Why did the Malwarebytes scan on my MAC take only 2 seconds?

My friend fell victim just now to a scam.  He connected to a website in order to live-stream a hockey game.  Then a pop-up appeared, telling him that his Mac was infected and he should call a certain number, which he did ... Innocently, he allowed these guys to remote in to his Mac and "do a scan".  Then later on he was worried and called me.
I connected to his Mac (using Teamviewer) and installed Malwarebytes, and ran it.  It took only two seconds or so to scan, and reported no threats.
Unconvinced, I went to housecall.trendmicro.com and downloaded their scanner.  It also took only two seconds.
I am not experienced with Macs.  Is it possible that those two products could finish a scan of his system regardless of how much stuff he had on it, in such a short time?
Or is the malware software that I'm sure these guys installed somehow short-circuiting the malware scanning software?
Dwight BaerStudentAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Thomas Zucker-ScharffSolution GuideCommented:
I am not experienced worn MACs either,  but a scan cannot take so sorry a time. I hope he has Time Machine turned on,  because he should go back to a time previous to this incident immediately.

Do not connect this machine top the Internet.  For wireless laptops,  MACs can easily turn off wifi using the icon in the top bar. What type of MAC, running what OS?
Suggest your friend cold boot holding down the shift key to boot into safe mode, then run Malwarebytes.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dwight BaerStudentAuthor Commented:
My friend has gone to bed for the night and unplugged his computer.  It's only less than 2 years old.

I'll get back to you tomorrow with the exact model of machine, and the OS version.

I had him change all the passwords to his email and bank accounts.  But now I'm wondering if there could be some keystroke-logging software installed that now knows all his new passwords.

Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

Your friend should really report this to the police. It is possible that when they logged into his computer they retrieved all the information they needed and left no malware behind on the computer. They could, for instance, have copied the keychain file which stores all his passwords (including banking passwords) back to their own computer.
Dwight BaerStudentAuthor Commented:
Will have him call the police.  Thanks.  I'll leave this open for now and update with further info tomorrow.
Dwight BaerStudentAuthor Commented:
He is using Macbook Air OS X 10.9.5

Unfortunately, he didn't have Time Machine on.
Tom BeckCommented:
The police?? All they can do is file a report. They are not equipped to handle cybercrime. What he should do is contact credit reporting agencies and put a flag on his credit reports. The agencies will be extra diligent in looking for suspicious activity. Also call the banks and credit card companies.

There are many things the criminals could do when they remote in, some already mentioned. The current scam is installing a program that encrypts all of your personal documents then asks for a ransom to get them restored. Perhaps the reason that the MalwareBytes scan was so quick was because it cannot scan encrypted and locked files. Just a thought.

This person needs professional help. If I had it in front of me I would remove the hard drive, hook it up to another computer with a USB adapter, and see if I could recover the user files. Then I would format the drive, put it back in the computer and load OS X from scratch.
You should call the police anyway.  If every victim calls about cyber crime, then notes get taken.  Eventually, there will be a need for police to handle this type of crime when it become prevalent enough.

I suggest a system restore to reinstall the OS.  Don't bother scanning.  The majority of Mac scanners still scan for Windows viruses.  Those won't run on Mac anyway.  The types of things that would run on a mac are rootkit trojans that work similarly to Linux trojans and those need a rootkit scanner.

He should boot into safe mode to backup data 1st, but a system restore should not delete user data.  Just don't start disk utility to delete and format the partition.  The system restore should remove anything that was installed as root.

Once installed, he should probably also boot into safe mode and check for login items that shouldn't belong and create a 2nd account to avoid using the current account, because they could have installed other items that are "hidden" from an average user in the command line scripts.  Use the new account.

If he had a backup to a time machine, I would have suggested a full wipe and restore from a previous time machine copy to be sure.

Have your friend install adblock on all their browsers.  Adblock is now becoming an important an integral part of keeping any computer secure from malware.  It's now the 1st line of defense, because viruses and trojans actually can't get installed on systems easily without a user installing them.  Also, turn off popups or install a popup blocker.  Malware tends to show up in those.

Finally, teach your friend to never click on browser popups and never trust random web popups.  They're increasingly vectors for malware.
In the U.S., cyber crimes should be reported to the FBI here:  http://www.ic3.gov/default.aspx
Most likely, the scammers copied files from the computer and set up a backdoor to access your friend's mac.

If you were knowledgeable about a Mac's unix internals, I would suggest other things to try on the command line.  It works just like linux/unix and you can run commands to find any rootkits yourself and check.  You'd still need to understand what programs are supposed to run on a Mac so you can see what you needed to find.

If you know the dates, you can also look through the log files with the console.app or via command line to see if there was anything suspicious there as well.  You should do all this via safe mode or single user mode.
Dwight BaerStudentAuthor Commented:
Thanks everyone, you/we were very very helpful to a student in a crisis situation.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Mac OS X

From novice to tech pro — start learning today.