Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: KittyXPryde
KittyXPryde Author
User level: Level 1
4 points

Trying To Figure Out If Someone Has Remote Access With Physical Access To My Comp.

I'm hoping L!nc Davi$, or anyone else can help me....I've spent about 8 months trying to figure out who has has remote access to my computer and possibly created a way to access it through my Network (They set it up). I've narrowed it down to two "people" that have had physical access to my computer. I'm WAY beyond disabling screen sharing, etc. and the people I suspect may have access are through a previous employer and someone very close to me. Both had access to my computer and the latter has had constant access to my computer and set up my Wifi, and has spent 30 + years working with everything Apple related and works with computers for a living. I honestly cannot begin to put in a post everything that I have found, and do not currently have the resources to go to the Apple Store or have someone who knows enough (and that I trust) to help me with this issue. This is a shot in the dark, but after close to a year of following your (Linc) posts which have helped me out tremendously, I'm hoping I can get help from you, or anyone else, as to where to start with a post that will pinpoint the issues I'm having, without posting the insane amount of data that I've collected and saved. Yes, I'm opening myself up to trolls railing on me, but at this point, whatever. ;-) I figured I'd start with what I found on EtreCheck and go from there. And I don't know if it matters, but I've never had an "at_me" account...and as I scanned it pretty quickly I didn't see anything in this that has been a major concern..except the sudden RAM issue:


EtreCheck version: 2.9.3 (253)

Report generated 2016-02-07 03:16:54

Download EtreCheck from http://etrecheck.com

Runtime 2:22

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Check files] link for help with unknown files.


Problem: Other problem


Hardware Information: ⓘ

MacBook Pro (17-inch, Mid 2010)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro6,1

1 2.53 GHz Intel Core i5 CPU: 2-core

8 GB RAM Upgradeable - [Instructions]

BANK 0/DIMM0

4 GB DDR3 1067 MHz ok

BANK 1/DIMM0

4 GB DDR3 1067 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n

Battery: Health = Check Battery - Cycle count = 437 - SN = 9G00900MQDN5A


Video Information: ⓘ

Intel HD Graphics

NVIDIA GeForce GT 330M - VRAM: 512 MB

Color LCD 1920 x 1200


System Software: ⓘ

OS X El Capitan 10.11.3 (15D21) - Time since boot: about 2 days


Disk Information: ⓘ

OWC Mercury Electra 6G SSD disk0 : (480.1 GB) (Solid State - TRIM: No)

EFI (disk0s1) <not mounted> : 210 MB

Kristen I (disk0s2) / : 479.24 GB (205.02 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB


Hitachi HTS545050B9SA02 disk1 : (500.11 GB) (Rotational)

EFI (disk1s1) <not mounted> : 210 MB

Kristen II (disk1s2) /Volumes/Kristen II : 499.76 GB (78.98 GB free)


USB Information: ⓘ

Apple Computer, Inc. IR Receiver

Apple Inc. Built-in iSight

Apple, Inc. Keyboard Hub

Logitech G100s Optical Gaming Mouse

Apple Inc. Apple Keyboard

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM2070 Hub

Apple Inc. Bluetooth USB Host Controller


Configuration files: ⓘ

/etc/hosts - Count: 102


Gatekeeper: ⓘ

Mac App Store and identified developers


Unknown Files: ⓘ

/Library/LaunchDaemons/com.freemacsoft.appcleanerdaemon.plist

One unknown file found. [Check files]


Kernel Extensions: ⓘ

/Applications/Utilities/TechTool Pro 8.app

[not loaded] com.micromat.driver.spdKernel (1 - SDK 10.11) [Support]

[not loaded] com.micromat.driver.spdKernel-10-8 (1 - SDK 10.11) [Support]


/Library/Extensions

[loaded] com.avira.kext.FileAccessControl (1.2.2 - SDK 10.9) [Support]


