IP address has been hacked. Banker Trojan found. Username, Passwords and banking are not safe.tcp4

Remember, there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac.  This documents describe what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community and Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support.  

There are no known viruses, i.e. self propagating, for Macs.  There are, however, adware and malware which require the user to install although unwittingly most of the time thru sneaky links, etc.   

Anti Virus developers try to group all types as viruses into their ad campaigns of fear.  They do a poor job of the detecting and isolating the adware and malware.  Since there are no viruses these apps use up a lot of system resources searching for what is non-existent and adversely affect system and app performance.

There is one app, Malwarebytes, which was developed by a long time contributor to these forums and a highly respected member of the computer security community, that is designed solely to seek out adware and known malware and remove it.  The free version is more than adequate for most users.  

That includes any and all McAfee software.

Disconnect from the internet.

Back up all his data.

Wipe the machine

Reinstall the OS and your apps from original sources.

Change all his passwords.

Never let anyone unknown log into your computer from outside. Do all this not because of any alleged trojan but because he allowed someone to log into his computer.

That doesn't sound legitimate at all. It sounds more like he wasn't talking to McAfee, he was talking to scammers. An IP Address doesn't get "hacked". The terminology is all wrong.

Googling the phrase reveals this is most likely the work of those trickster scammers who convince people they are infected and to pay them money when there is nothing wrong at all.

Are you sure it was 866-622-3911

https://www.mcafee.com/support/?page=shell&shell=contact-support

McAfee: How to recognize an online scam

https://www.mcafee.com/blogs/internet-security/how-to-recognise-an-online-scam/

That is not the macOS netstat command. Likely a command the scammers put on the Mac.

type which netstat in Terminal to list the location of the netstat binary.

Should found in /usr/sbin/netstat

The output is similar but different.

The offending foreign IP is actually Cloudflare a legit provider. 172.66.41.9

Now I am wondering if they put a script first in the path so typing in netstat would run the script instead of the actual netstat command. There should be a few more screenfuls of output with more data.

Also, the 'netstat' command will not identify a bank trojan like that....

The scammers always try to convince their victims they are infected or hacked. On Windows, they take the user through confusing logs and the like trying to convince them that standard warnings and errors mean they have been hacked. The key point is when the topic of money comes up. If they pull the use a gift card it's most certainly a scam but others have wired money via their bank or revealed their banking details to the scammers, etc. They use high pressure tactics and fear to take advantage of people.

Still don't believe he was talking with McAfee...

Follow the suggestions posted by Yer_Man.

Also, there is no need to install third party apps that claim to protect, clean, boost performance, manage, etc. These third party apps use system resources while providing no benefit, and they may cause problems. McAfee is one such app.