justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

[rant] friend scammed by mac keeper / Indian call centre software

A friend is dropping off a MacBook with Yosemite installed. Unbeknownst to me, after streaming Better Call Saul from some less than salubrious site or other, they had to do some actual work and found their Mac 'getting slower and slower'. Then they got an alert "from Safari" saying that (paraphrase) "Safari has blocked more downloads because your computer is getting slow, please call this number".

They called the number, and got sold a product for $200, using a US credit card a relative in the US provided them because their own credit card wouldn't allow the charge (perhaps their own bank is smarter than usual). They let this place do remote viewing and so on and "called back a few times since" because whatever solution was provided of course didn't last long. They said it was an Indian call centre and the background noise was of a hundred such conversations going on.

Now they're being offered another product for a discounted price but FINALLY felt suspicious and thought they'd ask me what is going on.

Now I don't actually have all the details straight; I'm not sure if the $200 was just for MacKeeper, or this place is bundling MacKeeper with screwing around with your computer.

But the whole thing makes me really sad and annoyed and I can't believe in 2015 this crap is not hunted down and killed by some authority with actual teeth.

BellBoy
Steven Paul Jobs 1955-2011
Premium Member
join:2001-02-20
Los Angeles, CA

Here's some info on MacKeeper. They are a pain in the ass, but I doubt they are the ones behind this attempt (or success) to defraud.

There are other sites that trick people into calling by using pop-ups or other such chicanery. Best thing to do at this point is to make sure their data is backed up as much as possible and head to an Apple Store. They will more than likely need to wipe the hard drive and reinstall everything. If they have somehow given them root access there may be more at stake--like if a firmware password was entered by the thieves. There are ways around that and a good Genius Bar can help you with it.

Good luck.

justin
..needs sleep
Mod
join:1999-05-28
2031

She has her files backed up and/or I can back them up. Usual thing: iPhoto, docs and music.
Can't I just burn Yosemite to a DVD and reinstall?

BellBoy
Steven Paul Jobs 1955-2011
Premium Member
join:2001-02-20
Los Angeles, CA

As long as you have control of the computer it shouldn't be a problem. Since you're running Yosemite, you can boot into the recovery partition (Cmd + R). That will allow you to reinstall the OS.

If they have somehow put a firmware password on the computer--or they enabled FileVault and secured it with a password--that won't be possible. You'll have to take it to an Apple Store.

justin
..needs sleep
Mod
join:1999-05-28
2031

I'll try.

I told her to dispute the credit card charge. Any chances of that succeeding?

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to BellBoy

I doubt the software is very sophisticated, but it's generally not a good idea to reinstall from a potentially compromised disk (at least from a Windows malware viewpoint). Safer to download Yosemite on another Mac and install from a DVD/USB drive. Or you can force the Mac to use Internet Recovery instead of local recovery by using Command + Option + R, IIRC.

BellBoy
Steven Paul Jobs 1955-2011
Premium Member
join:2001-02-20
Los Angeles, CA

Actually the recovery partition can't be modified unless they know what they're doing. You should be ok to reinstall the OS from the recovery partition. I would still recommend erasing the compromised partition though.

BellBoy to justin

said by justin:

I told her to dispute the credit card charge. Any chances of that succeeding?

It's always possible if they present the problem to them honestly--try it and see.

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Thinkdiff to BellBoy

The recovery partition can easily be manipulated from the main OS, without the user ever knowing. Whether they actually bother to modify it or not is another question (re: my guess that it's not really that sophisticated). But it's still a possibility.

In this case, I don't see any reason why you wouldn't just use Internet Recovery if available. "Better safe than sorry" and all that.

BellBoy
Steven Paul Jobs 1955-2011
Premium Member
join:2001-02-20
Los Angeles, CA

said by Thinkdiff:

Whether they actually bother to modify it or not is another question (re: my guess that it's not really that sophisticated). But it's still a possibility.

Agreed
said by Thinkdiff:

In this case, don't see any reason why you wouldn't just use Internet Recovery if available. "Better safe than sorry" and all that.

Also agreed, but IR might not be available on their computer: support.apple.com/en-us/HT202313

P.S.--IR can be slow as hell if you have crappy internet speeds at home.

daveinpoway
Premium Member
join:2006-07-03
Poway, CA

I just got a pop-up in Yosemite's Safari telling me that the last website I visited put a virus on my Mac and I need to click to start the repair process. It came from macupdate.me (Montenegro).

The mini-window had no exit option, so I just quit Safari. If I had selected the repair option, bad things probably would have happened. I have Sophos Anti-Virus installed, but it might not have been able to protect me from the changes these people wanted to make; best to not take a chance.

daveinpoway

I am guessing that selecting the repair option would have required my entering the administrative password; once that is authenticated, antivirus probably provides little protection.

Hackers never sleep.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

Updates. Anyone got any ideas?

I've removed MacKeeper (trial), which took some time: the launch startup and /Library and Home/Library items. Rebooted, applied latest OS X patches.

Now everything is clean in terms of Activity Monitor: little CPU use, average memory pressure, no network use, little disk activity. Sounds good, right?

BUT, the whole MacBook is slow. Much slower than my MacBook Air. Doing anything much takes quite a while, and often the spinning beachball appears. While this appears, Activity Monitor does not show much.

When I time dd writing to the disk (Toshiba 500 GB), it writes about 40-50 MB/sec, not great, but not the explanation.

Putting one app in the Trash took about 30 seconds. The Trash is empty. Removing 2000 items from the Trash using the command line (rm -rf) took about a second.

Before I removed MacKeeper, the owner of the MacBook said when they tried to delete everything in the Trash the progress bar estimated it would take several hours. As I mentioned, removing everything using the command line was nearly instant.

They said these problems started BEFORE they got scammed into calling this $200 / we fix your Mac place. It basically started after the upgrade to Yosemite.

What can I look at? It looks to me like some kind of driver / OS X issue at the GUI level that makes the whole Mac appear to be in treacle, but this slowness does not extend to the command line, file system type operations.

Right now it is doing a Verify Disk on the HDD, and while I know that can make the Mac slow, immediately nothing works: spinning beachball for anything you want to do. It is just doing a fsck, basically, so it shouldn't be that bad.

When it is done I'll start looking in the system logs etc. Unless there is a new form of OS X malware that hides in the process list and makes your Mac slow without showing any CPU, disk or network activity, I do not believe it is 'infected'. I think the upgrade to Yosemite is the clue. Just don't know where to look at this point.

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Sounds somewhat normal if you're used to SSD-based Macs. You don't realize how slow hard disks are until you've used an SSD for an extended period of time.

I'd still do a clean install just to rule anything nefarious out though.

justin
..needs sleep
Mod
join:1999-05-28
2031

Nah, it's really crawling, nearly unusable.
I turned off iCloud stuff and things got better.
Now running EtreCheck.

justin

EtreCheck version: 2.1.8 (121)
Report generated 19 April 2015 1:30:33 pm AEST
Download EtreCheck from etresoft.com/etrecheck

Click the [Click for support] links for help with non-Apple products.
Click the [Click for details] links for more information about that line.

Hardware Information:
MacBook Pro (17-inch, Mid 2010) (Technical Specifications)
MacBook Pro - model: MacBookPro6,1
1 2.53 GHz Intel Core i5 CPU: 2-core
4 GB RAM Upgradeable
BANK 0/DIMM0
2 GB DDR3 1067 MHz ok
BANK 1/DIMM0
2 GB DDR3 1067 MHz ok
Bluetooth: Old - Handoff/Airdrop2 not supported
Wireless: en1: 802.11 a/b/g/n
Battery Health: Check Battery - Cycle count 782

Video Information:
Intel HD Graphics
Color LCD 1920 x 1200
NVIDIA GeForce GT 330M - VRAM: 512 MB

System Software:
OS X 10.10.3 (14D136) - Time since boot: 1:13:16

Disk Information:
TOSHIBA MK5055GSXF disk0 : (500.11 GB)
EFI (disk0s1) : 210 MB
Macintosh HD (disk0s2) / : 499.25 GB (186.01 GB free)
Recovery HD (disk0s3) [Recovery]: 650 MB

HL-DT-ST DVDRW GS23N

USB Information:
Apple Inc. BRCM2070 Hub
Apple Inc. Bluetooth USB Host Controller
Apple Inc. Apple Internal Keyboard / Trackpad
Apple Inc. Built-in iSight
Apple Computer, Inc. IR Receiver

Gatekeeper:
Mac App Store and identified developers

Kernel Extensions:
/System/Library/Extensions
[not loaded] com.ZTE.driver.ZTEUSBCDCACMControl (1.2.4) [Click for support]
[not loaded] com.ZTE.driver.ZTEUSBCDCACMData (1.2.4) [Click for support]

Startup Items:
WDBMService: Path: /Library/StartupItems/WDBMService
Startup items are obsolete in OS X Yosemite

Launch Agents:
[failed] cn.com.zte.usbswapper.plist [Click for support] [Click for details]
[not loaded] SwapperUFi.plist [Click for support]

Launch Daemons:
[loaded] com.adobe.fpsaud.plist [Click for support]
[not loaded] com.mackeeper.MacKeeper.plugin.AntiTheft.daemon.plist.bad [Click for support]
[loaded] com.microsoft.office.licensing.helper.plist [Click for support]
[not loaded] PPPMonitord.plist [Click for support]

User Launch Agents:
[loaded] com.google.keystone.agent.plist [Click for support]
[failed] com.mackeeper.MacKeeper.Helper.plist [Click for support] [Click for details]

User Login Items:
TomTomHOMERunner Application (/Users/[redacted]/Library/Application Support/TomTom HOME/TomTomHOMERunner.app)
iTunesHelper UNKNOWN (missing value)

Internet Plug-ins:
JavaAppletPlugin: Version: 15.0.0 - SDK 10.10 Check version
FlashPlayer-10.6: Version: 17.0.0.169 - SDK 10.6 [Click for support]
Default Browser: Version: 600 - SDK 10.10
Flash Player: Version: 17.0.0.169 - SDK 10.6 [Click for support]
QuickTime Plugin: Version: 7.7.3
DivXBrowserPlugin: Version: 2.0 [Click for support]
OfficeLiveBrowserPlugin: Version: 12.2.8 [Click for support]
Google Earth Web Plug-in: Version: 7.1 [Click for support]
RealPlayer Plugin: Version: Unknown
SharePointBrowserPlugin: Version: 14.3.2 - SDK 10.6 [Click for support]
iPhotoPhotocast: Version: 7.0 - SDK 10.7

3rd Party Preference Panes:
BigPond Broadband Cable Login Preferences
DivX [Click for support]
Flash Player [Click for support]

Time Machine:
Skip System Files: NO
Auto backup: YES
Volumes being backed up:
Macintosh HD: Disk size: 499.25 GB Disk used: 313.24 GB
Destinations:
LaCie [Local]
Total size: 0 B
Total number of backups: 8
Oldest backup: 2012-06-26 07:08:56 +0000
Last backup: 2015-03-10 04:27:16 +0000
Size of backup disk: Too small
Backup size 0 B (Disk used 313.24 GB X 3)

Top Processes by CPU:
4% WindowServer
0% AppleSpell
0% fontd
0% taskgated
0% askpermissiond

Top Processes by Memory:
408 MB softwareupdated
172 MB mds_stores
133 MB com.apple.WebKit.WebContent
112 MB WindowServer
99 MB Safari

Virtual Memory Information:
107 MB Free RAM
1.59 GB Active RAM
1.50 GB Inactive RAM
851 MB Wired RAM
2.50 GB Page-ins
3 MB Page-outs

Diagnostics Information:
Apr 19, 2015, 12:15:11 PM Self test - passed

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

Looks like you didn't quite get rid of everything related to Mac Keeper, even though it apparently failed to load regardless.
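A way to find leftovers like the ones the EtreCheck report above shows (a renamed .plist.bad daemon and a [failed] helper agent whose app is gone), as an added example that is not code from the thread, from EtreCheck or from MacKeeper. It walks launchd plist directories, reads each job's Program or ProgramArguments and flags jobs whose executable no longer exists; the directory tree, plist contents and the "Gone.app" helper path are all constructed in a temp dir so it runs anywhere, and on a real Mac you would pass /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents instead.

```python
import os
import plistlib
import tempfile


def program_path(plist):
    """Executable a launchd job would run: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def audit_launch_items(dirs):
    """Return (plist_path, label, program, reason) for every suspect item:
    'orphaned' = plist points at an executable that no longer exists (app
    deleted, launch item left behind); 'disabled' = a *.plist.bad leftover
    launchd ignores but EtreCheck still lists as [not loaded]."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".plist.bad"):
                findings.append((path, None, None, "disabled"))
                continue
            if not name.endswith(".plist"):
                continue
            with open(path, "rb") as f:
                plist = plistlib.load(f)
            label = plist.get("Label", name[:-6])
            prog = program_path(plist)
            if prog and not os.path.exists(prog):
                findings.append((path, label, prog, "orphaned"))
    return findings


def build_demo():
    """Constructed sample tree (not a real Mac): one healthy vendor daemon,
    one .plist.bad leftover, one helper agent whose binary is gone."""
    root = tempfile.mkdtemp(prefix="launchaudit_")
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    agents = os.path.join(root, "Users", "user", "Library", "LaunchAgents")
    ok_bin = os.path.join(root, "bin", "fpsaud")  # stand-in executable
    for d in (daemons, agents, os.path.dirname(ok_bin)):
        os.makedirs(d)
    open(ok_bin, "w").close()
    with open(os.path.join(daemons, "com.adobe.fpsaud.plist"), "wb") as f:
        plistlib.dump({"Label": "com.adobe.fpsaud", "Program": ok_bin}, f)
    bad = "com.mackeeper.MacKeeper.plugin.AntiTheft.daemon.plist.bad"
    open(os.path.join(daemons, bad), "w").close()
    gone = os.path.join(root, "Applications", "Gone.app", "helper")  # hypothetical
    with open(os.path.join(agents, "com.mackeeper.MacKeeper.Helper.plist"), "wb") as f:
        plistlib.dump({"Label": "com.mackeeper.MacKeeper.Helper",
                       "ProgramArguments": [gone, "--agent"]}, f)
    return [daemons, agents]  # on a real Mac: /Library/LaunchDaemons etc.
```

Running audit_launch_items(build_demo()) reports the .plist.bad file as disabled and the helper agent as orphaned while the daemon whose binary exists is left alone; an orphaned job is exactly what shows up as [failed] in the report.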

justin
..needs sleep
Mod
join:1999-05-28
2031

Yeah, but it is a fatal wound - doesn't start anything.

breadman
Premium Member
join:2001-01-30

1 recommendation

breadman to justin

www.adwaremedic.com/index.php

Install that and see if it cleans anything up.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

1 edit

Regarding the call center / $200 charge etc., I got some more details.

So she noticed that the MacKeeper trial ALWAYS reports the same number of problems (some number over 2000), and the call center (ktplonlinesolutions.com) sold their services by saying that under 1000, the service is free, but over 1000, it costs the $200 and this was 2 years of unlimited call-in support. So she twigged, after the fact, that the number of "problems" was just set somewhere, and not real. And of course it was over the "free" limit.

She used them a few times, call in, they'd connect, they'd noodle around a bit with the Trash and verify permissions and then say they were done.

Then they put on the hard sell for more money and a 5 year plan. Meanwhile MacKeeper is also nagging and running.

When she called the bank, to ask for the charge reversal, the bank said that "because the company had a website and phone number they could not reverse the charge".

justin

Some screenshots.

In her Apple Mail, a banking phish.
A screenshot of them using TeamViewer.
Some TeamViewer logs with their claim to be "Apple Customer Support".

clevere1
Premium Member
join:2002-01-06
Vancouver, WA

clevere1 to justin

Justin,

I had a similar slowness with my sister's MacBook. It was just a random thing; the computer worked fine one day and then all of a sudden was incredibly slow.

I reinstalled the OS and the machine worked fine for a little while, only for her to complain it was slow again.... This was with Mavericks and Yosemite...

We ended up putting in a Samsung SSD and extra RAM. Perked the old MacBook right up.

I would recommend reinstalling the OS. You could:

1. Download Yosemite via the App Store (on your computer, if you have a Mac, or on hers)
2. Boot into single user mode (support.apple.com/en-us/HT201573)
3. Then make a Yosemite bootable thumb drive to reinstall the OS (you will need to boot from the thumb drive, erase the internal drive with Disk Utility and then proceed with the install) (support.apple.com/en-us/HT201372)

osxdaily.com/2014/10/16/ ··· l-drive/)

You could also boot into safe mode. This will not load any of the drivers, and you can see how the machine runs. (support.apple.com/en-us/HT201262)

Back in the old days of Mac OS X, you used to be able to delete the old system caches and this would help with speed (sometimes), but it's been ages since I've done it and couldn't find any reference on the internet... but the file was

com.apple.kext.caches

In 10.10.3 it's in /System/Library/Caches

Last but not least, there is a chance that Spotlight is stuck building its database. If that's the case, it could cause the system to be slow.

mdutil -as 2>&- | pbcopy - To rebuild the database (discussions.apple.com/th ··· /6694316)

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

There are definite problems.
It is still as slow as a dog. Login, empty desktop, beachball opening Finder. Beachball opening preferences. Beachballs everywhere.

And I've done the safe mode .. reset SMC .. reset PRAM thing.

A whole lot of crap in the console too, in the first minute of an empty desktop.

Adware Medic scan took literally 5 seconds and came up with nothing.

justin

Oh I think I found the source of the issue.

Although -- hmm - if the errors happened at 1907 hours, are they causing problems now?

pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL
ARRIS DG1670

3 recommendations

pcdebb to justin

said by justin:

When she called the bank, to ask for the charge reversal, the bank said that "because the company had a website and phone number they could not reverse the charge".

Tell her to RUN to another bank. Immediately.

BellBoy
Steven Paul Jobs 1955-2011
Premium Member
join:2001-02-20
Los Angeles, CA

BellBoy to justin

Jeez. Those emails are looking better every day. If they would ever learn how to speak English they would catch bigger fish more often.

If there's an Apple Store nearby I would head there. Looks like your hard drive is failing and that would be a main reason as to why it's running so slow. They can replace the drive if it's under warranty and reinstall the OS. Even if it's not in warranty they can do it, but it would cost around $200 with labor. You can do it yourself if you're so inclined, but if you haven't done it before I would let the pros have at it.

clevere1
Premium Member
join:2002-01-06
Vancouver, WA

clevere1 to justin

If the drive is going to be replaced, I'd go with an SSD.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

Would it be fair to say that the disk or hardware has a problem if, when you boot into recovery mode and pick "Disk Utility", the beachball appears, and it takes 10 seconds to find and list the HDD in the left panel?

My understanding of the beachball is that it shows up when there are unexpected delays. From the recovery partition with nothing running, I don't think there is much excuse for such unexpected delays, other than disk or hardware issues?

And when doing "Verify Permissions" it says "estimated time 1 minute" for a period of 10 minutes?

I guess she is going to be buying a 500 GB SSD shortly.

Mike
Mod
join:2000-09-17
Pittsburgh, PA
Verizon FiOS

Mike to justin

quote:
But the whole thing makes me really sad and annoyed and I can't believe in 2015 this crap is not hunted down and killed by some authority with actual teeth.
It's 2015. No one still knows how computers work.

justin
..needs sleep
Mod
join:1999-05-28
2031
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

1 recommendation

The odd thing is the remote Mac fix site that she used / paid / and called has absolutely no mentions on Google, positive or negative. And their website doesn't mention they do this as a service, yet the call center was clearly busy with lots of people all talking to "customers". I'm wondering if they are in cahoots with MacKeeper somehow. Perhaps MacKeeper runs this operation and is using these small sites as fronts.