System Launch Agents: ⓘ

[killed] com.apple.SafariCloudHistoryPushAgent.plist

[loaded] 150 Apple tasks

[running] 85 Apple tasks

one process killed due to insufficient RAM


System Launch Daemons: ⓘ

[killed] com.apple.nsurlsessiond.plist

[killed] com.apple.wdhelper.plist

[loaded] 194 Apple tasks

[running] 92 Apple tasks

2 processes killed due to insufficient RAM


Launch Agents: ⓘ

[loaded] com.avira.antivirus.general.agent.plist [Support]

[loaded] com.avira.antivirus.ipm.ui.plist [Support]

[loaded] com.avira.antivirus.notifications.agent.plist [Support]

[loaded] com.avira.antivirus.odscan.default.plist [Support]

[loaded] com.avira.antivirus.scheduler.agent.plist [Support]

[running] com.avira.antivirus.systray.plist [Support]

[loaded] com.avira.antivirus.telemetry.agent.plist [Support]

[loaded] com.avira.antivirus.update.default.plist [Support]

[running] com.avira.helper.avstats.plist [Support]


Launch Daemons: ⓘ

[loaded] com.adobe.SwitchBoard.plist [Support]

[loaded] com.adobe.fpsaud.plist [Support]

[loaded] com.avira.antivirus.dbcleaner.plist [Support]

[loaded] com.avira.antivirus.ipm.loader.plist [Support]

[running] com.avira.helper.watchdox.plist [Support]

[running] com.freemacsoft.appcleanerdaemon.plist [Support]

[loaded] com.google.keystone.daemon.plist [Support]

[loaded] com.malwarebytes.MBAMHelperTool.plist [Support]

[loaded] com.microsoft.office.licensing.helper.plist [Support]


User Launch Agents: ⓘ

[loaded] com.adobe.ARM.[...].plist [Support]

[failed] com.apple.CSConfigDotMacCert-[...]@me.com-SharedServices.Agent.plist

[running] com.microsoft.LaunchAgent.SyncServicesAgent.plist [Support]

[loaded] com.valvesoftware.steamclean.plist [Support]


User Login Items: ⓘ

Dropbox Application (/Applications/Dropbox.app)


Other Apps: ⓘ

[loaded] com.adobe.Acrobat.Pro.45792

[running] com.apple.xpc.launchd.oneshot.0x1000000f.EtreCheck

[running] com.getdropbox.dropbox.7712

[running] com.microsoft.Excel.70432

[loaded] com.microsoft.SyncServicesAgent.76192

[running] com.microsoft.Word.71392

[running] com.microsoft.autoupdate.fba.19232

[running] com.microsoft.outlook.databasedaemon.72992

[running] org.mozilla.firefox.105632


Internet Plug-ins: ⓘ

npg: Version: 1.0 [Support]

Default Browser: Version: 601 - SDK 10.11

OfficeLiveBrowserPlugin: Version: 12.3.6 [Support]

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Support]

FlashPlayer-10.6: Version: 20.0.0.267 - SDK 10.6 [Support]

AdobePDFViewerNPAPI: Version: 11.0.12 - SDK 10.6 [Support]

Silverlight: Version: 5.1.41105.0 - SDK 10.6 [Support]

QuickTime Plugin: Version: 7.7.3

Flash Player: Version: 20.0.0.267 - SDK 10.6 Outdated! Update

iPhotoPhotocast: Version: 7.0

SharePointBrowserPlugin: Version: 14.5.2 - SDK 10.6 [Support]

AdobePDFViewer: Version: 11.0.12 - SDK 10.6 [Support]

RL Secure Plug-In Layer: Version: Unknown - SDK 10.5 [Support]

JavaAppletPlugin: Version: 15.0.1 - SDK 10.7 Check version


User internet Plug-ins: ⓘ

CitrixOnlineWebDeploymentPlugin: Version: 1.0.105 [Support]


3rd Party Preference Panes: ⓘ

Flash Player [Support]


