OS 10.6.8 Today I tried to download an old movie but a window appeared saying I had suspicious activity and to dial an 800 number which showed "GoToAssist.customer" which resulted in someone purporting to be from apple that everything on my computer was out of commission and that he would run diagnostics. After a few minutes he said that he would extend my warranty for $249 up to $999.00. At that point I knew this guy was phoney but it took me a few minutes to get control because Safari would not accept force quit at first. Has anyone else had this experience? How can you detect a phoney right off the bat? jaybass

You didn't give that guy access to your Mac to run his "diagnostics", did you?


I'd take that as immediate confirmation that it was phony.

artie, Unfortunately I did give him access. I emailed my bank and gave instructions to stop any transfers or withdrawals so hopefully that should prevent anything disastrous from happening. I have just ran ClamXav and there are no problems.
What else might I do? jaybass

There are other posters with far more expertise in this matter than I've got, and I hope some of them will kick in, but my advice is that you run Legacy Download – Little Snitch if you're not already running it.

LS is best described as a reverse firewall, i.e. it prevents calls OUT of your Mac without your permission, and that's effective medicine against a lot of malware. It's got a bit of a learning curve in that you've got to understand what your allowing or denying every time you click on "Allow" or "Deny", but once you've established your basic rules you can coast.

It's a bit pricey, but I imagine that it still allows a trial that, when I used it, necessitated restarting it every two hours.

artie, I will check out L/S and see if I can understand it. Thanks. I'll let you know. jaybass

I hope it all works out OK for you. (I wonder if calling your bank [your only financial institution?] would be a better idea than relying on e-mail?)

Another thought... Have you taken a look in /Applications, /Applications/Utilities, and any other places with which you're familiar to see if anything looks like it maybe doesn't belong?

Trust nothing that pops up and advises that your computer has a problem — it's almost certainly a scam. That can be extrapolated to virtually any scenario, including email and telephone calls.
If somebody identifies himself as an Apple rep, then disconnect and call Apple directly to verify and report the intrusion.
Any suggestion that the caller/intruder is "your friend" and is here "to help you" warrants skepticism and very close examination.
"Trust but verify" in the online world is invalid — "Distrust and verify" is the only sound practice.

You are so right. My son told me to hold the power button until the computer shuts down if someone has locked your browser. It will not happen again. Thanks grelber. jaybass

artie, I have checked apps...utilities and there nothing there that doesn't belong and as I said, I ran the latest ClamXav (2.8.1) with no infected files. jaybass

You might also monitor certain folders as described in this MacIssues article.

ClamX AV, or any other anti-virus or anti-malware for that matter, is useless in this situation. The only viruses it can detect are those that have "signatures" it recognizes and the only "signatures" available to detect are for Windows malware that cannot infect your Mac. Be aware that some malware can lie dormant in your system for months until triggered by an outside signal, so just because there is no immediate indication of infection does not mean you are not infected.

Assuming you are using Time Machine consider booting from the recovery drive, erasing the hard drive, and then restoring from a Time Machine image taken at a point in time PRIOR TO the takeover incident. If you were infected that should get you back to a clean system. Clones that were mounted when the incident occurred could easily have been infected too and I would consider them suspect.

By-the-way your son gave you excellent advice.

You can in fact automate that monitoring with the CIRCL automatic launch object detection utility, as mentioned in THE CYBER-SECURITY THREAD about a month ago.

alternaut, I installed CIRCL-ALOD at your suggestion so I guess that will give me some protection. Unfortunately, I superdupered my HD after the hacking which wasn't too bright. I imagine I will have to wait and see what might happen down the road. Thank you. jaybass

Why not do another clone of the now good setup and completely replace the "superdupered" version? Don't wait to see what might happen down the road.

jaybass's current setup isn't necessarily good, because it's merely protected from what we know might have happened, not necessarily from what actually did happen.

A restore from a pre-event clone would really be the best alternative...a nuke and pave, second best.

Edit: As things stand, I wouldn't be running without Little Snitch.

Ira, Cloning what I have now wouldn't necessarily help because I don't know if what I have now is malware free. I have spoken to my financial institutions and all passwords have been changed. Reading your post again, how do I know I have a "good setup"? BTW, is there any software available that will detect dormant malware? I'm not too optimistic about that. jaybass

Just be aware that if you've been stuck with a keystroke logger, your new passwords are not protecting you.

artie, Forgive my ignorance, what is a keystroke logger and how if necessary, can I change it? jaybass

A keystroke logger is one of the malware apps that logs every keystroke you enter; obviously it's most useful for delimited strings, such as passwords.
There are many versions of the malware; some are easily available and often used for parental surveillance — which doesn't make it "legitimate".
There's a fair bit of info online; just Google it.

You have to find it (if indeed it's lurking on your machine) in order to remove it.

Perhaps the safest thing to do all around is to follow the advice posted above: restore everything from a (Time Machine?) backup that was prior to your problem.

What he (and joemikeb and artie) said.

Unfortunately as the OP said earlier, he does not have a time machine backup instead relying on a clone which he updated after the incident and would therefore be infected too.

Where did jaybass say he didn't have a backup (Time Machine or otherwise)? All I got is that he "superdupered" (whatever that is) his hard drive and that was no help (after potential contamination).

SuperDuper is used for cloning. If jaybass had cloned his system after the damage was done, the clone is just as contaminated.