 13, 2015 6:24 PM in response to Linda Huang

Yes. There are scammers all over the internet. While they do have a bad reputation, ultimately all they really want is your money. They usually aren't malicious. Unfortunately, that is more than I can say about certain people on this forum. Linc Davis just wants to scare and punish you for using my software. Such is life on the internet.


Your EtreCheck report shows only Google and Adobe software. I see no evidence of any malware or tampering. You can double-check by going to System Preferences > Sharing and make sure everything is turned off.


The reports of this scam that I have read say that they just want your money, nothing more. You can certainly erase your hard drive and reinstall everything if it makes you feel better. However, you don't appear to have a Time Machine backup, so that is going to be a problem. You will first have to purchase an external hard drive and back up. Then you can use Migration Assistant to restore only user data. Probably the best thing that would come out of this incident is giving you incentive to back up regularly. OWC has a good selection of reliable external hard drives: http://eshop.macsales.com/shop/firewire/. Since your MacBook Air has a small SSD drive, you can purchase a relatively small and inexpensive external drive for much less than $300.

Apr 13, 2015 7:01 PM in response to Linda Huang

I will tell you something about "etrecheck" that you might find pertinent. One of the things that "etrecheck" seems to try to do is to detect certain kinds of ad-injection malware. The results are not attractive, but that's not the point. When "etrecheck" thinks it has detected malware, it provides a link to another program called "adwaremedic" that is supposed to be able to remove the malware. It does that because the developer of "etrecheck"—who is telling you that you're safe after allowing a criminal to control your computer remotely—thinks that the developer of "adwaremedic" is an authority on the subject of computer security. Let's assume that he's right about that: the developer of "adwaremedic" is an authority on computer security.


Here is what the developer of "adwaremedic" has told others in your situation:

So, just to be clear, you got a pop-up and called the number, and they directed you to install LogMeIn and then gained control of your Mac through that? If that's the case, your Mac cannot be considered safe to use. The people at that number are scammers, and may very well have done things to your Mac that no anti-virus software would ever detect and that a Mac security expert would be hard-pressed to find. (Keep in mind that the average Mac tech is quite far from being a security expert.)


Thus, you will need to erase the hard drive and reinstall everything from scratch. This must be done properly, as restoring the wrong things could restore something malicious.

My mini caught a bug or virus, the ended up with loginrescueme.com. So I did all I knew how to clean up my mini and keep her safe. Then this morning, I saw that in my System Preferences, Startup Disk, I now have an option of "Network Startup" that is

Because you gave the scammers remote access to your Mac, it should now be considered compromised. You need to erase your hard drive and reinstall everything from scratch.

Koobface worm?

Unfortunately, since you allowed this person to have remote access to your machine via Team Viewer, it is now impossible to rule out the possibility that he installed some kind of keylogger or backdoor on your system. There is no anti-virus software in the world that can guarantee your system is safe in this situation. Your only option at this point is to wipe your hard drive clean and reinstall everything from scratch. You will need to be cautious about what you import to the clean system from backups, as you don't want to carry over anything malicious.

I was told by a Belkin (wireless router) technician that I have a key logger on my Mac Book Pro. How can I tell if he is correct or just trying to sell me their $100 "clean-up" services?

Unfortunately, if you did get tricked, your computer has been remotely manipulated by scammers, and its system and all data on it should now be considered compromised. There is no anti-virus in the world that will fix this for you. You will need to erase your computer's hard drive and reinstall everything from scratch.

Virus Protection


And so forth. So here is a conundrum. According to the person who is telling you that you're safe, the person who gave the advice quoted above (and who was not trying to "punish" anyone for using "etrecheck") is wrong. Yet that person is recognized by "etrecheck" as a security expert. You will have to resolve that contradiction in your own mind before deciding what to do next.

Apr 13, 2015 7:28 PM in response to Linc Davis

My, that's a lot of quotation marks. 🙂


While I am quite happy to let "the person" (AKA Thomas) deal with malware and adware, that doesn't necessarily mean I have to agree with him on every topic and in every situation. Each situation is different. Some people are able to easily erase and restore from backup and some people aren't. Should a machine be considered "compromised" in such a situation? Of course. Does that guarantee that the scammers installed viruses, key loggers, and all kinds of other nasty stuff? Not necessarily. Unless these particular scammers were extraordinarily skilled, EtreCheck would have reported anything they installed. Could they have hidden their wares from EtreCheck? Sure. What is the probability that they did? Pretty low, I think.


Again, if Linda wants to erase her hard drive, that would be the safest option. She could always take her machine in to an Apple Store or Authorized Apple Service centre to have it checked out too.

Apr 14, 2015 4:07 AM in response to Linc Davis

LOL, Linc, it must be giving you a coronary to use my words to help you make your point, considering all the nasty things you've said about me.


To any readers who are confused by this, there is truth on both sides here. Etrecheck is certainly correct that it is very unlikely that the scammers at that number actually installed anything malicious. The payoff they're looking for is the $300, and whatever else they can figure out a way to charge unsuspecting people for. I've spoken with a lot of people who have gotten one of these scam pop-ups, called the number and given the scammer remote access to their Mac. I have seen absolutely no cases where there was any reason to believe that malicious changes had been made to the system by that scammer.


However, Linc is correct that the only way to guarantee that your system is safe following remote access by a scammer is to erase the hard drive and reinstall everything from scratch. Anti-virus software and any other automated utilities cannot help you in this case. EtreCheck is a good utility that can indicate that there's no known third-party software installed that could be used by scammers for dishonest purposes, but that's not a guarantee that functionality built into the system hasn't been abused, or that some other malicious modification hasn't been made.


Obviously, different people have different opinions about the necessity of taking this action. Because each scammer is an individual and they're all dishonest, I recommend erasing the hard drive. I do believe, as etresoft does, that this is likely to be unnecessary, but my opinion is that it should be done nonetheless to ensure that the system is safe. Linda, and anyone else reading this who has the same problem, will need to make this decision for themselves, based on what they're comfortable with.
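
Added example, not part of the original thread and not EtreCheck's own code: a small Python parser for the report layout posted earlier in this thread. It collects the entries marked `[Click for support]` (which the report's header says are non-Apple products) plus every login item, so the persistence-related lines can be reviewed in one place. The function names and the choice of sections are assumptions of this example.

```python
import re

# Excerpt of the EtreCheck report posted earlier in this thread (blank lines dropped).
REPORT = """\
Gatekeeper: ℹ️
Mac App Store and identified developers
Launch Agents: ℹ️
[loaded] com.google.keystone.agent.plist [Click for support]
Launch Daemons: ℹ️
[loaded] com.adobe.fpsaud.plist [Click for support]
[loaded] com.google.keystone.daemon.plist [Click for support]
User Login Items: ℹ️
iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)
Google Chrome Application Hidden (/Applications/Google Chrome.app)
Internet Plug-ins: ℹ️
googletalkbrowserplugin: Version: 5.41.0.0 - SDK 10.8 [Click for support]
QuickTime Plugin: Version: 7.7.3
"""

SECTION = re.compile(r"^(.+?):\s*\u2139\ufe0f?\s*$")  # "Name: ℹ️" header lines
SUPPORT = "[Click for support]"     # the report's marker for non-Apple products
ALWAYS_LIST = {"User Login Items"}  # entries carry no marker, so list them all


def items_to_review(report):
    """Return {section: [entries]} for non-Apple items and all login items."""
    found, section = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
        elif line and section and (section in ALWAYS_LIST or line.endswith(SUPPORT)):
            entry = line.replace(SUPPORT, "").strip()
            entry = re.sub(r"^\[[^\]]+\]\s*", "", entry)  # drop "[loaded]" status
            found.setdefault(section, []).append(entry)
    return found


def launchd_vendors(found):
    """Second label of reverse-DNS launchd names, e.g. com.google.x -> google."""
    names = found.get("Launch Agents", []) + found.get("Launch Daemons", [])
    return {n.split(".")[1] for n in names if n.count(".") >= 2}


if __name__ == "__main__":
    for section, entries in items_to_review(REPORT).items():
        print(section, entries)
    print("launchd vendors:", sorted(launchd_vendors(items_to_review(REPORT))))
```

The output only restates what the report lists; as the last reply notes, that says nothing about abuse of functionality built into the system.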