Time Machine: ⓘ

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

Kristen I: Disk size: 479.24 GB Disk used: 274.23 GB

Destinations:

Susi Seagate 1 [Local]

Total size: 999.86 GB

Total number of backups: 14

Oldest backup: 10/13/15, 1:48 PM

Last backup: 2/5/16, 1:26 PM

Size of backup disk: Adequate

Backup size 999.86 GB > (Disk used 274.23 GB X 3)


Top Processes by CPU: ⓘ

32% kernel_task

14% firefox

6% WindowServer

3% savapi

2% Finder


Top Processes by Memory: ⓘ

796 MB kernel_task

795 MB firefox

279 MB WindowServer

205 MB mdworker(11)

164 MB mds_stores


Virtual Memory Information: ⓘ

1.50 GB Free RAM

6.50 GB Used RAM (1.87 GB Cached)

143 MB Swap Used


Diagnostics Information: ⓘ

Feb 6, 2016, 10:11:16 PM /Library/Logs/DiagnosticReports/firefox_2016-02-06-221116_[redacted].cpu_resour ce.diag [Details]

/Applications/Firefox.app/Contents/MacOS/firefox

Feb 6, 2016, 09:16:57 PM /Library/Logs/DiagnosticReports/Photos_2016-02-06-211657_[redacted].cpu_resourc e.diag [Details]

/Applications/Photos.app/Contents/MacOS/Photos

Feb 6, 2016, 08:55:12 PM /Library/Logs/DiagnosticReports/VTEncoderXPCService_2016-02-06-205512_[redacted ].cpu_resource.diag [Details]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTEnco derXPCService.xpc/Contents/MacOS/VTEncoderXPCService

Feb 6, 2016, 08:38:17 PM /Library/Logs/DiagnosticReports/VTEncoderXPCService_2016-02-06-203817_[redacted ].cpu_resource.diag [Details]

Feb 4, 2016, 05:08:47 PM /Library/Logs/DiagnosticReports/VTEncoderXPCService_2016-02-04-170847_[redacted ].cpu_resource.diag [Details]

Feb 4, 2016, 05:03:32 PM /Library/Logs/DiagnosticReports/PTPCamera_2016-02-04-170332_[redacted].cpu_reso urce.diag [Details]

/System/Library/Image Capture/Devices/PTPCamera.app/Contents/MacOS/PTPCamera

Feb 4, 2016, 04:24:32 PM /Library/Logs/DiagnosticReports/Photos_2016-02-04-162432_[redacted].cpu_resourc e.diag [Details]

Feb 4, 2016, 03:30:47 PM ~/Library/Logs/DiagnosticReports/AdobeAcrobat_2016-02-04-153047_[redacted].cras h

com.adobe.Acrobat.Pro - /Applications/Adobe Acrobat XI Pro/Adobe Acrobat Pro.app/Contents/MacOS/AdobeAcrobat

Feb 4, 2016, 03:28:13 PM ~/Library/Logs/DiagnosticReports/AdobeAcrobat_2016-02-04-152813_[redacted].cras h

Feb 4, 2016, 02:19:18 PM Self test - passed



I'm hoping Linc Davis, or anyone else can help me....I've spent about 8 months trying to figure out who has has remote access to my computer and possibly created a way to access it through my Network (They set it up). I've narrowed it down to two "people" that have had physical access to my computer. I'm WAY beyond disabling screen sharing, etc. and the people I suspect may have access are through a previous employer and someone very close to me. Both had access to my computer and the latter has had constant access to my computer and set up my Wifi, and has spent 30 + years working with everything Apple related and works with computers for a living. I honestly cannot begin to put in a post everything that I have found, and do not currently have the resources to go to the Apple Store or have someone who knows enough (and that I trust) to help me with this issue. This is a shot in the dark, but after close to a year of following your (Linc) posts which have helped me out tremendously, I'm hoping I can get help from you, or anyone else, as to where to start with a post that will pinpoint the issues I'm having, without posting the insane amount of data that I've collected and saved. Yes, I'm opening myself up to trolls railing on me, but at this point, whatever. ;-) I figured I'd start with what I found on EtreCheck and go from there. And I don't know if it matters, but I've never had an "at_me" account...and as I scanned it pretty quickly I didn't see anything in this that has been a major concern..except the sudden RAM issue:


