92 Replies. Latest reply: Jul 11, 2014 12:47 PM by lebeaupoete
  • 15. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    meltymax Level 1 (0 points)

    Thank you, although I have no intention of taking it that far. I do not have the time or the means. Thanks again.

  • 16. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    Linc Davis Level 10 (117,990 points)

    I don't know how to determine who installed the spyware.

  • 17. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    inpurehell Level 1 (0 points)

    I am having a similar problem. All of the devices in my life have been attacked. Passwords all stolen, accounts impersonated, etc.

    I used the directed code below (mentioned above) and have been given error messages:

     

    sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

     

    WARNING: Improper use of the sudo command could lead to data loss

    or the deletion of important system files. Please double-check your

    typing when using sudo. Type "man sudo" for more information.

     

    Entire machine has been wiped - three times - and still having issues. Post is on the iMac forum.

  • 18. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    pittershawn Level 1 (0 points)

    I went through the steps. What should I be looking for after each step?

  • 19. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    giovanni272 Level 1 (0 points)

    I don't want to bother you but I think I have the same problem. Would you check the output of the procedure you suggested?

  • 20. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    Ski2vail Level 1 (0 points)

    I have followed the steps Linc posted for detecting keylogger spyware on my Mac. Here are the responses I receive from each step. Could you please tell me if I have any keylogger ware on my Mac?

     

    Step 1:

    kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

     

    Response: 

    com.markspace.driver.RemoteNDIS (438)

     

    Step 2:

    sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

    Response:

    org.samba.smbd

    org.samba.nmbd

    com.sierrawireless.SierraReset.plist

     

    Step 3:

    launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

     

    Response: 

    com.hp.launchurlagent


    Step 4: 

    ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

     

    Response:

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle
    SkypeABSMS.bundle

     

    /Library/Components:

     

    /Library/Frameworks:

    .DS_Store

    Adobe AIR.framework

    HPDeviceModel.framework
    HPPml.framework
    HPServicesInterface.framework
    HPSmartPrint.framework
    HPSmartX.framework
    MacFUSE.framework
    MissingSyncWM.framework
    MissingSyncWMShared.framework
    Snapfish.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    AmazonMP3DownloaderPlugin.plugin

    Flash Player.plugin

    JavaPluginCocoa.bundle

    NP-PPC-Dir-Shockwave

    OfficeLiveBrowserPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    QuickTime Plugin.webplugin

    VerifiedDownloadPlugin.plugin
    ebldetect.bundle
    flashplayer.xpt
    iPhotoPhotocast.plugin
    nsIQTScriptablePlugin.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

    com.hp.launchurlagent.plist
    com.sony.ReaderLibrary.RunReaderLibrary.plist

     

    /Library/LaunchDaemons:

    com.sierrawireless.SWoCTool.plist
    com.sierrawireless.SierraReset.plist

     

    /Library/PreferencePanes:

    Flash Player.prefPane

     

    /Library/QuickLook:

    GBQLGenerator.qlgenerator
    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

     

    /Library/Spotlight:

    AppleWorks.mdimporter
    GBSpotlightImporter.mdimporter

    Microsoft Office.mdimporter

    iWeb.mdimporter
    iWork.mdimporter

     

    /Library/StartupItems:

    HP IO

    HP Trap Monitor

    MissingSyncListener

     

    /etc/mach_init.d:

    dashboardadvisoryd.plist

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

     

    Library/Address Book Plug-Ins:

     

    Library/Fonts:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

    .DS_Store

    BrowserPlus_2.9.8.plugin

    KickStartPlugIn64.plugin

    fbplugin_1_0_1.plugin

    fbplugin_1_0_3.plugin

     

    Library/Keyboard Layouts:

     

    Library/LaunchAgents:

     

    Library/PreferencePanes:

    BrowserPlusPrefs.prefPane

     

    Step 5:

    osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

     

    Response:

    iTunesHelper, AirPort Base Station Agent, Reader Library Launcher
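
An offline walk-through of Steps 2 and 4 as quoted in the post above, added here as an example (not part of any post in the thread): it runs the Step 2 filter over constructed `launchctl list` text, shows that a copy of the command in which `postfix` has been split into `postfi x` lets an extra label through, and matches the surviving labels against a Step 4 style listing. The sample data, the function names and the match-by-file-name heuristic are assumptions; a job's label is set inside its plist and need not equal the file name.

```shell
#!/bin/sh
# Added example: Steps 2 and 4 run offline over constructed sample text.

# Constructed stand-in for `sudo launchctl list` (columns: PID Status Label).
sample_launchctl_list() {
cat <<'EOF'
PID Status Label
- 0 com.apple.mdworker.pool
123 - 0x7fd1a2c0b2f0.anonymous.launchd
45 - org.postfix.master
- 0 org.samba.smbd
- 0 org.samba.nmbd
- 0 com.sierrawireless.SierraReset.plist
EOF
}

# Constructed Step 4 style listing (the format `ls -1A dir1 dir2 ...` prints).
sample_step4_listing() {
cat <<'EOF'
/Library/LaunchAgents:
com.hp.launchurlagent.plist

/Library/LaunchDaemons:
com.sierrawireless.SWoCTool.plist
com.sierrawireless.SierraReset.plist

/Library/StartupItems:
HP IO
EOF
}

# Step 2 filter: drop the header row, drop every line that matches one of the
# excluded patterns, print the third column (the job label) of what is left.
step2_filter() {
  sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
}

# The same filter with "postfix" split into "postfi x", as happens when a long
# line is wrapped during copying. The command still runs, but the postfix
# exclusion no longer matches anything.
step2_filter_wrapped() {
  sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'
}

# For each label, look for "<label>.plist" (or the label itself) under a
# LaunchAgents/LaunchDaemons heading of the listing.
# Prints: label <TAB> path, or label <TAB> not-in-listing.
cross_check() {
  labels=$1
  listing=$2
  printf '%s\n' "$labels" | while IFS= read -r label; do
    [ -n "$label" ] || continue
    hit=$(printf '%s\n' "$listing" | awk -v want="$label" '
      /:$/ { dir = substr($0, 1, length($0) - 1); next }
      dir ~ /Launch(Agents|Daemons)$/ && ($0 == (want ".plist") || $0 == want) {
        print dir "/" $0; exit
      }')
    printf '%s\t%s\n' "$label" "${hit:-not-in-listing}"
  done
}

labels=$(sample_launchctl_list | step2_filter)
echo "Step 2 labels:"
printf '%s\n' "$labels"
echo "Step 2 labels from the wrapped copy:"
sample_launchctl_list | step2_filter_wrapped
echo "Labels matched against the Step 4 listing:"
cross_check "$labels" "$(sample_step4_listing)"
```

A label reported as `not-in-listing` only means its plist is not in the directories Step 4 lists; the job may be defined elsewhere on the system.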


     




  • 21. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    thelisagee Level 1 (0 points)

    Dear Linc:

    Can you please let me know if you think I have a keylogger or spyware on my mac?  I followed your steps but I am not sure how to interpret the results. 

     

    Actually, the first time I ran the steps I followed them too literally and after my password did not work I "skipped the next step," which I took to mean Step 3, and pasted the code for Step 4 and then thought better of it, closed the terminal, re-read your steps, re-opened the terminal, and did it right the second time, but I hope I did not screw it up in doing so.

     

    Thank you in advance for your help, and thank you for the steps in the first place! 

    Lisa

     

    Last login: Fri Jan 11 21:34:04 on console

    L1:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    L1:~ myname$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

    WARNING: Improper use of the sudo command could lead to data loss

    or the deletion of important system files. Please double-check your

    typing when using sudo. Type "man sudo" for more information.

     

    To proceed, enter your password, or type Ctrl-C to abort.

     

    Password:

    Sorry, try again.

    Password:

    Sorry, try again.

    Password:

    Sorry, try again.

    sudo: 3 incorrect password attempts

    L1:~ myname$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    Adobe AIR.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    TSLicense.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    AdobePDFViewer.plugin

    AdobePDFViewerNPAPI.plugin

    Flash Player.plugin

    Flip4Mac WMV Plugin.plugin

    JavaAppletPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    SharePointBrowserPlugin.plugin

    SharePointWebKitPlugin.webplugin

    Silverlight.plugin

    flashplayer.xpt

    googletalkbrowserplugin.plugin

    npgtpo3dautoplugin.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

    com.adobe.AAM.Updater-1.0.plist

    com.google.keystone.agent.plist

     

    /Library/LaunchDaemons:

    com.adobe.SwitchBoard.plist

    com.adobe.fpsaud.plist

    com.apple.remotepairtool.plist

    com.google.keystone.daemon.plist

    com.microsoft.office.licensing.helper.plist

     

    /Library/PreferencePanes:

    Flash Player.prefPane

    Flip4Mac WMV.prefPane

     

    /Library/PrivilegedHelperTools:

    com.microsoft.office.licensing.helper

     

    /Library/QuickLook:

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    Flip4Mac WMV Advanced.component

    Flip4Mac WMV Export.component

    Flip4Mac WMV Import.component

     

    /Library/ScriptingAdditions:

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

    com.adobe.SwitchBoard.monitor.plist

     

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle

    SkypeABSMS.bundle

     

    Library/Fonts:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

     

    Library/Keyboard Layouts:

     

    Library/LaunchAgents:

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

    com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D426CCF7-7BE4-4E03-8A20-5CC59986AF40.plist

     

    Library/Mail/Bundles:

    SpamSieve.mailbundle

     

    Library/PreferencePanes:

    L1:~ myname$

    Last login: Fri Jan 11 22:04:25 on ttys000

    L1:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    L1:~ myname$

    L1:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    L1:~ myname$

    L1:~ myname$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

    WARNING: Improper use of the sudo command could lead to data loss

    or the deletion of important system files. Please double-check your

    typing when using sudo. Type "man sudo" for more information.

     

    To proceed, enter your password, or type Ctrl-C to abort.

     

    Password:

    com.microsoft.office.licensing.helper

    com.google.keystone.daemon

    com.adobe.SwitchBoard

    com.adobe.fpsaud

    L1:~ myname$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

    com.google.keystone.system.agent

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

    L1:~ myname$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    Adobe AIR.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    TSLicense.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    AdobePDFViewer.plugin

    AdobePDFViewerNPAPI.plugin

    Flash Player.plugin

    Flip4Mac WMV Plugin.plugin

    JavaAppletPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    SharePointBrowserPlugin.plugin

    SharePointWebKitPlugin.webplugin

    Silverlight.plugin

    flashplayer.xpt

    googletalkbrowserplugin.plugin

    npgtpo3dautoplugin.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

    com.adobe.AAM.Updater-1.0.plist

    com.google.keystone.agent.plist

     

    /Library/LaunchDaemons:

    com.adobe.SwitchBoard.plist

    com.adobe.fpsaud.plist

    com.apple.remotepairtool.plist

    com.google.keystone.daemon.plist

    com.microsoft.office.licensing.helper.plist

     

    /Library/PreferencePanes:

    Flash Player.prefPane

    Flip4Mac WMV.prefPane

     

    /Library/PrivilegedHelperTools:

    com.microsoft.office.licensing.helper

     

    /Library/QuickLook:

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    Flip4Mac WMV Advanced.component

    Flip4Mac WMV Export.component

    Flip4Mac WMV Import.component

     

    /Library/ScriptingAdditions:

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

    com.adobe.SwitchBoard.monitor.plist

     

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle

    SkypeABSMS.bundle

     

    Library/Fonts:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

     

    Library/Keyboard Layouts:

     

    Library/LaunchAgents:

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

    com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D426CCF7-7BE4-4E03-8A20-5CC59986AF40.plist

     

    Library/Mail/Bundles:

    SpamSieve.mailbundle

     

    Library/PreferencePanes:

    L1:~ myname$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

    iTunesHelper, AdobeResourceSynchronizer

    L1:~ myname$

  • 22. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    fathergene Level 1 (0 points)

    Linc,

    I need a hand too, bud! My ex is "monitoring" me somehow. I have done a seven pass zero, and a single pass zero before I ran this. Somehow she is still seeing me.

     

    This was after step 4

     

    Step 4

     

     

    /Library/Components:

     

    /Library/Extensions:

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    JavaAppletPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

     

    /Library/LaunchDaemons:

     

    /Library/PreferencePanes:

     

    /Library/PrivilegedHelperTools:

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

     

    /Library/ScriptingAdditions:

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iBooksAuthor.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

     

    Library/Fonts:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

     

    Library/Keyboard Layouts:

     

    Library/LaunchAgents:

     

    Library/PreferencePanes:

     

     

    That is the only step that produced any results.  Any help out would be awesome!!!

  • 23. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    Friend 2 Apple Level 1 (0 points)

    Hi Linc,

     

    One more please? My soon-to-be ex knows things he could only get from accessing my Mac (or maybe my iPhone?) Since moving out I've repeatedly changed passwords to very difficult ones. If he hasn't installed anything on my Mac, could he access it from the parking lot of my apartment with his Mac? My wireless is locked, but my Mac seems to want to occasionally join some stupid unlocked LinkSys nearby. I can't figure it out, but he is pretty sophisticated with surveillance equipment like cameras in the house, recording devices, a tracking device on my vehicle, etc. He hasn't been in this apartment, though.

     

    Anyway, here are my results:

     

    Last login: Tue Feb 12 21:29:11 on ttys000

    myname-MacBook-Pro:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    myname-MacBook-Pro:~ myname$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

    WARNING: Improper use of the sudo command could lead to data loss

    or the deletion of important system files. Please double-check your

    typing when using sudo. Type "man sudo" for more information.

     

    To proceed, enter your password, or type Ctrl-C to abort.

     

    Password:

    com.microsoft.office.licensing.helper
    com.google.keystone.daemon
    com.adobe.fpsaud

    myname-MacBook-Pro:~ myname$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

    com.google.keystone.system.agent
    com.spotify.webhelper
    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

    myname-MacBook-Pro:~ myname$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

     

    /Library/Frameworks:

    AEProfiling.framework
    AERegistration.framework
    AudioMixEngine.framework
    EWSMac.framework
    EpsonInformationService.framework
    NyxAudioAnalysis.framework
    PluginManager.framework
    TSLicense.framework
    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    AdobePDFViewer.plugin
    AdobePDFViewerNPAPI.plugin

    Flash Player.plugin

    Flip4Mac WMV Plugin.plugin

    JavaAppletPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    SharePointBrowserPlugin.plugin
    SharePointWebKitPlugin.webplugin
    Silverlight.plugin
    flashplayer.xpt
    googletalkbrowserplugin.plugin

    npgtpo3dautoplugin.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

    com.google.keystone.agent.plist

     

    /Library/LaunchDaemons:

    com.adobe.fpsaud.plist
    com.apple.remotepairtool.plist
    com.google.keystone.daemon.plist
    com.microsoft.office.licensing.helper.plist

     

    /Library/PreferencePanes:

    Flash Player.prefPane

    Flip4Mac WMV.prefPane

    JavaControlPanel.prefpane

     

    /Library/PrivilegedHelperTools:

    Google Drive Icon Helper

    com.microsoft.office.licensing.helper

     

    /Library/QuickLook:

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    Flip4Mac WMV Advanced.component

    Flip4Mac WMV Export.component

    Flip4Mac WMV Import.component

     

    /Library/ScriptingAdditions:

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

     

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle
    SkypeABSMS.bundle

     

    Library/Fonts:

     

    Library/Frameworks:

    EWSMac.framework

     

    Library/LaunchAgents:

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
    com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.17702FE6-AA35-416A-8C82-FAC5124BE8A8.plist
    com.spotify.webhelper.plist

     

    Library/Services:

    myname-MacBook-Pro:~ myname$ sascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

    myname-MacBook-Pro:~ myname$

  • 24. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    MsLeeSatchell Level 1 (5 points)

    Hi there,

    Thank you for posting these instructions. Have previously found software such as Jumi-cam on my PC laptop and another similar app on my iPad which my ex installed to remotely access my webcam and desktop. I am just concerned that my Mac may have a keylogger as my email accounts and Facebook (which I have now deleted) have been logged into by someone who knew my password even though I had changed my password twice.

    I appreciate you taking the time to look at these results if you can,

    Thank you in advance!

     

     

    Last login: Wed Feb 20 09:25:12 on ttys000

    MyName-MacBook-Pro-15:~ MyName$ sh

    sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    sh-3.2$

    sh-3.2$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

    Password:

    Sorry, try again.

    Password:

    com.leapfrog.connect.shell

    com.adobe.SwitchBoard

    com.adobe.fpsaud

    sh-3.2$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

    com.adobe.CS5ServiceManager

    com.google.keystone.user.agent

    com.adobe.AAM.Scheduler-1.0

    sh-3.2$

    sh-3.2$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

    /Library/Components:

     

     

    /Library/Extensions:

     

     

    /Library/Frameworks:

    Adobe AIR.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    iTunesLibrary.framework

     

     

    /Library/Input Methods:

     

     

    /Library/Internet Plug-Ins:

    Flash Player.plugin

    JavaAppletPlugin.plugin

    NP-PPC-Dir-Shockwave

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    Silverlight.plugin

    flashplayer.xpt

    iPhotoPhotocast.plugin

    npContributeMac.bundle

    nsIQTScriptablePlugin.xpt

     

     

    /Library/Internet Plug-Ins (Disabled):

    Flash Player.plugin

     

     

    /Library/Keyboard Layouts:

     

     

    /Library/LaunchAgents:

    com.adobe.AAM.Updater-1.0.plist

    com.adobe.CS5ServiceManager.plist

     

     

    /Library/LaunchDaemons:

    com.adobe.SwitchBoard.plist

    com.adobe.fpsaud.plist

    com.leapfrog.connect.shell.plist

     

     

    /Library/PreferencePanes:

    Flash Player.prefPane

    Growl.prefPane

     

     

    /Library/PrivilegedHelperTools:

    com.leapfrog.connect.shell

     

     

    /Library/QuickLook:

    iWork.qlgenerator

     

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    SoundboothScoreCodec.component

     

     

    /Library/ScriptingAdditions:

    Adobe Unit Types.osax

     

     

    /Library/Spotlight:

    AppleWorks.mdimporter

    Microsoft Office.mdimporter

    iWork.mdimporter

     

     

    /Library/StartupItems:

     

     

    /etc/mach_init.d:

    dashboardadvisoryd.plist

     

     

    /etc/mach_init_per_login_session.d:

     

     

    /etc/mach_init_per_user.d:

    com.adobe.SwitchBoard.monitor.plist

     

     

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle

    SkypeABSMS.bundle

     

     

    Library/Fonts:

    DamaskDings1.ttf

    Sanford-0103_demo.ttf

     

     

    Library/Input Methods:

    .localized

     

     

    Library/Internet Plug-Ins:

     

     

    Library/Keyboard Layouts:

     

     

    Library/LaunchAgents:

    com.adobe.AAM.Updater-1.0.plist

    com.google.keystone.agent.plist

     

     

    Library/PreferencePanes:

    sh-3.2$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

    iTunesHelper, Monitor

    sh-3.2$

    sh-3.2$

  • 25. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    Sams33 Level 1 (0 points)

    Hi rrahimi - since you were able to spot the spyware for meltymax, I was wondering - do you see anything obviously amiss with my output? I also have reason to believe someone installed monitoring software on my computer:

     

    com.anchorfree.tun (1.0.1)

     

    net.sourceforge.MonolingualHelper

    net.openvpn.client

    com.anchorfree.ajaxserver

    com.adobe.fpsaud

     

    com.spotify.webhelper

    com.google.keystone.user.agent

     

    /Library/Components:

     

    /Library/Extensions:

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    PrivateTunnel.framework

    Python.framework

    iLifeFaceRecognition.framework

    iLifeKit.framework

    iLifePageLayout.framework

    iLifeSQLAccess.framework

    iLifeSlideshow.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    Flash Player.plugin

    JavaAppletPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    flashplayer.xpt

    iPhotoPhotocast.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/Internet Plug-Ins (Disabled):

    Flash Player.plugin

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

     

    /Library/LaunchDaemons:

    com.adobe.fpsaud.plist

    com.anchorfree.ajaxserver.plist

    com.apple.remotepairtool.plist

    net.openvpn.client.plist

    net.sourceforge.MonolingualHelper.plist

    org.eyebeam.SelfControl.plist

     

    /Library/PreferencePanes:

    Flash Player.prefPane

     

    /Library/PrivilegedHelperTools:

    net.sourceforge.MonolingualHelper

    org.eyebeam.SelfControl

    scheckup

     

    /Library/QuickLook:

    GBQLGenerator.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

     

    /Library/ScriptingAdditions:

     

    /Library/Spotlight:

    GBSpotlightImporter.mdimporter

    LogicPro.mdimporter

    Microsoft Office.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

     

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle

    SkypeABSMS.bundle

     

    Library/Fonts:

     

    Library/Frameworks:

    EWSMac.framework

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

    Google Earth Web Plug-in.plugin

     

    Library/Keyboard Layouts:

     

    Library/LaunchAgents:

    com.apple.AddressBook.ScheduledSync.ABExchangeSource.DE24DC9B-61F5-4662-9845-F58A03391D21.plist

    com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.8F5677FC-4A57-4F58-A519-8033306E4127.plist

    com.google.keystone.agent.plist

    com.spotify.webhelper.plist

     

    Dropbox, PrivateTunnel Tray, Hotspot Shield

  • 26. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    MsLeeSatchell Level 1 (5 points)

    Hi there,

    Have posted the results from the instructions you gave to determine any keyloggers or spyware on my Mac. Would really appreciate any feedback as I am growing more and more concerned for my safety as my ex seems to know where I'll be and when and turns up at places and times he couldn't possibly have found out through any other means.

    Thank you in advance

  • 27. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    pittershawn Level 1 (0 points)

    If you have time, please review my output.

     

    Step 1

    After  command: 

    kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

     

     

    at.obdev.nke.LittleSnitch (3894)

    com.intego.Family-Protector.safe-boot (1145)

    com.globaldelight.driver.BoomDevice (1.1)

    com.Cycling74.driver.Soundflower (1.5.1)

    com.radiosilenceapp.nke.filter (1)

    com.radiosilenceapp.nke.PrivateEye (1)

    com.intego.netbarrier.kext.monitor (480)

    com.intego.netbarrier.kext.process (480)

    com.intego.netbarrier.kext.network (480)

    com.intego.virusbarrier.kext.realtime (476)

    com.intego.Family-Protector.extension (1145)

    foo.tun (1.0)

    foo.tap (1.0)

    com.zeobit.kext.Firewall (2.3.1)

     

     

    Step 2

    After  command:

    sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

     

    com.intego.virusbarrier.daemon.realtime

    org.macosforge.xquartz.privileged_startx

    net.openvpn.client

    net.conceited.RubbernetDaemon

    com.zeobit.MacKeeper.AntiVirus

    com.stclairsoft.AppTamerAgent

    com.radiosilenceapp.nke.PrivateEye

    com.radiosilenceapp.nke

    com.oracle.java.Helper-Tool

    com.microsoft.office.licensing.helper

    com.intego.washingmachine.daemon

    com.intego.virusbarrier.daemon.scanner

    com.intego.virusbarrier.daemon

    com.intego.virusbarrier.daemon.logger

    com.intego.PersonalBackup.daemon

    com.intego.netupdate.daemon

    com.intego.netbarrier.daemon

    com.intego.netbarrier.daemon.monitor

    com.intego.netbarrier.daemon.logger

    com.intego.Family-Protector.daemon

    com.intego.commonservices.metrics.kschecker

    com.intego.commonservices.icalserver

    com.intego.commonservices.daemon.taskmanager

    com.intego.commonservices.daemon.integod

    com.delantis.TCPBlock

    com.chungwasoft.shimo.helper

    com.barebones.authd

    com.adobe.SwitchBoard

    com.adobe.fpsaud

    at.obdev.littlesnitchd

     

     

    Step 3

    After command:

    launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

     

     

    com.c-command.SpamSieve.LaunchAgent

    com.dayoneapp.dayone-agent

    J8RPQ294UB.com.skitch.SkitchHelper

    org.macosforge.xquartz.startx

    org.gpgtools.Libmacgpg.xpc

    com.oracle.java.Java-Updater

    com.maintain.SystemEvents

    com.intego.virusbarrier.alert

    com.intego.personalbackup.agent

    com.intego.netupdate.agent

    com.intego.netbarrier.alert

    com.intego.Family-Protector.agent

    com.intego.commonservices.uninstaller

    com.intego.commonservices.taskmanager

    com.intego.commonservices.integomenu

    at.obdev.LittleSnitchUIAgent

    com.zeobit.MacKeeper.Helper

    com.macpaw.CleanMyMac.volumeWatcher

    com.macpaw.CleanMyMac.trashSizeWatcher

    com.macpaw.CleanMyMac.helperTool

    com.erikhinterbichler.HeraldLaunchAgent

    com.divx.agent.postinstall

    com.adobe.ARM.df0ab5bbe6f698196fcc21e3c1e66dcb758bd911f4d637272d9d8109

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

    ca.madefresh.BodegaAgent

    ca.indev.MailTagsHelper

     

     

    Step 4

    After command: 

    ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

     

     

    /Library/Components:

    XiphQT.component

     

    /Library/Extensions:

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    Adobe AIR.framework

    AquaticPrime.framework

    AudioMixEngine.framework

    DivX Toolkit.framework

    EWSMac.framework

    IntegoiCalFramework.framework

    NetUpdateShared.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    PrivateTunnel.framework

    XSKey.framework

    iLifeFaceRecognition.framework

    iLifeSQLAccess.framework

    iLifeSlideshow.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/InputManagers:

    Ecamm

     

    /Library/Intego:

    .contentbarrier_info

    .isb6_info

    Family Protector.bundle

    IM_ObjectiveMetrics.framework

    Intego Uninstaller.app

    IntegoiCalServer

    TaskManager

    commonservices.bundle

    im_helper_tool

    im_ks_tool

    integod

    netbarrier.bundle

    netupdated.bundle

    personalbackupd.bundle

    virusbarrier.bundle

    washingmachined.bundle

     

    /Library/Internet Plug-Ins:

    AdobePDFViewer.plugin

    AdobePDFViewerNPAPI.plugin

    DivXBrowserPlugin.plugin

    Flash Player.plugin

    JavaAppletPlugin.plugin

    MeetingJoinPlugin.plugin

    OVSHelper.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    SharePointBrowserPlugin.plugin

    SharePointWebKitPlugin.webplugin

    Silverlight.plugin

    flashplayer.xpt

    googletalkbrowserplugin.plugin

    huludesktop.webplugin

    npgtpo3dautoplugin.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

    at.obdev.LittleSnitchUIAgent.plist

    com.adobe.AAM.Updater-1.0.plist

    com.intego.Family-Protector.agent.plist

    com.intego.commonservices.integomenu.plist

    com.intego.commonservices.taskmanager.plist

    com.intego.commonservices.uninstaller.plist

    com.intego.netbarrier.alert.plist

    com.intego.netupdate.agent.plist

    com.intego.personalbackup.agent.plist

    com.intego.virusbarrier.alert.plist

    com.maintain.PurgeInactiveMemory.plist

    com.maintain.SystemEvents.plist

    com.oracle.java.Java-Updater.plist

    org.gpgtools.Libmacgpg.xpc.plist

    org.macosforge.xquartz.startx.plist

     

    /Library/LaunchDaemons:

    at.obdev.littlesnitchd.plist

    com.adobe.SwitchBoard.plist

    com.adobe.fpsaud.plist

    com.apple.aelwriter.plist

    com.barebones.authd.plist

    com.chungwasoft.shimo.helper.plist

    com.delantis.TCPBlock.plist

    com.intego.Family-Protector.daemon.plist

    com.intego.PersonalBackup.daemon.plist

    com.intego.commonservices.daemon.integod.plist

    com.intego.commonservices.daemon.taskmanager.plist

    com.intego.commonservices.icalserver.plist

    com.intego.commonservices.metrics.kschecker.plist

    com.intego.netbarrier.daemon.logger.plist

    com.intego.netbarrier.daemon.monitor.plist

    com.intego.netbarrier.daemon.plist

    com.intego.netupdate.daemon.plist

    com.intego.virusbarrier.daemon.logger.plist

    com.intego.virusbarrier.daemon.plist

    com.intego.virusbarrier.daemon.scanner.plist

    com.intego.washingmachine.daemon.plist

    com.maintain.CocktailScheduler.plist

    com.microsoft.office.licensing.helper.plist

    com.oracle.java.Helper-Tool.plist

    com.radiosilenceapp.nke.PrivateEye.plist

    com.radiosilenceapp.nke.plist

    com.stclairsoft.AppTamerAgent.plist

    com.zeobit.MacKeeper.AntiVirus.plist

    net.conceited.RubbernetDaemon.plist

    net.openvpn.client.plist

    org.macosforge.xquartz.privileged_startx.plist

     

    /Library/Mail/Bundles:

    GPGMail.mailbundle

     

    /Library/PreferencePanes:

    Flash Player.prefPane

    Hosts.prefPane

    JavaControlPanel.prefPane

    LinkLiar.prefPane

    MultiBrowser.prefPane

    Perian.prefPane

     

    /Library/PrivilegedHelperTools:

    NetUpdateAgent.app

    com.barebones.authd

    com.chungwasoft.shimo.helper

    com.delantis.TCPBlock

    com.intego.washingmachine

    com.microsoft.office.licensing.helper

    com.stclairsoft.AppTamerAgent

    net.conceited.RubbernetDaemon

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AC3MovieImport.component

    AppleAVCIntraCodec.component

    AppleHDVCodec.component

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    AppleProResCodec.component

    DVCPROHDCodec.component

    DivX Decoder.component

    DivX Encoder.component

    FCP Uncompressed 422.component

    IMXCodec.component

    OggVorbis.component

    Perian.component

     

    /Library/ScriptingAdditions:

    Adobe Unit Types.osax

    BartenderHelper.osax

    TotalFinder.osax

    TotalSpaces.osax

     

    /Library/Services:

    GPGServices.service

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iBooksAuthor.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

    com.adobe.SwitchBoard.monitor.plist

     

    Library/Address Book Plug-Ins:

    AdiumAddressBookAction_AIM.scpt

    AdiumAddressBookAction_ICQ.scpt

    AdiumAddressBookAction_Jabber.scpt

    AdiumAddressBookAction_MSN.scpt

    AdiumAddressBookAction_SMS.scpt

    AdiumAddressBookAction_Yahoo.scpt

    SkypeABDialer.bundle

    SkypeABSMS.bundle

    YMsgrCallABPlugin.bundle

    YMsgrMsnABPlugin.bundle

    YMsgrSmsABPlugin.bundle

    YMsgrYimABPlugin.bundle

     

    Library/Fonts:

    [redacted by me given that the list is very long]

     

    Library/Frameworks:

    EWSMac-GC.framework

    EWSMac.framework

     

    Library/Input Methods:

    .localized

     

    Library/Internet Accounts:

    V1

     

    Library/Internet Plug-Ins:

    RealPlayer Plugin.plugin

     

    Library/Keyboard Layouts:

     

    Library/LaunchAgents:

    ca.indev.MailTagsHelper.agent.plist

    ca.madefresh.BodegaAgent.plist

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

    com.adobe.ARM.df0ab5bbe6f698196fcc21e3c1e66dcb758bd911f4d637272d9d8109.plist

    com.apple.AddressBook.ScheduledSync.ABExchangeSource.3DB3EB15-8390-4287-BF79-85D8F15074D7.plist

    com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.66DBA429-98A8-421A-8C9C-8F16E294AF66.plist

    com.c-command.SpamSieve.LaunchAgent.plist

    com.divx.agent.postinstall.plist

    com.erikhinterbichler.HeraldLaunchAgent.plist

    com.macpaw.CleanMyMac.helperTool.plist

    com.macpaw.CleanMyMac.trashSizeWatcher.plist

    com.macpaw.CleanMyMac.volumeWatcher.plist

    com.zeobit.MacKeeper.Helper.plist

     

    Library/Mail/Bundles:

    .DS_Store

    Herald.mailbundle

    MailTags.mailbundle

    SpamSieve.mailbundle

     

    Library/PreferencePanes:

    Archives.prefPane

     

    Library/Services:

    ENService.app

     

    Library/Spotlight:

    EndNote.mdimporter

     

     

    Step 5

    After command:

    osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

     

     

    Flux, iTunesHelper, iCleanMemory, Bartender, App Tamer, Clyppan, eXtra Voice Recorder, Overflow, PrivateTunnel Tray, Sparrow, TotalFinder, Cookie, OpenDNS Updater, Time Sink
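
An added example, not part of the thread and not any poster's code: one way to triage output like the post above is to cross-reference the loaded launchd labels from Step 3 against the plist names that Step 4 lists under LaunchAgents and LaunchDaemons. The sample data is a constructed excerpt copied from that post, and the function names `labels_without_plist` and `triage_sample` are hypothetical.

```shell
# Constructed sample: labels copied from the Step 3 output in the post above.
loaded_labels() {
cat <<'EOF'
com.c-command.SpamSieve.LaunchAgent
com.dayoneapp.dayone-agent
J8RPQ294UB.com.skitch.SkitchHelper
org.gpgtools.Libmacgpg.xpc
ca.indev.MailTagsHelper
EOF
}
# Constructed sample: excerpt of the Step 4 listing ("folder:" header, then entries).
step4_listing() {
cat <<'EOF'
/Library/LaunchAgents:
org.gpgtools.Libmacgpg.xpc.plist

/Library/PreferencePanes:
Hosts.prefPane
Library/LaunchAgents:
ca.indev.MailTagsHelper.agent.plist
com.c-command.SpamSieve.LaunchAgent.plist
EOF
}
# labels_without_plist LABELS LISTING: prints no-plist/name-differs rows (tab-separated)
labels_without_plist() {
    awk '
        NR == FNR {                       # first file: the ls -1A listing
            if (/:$/) { in_launch = ($0 ~ /Launch(Agents|Daemons):$/); next }
            if (in_launch && sub(/\.plist$/, "")) have[$0] = 1
            next
        }
        !NF || ($0 in have) { next }      # second file: blank or exact match
        {   # A plist file name need not equal its Label key, so try a prefix.
            for (p in have)
                if (index(p, $0 ".") == 1) {
                    print "name-differs\t" $0 "\t" p ".plist"; next
                }
            print "no-plist\t" $0
        }
    ' "$2" "$1"
}
# Run the check over the constructed samples above.
triage_sample() {
    tmp=$(mktemp -d) || return 1
    loaded_labels > "$tmp/labels"; step4_listing > "$tmp/listing"
    labels_without_plist "$tmp/labels" "$tmp/listing"
    rm -rf "$tmp"
}
triage_sample
```

On a Mac, save the output of the Step 3 and Step 4 commands to two files and pass them to `labels_without_plist`. A `no-plist` row is not by itself a sign of spyware: helper tools registered from inside an application bundle are loaded without a plist in these folders, so the row only tells you which labels to trace back to an owning application.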

  • 28. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    pittershawn Level 1 Level 1 (0 points)

    I don't mean to alarm you, but, if your ex is still finding you, also consider the possibility that he could have tapped your phone or your home. But before you consider those possibilities, try staying offline for a few days (about a week if possible) and see if he still seems to know where you are. If he does, then he hasn't only tapped into your computer. Of course, this is after removing any keyloggers. If after removing them he continues to discover your whereabouts, then try staying offline for a while as a test. Best of luck.

  • 29. Re: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!
    MsLeeSatchell Level 1 Level 1 (5 points)

    Thanks, I have a new mobile phone and no house phone but hadn't considered the house being tapped. Did you get a reply about your output? No one has got back to me. Maybe we should start a new thread?
