Remote access?

Question

c.valente Author

Level 1

8 points

Remote access?

Hi guys!

In a previous question here, I was told to run EtreCheck and post the report here.

I had a feeling my MBP was being accessed remotely... without my permission.

Am I right?

EtreCheck version: 5.0 (5008)

Report generated: 2018-09-24 00:36:16

Download EtreCheck from https://etrecheck.com

Runtime: 2:05

Performance: Excellent

Sandbox: Enabled

Full drive access: Enabled

Problem: No problem - just checking

Major Issues:

Anything that appears on this list needs immediate attention.

No Time Machine backup- Time Machine backup not found.

Minor Issues: None

Hardware Information:

MacBook Pro (Retina, 13-inch, Mid 2014)

MacBook Pro Model: MacBookPro11,1

1 3 GHz Intel Core i7 (i7-4578U) CPU: 2-core

16 GB RAM - Not upgradeable

BANK 0/DIMM0 - 8 GB DDR3 1600 ok

BANK 1/DIMM0 - 8 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 405

Video Information:

Intel Iris - VRAM: 1536 MB

Color LCD 2560 x 1600

Drives:

disk0 - APPLE SSD SM0512F 500.28 GB (Solid State - TRIM: Yes)

Internal PCI 5.0 GT/s x2 Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 [APFS Container] 500.07 GB

disk1 [APFS Virtual drive] 500.07 GB (Shared by 4 volumes)

disk1s1 - Macintosh HD (APFS) (Shared - 143.58 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)

disk1s3 - Recovery (APFS) [Recovery] (Shared)

disk1s4 - VM (APFS) [APFS VM] (Shared - 1.07 GB used)

Mounted Volumes:

disk1s1 - Macintosh HD 500.07 GB (352.54 GB free)

APFS

Mount point: /

Encrypted

disk1s4 - VM [APFS VM] (Shared - 1.07 GB used)

APFS

Mount point: /private/var/vm

Network:

Interface en4: Thunderbolt Ethernet

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

System Software:

macOS High Sierra 10.13.6 (17G65)

Time since boot: Less than an hour

Configuration Profiles:

Information not available

Security:

System	Status
Gatekeeper	Enabled
System Integrity Protection	Enabled

Kernel Extensions:

/Library/Application Support/Malwarebytes/MBAM/Kext

MB_MBAM_Protection.kext (Malwarebytes Corporation, 3.4 - SDK 10.13)

/Library/Extensions

LittleSnitch.kext (Objective Development Software GmbH, 4.2 - SDK 10.11)

System Launch Agents:

[Not Loaded]	9 Apple tasks
[Loaded]	166 Apple tasks
[Running]	118 Apple tasks
[Other]	One Apple task

System Launch Daemons:

[Not Loaded]	37 Apple tasks
[Loaded]	178 Apple tasks
[Running]	120 Apple tasks

Launch Agents:

[Running]	com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2018-09-14)
[Running]	at.obdev.LittleSnitchHelper.plist (Objective Development Software GmbH - installed 2018-09-22)
[Running]	at.obdev.LittleSnitchUIAgent.plist (Objective Development Software GmbH - installed 2018-09-22)

Launch Daemons:

[Running]	com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2018-09-14)
[Running]	com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2018-09-14)
[Running]	at.obdev.littlesnitchd.plist (Objective Development Software GmbH - installed 2018-09-22)

User Login Items:

Dashlane.app (App Store - installed 2018-09-21)

(/Applications/Dashlane.app)

iTunesHelper.app (Apple - installed 2018-09-21)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

P72E3GC48.com.dashlane.DashlaneAgent (App Store - installed 2018-09-21)

(/Applications/Dashlane.app/Contents/Library/LoginItems/P72E3GC48.com.dashlane.D ashlaneAgent.app)

iTunesHelper (Apple - installed 2018-09-21)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app/Contents/MacOS/iTunesH elper)

Internet Plug-ins:

QuickTime Plugin: 7.7.3 (installed 2018-07-04)

Safari Extensions:

Dashlane.safariextz - Dashlane Inc. - http://www.dashlane.com(installed 2018-09-21)

Time Machine:

Time Machine Not Configured!

