Incognit VPN Switcher used by Hackers?

In my 2016 hacking, this may be what the hackers were using to get into my system...This came from a Malwarebytes system snapshot I just checked. Also the Ka-Block might have been one of their tools.

Does anyone know how to locate these programs and delete them? Also I believe they were key-logging, would love to make sure that program is gone. Does anyone know what TrafficLight is??



Name: IncognIt VPN Switcher

Path: /Users/kathywingate/Library/Safari/Extensions/IncognIt VPN Switcher.safariextz

Modified: 2016-07-06 17:18:37 +0000


Name: Ka-Block!

Path: /Users/kathywingate/Library/Safari/Extensions/Ka-Block!.safariextz

Modified: 2016-07-06 17:15:07 +0000


Name: TrafficLight

Path: /Users/kathywingate/Library/Safari/Extensions/TrafficLight.safariextz

Modified: 2016-07-06 17:17:16 +0000

MacBook Pro (15-inch 2.53 GHz), Updated to El Capitan 10.11.5

Posted on Jun 29, 2017 1:51 PM

27 replies

Jun 30, 2017 1:07 AM in response to kthywin

I don't think any of these extensions (all security-related) can be used for hacking or key-logging.


Incognit: IncognIt technologies - IncogniTeam

Ka-Block: https://safari-extensions.apple.com/details/?id=com.kablock.osx-UYW4V22L7E

TrafficLight: https://safari-extensions.apple.com/details/?id=com.BitDefender.TrafficLight-GUNFMW623Y


They all can be located in Safari: Preferences -> Extensions.

Jul 1, 2017 8:04 AM in response to kthywin

I work for a security company... as such, I know what's possible and what isn't, and wouldn't suggest that Macs are invulnerable. That is not what I'm saying.


However, thus far, you've provided no concrete evidence that your Mac has been hacked. Unless you can provide concrete and detailed descriptions of specific symptoms you believe are due to hacking, without any speculation, we won't be able to draw any conclusions or help you in any way.


The three browser extensions you are concerned about are absolutely, 100% not the result of a hack. A hacker installing those would be like a burglar breaking into your house, then installing stronger locks and a security system on the way out. You, or someone else who has used your computer, installed them.


Regarding the other symptoms you've mentioned:


  • Receiving phishing e-mails is not a symptom of a hack. Everyone with an e-mail address receives phishing e-mails.
  • Having "multinational IPs on your network" is not a thing. It's a fake thing that scammers say to scare people into believing they've been hacked. What specifically have you seen that you think means there are multinational IPs on your network? If this is something you have been told by someone, who told you that?
  • What specific symptoms have you seen that lead you to believe your router has been hacked? (Note that it's very possible for your router to have been hacked remotely, but to know whether this has actually happened, we need to know what you've observed.)

Jun 30, 2017 7:23 AM in response to kthywin

None of these things are hacker-related.


Incognit VPN is a virtual private network. This is something you can use to secure your network traffic - if, for example, you're connecting from an unencrypted wifi network and don't want everyone else on that network snooping on your network traffic.


This is not something that could be used by a hacker to gain access to your computer. Worst case scenario, if you used an untrustworthy VPN, the people running that VPN would be able to see any data you were sending over the VPN network, but that's a far cry from being able to access your computer. No VPN provides that capability.


I can't say whether Incognit is a good VPN or not, but I can say with extremely high confidence that this is something that you would have installed at some point, not a hacker.


As for Ka-Block and TrafficLight... the former is an ad blocker and the latter is affiliated with the Bitdefender anti-virus software.

Jun 30, 2017 8:45 AM in response to Esquared

I was hacked through my router via my cable internet's DHCP server. I would know if I had installed these programs. They are foreign to me. These hackers were very sophisticated IT guys.



I did have apparent multinational IPs on my network. Life Lock notified me that my info was sold on a black market site, and I'm still getting phishing emails from all over the world daily.

From the Incognit site:

"The router-anonymizer IncognIt is automatically connected to VPN servers and gets a new IP address in the country of the user’s choice. After this the traffic of all devices connected to the router becomes anonymous.

Security: The router-anonymizer IncognIt transfers data over open networks along encrypted VPN channels. All your traffic is securely protected against intruders and strangers’ eyes.

Unblocking, no restrictions: Changing user’s real IP address for an address in another country, router-anonymizer IncognIt opens the websites that used to be inaccessible because of website blockings and geographical restrictions."

Jun 30, 2017 8:57 AM in response to thomas_r.

I was hacked through my router via my cable internet's DHCP server. I would know if I had installed these programs. They are foreign to me. These hackers were very sophisticated IT guys.

I did have apparent multinational IPs on my network. Life Lock notified me that my info was sold on a black market site, and I'm still getting phishing emails from all over the world daily.

From the Incognit site:

"The router-anonymizer IncognIt is automatically connected to VPN servers and gets a new IP address in the country of the user’s choice. After this the traffic of all devices connected to the router becomes anonymous.

Security: The router-anonymizer IncognIt transfers data over open networks along encrypted VPN channels. All your traffic is securely protected against intruders and strangers’ eyes.

Unblocking, no restrictions: Changing user’s real IP address for an address in another country, router-anonymizer IncognIt opens the websites that used to be inaccessible because of website blockings and geographical restrictions."

Jun 30, 2017 9:51 AM in response to kthywin

Multinational IPs on your network? I'm not sure what that means, exactly, but realize that on the internet, many things are multinational. This is normal. The fact that you mention this suggests to me that you may have been scammed by someone who called you, or who tricked you into calling them, and who told you that you were infected with malware and that they could fix it for you, for a price. Pointing to perfectly normal behavior and saying "Wow, look at all these foreign IPs, this is a problem" is exactly the sort of thing these scammers tell people.


If you were scammed, and gave those scammers access to your computer, you'd probably better wipe it clean and reinstall the system from scratch. In such a case, there's no telling what those people might have done while they had access.

Jun 30, 2017 6:51 PM in response to thomas_r.

I have not been scammed...and I would not be trying to appear to be from another country....but hackers would.

My Windows computer is totally disabled from WiFi (as we speak) due to a hacker who is using a "Microsoft WiFi Direct Virtual Adapter." I didn't know such a thing existed....maybe Apple has a virtual adapter people can use to hack...I don't know, I just know I experienced a horrid hacking last year, and Apple still refuses to admit that a Mac can be hacked. In an Apple article, I read that any computer can be hacked through a router, which mine were. That, in spite of firewalls, anti-virus, anti-malware, all that stuff.

Oh, I didn't know that about LifeLock, my neighbor works for the University Law School, and urged me to get it when I was hacked. However, I believe the information they gave me about my info being sold, because of the phishing scams I still get every day, and report to Homeland Security, for whatever good that does. Hackers all over the world have paid money to obtain my contact list and info...several times over. They just keep coming. Easy to recognize. Report them all. Thank you, I can see you're a "Never Mac Attack" man, so apparently you've never been hacked. I have.

Jul 1, 2017 7:19 PM in response to thomas_r.

I'm sorry, I believe I mentioned that my hacking was last year....I had to discontinue my cable Internet service, get rid of the router, did take the computer in to the Apple store, and they brought my computer back to me with a dead hard drive...so, now I have a different hard drive, running El Capitan, and am using a hotspot, which is off most of the time.

If I can find any history on my Time Machine backup I will send it to you, but I've got to create a new larger Time Machine backup drive, this one is old, and running out of space. One thing I remember, would this MacBook update the Chinese language on its own, when I am not using the computer? Or use FaceTime, or iMessage? iTunes? I remember that these programs were used last July 4th weekend while my daughter was here, and I made a point not to pick up my computer while she was visiting...not to mention, I have never used any of those programs, ever. That's all the info I can provide for now, since I have a new hard drive, and am not sure the evidence would be stored anywhere in the computer. Thanks.

Jul 2, 2017 7:19 AM in response to kthywin

I'm not looking for you to locate any files in your backups and provide them to me. In fact, if some stranger on the internet were to ask you to do that, you should refuse to do so. Further, that will not help. If you actually had some kind of infection at that time, a forensic analysis professional would need to examine the files personally in order to draw any firm conclusions.


What I need from you is not files or speculation, it's a very clear description of the problems you have seen that you believe are due to malware or hacking. I do not understand what you mean when you ask if the computer would "update the Chinese language on its own," for example... that is not a description of a symptom. Does this mean that you saw the modification date on a Chinese language file change? Does it mean your system suddenly started displaying text in Chinese? Does it mean something else completely?


Similarly, you mention "using" FaceTime, Messages and iTunes. What does this mean? What specific symptom have you seen that you believe shows these programs were used by someone?

Jul 7, 2017 2:42 PM in response to thomas_r.

It was showing up in System Logs.

Today, I am having trouble booting again, and am in safe mode now, looking to see if I can make sense of anything.

Does any of this look normal to you? I am not familiar with watchdog, and don't have an icloud account set up.

From System logs:

Jul 7, 2017, 5:17:13 PM kernel[0]: IO80211ScanManager::startScan: Initiating scan.

Jul 7, 2017, 5:17:14 PM kernel[0]: IO80211ScanManager::getScanResult: All scan results returned for 'airportd' (pid 70).

Jul 7, 2017, 5:17:14 PM kernel[0]: IO80211ScanManager::startScan: Broadcast scan request received from 'airportd' (pid 70) ().

Jul 7, 2017, 5:17:14 PM kernel[0]: IO80211ScanManager::startScan: Initiating scan.

Jul 7, 2017, 5:17:15 PM watchdogd[487]: [watchdog_daemon] @( wd_watchdog_open) - IOIteratorNext failed (kr=0)

Jul 7, 2017, 5:17:15 PM watchdogd[487]: [watchdog_daemon] @( wd_daemon_init) - could not open connection with the kernel watchdog

Jul 7, 2017, 5:17:15 PM watchdogd[487]: [watchdog_daemon] @( main) - cannot initialize the watchdog service

Jul 7, 2017, 5:17:15 PM com.apple.xpc.launchd[1]: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Jul 7, 2017, 5:17:15 PM kernel[0]: IO80211ScanManager::getScanResult: All scan results returned for 'airportd' (pid 70).

Jul 7, 2017, 5:17:15 PM kernel[0]: IO80211ScanManager::startScan: Broadcast scan request received from 'airportd' (pid 70) ().

Jul 7, 2017, 5:17:15 PM kernel[0]: IO80211ScanManager::startScan: Initiating scan.

Jul 7, 2017, 5:17:15 PM kernel[0]: IO80211ScanManager::getScanResult: All scan results returned for 'airportd' (pid 70).

Jul 7, 2017 3:19 PM in response to kthywin

Here is more odd looking stuff:

Application firewall log:


Source: /var/log/appfirewall.log

Size: 96 KB (96,090 bytes)

Last Modified: 7/7/17, 5:16 PM

Recent Contents: ...

Jun 30 20:58:13 Kathys-MBP-2 socketfilterfw[200] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jun 30 21:08:13 Kathys-MBP-2 socketfilterfw[200] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jul 1 21:18:31 Kathys-MacBook-Pro-2 socketfilterfw[197] <Info>: cupsd: Allow TCP LISTEN (in:0 out:2)

Jul 1 21:21:00 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:18 out:0)

Jul 1 21:21:06 Kathys-MBP-2 socketfilterfw[197] <Info>: Stealth Mode connection attempt to UDP 1 time

Jul 1 21:23:30 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jul 1 21:47:43 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:3 out:0)

Jul 1 21:48:06 Kathys-MBP-2 socketfilterfw[197] <Info>: Stealth Mode connection attempt to UDP 1 time

Jul 1 21:48:13 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:15 out:0)

Jul 1 22:10:13 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jul 1 22:20:13 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jul 1 22:30:13 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jul 2 00:20:39 Kathys-MBP-2 socketfilterfw[197] <Info>: Stealth Mode connection attempt to UDP 1 time

Jul 2 01:04:28 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jul 2 15:11:08 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:18 out:0)
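A triage helper for socketfilterfw lines of the shape shown in the post above, added here as an example and not part of the thread: it parses the two message shapes in the log (per-process Allow/Deny verdicts with their in/out counters, and Stealth Mode drops), aggregates them per process, and flags only Allow verdicts from processes outside an assumed allowlist of Apple-shipped daemons. The sample lines and the process name hypothetical_agent are constructed, and the APPLE_DAEMONS allowlist is an assumption, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of /var/log/appfirewall.log (not the poster's own log);
# "hypothetical_agent" is an invented process name that exercises the Allow branch.
SAMPLE_LOG = """\
Jun 30 20:58:13 Kathys-MBP-2 socketfilterfw[200] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)
Jul 1 21:18:31 Kathys-MBP-2 socketfilterfw[197] <Info>: cupsd: Allow TCP LISTEN (in:0 out:2)
Jul 1 21:21:06 Kathys-MBP-2 socketfilterfw[197] <Info>: Stealth Mode connection attempt to UDP 1 time
Jul 1 21:48:13 Kathys-MBP-2 socketfilterfw[197] <Info>: netbiosd: Deny UDP CONNECT (in:15 out:0)
Jul 2 15:11:08 Kathys-MBP-2 socketfilterfw[197] <Info>: hypothetical_agent: Allow TCP LISTEN (in:0 out:4)
"""
# syslog-style prefix, then either "<proc>: Allow|Deny <proto> <verb> (in:N out:M)"
# or "Stealth Mode connection attempt to <proto> N time(s)"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"socketfilterfw\[(?P<pid>\d+)\] <\w+>: (?P<msg>.*)$"
)
VERDICT_RE = re.compile(
    r"^(?P<proc>.+?): (?P<action>Allow|Deny) (?P<proto>TCP|UDP) (?P<verb>[A-Z]+) "
    r"\(in:(?P<inbound>\d+) out:(?P<outbound>\d+)\)$"
)
STEALTH_RE = re.compile(r"^Stealth Mode connection attempt to (?P<proto>TCP|UDP) (?P<count>\d+) times?$")
# Assumed allowlist: Apple-shipped daemons whose verdict lines are routine on a stock Mac.
APPLE_DAEMONS = {"netbiosd", "cupsd", "mDNSResponder", "sharingd"}


def parse_line(line):
    """Classify one line; returns a dict, or None if it is not a recognised socketfilterfw line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    v = VERDICT_RE.match(m["msg"])
    if v:
        return {"kind": "verdict", "ts": m["ts"], "proc": v["proc"], "action": v["action"], "proto": v["proto"],
                "verb": v["verb"], "inbound": int(v["inbound"]), "outbound": int(v["outbound"])}
    s = STEALTH_RE.match(m["msg"])
    if s:
        return {"kind": "stealth", "ts": m["ts"], "proto": s["proto"], "count": int(s["count"])}
    return None


def summarize(log_text):
    """Aggregate verdicts per (process, action, proto, verb) and stealth-mode drops per proto."""
    verdicts = defaultdict(lambda: {"lines": 0, "inbound": 0, "outbound": 0})
    stealth = defaultdict(int)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["kind"] == "verdict":
            agg = verdicts[(ev["proc"], ev["action"], ev["proto"], ev["verb"])]
            agg["lines"] += 1
            agg["inbound"] += ev["inbound"]
            agg["outbound"] += ev["outbound"]
        else:
            stealth[ev["proto"]] += ev["count"]
    return {"verdicts": dict(verdicts), "stealth": dict(stealth)}


def findings(summary):
    """Deny lines are the firewall refusing traffic; only Allow lines from unlisted processes need a look."""
    notes = []
    for (proc, action, proto, verb), agg in sorted(summary["verdicts"].items()):
        if action == "Deny":
            notes.append(f"{proc}: {agg['lines']} {proto} {verb} line(s) denied, in={agg['inbound']} out={agg['outbound']}")
        elif proc not in APPLE_DAEMONS:
            notes.append(f"{proc}: Allow {proto} {verb} by a process outside the allowlist; confirm you installed it")
    for proto, n in sorted(summary["stealth"].items()):
        notes.append(f"stealth mode dropped {n} unsolicited {proto} probe(s) without replying")
    return notes
```

Run `findings(summarize(open("/var/log/appfirewall.log").read()))` on a real log to get the same per-process summary; on the constructed sample only the invented non-Apple process is flagged.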

Jul 7, 2017 4:23 PM in response to Old Toad

OK, I did EtreCheck. I AM IN SAFE MODE, PROBABLY WHY MANY PROGRAMS SAY "NOT LOADED".


Safari Extensions: ⓘ

[not loaded] Ka-Block! - David Graham & Josh Peek - http://kablock.com (installed 2016-07-06)

[not loaded] TrafficLight - Bitdefender SRL - http://trafficlight.bitdefender.com/ (installed 2016-07-06)

[not loaded] IncognIt VPN Switcher - IncogniTeam Ltd. - http://www.incogniteam.com (installed 2016-07-06)

OK, if the above were installed, it would have been during the time I was hacked, and not online.


REPORT IN ITS ENTIRETY

EtreCheck version: 3.4 (420)

Report generated 2017-07-07 18:58:15

Download EtreCheck from https://etrecheck.com

Runtime: 2:54

Performance: Excellent


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.


Problem: Other problem

Description:

Will not boot


Hardware Information: ⓘ

MacBook Pro (15-inch, 2.53GHz, Mid 2009)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro5,4

1 2.53 GHz Intel Core 2 Duo (Duo) CPU: 2-core

8 GB RAM Upgradeable - [Instructions]

BANK 0/DIMM0

4 GB DDR3 1333 MHz ok

BANK 1/DIMM0

4 GB DDR3 1333 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 49


Video Information: ⓘ

NVIDIA GeForce 9400M - VRAM: 256 MB


Disk Information: ⓘ

HGST HTS721010A9E630 disk0: (1 TB) (Rotational)

[Show SMART report]

(disk0s1) <not mounted> [EFI]: 210 MB

Mass Storage (disk0s2 - Journaled HFS+) / [Startup]: 999.21 GB (837.35 GB free)

(disk0s3) <not mounted> [Recovery]: 650 MB


MATSHITADVD-R UJ-868 ()


USB Information: ⓘ

USB20Bus

Apple Inc. Built-in iSight

USB20Bus 250.06 GB

Apple Card Reader

JMicron JMicron 250.06 GB

USBBus

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Computer, Inc. IR Receiver

USBBus

Apple Inc. BRCM2046 Hub

Apple Inc. Bluetooth USB Host Controller


Virtual disks: ⓘ

Time Machine Backup (disk1s2 - Journaled HFS+) /Volumes/Time Machine Backup : 249.20 GB (52.51 GB free)

Physical disk: (null) 249.20 GB (52.51 GB free)


System Software: ⓘ

OS X El Capitan 10.11.6 (15G1510) - Time since boot: about one hour


Gatekeeper: ⓘ

Mac App Store and identified developers


Kernel Extensions: ⓘ

/System/Library/Extensions

[not loaded] com.jft.driver.PdaNetDrv (1.0.64) [Lookup]

[not loaded] com.seagate.driver.PowSecDriverCore (5.0.1) [Lookup]


/System/Library/Extensions/Seagate Storage Driver.kext/Contents/PlugIns

[not loaded] com.seagate.driver.PowSecLeafDriver_10_4 (5.0.1) [Lookup]

[not loaded] com.seagate.driver.PowSecLeafDriver_10_5 (5.0.1) [Lookup]

[not loaded] com.seagate.driver.SeagateDriveIcons (5.0.1) [Lookup]


System Launch Agents: ⓘ

[not loaded] 8 Apple tasks

[loaded] 162 Apple tasks

[running] 68 Apple tasks


System Launch Daemons: ⓘ

[failed] com.apple.ucupdate.plist (Apple, Inc. - installed 2016-07-08)

[failed] com.apple.watchdogd.plist (Apple, Inc. - installed 2017-04-18)

[not loaded] 46 Apple tasks

[loaded] 161 Apple tasks

[running] 82 Apple tasks


Launch Agents: ⓘ

[not loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2016-07-15) [Lookup]

[not loaded] com.oracle.java.Java-Updater.plist (? 4fb73709 be93c7fb - installed 2017-05-01) [Lookup]

[not loaded] com.seagate.SeagateStorageGauge.plist (? 502453cc 362bd442 - installed 2013-10-19) [Lookup]


Launch Daemons: ⓘ

[not loaded] com.adobe.SwitchBoard.plist (? 68cad67 0 - installed 2013-10-19) [Lookup]

[not loaded] com.adobe.fpsaud.plist (? 2afb3af7 a0305b84 - installed 2017-06-14) [Lookup]

[loaded] com.apple.installer.osmessagetracing.plist (Apple, Inc. - installed 2017-04-18)

[not loaded] com.bombich.ccchelper.plist (Bombich Software, Inc. - installed 2017-06-21) [Lookup]

[not loaded] com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installed 2017-05-13) [Lookup]

[not loaded] com.memeo.Memeod.plist (? 8ed6db66 bbb35ad2 - installed 2010-04-20) [Lookup]

[not loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2017-03-15) [Lookup]

[not loaded] com.symantec.nis.uninstall.English.plist (Shell Script cb147988 - installed 2017-04-30)


User Launch Agents: ⓘ

[not loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2016-07-15) [Lookup]

[not loaded] com.adobe.ARM.[...].plist (? 5c76f5f6 1c9bb8a9 - installed 2015-11-24) [Lookup]


Internet Plug-ins: ⓘ

AdobeAAMDetect: AdobeAAMDetect 1.0.0.0 (installed 2016-07-15) [Lookup]

FlashPlayer-10.6: 26.0.0.131 (installed 2017-06-19) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-06-23)

AdobePDFViewerNPAPI: 10.1.8 (installed 2013-10-19) [Lookup]

AdobePDFViewer: 10.1.8 (installed 2013-10-19) [Lookup]

Flash Player: 26.0.0.131 (installed 2017-06-19) [Lookup]

Default Browser: 601 (installed 2016-07-08)

JavaAppletPlugin: Java 8 Update 131 build 11 (installed 2017-05-01) Check version

Silverlight: 4.0.60531.0 (installed 2017-07-06) [Lookup]

iPhotoPhotocast: 7.0 (installed 2013-10-19)


Safari Extensions: ⓘ

[not loaded] Ka-Block! - David Graham & Josh Peek - http://kablock.com (installed 2016-07-06)

[not loaded] TrafficLight - Bitdefender SRL - http://trafficlight.bitdefender.com/ (installed 2016-07-06)

[not loaded] IncognIt VPN Switcher - IncogniTeam Ltd. - http://www.incogniteam.com (installed 2016-07-06)


3rd Party Preference Panes: ⓘ

Flash Player (installed 2017-06-14) [Lookup]

Growl (installed 2013-10-19) [Lookup]

Java (installed 2017-05-01) [Lookup]


Time Machine: ⓘ

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

Mass Storage: Disk size: 999.21 GB Disk used: 161.86 GB

Time Machine Backup: Disk size: 249.20 GB Disk used: 196.69 GB

Destinations:

Boot Disk [Local]

Total size: 814.56 GB

Total number of backups: 3

Oldest backup: 6/21/17, 1:19 AM

Last backup: 6/21/17, 3:17 PM

Size of backup disk: Too small

Backup size 814.56 GB < (Disk used 358.55 GB X 3)


Time Machine Backup [Local]

Total size: 249.20 GB

Total number of backups: 1

Oldest backup: 7/2/17, 10:21 PM

Last backup: 7/2/17, 10:21 PM

Size of backup disk: Too small

Backup size 249.20 GB < (Disk used 358.55 GB X 3)


Top Processes by CPU: ⓘ

19% AddressBookSourceSync

3% ps

1% WindowServer

1% kernel_task

0% fontd


Top Processes by Memory: ⓘ

973 MB firefox

523 MB kernel_task

135 MB System Information

122 MB Spotlight

121 MB Finder


Top Processes by Energy Use: ⓘ

2.16 WindowServer

2.08 firefox

0.70 mds

0.24 launchservicesd


Virtual Memory Information: ⓘ

2.55 GB Available RAM

63 MB Free RAM

5.45 GB Used RAM

2.49 GB Cached files

0 B Swap Used


Software installs: ⓘ

Adobe Flash Player: (installed 2017-06-19)

Microsoft® Silverlight™ Browser Plug-In: (installed 2017-07-04)


Install information may not be complete.


Diagnostics Information: ⓘ

2017-07-07 17:49:42 Firefox.app High CPU use [Open] [Details]

2017-07-07 17:05:55 Last shutdown cause: -128 - Unknown