EtreCheck version: 2.9.3 (253)

Report generated 2016-02-07 03:16:54

Download EtreCheck from http://etrecheck.com

Runtime 2:22

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Check files] link for help with unknown files.


Problem: Other problem


Hardware Information: ⓘ

MacBook Pro (17-inch, Mid 2010)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro6,1

1 2.53 GHz Intel Core i5 CPU: 2-core

8 GB RAM Upgradeable - [Instructions]

BANK 0/DIMM0

4 GB DDR3 1067 MHz ok

BANK 1/DIMM0

4 GB DDR3 1067 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n

Battery: Health = Check Battery - Cycle count = 437 - SN = 9G00900MQDN5A


Video Information: ⓘ

Intel HD Graphics

NVIDIA GeForce GT 330M - VRAM: 512 MB

Color LCD 1920 x 1200


System Software: ⓘ

OS X El Capitan 10.11.3 (15D21) - Time since boot: about 2 days


Disk Information: ⓘ

OWC Mercury Electra 6G SSD disk0 : (480.1 GB) (Solid State - TRIM: No)

EFI (disk0s1) <not mounted> : 210 MB

Kristen I (disk0s2) / : 479.24 GB (205.02 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB


Hitachi HTS545050B9SA02 disk1 : (500.11 GB) (Rotational)

EFI (disk1s1) <not mounted> : 210 MB

Kristen II (disk1s2) /Volumes/Kristen II : 499.76 GB (78.98 GB free)


USB Information: ⓘ

Apple Computer, Inc. IR Receiver

Apple Inc. Built-in iSight

Apple, Inc. Keyboard Hub

Logitech G100s Optical Gaming Mouse

Apple Inc. Apple Keyboard

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM2070 Hub

Apple Inc. Bluetooth USB Host Controller


Configuration files: ⓘ

/etc/hosts - Count: 102


Gatekeeper: ⓘ

Mac App Store and identified developers


Unknown Files: ⓘ

/Library/LaunchDaemons/com.freemacsoft.appcleanerdaemon.plist

One unknown file found. [Check files]


Kernel Extensions: ⓘ

/Applications/Utilities/TechTool Pro 8.app

[not loaded] com.micromat.driver.spdKernel (1 - SDK 10.11) [Support]

[not loaded] com.micromat.driver.spdKernel-10-8 (1 - SDK 10.11) [Support]


/Library/Extensions

[loaded] com.avira.kext.FileAccessControl (1.2.2 - SDK 10.9) [Support]


System Launch Agents: ⓘ

[killed] com.apple.SafariCloudHistoryPushAgent.plist

[loaded] 150 Apple tasks

[running] 85 Apple tasks

one process killed due to insufficient RAM


System Launch Daemons: ⓘ

[killed] com.apple.nsurlsessiond.plist

[killed] com.apple.wdhelper.plist

[loaded] 194 Apple tasks

[running] 92 Apple tasks

2 processes killed due to insufficient RAM


Launch Agents: ⓘ

[loaded] com.avira.antivirus.general.agent.plist [Support]

[loaded] com.avira.antivirus.ipm.ui.plist [Support]

[loaded] com.avira.antivirus.notifications.agent.plist [Support]

[loaded] com.avira.antivirus.odscan.default.plist [Support]

[loaded] com.avira.antivirus.scheduler.agent.plist [Support]

[running] com.avira.antivirus.systray.plist [Support]

[loaded] com.avira.antivirus.telemetry.agent.plist [Support]