Performance:

System Load: 1.88 (1 min ago) 1.95 (5 min ago) 2.26 (15 min ago)

Nominal I/O speed: 4.04 MB/s

File system: 46.87 seconds

Write speed: 667 MB/s

Read speed: 769 MB/s

CPU Usage:

Type	Overall	Individual cores
System	3 %	6 %	1 %	4 %	1 %
User	6 %	11 %	3 %	9 %	3 %
Idle	91 %	83 %	96 %	87 %	96 %

Top Processes by CPU:

Process (count)	Source	CPU	Location
EtreCheck	App Store	17.26 %
Other processes	?	14.75 %
nsurlsessiond	Apple	2.06 %
cloudd	Apple	1.49 %
P72E3GC48.com.dashlane.DashlaneAgent.app	App Store	0.62 %

Top Processes by Memory:

Process (count)	Source	RAM usage	Location
Safari	Apple	989 MB
EtreCheck	App Store	500 MB
com.apple.WebKit.WebContent	Apple	355 MB
Little Snitch Network Monitor	Objective Development Software GmbH	243 MB
media-indexer	Apple	167 MB

Top Processes by Network Use:

Process	Source	Input	Output	Location
nsurlsessiond	Apple	10 MB	7 KB
cloudd	Apple	34 KB	139 KB
mDNSResponder	Apple	62 KB	39 KB
parsecd	Apple	12 KB	7 KB
apsd	Apple	6 KB	5 KB

Virtual Memory Information:

Available RAM	9.27 GB
Free RAM	4.49 GB
Used RAM	6.73 GB
Cached files	4.78 GB
Swap Used	0 B

Software Installs (past 30 days):

Name	Version	Install Date
MRTConfigData	1.35	2018-09-21
Gatekeeper Configuration Data	154	2018-09-21
Safari	12.0	2018-09-21
iTunes	12.8	2018-09-21
Malwarebytes for Mac	1.0	2018-09-21
Dashlane	6.2.2	2018-09-21
Speedtest	1.5	2018-09-21
Amphetamine	3.0.2	2018-09-21
Evernote	7.5	2018-09-21
Magnet	2.4	2018-09-22
EtreCheck	5.0	2018-09-22
Novabench	4.0.1	2018-09-22

Diagnostics Information (past 7 days):

2018-09-23 06:00:37 Lightworks.app CPU

/Applications/Lightworks.app

2018-09-22 20:45:46 Safari.app CPU

/Applications/Safari.app

End of report

Thanks a lot!

MacBook Pro (Retina, 13-inch, Mid 2014), macOS High Sierra (10.13.6)

Posted on Sep 23, 2018 8:47 PM

Reply

Answer 1

Best reply

Cunnla

Level 6

8,257 points

Sep 23, 2018 11:12 PM in response to c.valente

You should steer clear of torrents. They are a sure way to import malware. You should not click on any link or button in a dubious website. You don't have a virus, as there are currently none that affect Macs. But you may have malware. You can try the free version of Malwarebytes and run it. You can uninstall it afterwards.

Here's a shot of the Activity Moniter window.

Reply

Answer 2

Cunnla

Level 6

8,257 points

Sep 24, 2018 12:04 AM in response to c.valente

You seem to be OK right now.

For future reference you might find this user tip useful. Effective defenses against malware and other threats.

You can keep a check on what nsurlsessiond is doing in Activity Monitor / Network.

Happy computing.🙂

Reply

Answer 3

Cunnla

Level 6

8,257 points

Sep 23, 2018 10:21 PM in response to c.valente

There is nothing in that report to indicate you computer is being accessed remotely.

To help you feel safer, in System Preferences / Sharing, make sure Remote Login and Remote Management are unchecked. You can check them if you want to do sharing with computers on your network.

Also, in System Prefs / Security & Privacy, enable Firewall and perhaps File Vault.

Some people have reported problems with Little Snitch, so think about whether you need it or not.

Reply

Answer 4

c.valente Author

Level 1

8 points

Sep 23, 2018 10:21 PM in response to Cunnla

Thank you Cunnla!

Every items in Sharing are unchecked. Firewall and File Vault both enabled.

I've installed Little Snitch to maybe be able to identify unwanted process running...

Is there any evidence to look for in the activity monitor?

Reply

Answer 5

Cunnla

Level 6

8,257 points

Sep 23, 2018 10:57 PM in response to c.valente

You're welcome!

What makes you think your computer is being accessed?

