Why would root have Bomgar running?

Question

Level 1

11 points

Why would root have Bomgar running?

Hello - Had a problem with creative cloud, called Adobe, had a sreenshare session to correct. In doing so, Bomgar was downloaded and eventually Adobe opened Activity Monitor. There, I saw 2 Bomgar applications running, the current one and one that Root initiated over an hour ago while I wasn't near computer. He couldn't explain and deleted all traces of Adobe and and changed all permissions and deleted both Bomgar sessions and that was that. I found Bomgar software on my iPhone as well so a couple of weeks ago I removed all traces of Bomgar from my new iMac running 10.12.6 - I did have a quick screen share session with Apple over a different matter in-between but didn't download anything. No one has yet to tell my why Bomgar was running without my knowledge. And then KeyChain cannot be found error came up, was accessed and modified while I was away before I came back to post this. WWYouDO?

iMac, 10.12.1

Posted on Oct 3, 2017 7:38 PM

Reply

Answer 1

Eric Root

Level 10

685,251 points

Oct 4, 2017 8:52 AM in response to kwcw

You should erase and reformat your hard drive, then restore your computer from a backup made prior to when you allowed them access. Change your passwords and other critical information also. You don't know what software might have been installed. If you paid them by credit card, contact the credit card company, and close out the credit card.

Reply

Answer 2

Barney-15E

Level 10

122,246 points

Oct 3, 2017 8:06 PM in response to kwcw

Are you sure you actually contacted Adobe and not some scam phone number you got by searching for Adobe support.

Reply

Answer 3

tygb

Level 9

65,010 points

Oct 4, 2017 2:08 AM in response to kwcw

In Mac open activity monitor , select the Bomgar and click on cross sign to force quit the process , and you have written that have removed traces of the application , but they are still in the system library and user library folder and not removed completely from the computer , and can you post the screen shot of keychain error that is permanent and not going away .

Reply

Answer 4

kwcw Author

Level 1

11 points

Nov 25, 2017 12:33 AM in response to PN2

In response to all the replies, I researched and found that it is not only used for screen sharing but developers have it loaded so they don’t have to bother you when they need to go in and tweak, fix or whafever they need to do and I’m not sure I’m OK with that.

Reply

Answer 5

Kappy

Level 10

362,007 points

Oct 3, 2017 7:46 PM in response to kwcw

Contact Adobe tech support for help with their products. Apple does not support them.

Reply

Answer 6

PN2

Level 4

1,052 points

Nov 25, 2017 12:54 AM in response to kwcw

Thanks . I see they can leave remote access enabled, if 'necessary' : Use Jump Clients to Access Unattended Computers

Reply

Answer 7

kwcw Author

Level 1

11 points

Oct 4, 2017 10:06 AM in response to Eric Root

It's creative cloud, 9.99 a month and have been paying for years on auto debit. Just purchased this 3000.00 computer so I could streamline my work and if history repeats it's self, I'd have to reformat in another 6 months. I surrender. But thanks for the advice.

Reply

Answer 8

kwcw Author

Level 1

11 points

Oct 6, 2017 12:41 PM in response to tygb

so this is what I came up with -

kernel IOReturn IOAccelSurface2::surface_unlock_options(enum eLockType, uint32_t): surface is not locked

apsd Failed entitlement check 'com.apple.private.dark-wake-push' for <private>

apsd Failed entitlement check 'com.apple.private.secure-apsclient' for <private>

apsd Failed entitlement check 'com.apple.private.aps-client-cert-access' for <private>

Process: iOSDevice [1

Path: /Users/Shared/bomgar-scc-.app/Contents/Resources/iOSDevice.app/Contents/MacOS/i OSDevice

Identifier: com.bomgar.iOSDevice

Version: 1.0 (1)

Code Type: X86-64 (Native)

Parent Process: ??? [1]

Responsible: iOSDevice [1

User ID: 5

Date/Time: 2017-10

OS Version: Mac OS X 10.13 (17A405)

Report Version: 12

Anonymous UUID: 5DB

Time Awake Since Boot: 9200 seconds

System Integrity Protection: enabled

Crashed Thread: 2 Dispatch queue: com.bomgar.xpc.serial

Exception Type: EXC_BAD_ACCESS (SIGBUS)

Exception Codes: KERN_PROTECTION_FAILURE at 0x

Exception Note: EXC_CORPSE_NOTIFY

Termination Signal: Bus error: 10

Termination Reason: Namespace SIGNAL, Code 0xa

Terminating Process: exc handler [0]

VIRTUAL REGION

REGION TYPE SIZE COUNT (non-coalesced)

=========== ======= =======

Activity Tracing 256K 2

CoreUI image file 168K 3

Kernel Alloc Once 8K 2

MALLOC 56.5M 21

MALLOC guard page 32K 7

Memory Tag 242 12K 2

STACK GUARD 56.0M 5

Stack 9752K 5

VM_ALLOCATE 112K 9

__DATA 22.7M 249

__FONT_DATA 4K 2

__LINKEDIT 189.7M 23

__TEXT 151.2M 253

__UNICODE 556K 2

mapped file 33.8M 7

shared memory 628K 13

=========== ======= =======

TOTAL 521.2M 589

systemmigrationd[297]: (NodeOp) Copy "file:///Volumes/Macintosh%20HD/Library/Keychains/FileVaultMaster.cer" -> "file:///var/foldersxvpxvq6csfxvn_n00000/Cleanup%20At%20Startup/SMSandboxTools- tmp/Library/Keychains/" Final name: "FileVaultMaster.cer" (Flags used: kFSFileOperationDefaultOptions,kFSFileOperationSkipSourcePermissionErrors,kFSFi leOperationCopyExactPermissions,kFSFileOperationSkipPreflight,k_FSFileOperationS uppressConversionCopy)

Reply

Answer 9

PN2

Level 4

1,052 points

Nov 24, 2017 7:07 PM in response to munkymajik

I see it at that location within a High Sierra 10.13 installer, but on 10.12.6 (16G1036) here it's not a standard component :

/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/PrivateFramew orks/CoreLocationProtobuf.framework

I don't think tygb meant that CoreLocationProtobuf.framework was anything to do with Bomgar.

Reply

Answer 10

kwcw Author

Level 1

11 points

Oct 3, 2017 8:01 PM in response to kwcw

Oh, I video taped the screen share session as he had control of my computer and stopped him from hanging up 3 times for an explanation but he his response was to call Apple.

Reply