[loaded] com.avira.antivirus.update.default.plist [Support]

[running] com.avira.helper.avstats.plist [Support]


Launch Daemons: ⓘ

[loaded] com.adobe.SwitchBoard.plist [Support]

[loaded] com.adobe.fpsaud.plist [Support]

[loaded] com.avira.antivirus.dbcleaner.plist [Support]

[loaded] com.avira.antivirus.ipm.loader.plist [Support]

[running] com.avira.helper.watchdox.plist [Support]

[running] com.freemacsoft.appcleanerdaemon.plist [Support]

[loaded] com.google.keystone.daemon.plist [Support]

[loaded] com.malwarebytes.MBAMHelperTool.plist [Support]

[loaded] com.microsoft.office.licensing.helper.plist [Support]


User Launch Agents: ⓘ

[loaded] com.adobe.ARM.[...].plist [Support]

[failed] com.apple.CSConfigDotMacCert-[...]@me.com-SharedServices.Agent.plist

[running] com.microsoft.LaunchAgent.SyncServicesAgent.plist [Support]

[loaded] com.valvesoftware.steamclean.plist [Support]


User Login Items: ⓘ

Dropbox Application (/Applications/Dropbox.app)


Other Apps: ⓘ

[loaded] com.adobe.Acrobat.Pro.45792

[running] com.apple.xpc.launchd.oneshot.0x1000000f.EtreCheck

[running] com.getdropbox.dropbox.7712

[running] com.microsoft.Excel.70432

[loaded] com.microsoft.SyncServicesAgent.76192

[running] com.microsoft.Word.71392

[running] com.microsoft.autoupdate.fba.19232

[running] com.microsoft.outlook.databasedaemon.72992

[running] org.mozilla.firefox.105632


Internet Plug-ins: ⓘ

npg: Version: 1.0 [Support]

Default Browser: Version: 601 - SDK 10.11

OfficeLiveBrowserPlugin: Version: 12.3.6 [Support]

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Support]

FlashPlayer-10.6: Version: 20.0.0.267 - SDK 10.6 [Support]

AdobePDFViewerNPAPI: Version: 11.0.12 - SDK 10.6 [Support]

Silverlight: Version: 5.1.41105.0 - SDK 10.6 [Support]

QuickTime Plugin: Version: 7.7.3

Flash Player: Version: 20.0.0.267 - SDK 10.6 Outdated! Update

iPhotoPhotocast: Version: 7.0

SharePointBrowserPlugin: Version: 14.5.2 - SDK 10.6 [Support]

AdobePDFViewer: Version: 11.0.12 - SDK 10.6 [Support]

RL Secure Plug-In Layer: Version: Unknown - SDK 10.5 [Support]

JavaAppletPlugin: Version: 15.0.1 - SDK 10.7 Check version


User internet Plug-ins: ⓘ

CitrixOnlineWebDeploymentPlugin: Version: 1.0.105 [Support]


3rd Party Preference Panes: ⓘ

Flash Player [Support]


Time Machine: ⓘ

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

Kristen I: Disk size: 479.24 GB Disk used: 274.23 GB

Destinations:

Susi Seagate 1 [Local]

Total size: 999.86 GB

Total number of backups: 14

Oldest backup: 10/13/15, 1:48 PM

Last backup: 2/5/16, 1:26 PM

Size of backup disk: Adequate

Backup size 999.86 GB > (Disk used 274.23 GB X 3)


Top Processes by CPU: ⓘ

32% kernel_task

14% firefox

6% WindowServer

3% savapi

2% Finder


Top Processes by Memory: ⓘ

796 MB kernel_task

795 MB firefox

279 MB WindowServer

205 MB mdworker(11)

164 MB mds_stores


Virtual Memory Information: ⓘ

1.50 GB Free RAM

6.50 GB Used RAM (1.87 GB Cached)

143 MB Swap Used


Diagnostics Information: ⓘ

Feb 6, 2016, 10:11:16 PM /Library/Logs/DiagnosticReports/firefox_2016-02-06-221116_[redacted].cpu_resour ce.diag [Details]

