Very likely mac has been remotely hacked

Hi there


My Mac has almost certainly been hacked (remotely). I have copied the following from my Terminal. Can anyone who knows about these things see anything that looks a bit odd or like a remote hack? I am aware that Hackers change the names of what they place in, to make it seem more normal. But I haven't installed anything out of the ordinary myself. (Also I don't have a BlackBerry, so not sure what that first thing is about). Thanks so much.


FROM TERMINAL


com.rim.driver.BlackBerryUSBDriverInt(0.0.67)

at.obdev.nke.LittleSnitch(4362)

client-093-003:~ UserName$


com.opendns.OpenDNS_Updater.67872

de.novamedia.VodafoneDeviceObserver

at.obdev.LittleSnitchUIAgent

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a2 3d420d

com.oracle.java.Java-Updater

net.tunnelblick.tunnelblick.LaunchAtLogin

com.google.keystone.user.agent

client-093-003:~ UserName$


/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

BJUSBLoad.kext

CIJUSBLoad.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

LittleSnitch.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NMDeviceObserver.framework

NMGsmKit.framework

NMNetCore.framework

NMNetWorker.framework

NMRegistrationCore.framework

NMStatistics.framework

NyxAudioAnalysis.framework

PluginManager.framework

Python.framework

RIM_VSP.framework

gsm_device_tools.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Default Browser.plugin

Disabled Plug-Ins

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

flashplayer.xpt


/Library/LaunchAgents:

at.obdev.LittleSnitchUIAgent.plist

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a2 3d420d.plist

com.oracle.java.Java-Updater.plist

de.novamedia.VodafoneDeviceObserver.plist


/Library/LaunchDaemons:

at.obdev.littlesnitchd.plist

com.adobe.ARMDC.Communicator.plist

com.adobe.ARMDC.SMJobBlessHelper.plist

com.adobe.fpsaud.plist

com.cyberghostsrl.CyberghostPrivilegedHelper.plist

com.oracle.java.Helper-Tool.plist

net.tunnelblick.tunnelblick.tunnelblickd.plist

org.wireshark.ChmodBPF.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane


/Library/PrivilegedHelperTools:

com.adobe.ARMDC.Communicator

com.adobe.ARMDC.SMJobBlessHelper

com.cyberghostsrl.CyberghostPrivilegedHelper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/StartupItems:


Library/Address Book Plug-Ins:

SkypeABCaller.bundle

SkypeABChatter.bundle

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fi-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pl-dynamic.lm

pt-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

com.google.keystone.agent.plist

net.tunnelblick.tunnelblick.LaunchAtLogin.plist


Library/PreferencePanes:

client-093-003:~ UserName$

Library/PreferencePanes:

client-093-003:~ UserName$ ps -cx

PID TTY TIME CMD


PID TTY TIME CMD

247 ?? 0:04.81 UserEventAgent

249 ?? 0:04.24 distnoted

251 ?? 0:05.31 cfprefsd

252 ?? 0:02.58 CommCenter

253 ?? 0:02.23 lsd

255 ?? 0:06.13 Dock

256 ?? 0:07.16 Little Snitch Agent

258 ?? 0:09.41 SystemUIServer

259 ?? 0:08.58 Finder

263 ?? 0:03.59 identityservicesd

264 ?? 0:03.50 secd

266 ?? 0:19.80 CalendarAgent

267 ?? 0:00.44 mapspushd

268 ?? 0:02.10 gamed

269 ?? 0:00.86 cloudphotosd

270 ?? 0:04.19 tccd

273 ?? 0:00.48 secinitd

274 ?? 0:00.70 com.apple.AddressBook.ContactsAccountsService

275 ?? 0:20.51 accountsd

277 ?? 0:04.89 SafariCloudHistoryPushAgent

278 ?? 0:00.23 CallHistorySyncHelper

279 ?? 0:00.29 fmfd

281 ?? 0:03.01 akd

282 ?? 0:00.09 askpermissiond

284 ?? 0:00.77 bird

285 ?? 0:20.72 nsurlstoraged

286 ?? 0:01.81 usernoted

287 ?? 0:01.14 CalNCService

288 ?? 0:20.12 cloudd

289 ?? 0:01.02 nsurlsessiond

290 ?? 0:03.34 suggestd

292 ?? 0:02.22 storeaccountd

297 ?? 0:01.84 callservicesd

298 ?? 0:00.02 pboard

299 ?? 0:07.71 fontd

300 ?? 0:00.36 sharedfilelistd

301 ?? 0:05.88 sharingd

302 ?? 0:02.56 pkd

307 ?? 0:07.73 Spotlight

309 ?? 0:00.37 com.apple.CloudPhotosConfiguration

310 ?? 0:00.32 NML2NDeviceObserver

311 ?? 0:00.10 FolderActionsDispatcher

313 ?? 0:00.02 spindump_agent

315 ?? 0:00.11 SocialPushAgent

317 ?? 0:00.14 Keychain Circle Notification

320 ?? 0:02.25 NotificationCenter

322 ?? 0:00.14 icdd

323 ?? 0:00.23 iconservicesagent

324 ?? 0:00.90 AppleIDAuthAgent

327 ?? 0:00.37 AirPlayUIAgent

328 ?? 0:00.93 imagent

329 ?? 0:03.20 cloudpaird

332 ?? 0:00.91 WiFiAgent

333 ?? 0:00.67 diagnostics_agent

336 ?? 0:01.87 soagent

338 ?? 0:04.33 useractivityd

339 ?? 0:00.31 com.apple.dock.extra

343 ?? 0:00.38 WiFiProxy

348 ?? 0:00.08 iTunesHelper

349 ?? 0:01.89 OpenDNS Updater

352 ?? 0:00.59 IMDPersistenceAgent

354 ?? 0:04.84 storeassetd

366 ?? 0:00.09 CallHistoryPluginHelper

379 ?? 0:00.42 CloudKeychainProxy

380 ?? 0:02.19 com.apple.geod

381 ?? 0:00.38 IMRemoteURLConnectionAgent

384 ?? 0:00.19 IMRemoteURLConnectionAgent

388 ?? 0:06.63 SpotlightNetHelper

391 ?? 0:00.07 pbs

394 ?? 0:02.32 AppleSpell

400 ?? 0:01.39 com.apple.CommerceKit.TransactionService

402 ?? 0:00.15 ContainerMetadataExtractor

411 ?? 0:00.16 com.apple.InputMethodKit.TextReplacementService

412 ?? 0:00.87 photolibraryd

421 ?? 0:00.08 ScopedBookmarkAgent

423 ?? 0:00.05 mdflagwriter

424 ?? 0:00.06 storelegacy

426 ?? 0:00.13 LaterAgent

427 ?? 0:00.09 storedownloadd

436 ?? 0:06.96 com.apple.Safari.SafeBrowsing.Service

446 ?? 0:00.06 com.apple.CommerceKit.TransactionService

447 ?? 0:00.12 com.apple.photomoments

450 ?? 0:00.25 AssetCacheLocatorService

530 ?? 0:00.14 EscrowSecurityAlert

532 ?? 0:01.97 com.apple.sbd

533 ?? 0:00.47 com.apple.lakitu

627 ?? 0:00.04 USBAgent

796 ?? 0:00.53 nbagent

910 ?? 0:00.27 CMFSyncAgent

913 ?? 0:00.18 DataDetectorsDynamicData

915 ?? 0:09.32 recentsd

1028 ?? 0:00.03 com.apple.tonelibraryd

1031 ?? 0:00.04 com.apple.CharacterPicker.FileService

1386 ?? 0:00.48 ViewBridgeAuxiliary

1414 ?? 0:00.32 CoreServicesUIAgent

1471 ?? 0:02.17 com.apple.Safari.History

1474 ?? 0:00.04 com.apple.SafariServices

1476 ?? 0:00.11 com.apple.WebKit.Networking

1748 ?? 0:00.02 DiskUnmountWatcher

2035 ?? 0:00.06 cdpd

2036 ?? 0:00.02 followupd

2038 ?? 0:00.06 com.apple.AddressBook.InternetAccountsBridge

2157 ?? 0:00.02 com.apple.hiservices-xpcservice

2571 ?? 1:19.07 Safari

2572 ?? 0:18.75 com.apple.WebKit.Networking

2600 ?? 0:00.93 com.apple.Safari.SearchHelper

2682 ?? 0:00.05 swcd

2683 ?? 2:30.80 Console

2803 ?? 0:00.11 com.apple.Safari.ImageDecoder

2812 ?? 0:21.87 com.apple.WebKit.WebContent

2818 ?? 0:00.13 com.apple.iCloudHelper

2842 ?? 0:06.54 Terminal

2849 ?? 0:00.06 mdworker

2850 ?? 0:00.07 mdworker

2851 ?? 0:00.07 mdworker

2858 ?? 0:09.62 Notes

2860 ?? 0:00.12 mdworker

2862 ?? 0:00.09 mdworker

2863 ?? 0:00.14 mdworker

2864 ?? 0:00.11 mdworker

2865 ?? 0:00.12 mdworker

2866 ?? 0:00.22 mdworker

2867 ?? 0:00.12 mdworker

2843 ttys000 0:00.11 login

2844 ttys000 0:00.05 -bash

2941 ttys000 0:00.01 ps

client-093-003:~ UserName$


client-093-003:~ UserName$ ps ax

PID TT STAT TIME COMMAND

1 ?? Us 0:26.82 /sbin/launchd

43 ?? Ss 0:05.35 /usr/libexec/UserEventAgent (System)

44 ?? Ss 0:15.09 /usr/sbin/syslogd

46 ?? Ss 0:06.18 /usr/libexec/kextd

47 ?? Ss 0:05.10 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvent s

51 ?? Ss 0:06.98 /usr/libexec/configd

52 ?? Ss 0:00.36 /System/Library/CoreServices/appleeventsd --server

53 ?? Ss 0:02.32 /System/Library/CoreServices/powerd.bundle/powerd

60 ?? Ss 0:09.79 /usr/libexec/airportd

62 ?? SNs 0:00.41 /usr/libexec/warmd

63 ?? Us 0:10.15 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

67 ?? Ss 0:00.05 /System/Library/CoreServices/iconservicesd

68 ?? Ss 0:00.03 /System/Library/CoreServices/iconservicesagent

69 ?? Ss 0:00.52 /usr/libexec/diskarbitrationd

70 ?? Ss 0:11.66 /Library/Little Snitch/Little Snitch Daemon.bundle/Contents/MacOS/Little Snitch

72 ?? Ss 0:05.98 /usr/libexec/coreduetd

73 ?? Ss 0:00.03 /usr/libexec/wdhelper

75 ?? Ss 0:01.15 /System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmfs --tcp --res

76 ?? Ss 0:08.21 /usr/libexec/opendirectoryd

77 ?? Ss 0:03.38 /usr/sbin/wirelessproxd

79 ?? Ss 0:06.75 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd

80 ?? Us 0:08.54 /System/Library/CoreServices/launchservicesd

81 ?? Ss 0:00.11 /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/u s

82 ?? Ss 0:07.66 /usr/sbin/securityd -i

84 ?? Ss 0:02.15 /usr/libexec/locationd

86 ?? Ss 0:00.06 /usr/libexec/displaypolicyd

87 ?? Ss 0:13.45 /usr/sbin/blued

88 ?? Ss 0:00.02 autofsd

92 ?? Ss 0:24.04 /usr/sbin/mDNSResponder

94 ?? Ss 0:00.12 /System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Supp o

95 ?? Ss 0:00.01 /usr/sbin/KernelEventAgent

96 ?? Ss 0:06.74 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console

97 ?? Ss 0:00.05 /System/Library/CoreServices/logind

100 ?? Ss 3:26.09 /usr/libexec/hidd

101 ?? Ss 0:01.63 /usr/libexec/AirPlayXPCHelper

102 ?? Ss 0:04.94 /usr/sbin/notifyd

111 ?? Ss 0:00.46 /usr/sbin/distnoted daemon

128 ?? Ss 0:00.13 aslmanager

129 ?? Ss 0:00.53 /usr/libexec/diagnosticd

131 ?? Ss 0:00.31 /usr/libexec/amfid

133 ?? Ss 0:01.13 /usr/libexec/sandboxd

135 ?? Ss 0:03.66 /usr/sbin/cfprefsd daemon

137 ?? Ss 0:00.48 /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/ C

146 ?? Ss 0:01.29 /System/Library/CoreServices/coreservicesd

155 ?? Ss 0:00.02 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkp c

156 ?? Ss 0:00.02 /System/Library/Frameworks/CryptoTokenKit.framework/ctkd -s

159 ?? Ss 0:00.08 /usr/libexec/secinitd

164 ?? Ss 0:02.99 /usr/sbin/coreaudiod

171 ?? Ss 0:00.08 /System/Library/Frameworks/CoreAudio.framework/Versions/A/XPCServices/com.apple .

172 ?? Ss 0:02.23 /usr/libexec/lsd runAsRoot

183 ?? Ss 0:07.72 /usr/libexec/networkd

184 ?? Ss 0:00.58 /usr/libexec/findmydeviced

185 ?? Ss 0:00.07 /usr/libexec/networkd_privileged

187 ?? Ss 0:00.44 /System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd

188 ?? Us 13:18.32 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphic s

189 ?? Us 0:00.28 /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple. C

190 ?? Ss 0:00.02 /System/Library/PrivateFrameworks/FindMyMac.framework/Resources/FindMyMacd

191 ?? Ss 0:00.11 /System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolication d

192 ?? Ss 0:00.11 /usr/libexec/diskmanagementd

193 ?? Ss 0:00.01 /usr/libexec/smd

194 ?? Ss 0:00.16 /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper -l

195 ?? Ss 0:04.63 /System/Library/CoreServices/backupd.bundle/Contents/Resources/mtmd

196 ?? Ss 0:00.07 /usr/libexec/nsurlsessiond --privileged

197 ?? Ss 0:00.17 /usr/libexec/nehelper

198 ?? Ss 0:01.18 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /

199 ?? Ss 0:00.65 /usr/sbin/cupsd -l

200 ?? Ss 0:00.20 /usr/libexec/corestoraged

202 ?? Ss 0:02.37 /usr/libexec/usbd

204 ?? Ss 0:00.03 /System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.app l

205 ?? Ss 0:13.08 /usr/libexec/ApplicationFirewall/socketfilterfw

207 ?? Ss 0:00.04 /usr/libexec/thermald

209 ?? Us 0:11.54 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

210 ?? Ss 0:00.25 /System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServic e

211 ?? Ss 0:11.19 /usr/libexec/symptomsd

218 ?? Ss 0:00.22 /System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

222 ?? Us 0:00.12 /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/CVMServer

238 ?? Us 0:00.04 /System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple .

245 ?? Ss 0:20.06 /usr/libexec/securityd_service

247 ?? S 0:04.91 /usr/libexec/UserEventAgent (Aqua)

249 ?? S 0:04.32 /usr/sbin/distnoted agent

251 ?? S 0:05.36 /usr/sbin/cfprefsd agent

252 ?? S 0:02.61 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter

253 ?? S 0:02.88 /usr/libexec/lsd

255 ?? S 0:06.36 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock

256 ?? S 0:07.27 /Library/Little Snitch/Little Snitch Agent.app/Contents/MacOS/Little Snitch Agen

258 ?? S 0:09.50 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer

259 ?? S 0:08.59 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

261 ?? Ss 0:00.34 /usr/sbin/WirelessRadioManagerd

263 ?? S 0:03.65 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/ M

264 ?? S 0:03.53 /usr/libexec/secd

266 ?? S 0:19.81 /System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarA g

267 ?? S 0:00.45 /System/Library/CoreServices/mapspushd

268 ?? U 0:02.19 /System/Library/PrivateFrameworks/GameCenterFoundation.framework/Versions/A/gam e

269 ?? S 0:00.86 /System/Library/CoreServices/cloudphotosd.app/Contents/MacOS/cloudphotosd

270 ?? U 0:04.47 /System/Library/PrivateFrameworks/TCC.framework/Resources/tccd

273 ?? S 0:00.48 /usr/libexec/secinitd

274 ?? S 0:00.70 /System/Library/Frameworks/AddressBook.framework/Versions/A/XPCServices/com.app l

275 ?? S 0:20.99 /System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

277 ?? S 0:05.01 /usr/libexec/SafariCloudHistoryPushAgent

278 ?? S 0:00.23 /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySync H

279 ?? S 0:00.29 /usr/libexec/fmfd

281 ?? S 0:03.10 /System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

282 ?? S 0:00.09 /System/Library/PrivateFrameworks/AskPermission.framework/Versions/A/Resources/ a

284 ?? S 0:00.84 /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/ b

285 ?? S 0:21.73 /usr/libexec/nsurlstoraged

286 ?? S 0:01.81 /usr/sbin/usernoted

287 ?? Ss 0:01.14 /System/Library/PrivateFrameworks/CalendarAgent.framework/Versions/A/XPCService s

288 ?? S 0:20.79 /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd

289 ?? S 0:01.02 /usr/libexec/nsurlsessiond

290 ?? S 0:03.35 /System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/ s

292 ?? S 0:02.22 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/st o

295 ?? Ss 0:00.18 /usr/sbin/systemsoundserverd

296 ?? Ss 0:00.05 /System/Library/PrivateFrameworks/TCC.framework/Resources/tccd system

297 ?? S 0:01.84 /System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd

298 ?? S 0:00.02 /usr/sbin/pboard

299 ?? S 0:07.72 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framewo r

300 ?? S 0:00.37 /System/Library/CoreServices/sharedfilelistd

301 ?? S 0:06.02 /usr/libexec/sharingd

302 ?? S 0:02.57 /usr/libexec/pkd

307 ?? S 0:08.18 /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight

308 ?? Ss 0:00.08 /System/Library/CoreServices/sharedfilelistd --enable-legacy-services

309 ?? S 0:00.37 /System/Library/PrivateFrameworks/CloudPhotoServices.framework/Versions/A/Frame w

310 ?? S 0:00.32 /Library/Application Support/Vodafone/NML2NDeviceObserver.app/Contents/MacOS/NML

311 ?? S 0:00.10 /System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderA c

313 ?? S 0:00.02 /usr/libexec/spindump_agent

315 ?? S 0:00.11 /System/Library/CoreServices/SocialPushAgent.app/Contents/MacOS/SocialPushAgent

317 ?? S 0:00.14 /System/Library/CoreServices/Keychain Circle Notification.app/Contents/MacOS/Key

320 ?? S 0:02.25 /System/Library/CoreServices/NotificationCenter.app/Contents/MacOS/Notification C

322 ?? S 0:00.14 /System/Library/Image Capture/Support/icdd

323 ?? S 0:00.26 /System/Library/CoreServices/iconservicesagent

324 ?? S 0:00.90 /System/Library/CoreServices/AppleIDAuthAgent

327 ?? S 0:00.37 /System/Library/CoreServices/AirPlayUIAgent.app/Contents/MacOS/AirPlayUIAgent --

328 ?? S 0:00.94 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/i m

329 ?? S 0:03.26 /System/Library/CoreServices/cloudpaird

332 ?? S 0:00.91 /System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent

333 ?? S 0:00.68 /System/Library/CoreServices/diagnostics_agent

336 ?? S 0:01.87 /System/Library/PrivateFrameworks/MessagesKit.framework/Resources/soagent.app/C o

338 ?? S 0:04.45 /System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd

339 ?? Ss 0:00.31 /System/Library/CoreServices/Dock.app/Contents/XPCServices/com.apple.dock.extra .

341 ?? Ss 0:00.09 /usr/libexec/taskgated -s

343 ?? Ss 0:00.38 /System/Library/PrivateFrameworks/CoreWLANKit.framework/Versions/A/XPCServices/ W

344 ?? Ss 0:00.18 /usr/libexec/watchdogd

348 ?? S 0:00.08 /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app/Contents/MacOS/iTunesH e

349 ?? S 0:01.90 /Applications/OpenDNS Updater.app/Contents/MacOS/OpenDNS Updater

350 ?? Ss 0:00.28 /usr/sbin/filecoordinationd

352 ?? S 0:00.59 /System/Library/PrivateFrameworks/IMDPersistence.framework/XPCServices/IMDPersi s

354 ?? S 0:04.84 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/st o

366 ?? S 0:00.09 /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistoryPlug i

376 ?? Ss 0:00.10 /System/Library/PrivateFrameworks/CacheDelete.framework/deleted

377 ?? Ss 0:00.03 /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

378 ?? Ss 0:00.05 /System/Library/CoreServices/backupd.bundle/Contents/Resources/TMCacheDelete

379 ?? S 0:00.42 /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychai n

380 ?? S 0:02.19 /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/ c

381 ?? Ss 0:00.39 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteUR L

384 ?? Ss 0:00.19 /System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteUR L

388 ?? S 0:07.04 /System/Library/PrivateFrameworks/ParsecUI.framework/Versions/A/Support/Spotlig h

391 ?? S 0:00.07 /System/Library/CoreServices/pbs

394 ?? S 0:02.81 /System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_0_106

400 ?? Ss 0:01.40 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/XPCServices/ c

402 ?? Ss 0:00.17 /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/XPCServices/Contain e

409 ?? Ss 0:00.03 /System/Library/CoreServices/CrashReporterSupportHelper server-init

411 ?? S 0:00.16 /System/Library/Frameworks/InputMethodKit.framework/Versions/A/XPCServices/com. a

412 ?? S 0:00.87 /System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Supp o

417 ?? Ss 0:03.10 /System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupda

418 ?? Ss 0:00.04 /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Resources/suhelperd

419 ?? Ss 0:30.81 /System/Library/CoreServices/SubmitDiagInfo server-init

421 ?? S 0:00.08 /System/Library/CoreServices/ScopedBookmarkAgent

423 ?? S 0:00.05 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

424 ?? S 0:00.06 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/st o

425 ?? Ss 0:00.03 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/st o

426 ?? S 0:00.14 /System/Library/PrivateFrameworks/CommerceKit.framework/Resources/LaterAgent.ap p

427 ?? S 0:00.09 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/st o

433 ?? Us 0:00.07 /System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCS e

435 ?? Ss 0:00.54 /usr/sbin/spindump

436 ?? S 0:06.96 /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari .

446 ?? Ss 0:00.06 /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/XPCServices/ c

447 ?? Ss 0:00.12 /System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Fram e

450 ?? S 0:00.25 /System/Library/PrivateFrameworks/AssetCacheServices.framework/XPCServices/Asse t

484 ?? Ss 0:01.10 /usr/libexec/systemstatsd

525 ?? Ss 0:01.48 sysmond

530 ?? S 0:00.14 /System/Library/CoreServices/EscrowSecurityAlert.app/Contents/MacOS/EscrowSecur i

532 ?? S 0:01.97 /System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/XPCService s

533 ?? S 0:00.47 /System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Frameworks /

627 ?? S 0:00.04 /usr/libexec/USBAgent

728 ?? Ss 0:00.04 /usr/libexec/nsurlstoraged

790 ?? Ss 0:00.07 /usr/libexec/syspolicyd

793 ?? SNs 0:00.01 /usr/libexec/periodic-wrapper daily

794 ?? SNs 0:00.01 /usr/libexec/periodic-wrapper weekly

796 ?? S 0:00.54 /System/Library/PrivateFrameworks/Noticeboard.framework/Versions/A/Resources/nb a

873 ?? S 0:00.01 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

910 ?? S 0:00.27 /System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.a p

913 ?? S 0:00.18 /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/XPCSer v

915 ?? S 0:09.32 /System/Library/PrivateFrameworks/CoreRecents.framework/Versions/A/Support/rece n

1028 ?? S 0:00.03 /System/Library/PrivateFrameworks/ToneLibrary.framework/Versions/A/XPCServices/ c

1029 ?? Ss 0:00.01 /System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.S a

1031 ?? S 0:00.04 /System/Library/PrivateFrameworks/CharacterPicker.framework/Versions/A/XPCServi c

1355 ?? Ss 0:01.07 /usr/sbin/ocspd

1386 ?? S 0:00.51 /System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/V i

1398 ?? Ss 0:00.03 /System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/wr i

1403 ?? Ss 0:00.06 corestoragehelperd

1414 ?? S 0:00.32 /System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreService s

1421 ?? Ss 0:00.14 /usr/sbin/systemstats --xpc

1471 ?? Ss 0:02.76 /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices /

1474 ?? Ss 0:00.04 /System/Library/PrivateFrameworks/SafariServices.framework/Versions/A/XPCServic e

1476 ?? Ss 0:00.12 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.We b

1748 ?? S 0:00.02 /System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher

2035 ?? S 0:00.06 /System/Library/PrivateFrameworks/CoreCDP.framework/Versions/A/Resources/cdpd

2036 ?? S 0:00.02 /System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Support/fol l

2038 ?? Ss 0:00.06 /System/Library/Frameworks/AddressBook.framework/Versions/A/XPCServices/com.app l

2157 ?? S 0:00.02 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ H

2445 ?? S 0:00.06 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2565 ?? SNs 0:00.04 /usr/sbin/netbiosd

2571 ?? S 1:28.58 /Applications/Safari.app/Contents/MacOS/Safari

2572 ?? Ss 0:21.46 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.We b

2600 ?? Ss 0:00.94 /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices /

2682 ?? S 0:00.05 /usr/libexec/swcd

2683 ?? S 2:30.87 /Applications/Utilities/Console.app/Contents/MacOS/Console

2803 ?? Us 0:00.11 /System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices /

2812 ?? Ss 0:30.74 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.We b

2842 ?? R 0:10.18 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

2849 ?? S 0:00.06 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2850 ?? S 0:00.07 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2851 ?? S 0:00.09 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2858 ?? S 0:20.00 /Applications/Notes.app/Contents/MacOS/Notes

2860 ?? S 0:00.12 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2862 ?? S 0:00.09 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2863 ?? S 0:00.14 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2864 ?? S 0:00.11 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2865 ?? S 0:00.12 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2866 ?? S 0:00.29 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2867 ?? S 0:00.12 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework /

2974 ?? S 0:00.05 /System/Library/Frameworks/QuickLook.framework/Resources/quicklookd.app/Content s

2975 ?? Ss 0:00.03 /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd. a

2977 ?? S 0:02.78 /Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor

2843 s000 Ss 0:00.11 login -pf UserName

2844 s000 S 0:00.05 -bash

2990 s000 R+ 0:00.01 ps ax

client-093-003:~ UserName$

Posted on Jun 13, 2016 6:21 PM
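A path-based first pass over the `ps ax` listing in the question, as an added example that is not part of the original thread: it separates processes running from locations covered by System Integrity Protection on OS X 10.11 from those whose origin has to be checked by hand. The function names and the grouping rule are assumptions of this example; the sample rows are copied from the listing above.

```python
import re
from collections import defaultdict

# Locations covered by System Integrity Protection on OS X 10.11 (the release
# named in the EtreCheck report). /usr/local is outside SIP, so it is excluded.
SIP_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/")
SIP_EXCLUDED = ("/usr/local/",)

# One `ps ax` row: PID, TT, STAT, TIME, COMMAND. Header lines, shell prompts
# and the three-column `ps -cx` rows do not match and are skipped.
PS_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+\.\d+)\s+(.*)$")

# Cut a command at its outermost .app/.bundle so helpers group under one bundle.
BUNDLE_ROOT = re.compile(r"(.+?\.(?:app|bundle))(?:/|$)")

# Rows copied from the question's `ps ax` output. Commands are cut off at the
# terminal width there; `ps axww` prints them in full.
SAMPLE_PS = """
  PID   TT  STAT      TIME COMMAND
    1   ??  Us     0:26.82 /sbin/launchd
   44   ??  Ss     0:15.09 /usr/sbin/syslogd
   70   ??  Ss     0:11.66 /Library/Little Snitch/Little Snitch Daemon.bundle/Contents/MacOS/Little Snitch
   88   ??  Ss     0:00.02 autofsd
  256   ??  S      0:07.27 /Library/Little Snitch/Little Snitch Agent.app/Contents/MacOS/Little Snitch Agen
  310   ??  S      0:00.32 /Library/Application Support/Vodafone/NML2NDeviceObserver.app/Contents/MacOS/NML
  349   ??  S      0:01.90 /Applications/OpenDNS Updater.app/Contents/MacOS/OpenDNS Updater
  525   ??  Ss     0:01.48 sysmond
 2571   ??  S      1:28.58 /Applications/Safari.app/Contents/MacOS/Safari
 2844 s000  S      0:00.05 -bash
client-093-003:~ UserName$
"""


def parse_ps_ax(text):
    """Yield (pid, command) for every process row in `ps ax` output."""
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            yield int(m.group(1)), m.group(5).strip()


def classify(command):
    """Return 'system', 'no-path' or 'review' from the command string alone."""
    if not command.startswith("/"):
        # ps printed only a name (or a login shell such as -bash): the
        # executable path must be resolved by PID before judging it.
        return "no-path"
    if command.startswith(SIP_EXCLUDED):
        return "review"
    if command.startswith(SIP_PREFIXES):
        return "system"
    # Everything else is user- or installer-writable. "review" is not a
    # finding: it marks what to check next, e.g. with `codesign -dv`.
    return "review"


def bundle_root(command):
    """Reduce a command to the enclosing .app/.bundle, if there is one."""
    m = BUNDLE_ROOT.match(command)
    return m.group(1) if m else command


def triage(text):
    """Summarise a `ps ax` listing into system / no-path / review buckets."""
    review = defaultdict(list)
    report = {"system": 0, "no-path": [], "review": {}}
    for pid, command in parse_ps_ax(text):
        kind = classify(command)
        if kind == "system":
            report["system"] += 1
        elif kind == "no-path":
            report["no-path"].append((pid, command))
        else:
            review[bundle_root(command)].append(pid)
    report["review"] = dict(review)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_PS)
    print("system processes:", result["system"])
    for pid, name in result["no-path"]:
        print("resolve path for PID", pid, name)
    for root, pids in sorted(result["review"].items()):
        print("review:", root, pids)
```

A path under a protected prefix only says where the binary lives; the items left for review are the ones to match against the LaunchAgents, LaunchDaemons and PrivilegedHelperTools entries in the same post.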

Question marked as Top-ranking reply

Posted on Jun 13, 2016 11:32 PM

I don't know. What commands did you run? I mean exactly - down to the last letter. With Terminal commands, one letter may be all that separates success from an erased hard drive. And no, I am not kidding about that.


There is no need to uninstall Little Snitch. It is a fine program. If you inadvertently allowed something you didn't want, you can always reset it to default settings.


In all honesty, commands you ran probably didn't do any harm. But being random Terminal commands you ran from the Internet, any result that still has your Mac running should be considered successful. Just don't do it again.


I wrote a little diagnostic program to help show what software is running in the background. Download EtreCheck from http://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID.


Now, you might ask yourself (or someone else might help you 😉), if running a Terminal command could be dangerous, wouldn't running some random program be dangerous too? The answer is, yes and no. First of all, many Terminal commands you find on the internet include super-user permissions. You should be very wary of handing over your password to random strangers on the Internet, especially when they demand you do so. EtreCheck would only ask for your password to remove adware, and really doesn't even ask for it then - it has the Finder do that instead. Plus, EtreCheck is signed with an Apple Developer ID so that gives Apple a kill switch if it is ever proven to be malicious. You are free to do your own research and make that determination for yourself. If you want instructions on how to do all of this forensic work manually, just ask. People would be happy to help. There is no way to tell if they really know how to do that or if you know how to interpret the results. It is a bit of a catch-22, isn't it?


Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

16 replies
Jun 14, 2016 2:54 AM in response to it's silver and pretty

It seems that you believe that a third party has had access to your machine, e.g. because you fell for a support scam or ignored basic safe practice and installed malware or let someone untrustworthy have access to your hardware, etc.

If this is the case there is only one choice: you need to make two independent backups and then 'erase and reinstall' your computer from scratch:


How to reinstall OS X on your Mac - Apple Support


Install only applications you need to use your computer and that come either from the Apple App Store or reputable developers' own website. Restore only your data (documents, photos, music, etc.) from your backups not software or system files.


Pursuing any other path will simply waste a lot of your time and you'll never be sure that you found all the malware and backdoors that have been installed.


If you believe that a crime has been committed you should consult a lawyer or the police. In principle, depending on the nature of the intrusion they may want the disk preserved as evidence. In practice they probably won't be interested.


C.

Jun 13, 2016 7:54 PM in response to Community User

Thanks for your reply. It's long and complicated, but basically someone had information that only could have been gained through seeing into my computer. Also importantly, the screen sharing icon appeared in the upper right corner a week or so ago. I checked my settings and they were off, leading me to believe some stealth-ware had been installed. It has since disappeared. This is my personal computer and not a work computer, so I do not expect anyone to be legitimately looking at it. I am trying to get evidence of it before going to the authorities, otherwise they don't help you properly (in my country anyway). My Facebook was hacked a few months ago so I shut it down and don't use FB now. But now I am worried they have got into my computer. It's kind of terrifying. 😐 So any help with what people can see, would be greatly appreciated.

Sep 22, 2017 6:12 PM in response to etresoft

I've been meaning to give EtreCheck a try. Now might be a good time...a couple things have shown up here on my MBA that I'm slightly concerned about.

1. When I logged out yesterday, I got a message saying that if I log out now I will be logging out other users...something to that effect. I'm the only user on my network and the only thing attached is my MBA.

2. The below message: after reading through this, I wanted to double check my Security Settings and I see the below (look towards the bottom, the part about "Some other users..."):

User uploaded file

Any ideas what this is all about?

Jun 14, 2016 12:52 AM in response to etresoft

OK I ran EtreCheck as you suggested. But I have no idea what the output means. It is here;


EtreCheck version: 2.9.12 (265)

Report generated 2016-06-14 19:48:26

Download EtreCheck from https://etrecheck.com

Runtime 2:00

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.


Problem: Other problem

Description:

possible hack


Hardware Information:

MacBook Air (13-inch, Early 2015)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir7,2

1 1.6 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 89


Video Information:

Intel HD Graphics 6000

Color LCD 1440 x 900


System Software:

OS X El Capitan 10.11.5 (15F34) - Time since boot: about 3 days


Disk Information:

APPLE SSD SM0256G disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 249.78 GB (132.63 GB free)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 250.14 GB Online


USB Information:

Apple Card Reader

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information:

Apple Inc. thunderbolt_bus


Gatekeeper:

Anywhere


Kernel Extensions:

/Library/Extensions

[loaded] at.obdev.nke.LittleSnitch (3.6.3 - SDK 10.8 - 2016-06-11) [Support]


/System/Library/Extensions

[not loaded] com.NovatelWireless.driver.NovatelWirelessUSBCDCECMControl (v3.0.13 (001) - 2016-06-11) [Support]

[not loaded] com.NovatelWireless.driver.NovatelWirelessUSBCDCECMData (v3.0.13 (001) - 2016-06-11) [Support]

[not loaded] com.ZTE.driver.ZTEUSBCDCACMData (ZTEDriver_MacV1.3.8 - 2016-06-11) [Support]

[not loaded] com.ZTE.driver.ZTEUSBMassStorageFilter (ZTEDriver_MacV1.3.8 - 2016-06-11) [Support]

[not loaded] com.novamedia.driver.IceraUSB_MSD_Bypass (NM Icera bypass V1.0 - 2016-06-11) [Support]

[not loaded] com.novatelwireless.driver.3G (v3.0.13 (001) - 2016-06-11) [Support]

[not loaded] com.novatelwireless.driver.DisableAutoInstall (v3.0.13 (001) - 2016-06-11) [Support]

[not loaded] com.option.driver.Option72 (2.15.0 - 2016-06-11) [Support]

[not loaded] com.option.driver.OptionHS (3.26.0 - 2016-06-11) [Support]

[not loaded] com.option.driver.OptionMSD (1.21.0 - 2016-06-11) [Support]

[not loaded] com.option.driver.OptionQC (1.11.0 - 2016-06-11) [Support]

[loaded] com.rim.driver.BlackBerryUSBDriverInt (0.0.67 - 2016-06-11) [Support]

[not loaded] com.rim.driver.BlackBerryUSBDriverVSP (0.0.67 - 2016-06-11) [Support]

[not loaded] com.vodafone.driver (v3.0.9 (017) - 2016-06-11) [Support]

[not loaded] com.zte.driver.cdc_ecm_qmi (1.0.1 - 2016-06-11) [Support]

[not loaded] com.zte.driver.cdc_usb_bus (1.0.1 - 2016-06-11) [Support]

[not loaded] de.novamedia.driver.NMSamsung (0.0.2 - 2016-06-11) [Support]

[not loaded] de.novamedia.driver.NMSmartplugSCSIDevice (1.0.1 - 2016-06-11) [Support]

[not loaded] de.novamedia.oem.vodafone.vtp.huawei.cdc (0.0.2 - 2016-06-11) [Support]


/System/Library/Extensions/NMHuaweiPhonesVTPCDC_106.kext/Contents/PlugIns

[not loaded] de.novamedia.driver.NMUSBCDCACMControl (3.2.12 - 2011-09-02) [Support]


/System/Library/Extensions/NMSamsungDriver_106.kext/Contents/PlugIns

[not loaded] de.novamedia.driver.NMUSBCDCACMData (3.2.12 - 2011-09-02) [Support]


/System/Library/Extensions/NovatelWireless3G.kext/Contents/PlugIns

[not loaded] com.novatelwireless.driver.3GData (v3.0.13 (001) - 2011-09-02) [Support]


/System/Library/Extensions/Vodafone.kext/Contents/PlugIns

[not loaded] com.vodafone.driver.Data (v3.0.9 (017) - 2011-09-02) [Support]


System Launch Agents:

[not loaded] 7 Apple tasks

[loaded] 148 Apple tasks

[running] 82 Apple tasks

[killed] One Apple task

one process killed due to insufficient RAM


System Launch Daemons:

[failed] de.novamedia.nmnetmgrd.plist (2011-09-02) [Support]

[not loaded] 45 Apple tasks

[loaded] 147 Apple tasks

[running] 94 Apple tasks

[killed] 4 Apple tasks

4 processes killed due to insufficient RAM


Launch Agents:

[running] at.obdev.LittleSnitchUIAgent.plist (2016-03-26) [Support]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist (2016-05-14) [Support]

[not loaded] com.oracle.java.Java-Updater.plist [Support]

[running] de.novamedia.VodafoneDeviceObserver.plist (2011-09-02) [Support]


Launch Daemons:

[running] at.obdev.littlesnitchd.plist (2016-03-26) [Support]

[loaded] com.adobe.ARMDC.Communicator.plist (2016-05-14) [Support]

[loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (2016-05-14) [Support]

[loaded] com.adobe.fpsaud.plist (2016-05-10) [Support]

[loaded] com.apple.installer.osmessagetracing.plist

[loaded] com.cyberghostsrl.CyberghostPrivilegedHelper.plist (2016-02-11) [Support]

[loaded] com.malwarebytes.MBAMHelperTool.plist (2016-06-11) [Support]

[not loaded] com.oracle.java.Helper-Tool.plist [Support]

[loaded] net.tunnelblick.tunnelblick.tunnelblickd.plist (2016-05-29) [Support]

[loaded] org.wireshark.ChmodBPF.plist (2016-03-30) [Support]


User Launch Agents:

[loaded] com.google.keystone.agent.plist (2016-03-04) [Support]

[failed] net.tunnelblick.tunnelblick.LaunchAtLogin.plist (2016-05-04) [Support]


User Login Items:

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

OpenDNS Updater Application Hidden (/Applications/OpenDNS Updater.app)


Other Apps:

[running] com.opendns.OpenDNS_Updater.67872

[running] jp.co.canon.cijscannerregister.63072

[loaded] 376 Apple tasks

[running] 215 Apple tasks

[killed] 4 Apple tasks


Internet Plug-ins:

AdobePDFViewerNPAPI: 15.016.20045 - SDK 10.11 (2016-06-02) [Support]

FlashPlayer-10.6: 21.0.0.242 - SDK 10.6 (2016-05-13) [Support]

AdobePDFViewer: 15.016.20045 - SDK 10.11 (2016-06-02) [Support]

QuickTime Plugin: 7.7.3 (2016-05-05)

Flash Player: 21.0.0.242 - SDK 10.6 (2016-05-13) [Support]

Default Browser: 601 - SDK 10.11 (2016-05-05)


Safari Extensions:

AdBlock - BetaFish, Inc. - https://getadblock.com (2016-05-22)

Pin It Button - Pinterest, Inc. - http://www.pinterest.com/ (2016-04-08)


3rd Party Preference Panes:

Flash Player (2016-05-10) [Support]


Time Machine:

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 249.78 GB Disk used: 117.15 GB

Destinations:

My passport WD backup [Local]

Total size: 2.00 TB

Total number of backups: 5

Oldest backup: 9/02/16, 4:01 PM

Last backup: 11/06/16, 8:02 PM

Size of backup disk: Excellent

Backup size 2.00 TB > (Disk size 249.78 GB X 3)


Top Processes by CPU:

4% WindowServer

3% kernel_task

2% fontd

0% DashboardClient

0% CIJScannerRegister


Top Processes by Memory:

738 MB kernel_task

520 MB com.apple.WebKit.WebContent(9)

229 MB Safari

156 MB mdworker(15)

37 MB Pages


Virtual Memory Information:

61 MB Free RAM

3.94 GB Used RAM (630 MB Cached)

250 MB Swap Used


Diagnostics Information:

Jun 13, 2016, 05:44:54 PM /Library/Logs/DiagnosticReports/thunderbird_2016-06-13-174454_[redacted].hang

/Applications/Thunderbird.app/Contents/MacOS/thunderbird

Jun 11, 2016, 10:57:17 PM Self test - passed

Jun 14, 2016 12:12 AM in response to etresoft

Thank you for your reply. I gave Terminal the following commands, the output of which is printed above;


___________________________________________________________________________________

kextstat -kl | awk ' !/apple/ { print $6 $7 } '


sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '


launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '

ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null

  • ps -cx
  • ps ax

___________________________________________________________________________________

I will also take a look at EtreCheck, thank you for making me aware of it.

Jun 13, 2016 9:47 PM in response to it's silver and pretty

Hacking into Macs is next to impossible unless the user gives permission.

If you are in doubt, do a factory reset of the ISP modem & AirPort Express. Change the passwords for them.

Also change the passwords for webmail, Apple ID & iCloud ID.

Please change some settings in the system: go to System Preferences > Sharing, open the padlock by entering your user name & password, and uncheck all the options on the left side, i.e. Screen Sharing, Remote Login, etc. Set them as "Only these users".

And the best solution is to enable FileVault + set a firmware password.

Jun 13, 2016 11:04 PM in response to it's silver and pretty

Permissions in the sense that if the user has never enabled a password for the AirPort Express or ISP modem & it's all open, the system welcomes the attackers.

And also please disable Little Snitch.

Please set the correct settings for your modem and AirPort router & enable FileVault. These are the first basic settings every user must do.

And secondly, settings in Security & Privacy: in General, set require password to immediately, enable the firewall, and an even better setting is to enable stealth mode + block all incoming connections.

As you stated in the post, if someone is viewing remotely, two very small windows will be observed slightly overlapping each other on the top menu bar.

Jun 14, 2016 2:34 PM in response to it's silver and pretty

Yes, those commands could have done virtually anything to your machine or any of your data.


EtreCheck doesn't show any hacking, but it does show you have left the door wide open to such hacking. Go to System Preferences > Security and Privacy and change the "Allow apps downloaded from" back to "Mac App Store and identified developers" and never change that setting again.
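
The reading of the report described in the reply above (check the Gatekeeper line, then look through the non-Apple kernel extensions and launch items) can be done mechanically on a saved report. This is an added example, not part of the original post and not EtreCheck's own code; the function names are hypothetical and the sample is a constructed excerpt in the layout of the report posted in this thread. It produces a list for manual review, not a verdict.

```python
import re

# Constructed excerpt in the layout of the EtreCheck report posted in this thread.
SAMPLE_REPORT = """\
Gatekeeper:
Anywhere
Kernel Extensions:
/Library/Extensions
[loaded] at.obdev.nke.LittleSnitch (3.6.3 - SDK 10.8 - 2016-06-11) [Support]
System Launch Daemons:
[failed] de.novamedia.nmnetmgrd.plist (2011-09-02) [Support]
[loaded] 147 Apple tasks
Launch Agents:
[running] at.obdev.LittleSnitchUIAgent.plist (2016-03-26) [Support]
[not loaded] com.oracle.java.Java-Updater.plist [Support]
"""

# Sections listing code that starts automatically or loads into the kernel.
PERSISTENCE = {"Kernel Extensions", "System Launch Agents", "System Launch Daemons",
               "Launch Agents", "Launch Daemons", "User Launch Agents"}
HEADER = re.compile(r"^([^\[\]/][^\[\]]*):$")   # "Launch Agents:" but not a path or item
ITEM = re.compile(r"^\[([a-z ]+)\]\s+(\S+)")    # "[state] identifier ..."
DATE = re.compile(r"\d{4}-\d{2}-\d{2}")         # modification date, when reported

def split_sections(report):
    """Map each 'Name:' header to the non-blank lines that follow it."""
    sections, current = {}, None
    for line in map(str.strip, report.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def third_party_items(report):
    """Return (section, state, name, date) for each non-Apple persistence entry."""
    items = []
    for section, lines in split_sections(report).items():
        for line in lines if section in PERSISTENCE else []:
            m = ITEM.match(line)
            if m and "Apple task" not in line:   # skip "[loaded] 147 Apple tasks" summaries
                d = DATE.search(line)
                items.append((section, m.group(1), m.group(2), d.group(0) if d else None))
    return items

def gatekeeper_setting(report):
    """Return the Gatekeeper value recorded in the report, or None if absent."""
    return next(iter(split_sections(report).get("Gatekeeper", [])), None)
```

On the sample, `gatekeeper_setting` returns `Anywhere`, the setting the reply says to change back, and `third_party_items` returns the four non-Apple entries with their state and date so each can be matched to software the owner remembers installing.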

Sep 23, 2017 12:42 PM in response to etresoft

Ok, this may make me look like an idiot but I actually do have two users; an admin and standard account (I use the standard account only for security purposes).


So three questions:


1. Would this be the reason I'm seeing this message?

2. Does this mean my File Vault is not encrypted for that user?

3. Am I doing myself any favors by setting it up this way (that comes from being a Windows user for most of my life where it is emphasized to create a second [standard user]...the reason being if someone hacks you it makes it easier for them to do whatever they want if you are already in a privileged state [using the admin account])?

Sep 23, 2017 5:14 PM in response to versenumber2

Hello again versenumber2,

You are definitely not an idiot for having an admin and a standard user account. However, it would have been helpful if you had mentioned that before. 🙂 It is very good security practice to use only a standard user, and only use admin when absolutely necessary, but it isn't very common.


1) That could be the reason for that message. You can always click "enable users" to make sure that all users on your machine can unlock the disk. If there are any users in the list you don't recognize, then those probably are malicious users.


2) It definitely means that some users on your machine cannot unlock the disk. If you have a standard user for everyday use and an admin for administrative tasks, then both need to be able to unlock the disk.


3) There are some restrictions on standard users that make them more difficult to hack. They aren't a lot more difficult, but anytime you make your configuration a little bit non-standard, you run the risk that some software, both legitimate and malicious, is going to break. Considering the kinds of low-level hacks that malicious software does, it is more likely to be negatively impacted. And since Apple makes it really easy to just supply an admin username and password whenever your standard user is not sufficient, there is very little price to pay for using a standard user. This is always the way I set up my machines.