Activity Monitor can tell you how much data is being sent in the last 30 days. In the Cache tab. You could keep a record of it to watch out for unusual activity.

Another thing you could do is strengthen your Wi-fi network password and your login password.

Reply

Answer 6

c.valente Author

Level 1

8 points

Sep 23, 2018 10:57 PM in response to Cunnla

Well, a while ago, I ended up installing uTorrent and qBittorrent, and opening their ports in the router.

While searching for files in different websites, I think I've clicked in a "fake"link, and Safari opened a window <apple.com-macbook> saying there was a virus in my Mac.

I clicked the X (close) button, but right after clicking I noticed the mouse cursor was a pointing a link (hand).

Since than, I could identify some weird things, like Users in file information (there's only one user in my Users/Groups settings), strange folders in Finder...

In the Activity Monitor, I don't see the Cache Tab, how to find it?

Reply

Answer 7

c.valente Author

Level 1

8 points

Sep 23, 2018 11:35 PM in response to Cunnla

Yeah, since it all started, I've uninstalled the torrent clients.

Malwarebytes was the first App installed after formatting the Mac.

Thank you again for your time, so I'll assume there's nothing wrong going on...

The Cache tab was'n showing up because the Content Cache was disabled in the Sharing settings.

Could this be the reason nsurlsessiond process is on 100GB (Down) and 500MB (Up) on Little Snitcher?

Reply

Answer 8

Sep 24, 2018 7:01 AM in response to c.valente

How did you decide to use Dashlane over the Built-in password manager in the Mac, or over OnePassword?

I have no reason to be suspicious of Dashlane. But if it was chosen while someone else was influencing you, you may want change to something else. You could get a paper book, write down the passwords, and switch to a different password manager.

Reply

Answer 9

c.valente Author

Level 1

8 points

Sep 25, 2018 4:22 PM in response to Grant Bennet-Alder

Hey Grant!

I wasn't feeling very safe with the Built-in ... than looked around in a few forums, sites, etc...

No one influenced me...

Do you believe the Mac PSW MNGR is really safe and enough for regular home use?

By the way, this is my first Mac, so the previous experiences with Windows kind of contribute to my feeling of vulnerability .

I'd appreciate if you could tell me a bit more.

And sorry for the English! Greetings from Brazil!

Reply

Answer 10

Sep 25, 2018 7:06 PM in response to c.valente

I was ONLY concerned that if you had recently left a relationship, and feared that your ex- was the source of intrusions, that the password manager you installed while under that influence might now be a source of leaks.

I have NO evidence to support any of that. I am just thinking in a divergent way.

Reply

Answer 11

c.valente Author

Level 1

8 points

Oct 2, 2018 3:17 PM in response to Grant Bennet-Alder

That surely isn't the problem.

I've been having different kinds of issues...

The newest one, I'm not able to send any email, both through my MBP, in Apple account, gmail, yahoo, none...

Also in my iPhone. They seem not to be able to reach the SMTP server...

I even already contacted Apple support, and the case is being analyzed by their engineering team.

The other, regarding the stability of the Internet Connection, very weird... it starts well, but after a while, I'm not able to access some websites... In Safari, I get the message that the server didn't respond, or the connection timed out, in Vivaldi Browser, I get the ERR_TIMED_OUT...

Reseting both the router and modem doesn't help... only (I guess) restarting the MBP.

In resume, it's been difficult.

At least, the Ex girlfriend is not the reason.

Reply

Answer 12

Oct 2, 2018 3:43 PM in response to c.valente

for Mail problems, you choose:

Mail > Window > connection Doctor.

if there are nay red lights, you click on one to be taken directly to the settings for that sending or receiving Server.

if the settings appear correct, you may need to verify that your passwords are correct. To do that, go to your Browser, enter the website corresponding to that mail account, and log in (and possibly choose Webmail) to view your mail.

Reply

Answer 13

Oct 2, 2018 3:46 PM in response to c.valente

Packets going to the Internet are sent to the TopMost, Working interface shown in the left pane of

System preferences > Networks.

To preferentially use Ethernet if available, you may need to choose "Set Service Order" using the gear Icon, then drag the interface into the order you prefer.

Move Ethernet to the very top. When working, it will be used. Otherwise, you will try to use Wi-Fi or whatever is next in line.

Reply