/Applications/Firefox.app/Contents/MacOS/firefox

Feb 6, 2016, 09:16:57 PM /Library/Logs/DiagnosticReports/Photos_2016-02-06-211657_[redacted].cpu_resourc e.diag [Details]

/Applications/Photos.app/Contents/MacOS/Photos

Feb 6, 2016, 08:55:12 PM /Library/Logs/DiagnosticReports/VTEncoderXPCService_2016-02-06-205512_[redacted ].cpu_resource.diag [Details]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTEnco derXPCService.xpc/Contents/MacOS/VTEncoderXPCService

Feb 6, 2016, 08:38:17 PM /Library/Logs/DiagnosticReports/VTEncoderXPCService_2016-02-06-203817_[redacted ].cpu_resource.diag [Details]

Feb 4, 2016, 05:08:47 PM /Library/Logs/DiagnosticReports/VTEncoderXPCService_2016-02-04-170847_[redacted ].cpu_resource.diag [Details]

Feb 4, 2016, 05:03:32 PM /Library/Logs/DiagnosticReports/PTPCamera_2016-02-04-170332_[redacted].cpu_reso urce.diag [Details]

/System/Library/Image Capture/Devices/PTPCamera.app/Contents/MacOS/PTPCamera

Feb 4, 2016, 04:24:32 PM /Library/Logs/DiagnosticReports/Photos_2016-02-04-162432_[redacted].cpu_resourc e.diag [Details]

Feb 4, 2016, 03:30:47 PM ~/Library/Logs/DiagnosticReports/AdobeAcrobat_2016-02-04-153047_[redacted].cras h

com.adobe.Acrobat.Pro - /Applications/Adobe Acrobat XI Pro/Adobe Acrobat Pro.app/Contents/MacOS/AdobeAcrobat

Feb 4, 2016, 03:28:13 PM ~/Library/Logs/DiagnosticReports/AdobeAcrobat_2016-02-04-152813_[redacted].cras h

Feb 4, 2016, 02:19:18 PM Self test - passed

MacBook Pro (17-inch Mid 2010), OS X El Capitan (10.11.3)

Posted on Feb 7, 2016 3:46 AM

Reply
3 replies
User profile for user: thomas_r.
thomas_r.
User level: Level 7
31,989 points

Feb 7, 2016 4:55 AM in response to KittyXPryde

If you believe that someone with physical access to your Mac has compromised it, there's really only one course of action that you should take.


1) Make a "clone" backup of your system onto another hard drive, using a tool like Carbon Copy Cloner or SuperDuper.

2) Erase the system hard drive.

3) Reinstall OS X from scratch

4) Using the clone backup, manually copy documents - no settings, apps, etc - to the new, clean system. DO NOT use Time Machine or Migration Assistant to restore data, as that will restore too much.

5) Secure the new system by enabling FileVault (in System Preferences -> Security & Privacy -> FileVault) and enabling a firmware password. This should prevent any access to the system, and thus should prevent any future software hacks.

6) Even with all these precautions, you should still do everything you can to keep the machine out of the hands of anyone untrusted. Do not leave it unattended while someone untrusted is present.

Reply
User profile for user: etresoft
etresoft
User level: Level 8
46,098 points

Feb 7, 2016 9:33 AM in response to KittyXPryde

Hello Kitty,

There is nothing out of the ordinary on your EtreCheck report. EtreCheck does not report the status of any sharing services. If you are concerned, make sure all of your sharing services are turned off. The memory errors are nothing to worry about. They just mean that you have been running a lot of software lately and ran out of RAM at some point. There may be a performance issue to worry about, but not a security problem.

Reply

Trying To Figure Out If Someone Has Remote Access With Physical Access To My Comp.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up