Laptop is being accessed remotely, need to scrub system



Hello Malwarebytes forum,

Yesterday while watching a streaming movie on my laptop, the mouse started to move on its own and someone began remotely looking through my open programs. I immediately shut my computer down via the power switch and after 10 minutes, started my computer back up. I did not enter my password in the login screen and noticed that my trackpad was very unresponsive; after a few minutes, the mouse began to move on its own again and I shut down the computer. I unplugged my home wireless router and started my computer up for a second time, this time the trackpad was responsive and I logged in (with my house wifi router off) and disabled my wifi on my computer and turned off Bluetooth.

Settings that were active when the remote access occurred (I forgot to click them off when I left the office):

  • System Pref > Sharing: File Sharing ON, Web Sharing ON, Printer Sharing ON (These are all turned off now)
  • Firewall OFF (Turned this back on)
  • Wifi and Bluetooth ON (These are off)

I do not have a wireless keyboard or mouse. 

After looking through the activity log, I found the following program "Sepialine" trying to gain access over and over again. I've attached a screen shot of the activity log. It looks like it gained access, shut McAfee down and then the person started to look through my diagnostics. I found the Sepialine program in an e-mail from 2009, it must be connected to a printer driver or photo uploading service I used 7 years ago. I deleted the program (which you could not see in my application folder, only by searching for it) and two files associated with it.

When I went to turn my firewall on, I received a message (2nd screenshot attached) which reads "Do you want the application "" to accept incoming network connections?". I am not familiar with this program and can't find anything when I search for it.

I am running OS X 10.6.8. Unfortunately, I can't run the Malwarebytes software because my operating system is too old and can't support it.

I need to connect my computer to the internet to do work, but am wary that a program may reconnect to an outside network once my computer has an internet connection. Any help is much appreciated!

Screen shot 2016-09-06 at 10.36.33 AM.png

Screen shot 2016-09-06 at 10.31.31 AM.png


  • Staff

Stephanie,

There are many possible reasons for your mouse to start moving around that don't involve a hack. If it seemed 100% purposeful, turn your computer back on. If the mouse starts moving again, immediately disconnect from the network (either by turning off wifi, or by disconnecting the cable if you're connected to the network by Ethernet wiring). If the mouse stops moving by itself immediately, leave the machine disconnected for a few minutes and try to use it as you normally would (albeit without internet).

If the mouse doesn't move by itself while disconnected from the internet, connect to the internet again. If the mouse starts moving again, it may be a hack. In this case, with such an old system, the best thing to do will be to wipe the drive and start over from scratch. See the instructions here:

How to reinstall Mac OS X from scratch

If the mouse moves by itself again while the network is disconnected, one possibility is that a wireless mouse has gotten paired with your computer somehow. Try turning off Bluetooth (in System Preferences -> Bluetooth).

If Bluetooth was already off, or the mouse continues moving with both no internet and no Bluetooth, then something is wrong with your computer or your mouse. Could be a wide variety of issues, from hardware defect to software glitch.

Regarding your screenshots... Sepialine is a print driver from the company of the same name, and hasplmd is part of Sentinel HASP, a licensing protection program. Neither is malicious.


Hello Thomas,

Thank you for your response. Since there was no Bluetooth keyboard and no mouse within range (as written) there is no possibility that this was an accidental connection. In addition, as written in my original post, I did all of the directives you suggested. As written, my mouse has not moved while my computer has been disconnected from the internet.

In terms of malicious intent (as written) if you look at the first 2 lines of my activity log I provided, you can see that a program Sepialine, a print driver I downloaded in 2009, was attempting to access my system every 10 seconds. I did not provide the pages of activity log that document this behavior for over 24 hours previous to this remote access. In addition, again if you study the activity log, you can see that this program also shut down my anti-virus software.

Based on my experience, watching the actions of the mouse and looking at the activity log, this was in no way accidental and I have posted here to seek advice on how to look for unknown programs in my current system without wiping my computer. I would like to proceed as if an unknown person who temporarily gained access to my computer could have planted a program that would activate upon an active network connection. 

Is there any additional advice you can offer in opposition to wiping my entire computer? If not, is there another admin who may be able to provide advice? 

Thank you for your time-


  • Staff

I generally advise against looking at the logs in the Console unless you're a developer or otherwise have specific knowledge on how to read them. You are misinterpreting those logs. There is nothing in those logs to suggest that Sepialine shut down your anti-virus software. As for the "throttling respawn" messages, that simply means that the Sepialine process has been repeatedly terminating or failing to start, and the system is throttling it rather than trying to re-launch it over and over constantly. It looks like both your Sepialine and McAfee installations are damaged, and are not functioning properly, but that's unlikely to be due to any kind of malware or remote access.

As to the issue of the mouse moving around, I've seen this sort of thing many times. Most of the time, it's not caused by remote access. There are many other possibilities that can cause the mouse to move around, and that can appear to be purposeful.

Of course, sometimes it's actually due to remote access, usually because someone has had remote access software installed on their computer by someone else who has physical access to the machine. So, the very first thing you should do is look for something like that - LogMeIn, TeamViewer, etc. You should also check System Preferences -> Sharing and make sure screen sharing is not on. (Of course, I'm using modern terminology... I can't recall whether OS X 10.6 used a different name for "screen sharing" at this point.)

(If you had a newer system, I'd advise checking your Back to My Mac settings and consider the possibility of your iCloud account being compromised. However, 10.6.8 is too old for that.)

The issue, though, is that if someone has had physical access to the machine, and you can't scan it with any modern anti-virus software (as in the case of OS X 10.6), you have no way of knowing what else might have been done. And even the best anti-virus software can't detect things like settings changes or legit apps, both of which could be misused to gain access.

Plus, there's the issue of OS X 10.6 being so far beyond any support by Apple that it should no longer be considered to be a secure system.

These are reasons why I recommended reinstalling the system from scratch.

If you do choose to do that, I'd point out that McAfee's current system requirements are OS X 10.8 or later. Whatever version of McAfee you're running probably isn't getting signature updates anymore, and thus isn't really protecting you at this point. Plus, you've got some issues with your system causing processes to either crash or fail to start up. These issues would be solved by a clean reinstall, followed by installation of only the apps you actually need.

Then I'd recommend keeping that machine offline as much as possible. Putting such an old system on the internet is like putting a duck in a pond full of crocodiles.

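As an added illustration of the two checks Thomas describes (this is example code written for this page, not something from the thread or from Malwarebytes), the POSIX shell script below flags launchd jobs whose labels suggest remote-control software in a `launchctl list` style listing, and counts launchd "Throttling respawn" events per job in a system.log excerpt, which is the "broken install, not an attack" pattern he points out. The listing, the log lines and every job label (`com.example.printdriver`, `com.example.antivirus`) are constructed samples, not values from the screenshots.

```shell
#!/bin/sh
# Added example, not from the thread. Audits two things Thomas mentions:
# (1) launchd jobs whose labels suggest remote-control software, from
#     `launchctl list` style output, and (2) how often launchd logged
#     "Throttling respawn" per job, from system.log style lines.
# All sample data below is constructed; label names are placeholders.
# Constructed `launchctl list` output: PID, last exit status, label.
SAMPLE_LAUNCHCTL='PID Status Label
123 0 com.apple.screensharing
- 0 com.apple.RemoteDesktop.agent
456 0 com.teamviewer.service
- 1 com.example.printdriver
789 0 com.apple.Finder'

# Constructed system.log lines in launchd's OS X 10.6 message style.
SAMPLE_LOG='Sep  6 10:30:01 mac com.apple.launchd[1] (com.example.printdriver[501]): Exited with exit code: 1
Sep  6 10:30:01 mac com.apple.launchd[1] (com.example.printdriver): Throttling respawn: Will start in 10 seconds
Sep  6 10:30:11 mac com.apple.launchd[1] (com.example.printdriver[502]): Exited with exit code: 1
Sep  6 10:30:11 mac com.apple.launchd[1] (com.example.printdriver): Throttling respawn: Will start in 10 seconds
Sep  6 10:30:15 mac com.apple.launchd[1] (com.example.antivirus): Throttling respawn: Will start in 10 seconds'

# Label fragments of services that provide or accompany remote control
# (Apple screen sharing / ARD, common third-party remote-access tools).
REMOTE_PATTERNS='screensharing|RemoteDesktop|teamviewer|logmein|vnc'

# Print the labels in a launchctl listing that match REMOTE_PATTERNS.
# Each hit is a job to verify in System Preferences > Sharing or remove.
find_remote_access_jobs() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3 }' | grep -iE "$REMOTE_PATTERNS"
}

# Count "Throttling respawn" events per launchd label, most frequent first.
# A high count means the job keeps exiting and launchd is backing off,
# i.e. a broken install, not evidence that anything was attacked.
count_respawn_throttles() {
    printf '%s\n' "$1" | grep 'Throttling respawn' \
        | sed -E 's/.*\(([^)]*)\).*/\1/' | sort | uniq -c | sort -rn
}

# Return only the label with the most throttle events.
most_throttled_label() {
    count_respawn_throttles "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the constructed samples.
echo "Jobs that can provide remote control:"
find_remote_access_jobs "$SAMPLE_LAUNCHCTL"
echo "Respawn throttles per job:"
count_respawn_throttles "$SAMPLE_LOG"
```

On a real machine you would feed the functions the output of `launchctl list` and an excerpt of `/var/log/system.log` instead of the samples.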
