morning sun

Q: New Terminal Results 4 Spyware / Keylogger Detection Review

For Linc and all knowledgeable,

My MBPro webcam was taken over a few months ago and video was recorded of me without my knowledge. At the time I thought it was taken over from a website and was unaware of the potential of spyware that could be installed on my local hard drive. In just the last week I have reason to believe that there may be a keylogger on my machine recording my writing in MS Word and otherwise. All of this is part of a greater and very serious stalking/harassment/surveillance threat I'm having to face down... So I'm in the process of overhauling my entire internet/Mac security set-up. I am thankful I'm on a Mac at least...

I followed the terminal scripts that Linc posted and here is the output I got.

Thanks to Linc and all who can respond with constructive help!

Step 1

  com.microsoft.driver.MicrosoftMouse (8.2)
  com.microsoft.driver.MicrosoftMouseUSB (8.2)
  com.avg.Antivirus.OnAccess.kext (14.0)

Step 2

  com.zeobit.MacKeeper.plugin.AntiTheft.daemon
  com.raynersw.nshctldo
  com.microsoft.office.licensing.helper
  com.avg.Antivirus
  com.avg.Antivirus.infosd
  com.adobe.SwitchBoard
  com.adobe.fpsaud

Step 3

  com.zeobit.MacKeeper.plugin.AntiTheft.daemon
  com.raynersw.nshctldo
  com.microsoft.office.licensing.helper
  com.avg.Antivirus
  com.avg.Antivirus.infosd
  com.adobe.SwitchBoard
  com.adobe.fpsaud

new-host:~ MacBookPro$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

  com.extensis.FMCore
  com.avg.Antivirus
  com.adobe.CS5ServiceManager
  com.adobe.CS4ServiceManager
  com.adobe.AdobeCreativeCloud
  com.zeobit.MacKeeper.Helper
  com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
  com.adobe.AAM.Scheduler-1.0

Step 4

/Library/Components:

/Library/Extensions:

/Library/Frameworks:
  AEProfiling.framework
  AERegistration.framework
  Adobe AIR.framework
  AudioMixEngine.framework
  EWSMac.framework
  ExtensisPlugins.framework
  NyxAudioAnalysis.framework
  PluginManager.framework
  TSLicense.framework
  iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:
  AdobeAAMDetect.plugin
  AdobeExManDetect.plugin
  AdobePDFViewer.plugin
  AdobePDFViewerNPAPI.plugin
  Flash Player.plugin
  Flip4Mac WMV Plugin.plugin
  JavaAppletPlugin.plugin
  Quartz Composer.webplugin
  QuickTime Plugin.plugin
  SharePointBrowserPlugin.plugin
  SharePointWebKitPlugin.webplugin
  Silverlight.plugin
  SurveillanceClient.plugin
  flashplayer.xpt
  iPhotoPhotocast.plugin
  npContributeMac.bundle
  nsIQTScriptablePlugin.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:
  com.adobe.AAM.Updater-1.0.plist
  com.adobe.AdobeCreativeCloud.plist
  com.adobe.CS4ServiceManager.plist
  com.adobe.CS5ServiceManager.plist
  com.avg.Antivirus.gui.plist
  com.extensis.FMCore.plist

/Library/LaunchDaemons:
  com.adobe.SwitchBoard.plist
  com.adobe.fpsaud.plist
  com.avg.Antivirus.infosd.plist
  com.avg.Antivirus.services.plist
  com.microsoft.office.licensing.helper.plist
  com.raynersw.nshctldo.plist
  com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist

/Library/PreferencePanes:
  Flash Player.prefPane
  Flip4Mac WMV.prefPane
  Microsoft Mouse.prefPane

/Library/PrivilegedHelperTools:
  com.microsoft.office.licensing.helper
  com.raynersw.nshctldo

/Library/QuickLook:
  GBQLGenerator.qlgenerator
  iBooksAuthor.qlgenerator
  iWork.qlgenerator

/Library/QuickTime:
  AppleIntermediateCodec.component
  AppleMPEG2Codec.component
  Flip4Mac WMV Advanced.component
  Flip4Mac WMV Export.component
  Flip4Mac WMV Import.component
  SoundboothScoreCodec.component

/Library/ScriptingAdditions:
  Adobe Unit Types.osax

/Library/Spotlight:
  GBSpotlightImporter.mdimporter
  Microsoft Office.mdimporter
  iBooksAuthor.mdimporter
  iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:
  com.adobe.SwitchBoard.monitor.plist

Library/Extensis:
  Suitcase Fusion
  com.extensis.FMCore-LaunchInfo.conf

Library/Fonts:

Library/Frameworks:
  EWSMac.framework

Library/Input Methods:
  .localized

Library/Internet Plug-Ins:
  EMusic.plugin
  RealPlayer Plugin.plugin

Library/Keyboard Layouts:

Library/LaunchAgents:
  com.adobe.AAM.Updater-1.0.plist
  com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
  com.zeobit.MacKeeper.Helper.plist

Library/PreferencePanes:

Step 5

  iTunesHelper

Posted on Jun 28, 2014 12:57 PM
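The listings above give only the file names of the LaunchAgents and LaunchDaemons, not what each job runs, which is the thing a reviewer actually needs to judge. As an added example (not part of the post or of Linc's script), this Python script reads every plist in such a folder with plistlib and reports the Label, the program it launches and a few points worth a second look; the skip list mirrors the awk filter in the Step 3 command, while the expected-directory list and the three sample plists are assumptions constructed for the demo.

```python
import plistlib
from pathlib import Path
from tempfile import mkdtemp

# Label prefixes the awk filter in the original post discards (Apple, MIT Kerberos, X11/OpenBSD).
SKIP_PREFIXES = ("com.apple.", "edu.mit.", "org.x.", "org.openbsd.")
# Where a properly installed helper is expected to live (an assumption made for this example).
EXPECTED_DIRS = ("/System/", "/usr/", "/Library/", "/Applications/")

def summarize_plist(path):
    # Report what the job actually runs, regardless of what the plist file is called.
    with open(path, "rb") as fh:
        job = plistlib.load(fh)  # reads XML and binary plists alike
    args = job.get("ProgramArguments") or []
    info = {"file": Path(path).name, "label": job.get("Label", "<no Label>"), "args": args,
            "program": job.get("Program") or (args[0] if args else ""),
            "keep_alive": bool(job.get("KeepAlive", False))}
    info["flags"] = review_flags(info)
    return info

def review_flags(info):
    # Points a defender checks before accepting a third-party launchd item as benign.
    flags = []
    if not info["program"].startswith(EXPECTED_DIRS):
        flags.append("program outside expected directories")
    if "/." in info["program"]:
        flags.append("program lives in a hidden directory")
    if info["label"] != Path(info["file"]).stem:
        flags.append("Label does not match file name")
    if info["keep_alive"]:
        flags.append("KeepAlive set: relaunched if killed")
    return flags

def audit_dir(directory):
    # Summarize every non-Apple plist in a LaunchAgents or LaunchDaemons folder.
    jobs = (summarize_plist(p) for p in sorted(Path(directory).glob("*.plist")))
    return [j for j in jobs if not j["label"].startswith(SKIP_PREFIXES)]

def demo():
    scratch = Path(mkdtemp())  # constructed sample plists below, not from the poster's machine
    samples = {
        "com.apple.sample.plist": {"Label": "com.apple.sample", "Program": "/usr/libexec/sample"},
        "com.example.helper.plist": {"Label": "com.example.helper", "RunAtLoad": True,
            "ProgramArguments": ["/Library/PrivilegedHelperTools/com.example.helper"]},
        "com.example.updater.plist": {"Label": "com.example.updater", "KeepAlive": True,
            "ProgramArguments": ["/Users/me/.cache/updater", "--daemon"]}}
    for name, job in samples.items():
        with open(scratch / name, "wb") as fh:
            plistlib.dump(job, fh)
    return audit_dir(scratch)
```

Run `audit_dir("/Library/LaunchDaemons")` on a real Mac to get the same summary for the items in the Step 4 listing; the flags are prompts for a closer look, not a verdict.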

  • by MadMacs0, Level 5 (4,791 points), Jul 18, 2014 5:32 PM, in response to morning sun

    morning sun wrote:

    does anyone know if this is a legit AppleOS process?

    Yes, it is a CoreService of OS X, at least in Mavericks.

  • by drzaritsky, Level 1 (0 points), Jul 18, 2014 7:35 PM, in response to MadMacs0

    RESULT OF KEYLOGGING = gaining the ability to take over my machine

    take over control of the WebCam on my Mac air — I know about this because a recording was recovered using software from Stella.

    at the time I was inside a large university library to get help to erase my Mac air and reinstall OS X – worked, done by the technology support staff

    Complete control includes what's been happening with my machine, here are some issue items from my large and frightening list:

    Prevented me from listing an RV for sale:

    by degrading pictures of the RV --> solved by reverting to original photos in iPhoto

    Deleting pictures out of my iPhoto library

    Reading emails

    ---> block mail some sending to interested buyers

  • by MadMacs0, Level 5 (4,791 points), Jul 18, 2014 7:42 PM, in response to drzaritsky

    That sounds like more than just keylogging. I'd have to guess it sounds like a Remote Access Tool was installed or screen/file sharing was left on.

  • by GreenMamba, Level 1 (13 points), Desktops, Jan 17, 2016 7:33 PM, in response to thomas_r.

    Little Snitch is a great product and I use it, however it does make people who don't know how to use their terminal or aren't familiar with OS X processes a little paranoid. It even made me paranoid my first few times using it. But mainly everything Little Snitch asks for if it is in a format like that, it's ok. It's just random IPs you need to look out for. By the way most of these connections (if they were malicious) are most likely using your computer to try and infect a Windows machine. Unless you have all firewall/FileVault/protections turned off they can ssh in and maybe gain root access to your Mac if you don't have a strong password. Just my 2 cents.

    -xo

  • by Drew Reece, Level 5 (7,679 points), Notebooks, Jan 17, 2016 9:21 PM, in response to GreenMamba

    GreenMamba wrote:

    But mainly everything Little Snitch asks for if it is in a format like that, it's ok. It's just random IPs you need to look out for. By the way most of these connections (if they were malicious) are most likely using your computer to try and infect a Windows machine. Unless you have all firewall/FileVault/protections turned off they can ssh in and maybe gain root access to your Mac if you don't have a strong password. Just my 2 cents.

    You may want to read up on the OS X firewall. Applications like iTunes can open up network access (for Home Sharing etc.), if you enable those features.

    The Apple firewall will allow ports for services you enable. The same is true for other services like file sharing, screen sharing etc.

    ssh is off by default, so no one can just 'ssh in' to anything on your Mac unless an admin enables it. I doubt you can 'get root' via ssh on a default 10.11 install either (I have not tried). Some services will even request that ports are opened on the gateway (UPnP, NAT-PMP), which can make them visible to all outside the network (like game servers, BitTorrent clients etc.).

    Firewalls can be confusing because they are also used to protect networks as well as machines.

    FileVault also offers no protection against malicious software; it will still run if you opt to install malware. It just requires you to decrypt the disk to install it, which is how the Mac runs all the time when logged in. FileVault only protects data 'at rest' (when shut down).

    I'm not sure how you filter out 'random IPs' either; are you really managing every request that the Mac makes? I suspect you end up making wide exceptions to Little Snitch just to make the OS work. The trouble is that IP addresses & DNS names change hands all day long, and so much is hidden behind huge networks that you really can't tell who owns what.
