remote sharing/hacked

Trying to track down how my computer is hacked and my screen is being remotely shared. All of my screen sharing settings have always been off, and my firewall is always set to the highest level of security.

I ran ps -A | grep Remote in terminal and here are the results:



Nmap done: 1 IP address (1 host up) scanned in 1.68 seconds

MacBook-Air:~ time$ sudo ps -A | grep Remote

7236 ?? 0:03.64 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted

7934 ?? 0:00.18 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoteagent

10061 ?? 0:00.03 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent

14665 ttys000 0:00.01 grep Remote

MacBook-Air:~ time$



sh-3.2# ps -A | grep Remote

69 ?? 0:00.20 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted

384 ?? 0:00.10 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent

386 ?? 0:00.03 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent

387 ?? 0:00.10 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent

572 ?? 0:00.43 /System/Library/PrivateFrameworks/LocalAuthenticationUI.framework/Versions/A/XPCServices/localAuthenticationRemoteService.xpc/Contents/MacOS/localAuthenticationRemoteService

699 ttys000 0:00.01 grep Remote


Also, as additional information, when checking screen sharing in Terminal:

MacBook-Air:~ time$ [[ -f /etc/com.apple.screensharing.agent.launchd ]] && echo 'enabled' || echo 'disabled'

The reply is that screensharing is enabled

MacBook Air, macOS High Sierra (10.13.3)

Posted on Feb 9, 2018 1:46 PM
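An added example, not part of the original post or any reply: grepping `ps -A` for the word "Remote" matches any path containing that string, so this sketch classifies each line by executable name and location instead. The function names, the list of Screen Sharing / Remote Management executable names, and the last sample line are assumptions made for the example; the other sample lines are taken from the output above.

```shell
#!/bin/sh
# Added example (not from the thread): triage `ps -A` lines for macOS
# Screen Sharing / Remote Management processes instead of grepping "Remote".

# Executable names used by macOS Screen Sharing and Remote Management.
SHARING_NAMES="screensharingd ScreensharingAgent ARDAgent AppleVNCServer"

# classify_ps_line LINE: prints sharing, apple-system, or other.
classify_ps_line() {
  line=$1
  case $line in
    */*) cmd="/${line#*/}" ;;      # command starts at the first "/"
    *)   echo other; return 0 ;;   # no path at all, e.g. "grep Remote"
  esac
  for name in $SHARING_NAMES; do
    case $cmd in
      */"$name"|*/"$name"\ *) echo sharing; return 0 ;;
    esac
  done
  case $cmd in
    /System/Library/*) echo apple-system ;;  # ships with macOS
    *)                 echo other ;;
  esac
}

# count_class CLASS: reads ps lines on stdin, prints how many are CLASS.
count_class() {
  want=$1
  n=0
  while IFS= read -r l; do
    [ -n "$l" ] || continue
    if [ "$(classify_ps_line "$l")" = "$want" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Sample input: the first four lines come from the post (paths rejoined);
# the last line is constructed to show what a running daemon would look like.
SAMPLE='7236 ?? 0:03.64 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
7934 ?? 0:00.18 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoteagent
10061 ?? 0:00.03 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
14665 ttys000 0:00.01 grep Remote
9001 ?? 0:00.05 /System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd'

# Print one verdict per sample line.
printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
  printf '%-13s %s\n' "$(classify_ps_line "$l")" "$l"
done
```

On a live Mac, pipe `ps -A` into the same loop; only the constructed last line of the sample is reported as `sharing`.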

Question marked as Top-ranking reply

Posted on Feb 9, 2018 5:01 PM

Thanks Kurt, here's my EtreCheck report.

EtreCheck version: 3.4.6 (460)

Report generated 2018-02-09 16:59:31

Download EtreCheck from https://etrecheck.com

Runtime: 7:05

Performance: Below Average


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.


Problem: Other problem


Hardware Information:

MacBook Air (13-inch, Early 2015)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir7,2

1 1.6 GHz Intel Core i5 (i5-5250U) CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Handoff/Airdrop2: supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 211


Video Information:

Intel HD Graphics 6000 - VRAM: 1536 MB

Color LCD 1440 x 900


Disk Information:

APPLE SSD SM0256G disk0: (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [APFS Container]: 250.79 GB


USB Information:

USB30Bus

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information:

Apple Inc. thunderbolt_bus


Virtual disks:

Macintosh HD (disk1s1 - APFS) / [Startup]: 250.79 GB (57.56 GB free)

Physical disk: disk0s2 250.79 GB (57.56 GB free)

(disk1s2) <not mounted> [Preboot]: 250.79 GB

Physical disk: disk0s2 250.79 GB

(disk1s3) <not mounted> [Recovery]: 250.79 GB

Physical disk: disk0s2 250.79 GB

(disk1s4) /private/var/vm [VM]: 250.79 GB

Physical disk: disk0s2 250.79 GB


System Software:

macOS High Sierra 10.13.3 (17D47) - Time since boot: about one hour


Gatekeeper:

Mac App Store and identified developers


Kernel Extensions:

/Library/Extensions

[loaded] at.obdev.nke.LittleSnitch (4.0.2 - SDK 10.11) [Lookup]

[loaded] com.comodo.kext.FileAccessFilter (1.0.2 - SDK 10.10) [Lookup]


System Launch Agents:

[not loaded] 9 Apple tasks

[loaded] 178 Apple tasks

[running] 83 Apple tasks

[killed] 20 Apple tasks

20 processes killed due to insufficient RAM


System Launch Daemons:

[not loaded] 38 Apple tasks

[loaded] 186 Apple tasks

[running] 87 Apple tasks

[killed] 21 Apple tasks

21 processes killed due to insufficient RAM


Launch Agents:

[running] at.obdev.LittleSnitchHelper.plist (Objective Development Software GmbH - installed 2017-08-30) [Lookup]

[running] at.obdev.LittleSnitchUIAgent.plist (Objective Development Software GmbH - installed 2017-08-30) [Lookup]

[running] com.comodo.Agent.plist (? ad1f90d6 c39330b3 - installed 2018-01-14) [Lookup]

[running] com.comodo.TrayMenu.plist (? eb04919d 2a09a6d5 - installed 2018-01-14) [Lookup]

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-10-04) [Lookup]


Launch Daemons:

[running] at.obdev.littlesnitchd.plist (Objective Development Software GmbH - installed 2017-08-30) [Lookup]

[loaded] com.apple.installer.osmessagetracing.plist (Apple, Inc. - installed 2018-01-19)

[running] com.comodo.fileaccessdaemon.plist (COMODO Security Solutions, Inc - installed 2016-06-22) [Lookup]

[loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2017-10-12) [Lookup]

[running] com.objectiveSee.blockblock.plist (Objective-See, LLC - installed 2018-01-31) [Lookup]

[loaded] com.xujiwei.PortsMonitor.Helper.plist (Jiwei Xu - installed 2017-08-23) [Lookup]


User Launch Agents:

[running] com.objectiveSee.blockblock.plist (Objective-See, LLC - installed 2018-01-31) [Lookup]

[running] com.spotify.webhelper.plist (Spotify - installed 2018-02-09) [Lookup]


User Login Items:

OverSight Helper Application (Objective-See, LLC - installed 2017-09-24)

(/Applications/OverSight.app/Contents/Library/LoginItems/OverSight Helper.app)

Wondershare Helper Compact Application

(~/Library/Application Support/Helper/Wondershare Helper Compact.app)


Internet Plug-ins:

o1dbrowserplugin: 5.41.3.0 (installed 2017-10-04) [Lookup]

googletalkbrowserplugin: 5.41.3.0 (installed 2015-12-11) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2018-02-09)


Safari Extensions:

None


3rd Party Preference Panes:

None


Time Machine:

Time Machine not configured!


Top Processes by CPU:

30% diagnosticd

29% Xcode

23% Console

11% mdworker

10% mdworker


Top Processes by Memory:

610 MB kernel_task

142 MB com.apple.WebKit.WebContent

115 MB Finder

110 MB Safari

96 MB Console


Top Processes by Network Use:

Input Output Process name

2 MB 207 KB Spotify

26 KB 23 KB mDNSResponder

5 KB 7 KB apsd

5 KB 558 B netbiosd

0 B 64 B SystemUIServer


Top Processes by Energy Use:

5.32 diagnosticd

5.20 coreaudiod

4.06 Console

3.96 Activity Monitor

2.60 com.apple.WebKit.WebContent


Virtual Memory Information:

1.12 GB Available RAM

255 MB Free RAM

2.88 GB Used RAM

891 MB Cached files

60 MB Swap Used


Software installs (last 30 days):

Comodo-AV-Installer: (installed 2018-01-14)

Slack: 3.0.5 (installed 2018-01-20)

Wireshark 2.5.0 Intel 64: (installed 2018-02-06)

ReimageCleanerApp: (installed 2018-02-09)

ReimageCleaner: (installed 2018-02-09)


Install information may not be complete.


Diagnostics Events (last 3 days for minor events):

2018-02-09 15:08:42 Last shutdown cause: 3 - Hard shutdown

2018-02-09 14:57:16 RansomWhere High CPU use [Open] [Details]

2018-02-08 09:45:37 com.apple.WebKit.Networking High CPU use [Open] [Details]

2018-02-06 23:43:45 Wireshark.app Crash [Open]

2018-02-06 22:44:02 Where.app Crash [Open]


Files deleted by EtreCheck:

2018-02-09 16:13:31 - ~/Library/LaunchAgents/com.dropbox.DropboxMacUpdate.agent.plist - Unknown

2018-02-09 16:13:31 - ~/Library/LaunchAgents/com.wondershare.TunesGoHelper.plist - Unknown

2018-02-09 16:34:30 - /Library/LaunchDaemons/com.reimage.cleaner.plist - Unknown


18 replies

Feb 17, 2018 1:56 PM in response to sflawton81

sflawton81 wrote:


My computer is being accessed remotely, and my screen is being shared. I need to understand how it's happening.


Is there any other information I can provide that would help facilitate investigating how my screen is being shared?

Yes. Why do you think your screen is being shared? You haven't actually told us what's going on other than a vague claim that your machine has been 'hacked', which I assure you it has not been.
