leifromglen ellyn

Q: My Mac just got hacked (remote controlled). Any ideas how?

Just now I was doing stuff on my MacBook Pro, and suddenly I lost control of the mouse.  The laptop barely (or even not at all) responded to my control.

Then there was somebody else controlling my mouse; my keyboard worked fine, however.  The guy hacking me looked at my mailbox, dropped a few things from the Dock, made a new folder on the desktop, and I was sitting there stunned.  Then he opened my Photo Booth and I covered my camera and force shut down my laptop.  During all that time my keyboard worked, though; I was able to quit Safari and Mail, but I couldn't stop this guy changing stuff using the mouse.

Any ideas how he did it and how I can prevent this from happening again?  Or even maybe find who did it?

MacBook Pro, Mac OS X (10.6.8)

Posted on Sep 22, 2011 3:05 PM

  • by MadMacs0,

    MadMacs0 MadMacs0 Oct 17, 2012 4:09 PM in response to lkstevens
    Level 5 (4,791 points)

    lkstevens wrote:

     

    Had a similar experience as well.  Not sure what to do at this point either.  Tempted to just format and reinstall everything.

    This topic is over a year old. Lots has changed and most of the participants have moved on to bigger and better things. You would be better served by starting with a new topic and describing what you are experiencing in detail. Unless you allowed somebody physical access to your computer, there's very little chance it was hacked.

  • by h239,

    h239 h239 Aug 7, 2014 7:24 PM in response to Linc Davis
    Level 1 (0 points)

    I really know that this could sound very weird BUT..... I have to ask someone who can advise me what to do. At this moment I am really desperate and don't know what to do anymore. I feel really scared.... And NO, I AM NOT CRAZY!

     

    I have an iMac (OS X 10.9.4). My ex owned this Mac before, and when we separated he gave it to me so our daughter can use it for school.

    Since the beginning this Mac was very slow. When I tried to erase everything, it didn't help at all; everything stayed (almost) the same.

    I am also almost sure that someone (I think my ex) automatically takes files out of my system and imports them to Windows XP or Windows 7/8 via a server (and uploads them to Dropbox??). I see weird actions in the system.log that were started by root, system.log actions like SDK Android eclipse, CVMserver, AirplayUIAgent, accountsd, airportd, diskarbitrationd, hid, networkd_priviledged, UserEventAgent.... and more stuff like that, all in the 'root'  etc. etc.

    When my Mac is getting slow and making weird sounds in the background, I instantly turn off my Mac. After a couple of hours I start up again but

    And I strongly feel that he also has installed a keylogger, even when I try to delete something what I didn't  (when I log in on the Rude software to watch on my webcam, does a lot of streaming and cloudprinting is also installed (I didn't do that).


    Do you know how I can check if this all is true?

    Can I find out what is exported and where to?

    How can I stop this?

  • by MadMacs0,

    MadMacs0 MadMacs0 Aug 7, 2014 9:34 PM in response to h239
    Level 5 (4,791 points)

    Linc almost never responds to requests and with this being a three year old thread, almost nobody is following it any more. I'm surprised to see that I am.

     

    If you didn't find anything here to help you then you need to start a new discussion topic in order for Linc and other troubleshooters to even notice your question.

     

    That being said, it would be almost impossible for anybody here to help you with this particular problem. It's a law enforcement issue that requires the services of a highly trained forensic IT person to tell you for certain what is going on. You should be contacting the police, not discussing it here.

     

    If you don't care about the legal aspects of this issue then simply backup any user files you need, erase the hard drive and re-install the OS and any third party applications you need from original, trusted sources. If the computer has been compromised, there is no other way to be certain to have removed any unwanted processes/applications.

  • by h239,

    h239 h239 Aug 8, 2014 2:13 AM in response to MadMacs0
    Level 1 (0 points)

    Ok thank you!

    I do care about the legal aspects, so I'll go to the police. That's the best thing I can do....

  • by Macfool-1,

    Macfool-1 Macfool-1 Sep 22, 2014 11:32 AM in response to Linc Davis
    Level 1 (8 points)
    Mac App Store

    How to delete it if there was one .. knowing that my Mac OS X is down and I'm just using Safari from the utilities pan ????

  • by Macfool-1,

    Macfool-1 Macfool-1 Sep 22, 2014 11:43 AM in response to Macfool-1
    Level 1 (8 points)
    Mac App Store

    What if it was a corrupted****** who works in the police who is doing that ???

     

    <Edited by Host>

  • by HackedUser123,

    HackedUser123 HackedUser123 Mar 19, 2015 7:16 PM in response to Linc Davis
    Level 1 (0 points)

    This is what my computer says

     

    mv: rename /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component to  /Users/YourName/Desktop: No such file or directory

    Tylers-MacBook-Pro:~ jdub$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '

    com.trendmicro.kext.filehook(1.5.0)

    com.trendmicro.kext.KERedirect(1.0.0)

    Tylers-MacBook-Pro:~ jdub$ sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '

    com.trendmicro.tmsm.plugin

    com.trendmicro.icore.wp

    com.trendmicro.icore.main

    com.trendmicro.icore.av

    com.trendmicro.tmsm.launcher

    Tylers-MacBook-Pro:~ jdub$ launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '

    com.trendmicro.TM.TmLoginMgr.16788

    Tylers-MacBook-Pro:~ jdub$ ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

    ACS6x.kext

    ATTOCelerityFC8.kext

    ATTOExpressSASHBA2.kext

    ATTOExpressSASRAID2.kext

    ArcMSR.kext

    CalDigitHDProDrv.kext

    HighPointIOP.kext

    HighPointRR.kext

    PromiseSTEX.kext

    SoftRAID.kext

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    TMAppCommon.framework

    TMAppCore.framework

    TMGUIUtil.framework

    iCoreClient.framework

    iCoreClientPb.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    Default Browser.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    nsIQTScriptablePlugin.xpt

     

    /Library/LaunchAgents:

     

    /Library/LaunchDaemons:

    com.trendmicro.icore.av.plist

    com.trendmicro.icore.main.plist

    com.trendmicro.icore.wp.plist

    com.trendmicro.tmsm.launcher.plist

    com.trendmicro.tmsm.plugin.plist

     

    /Library/PreferencePanes:

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

     

    /Library/ScriptingAdditions:

     

    /Library/StartupItems:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

     

    Library/LanguageModeling:

    en-dynamic.lm

    es-dynamic.lm

    nl-dynamic.lm

     

    Library/PreferencePanes:

    Tylers-MacBook-Pro:~ jdub$

  • by MadMacs0,

    MadMacs0 MadMacs0 Mar 19, 2015 10:05 PM in response to HackedUser123
    Level 5 (4,791 points)

    I guess you didn't read my earlier post to this more than three year old topic, but you are wasting your time with this posting. We don't even know what your problem is, nor do we understand most of what your posting means! I'd also have to guess that I may be the only person still reading this discussion and I'm certainly not sure why I didn't unfollow a long time ago.

     

    If you can't find the information you need already posted to this topic, then you need to start a new discussion item with a detailed description of your situation, starting with what makes you believe you have been hacked. That way you will attract many more troubleshooters faster. That's just the way this forum works.

  • by psiguy,

    psiguy psiguy May 24, 2015 3:20 PM in response to Linc Davis
    Level 1 (0 points)

    I have definitely been "hacked" -- the perp had physical access to my machine (for a few min), installed some remote Windows software, and is supremely capable.

    Here is the output from the commands you recommended. Any help would be greatly appreciated. Thnx.



    Last login: Sun May 24 18:08:43 on console

    [Qbit:torrey  W] -> kextstat -kl | awk ' !/apple/ { print $6 $7 } '

    org.virtualbox.kext.VBoxDrv(4.3.28)

    org.virtualbox.kext.VBoxUSB(4.3.28)

    org.virtualbox.kext.VBoxNetFlt(4.3.28)

    org.virtualbox.kext.VBoxNetAdp(4.3.28)

    [Qbit:torrey  W] -> sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '

     

    WARNING: Improper use of the sudo command could lead to data loss

    or the deletion of important system files. Please double-check your

    typing when using sudo. Type "man sudo" for more information.

     

    To proceed, enter your password, or type Ctrl-C to abort.

     

    Password:

    Sorry, try again.

    Password:

    Sorry, try again.

    Password:

    torrey is not in the sudoers file.  This incident will be reported.

    [Qbit:torrey  W] -> launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '

    com.google.Chrome.46608

    com.oracle.java.Java-Updater

    com.google.keystone.user.agent

    [Qbit:torrey  W] -> ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

    ACS6x.kext

    ATTOCelerityFC8.kext

    ATTOExpressSASHBA2.kext

    ATTOExpressSASRAID2.kext

    ArcMSR.kext

    CalDigitHDProDrv.kext

    HighPointIOP.kext

    HighPointRR.kext

    PromiseSTEX.kext

    SoftRAID.kext

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    AquaTerm.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    Default Browser.plugin

    JavaAppletPlugin.plugin

    Quartz Composer.webplugin

    QuickTime Plugin.plugin

    SharePointBrowserPlugin.plugin

    SharePointWebKitPlugin.webplugin

    nsIQTScriptablePlugin.xpt

     

    /Library/LaunchAgents:

    com.oracle.java.Java-Updater.plist

    org.macosforge.xquartz.startx.plist

     

    /Library/LaunchDaemons:

    com.apple.spirecorder.plist

    com.macromates.auth_server.plist

    com.microsoft.office.licensing.helper.plist

    com.oracle.java.Helper-Tool.plist

    org.macosforge.xquartz.privileged_startx.plist

    org.virtualbox.startup.plist

     

    /Library/PreferencePanes:

    JavaControlPanel.prefPane

    TeXDistPrefPane.prefPane

     

    /Library/PrivilegedHelperTools:

    com.macromates.auth_server

    com.microsoft.office.licensing.helper

    com.microsoft.office.licensingV2.helper

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

     

    /Library/ScriptingAdditions:

     

    /Library/StartupItems:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

     

    Library/LanguageModeling:

    da-dynamic.lm

    en-dynamic.lm

     

    Library/LaunchAgents:

    com.google.keystone.agent.plist

     

    Library/PreferencePanes:

    [Qbit:torrey  W] -> ps -cx

      PID TTY           TIME CMD

      197 ??         0:07.04 distnoted

      225 ??         0:01.19 tccd

      226 ??         0:01.10 pkd

      229 ??         0:00.22 secd

      259 ??         0:00.13 IMDPersistenceAgent

      271 ??         0:00.05 CloudKeychainProxy

      272 ??         0:04.58 secinitd

      282 ??         0:00.13 com.apple.InputMethodKit.UserDictionary

      310 ??         0:00.35 mdflagwriter

      388 ??         0:00.17 mdworker

      520 ??         0:00.34 com.apple.CloudPhotosConfiguration

      564 ??         0:00.20 com.apple.CoreSimulator.CoreSimulatorService

      608 ??         0:00.36 com.apple.speech.speechsynthesisd

    6826 ??         0:00.04 DataDetectorsDynamicData

    7865 ??         0:00.04 com.apple.appstore.PluginXPCService

    7875 ??         0:05.28 mdworker

    7876 ??         0:05.87 mdworker

    7878 ??         0:05.83 mdworker

    7880 ??         0:06.05 mdworker

    7908 ??         0:00.04 com.apple.BKAgentService

    8105 ??         0:02.91 cfprefsd

    8800 ??         0:00.04 com.apple.sbd

    9407 ??         0:00.39 UserEventAgent

    9411 ??         0:00.84 Dock

    9412 ??         0:00.94 SystemUIServer

    9413 ??         0:00.41 Finder

    9415 ??         0:00.01 pboard

    9418 ??         0:00.19 cloudd

    9419 ??         0:00.03 nsurlsessiond

    9420 ??         0:00.52 Spotlight

    9421 ??         0:00.47 fontd

    9423 ??         0:00.06 bird

    9424 ??         0:00.06 accountsd

    9425 ??         0:00.27 usernoted

    9426 ??         0:00.03 com.apple.wifi.proxy

    9427 ??         0:00.21 sharingd

    9431 ??         0:00.58 identityservicesd

    9432 ??         0:01.37 SpotlightNetHelper

    9433 ??         0:00.02 iconservicesagent

    9434 ??         0:00.01 spindump_agent

    9436 ??         0:00.03 SocialPushAgent

    9438 ??         0:00.10 Keychain Circle Notification

    9441 ??         0:00.71 NotificationCenter

    9443 ??         0:00.17 AppleIDAuthAgent

    9445 ??         0:00.41 CalendarAgent

    9447 ??         0:00.04 askpermissiond

    9448 ??         0:00.11 imagent

    9449 ??         0:00.06 cloudpaird

    9450 ??         0:00.02 helpd

    9452 ??         0:00.08 WiFiAgent

    9453 ??         0:00.07 diagnostics_agent

    9455 ??         0:00.18 soagent

    9459 ??         0:00.04 iTunesHelper

    9460 ??         0:00.08 lsuseractivityd

    9461 ??         0:00.19 com.apple.dock.extra

    9462 ??         0:00.55 nsurlstoraged

    9463 ??         0:00.06 CallHistorySyncHelper

    9464 ??         0:00.04 mapspushd

    9465 ??         0:00.10 fmfd

    9466 ??         0:00.30 storeaccountd

    9467 ??         0:00.08 com.apple.iCloudHelper

    9468 ??         0:00.04 CallHistoryPluginHelper

    9469 ??         0:00.17 CalNCService

    9471 ??         0:00.21 callservicesd

    9476 ??         0:00.04 pbs

    9477 ??         0:00.02 AppleSpell

    9487 ??         0:00.03 storelegacy

    9488 ??         0:00.26 storeassetd

    9489 ??         0:00.06 LaterAgent

    9490 ??         0:00.09 CoreServicesUIAgent

    9491 ??         0:00.04 storedownloadd

    9493 ??         0:18.18 Google Chrome

    9496 ??         0:00.01 crashpad_handler

    9498 ??         0:05.75 Google Chrome Helper

    9500 ??         0:00.02 VTDecoderXPCService

    9502 ??         0:00.63 Google Chrome Helper

    9509 ??         0:00.63 mdworker

    9511 ??         0:14.76 Google Chrome Helper

    9515 ??         0:01.99 Terminal

    9537 ??         0:00.15 cloudphotosd

    9538 ??         0:00.03 photolibraryd

    9517 ttys000    0:00.02 login

    9518 ttys000    0:00.02 -bash

    9543 ttys000    0:00.00 ps

    [Qbit:torrey  W] ->

  • by MadMacs0,

    MadMacs0 MadMacs0 May 24, 2015 3:38 PM in response to psiguy
    Level 5 (4,791 points)

    Please read my post immediately above yours. Nobody else seems to be following this over 3-½ year old topic and I can't properly interpret what you posted.

     

    Start a new discussion topic with only the description of what you know and have observed for yourself. I'm sure the diagnostics Linc gave have changed after all this time and you need to be logged in as admin in order to properly run them.

     

    That being said, if you plan on pursuing this from a legal standpoint then you need to take your computer to the authorities in your area and have it forensically examined by a qualified law enforcement tech. Once you allowed physical access, most anything could have been done to it and it probably won't be obvious to any of us.

  • by chef_ack,

    chef_ack chef_ack Jan 1, 2016 3:26 AM in response to lkstevens
    Level 1 (0 points)

    Last login: Fri Jan  1 18:12:42 on console

    alvins-iMac:~ alvinchuakwan$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '

    com.logmein.driver.LogMeInSoundDriver(1.0.3)

    alvins-iMac:~ alvinchuakwan$

    alvins-iMac:~ alvinchuakwan$ sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '

    Password:

    Sorry, try again.

    Password:

    com.tvmobili.tvmobilisvcd

    com.microsoft.office.licensing.helper

    com.google.keystone.daemon

    com.oracle.java.Helper-Tool

    com.adobe.SwitchBoard

    com.logmein.raupdate

    com.adobe.fpsaud

    alvins-iMac:~ alvinchuakwan$ launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '

    com.fiplab.converto.82272

    com.cherpake.Remote-for-Mac-Server.22112

    com.google.keystone.system.agent

    com.google.Chrome.25632

    com.valvesoftware.steamclean

    cn.com.zte.usbswapper.plist

    com.adobe.CS5ServiceManager

    com.adobe.AAM.Scheduler-1.0

    com.oracle.java.Java-Updater

    com.tvmobili.artwork

    com.fiplab.ConvertoHelper

    com.spotify.webhelper

    com.spigot.ApplicationManager

    alvins-iMac:~ alvinchuakwan$ ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

    ACS6x.kext

    ATTOCelerityFC8.kext

    ATTOExpressSASHBA2.kext

    ATTOExpressSASRAID2.kext

    ArcMSR.kext

    CalDigitHDProDrv.kext

    HighPointIOP.kext

    HighPointRR.kext

    PromiseSTEX.kext

    SoftRAID.kext

    hp_io_enabler_compound.kext

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    Adobe AIR.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    Default Browser.plugin

    Disabled Plug-Ins

    Flash Player.plugin

    JavaAppletPlugin.plugin

    LogMeIn.plugin

    LogMeInSafari32.plugin

    Quartz Composer.webplugin

    SharePointBrowserPlugin.plugin

    SharePointWebKitPlugin.webplugin

    Unity Web Player.plugin

    Unused

    flashplayer.xpt

    npContributeMac.bundle

     

    /Library/LaunchAgents:

    SwapperUFi.plist

    cn.com.zte.usbswapper.plist

    com.adobe.AAM.Updater-1.0.plist

    com.adobe.CS5ServiceManager.plist

    com.google.keystone.agent.plist

    com.logmein.logmeingui.plist

    com.logmein.logmeinguiagent.plist

    com.logmein.logmeinguiagentatlogin.plist

    com.oracle.java.Java-Updater.plist

    com.tvmobili.artwork.plist

    org.chromium.chromoting.plist

    org.macosforge.xquartz.startx.plist

     

    /Library/LaunchDaemons:

    com.adobe.SwitchBoard.plist

    com.adobe.fpsaud.plist

    com.google.keystone.daemon.plist

    com.logmein.logmeinblanker.plist

    com.logmein.logmeinserver.plist

    com.logmein.raupdate.plist

    com.microsoft.office.licensing.helper.plist

    com.oracle.java.Helper-Tool.plist

    com.tvmobili.tvmobilisvcd.plist

    org.macosforge.xquartz.privileged_startx.plist

     

    /Library/PreferencePanes:

    ChromeRemoteDesktop.prefPane

    Flash Player.prefPane

    Growl.prefPane

    JavaControlPanel.prefPane

     

    /Library/PrivilegedHelperTools:

    ChromeRemoteDesktopHost.bundle

    com.genieoinnovation.macextension.client

    com.microsoft.office.licensing.helper

    org.chromium.chromoting.json

    org.chromium.chromoting.me2me.sh

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    SoundboothScoreCodec.component

     

    /Library/ScriptingAdditions:

    Adobe Unit Types.osax

     

    /Library/StartupItems:

     

    Library/Address Book Plug-Ins:

    SkypeABDialer.bundle

    SkypeABSMS.bundle

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

    BlueStacks Install Detector.plugin

    RealPlayer Plugin.plugin

     

    Library/LanguageModeling:

    da-dynamic.lm

    de-dynamic.lm

    en-dynamic.lm

    es-dynamic.lm

    fi-dynamic.lm

    fr-dynamic.lm

    it-dynamic.lm

    nb-dynamic.lm

    nl-dynamic.lm

    pl-dynamic.lm

    pt-dynamic.lm

    sv-dynamic.lm

    tr-dynamic.lm

     

    Library/LaunchAgents:

    com.adobe.AAM.Updater-1.0.plist

    com.spigot.ApplicationManager.plist

    com.spotify.webhelper.plist

    com.valvesoftware.steamclean.plist

     

    Library/PreferencePanes:

    alvins-iMac:~ alvinchuakwan$
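
Listings like the one above are easier to read once the remote-access entries are separated from the rest. The script below is an added example, not part of any post in this thread: it normalizes identifiers from the `kextstat`, `launchctl` and `ls` output and flags those belonging to the remote-control products that appear in the listing above. The function names are hypothetical and the sample lines are copied from that listing; a flagged entry only means the product is installed, and the question is whether the owner installed it.

```shell
#!/bin/sh
# Added example: triage of the diagnostic listings quoted in this thread.
# Function names are hypothetical; the product table covers only the
# remote-access software that appears in the listing above.

# The three commands decorate identifiers differently:
#   kextstat   -> com.vendor.driver(1.0.3)      (version suffix)
#   launchctl  -> com.vendor.App.22112          (PID suffix on app jobs)
#   ls         -> com.vendor.agent.plist        (file extension)
# Strip those so one pattern matches every form of the same identifier.
normalize() {
  sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/\([^)]*\)$//; s/\.plist$//; s/\.[0-9]{3,}$//'
}

# Print the product name for a known remote-access identifier,
# or return non-zero if the identifier is not in the table.
classify() {
  case "$1" in
    com.logmein.*|LogMeIn*)                        echo "LogMeIn" ;;
    org.chromium.chromoting*|ChromeRemoteDesktop*) echo "Chrome Remote Desktop" ;;
    com.cherpake.Remote-for-Mac-Server*)           echo "Remote for Mac" ;;
    *) return 1 ;;
  esac
}

# Read identifiers on stdin, one per line; write "product<TAB>identifier"
# for each distinct identifier that matches the table.
flag_remote_access() {
  normalize | LC_ALL=C sort -u | while IFS= read -r id; do
    [ -n "$id" ] || continue
    if product=$(classify "$id"); then
      printf '%s\t%s\n' "$product" "$id"
    fi
  done
}

# Sample input: lines copied from the listing above (kext, launchd jobs,
# LaunchAgents/LaunchDaemons files, one preference pane).
sample_listing() {
  cat <<'EOF'
com.logmein.driver.LogMeInSoundDriver(1.0.3)
com.logmein.raupdate
com.cherpake.Remote-for-Mac-Server.22112
com.google.Chrome.25632
com.adobe.AAM.Updater-1.0.plist
com.logmein.logmeinserver.plist
org.chromium.chromoting.plist
ChromeRemoteDesktop.prefPane
com.spotify.webhelper
com.logmein.raupdate.plist
EOF
}

sample_listing | flag_remote_access
```

On a Mac the same function can be fed directly, for example `launchctl list | sed 1d | awk '{ print $3 }' | flag_remote_access`. The `awk` filters used in this thread drop every line containing "apple", so the built-in Screen Sharing and Remote Management services never show up in these listings and have to be checked separately in System Preferences > Sharing.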

  • by MadMacs0,

    MadMacs0 MadMacs0 Jan 1, 2016 3:56 AM in response to chef_ack
    Level 5 (4,791 points)

    Please read my post immediately above yours. Nobody else seems to be following this over 4-½ year old topic and I can't properly interpret what you posted.

     

    Start a new discussion topic with only the description of what you know and have observed for yourself. I'm sure the diagnostics Linc gave have changed after all this time and you need to be logged in as admin in order to properly run them.

     

    That being said, if you plan on pursuing this from a legal standpoint then you need to take your computer to the authorities in your area and have it forensically examined by a qualified law enforcement tech. Once you allowed physical access, most anything could have been done to it and it probably won't be obvious to any of us.

  • by MatiZu,

    MatiZu MatiZu Aug 25, 2016 3:26 AM in response to Linc Davis
    Level 1 (12 points)
    Desktops

    I followed the instructions. Could you please check the results for me? Are there more ways of checking if the Mac was hacked? Thank you.

    Last login: Thu Aug 25 08:49:57 on console
    Matyldas-iMac:~ MatiZu$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '
    Matyldas-iMac:~ MatiZu$
    Matyldas-iMac:~ MatiZu$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '
    Matyldas-iMac:~ MatiZu$
    Matyldas-iMac:~ MatiZu$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '
    Matyldas-iMac:~ MatiZu$
    Matyldas-iMac:~ MatiZu$ sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '

    Password:
    com.adobe.fpsaud
    Matyldas-iMac:~ MatiZu$ launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '
    Matyldas-iMac:~ MatiZu$ ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null
    /Library/Components:

    /Library/Extensions:
    ACS6x.kext
    ATTOCelerityFC8.kext
    ATTOExpressSASHBA2.kext
    ATTOExpressSASRAID2.kext
    ArcMSR.kext
    CalDigitHDProDrv.kext
    HighPointIOP.kext
    HighPointRR.kext
    PromiseSTEX.kext
    SoftRAID.kext

    /Library/Frameworks:
    AEProfiling.framework
    AERegistration.framework
    AudioMixEngine.framework
    NyxAudioAnalysis.framework
    PluginManager.framework
    iTunesLibrary.framework

    /Library/Input Methods:

    /Library/Internet Plug-Ins:
    Default Browser.plugin
    Flash Player.plugin
    Quartz Composer.webplugin
    QuickTime Plugin.plugin
    flashplayer.xpt
    nsIQTScriptablePlugin.xpt

    /Library/LaunchAgents:

    /Library/LaunchDaemons:
    com.adobe.fpsaud.plist

    /Library/PreferencePanes:
    Flash Player.prefPane

    /Library/QuickLook:
    iBooksAuthor.qlgenerator
    iWork.qlgenerator

    /Library/QuickTime:
    AppleIntermediateCodec.component
    AppleMPEG2Codec.component

    /Library/ScriptingAdditions:

    /Library/StartupItems:

    Library/Input Methods:
    .localized

    Library/Internet Plug-Ins:

    Library/LanguageModeling:
    en-dynamic.lm

    Library/PreferencePanes:
    Matyldas-iMac:~ MatiZu$ ps -cx
      PID TTY           TIME CMD
      218 ??         0:01.17 cfprefsd
      219 ??         0:00.56 UserEventAgent
      221 ??         0:01.39 distnoted
      224 ??         0:02.00 Dock
      226 ??         0:03.72 SystemUIServer
      227 ??         0:14.67 Finder
      233 ??         0:00.01 pboard
      234 ??         0:00.34 Spotlight
      235 ??         0:01.35 fontd
      238 ??         0:00.06 bird
      239 ??         0:00.22 usernoted
      242 ??         0:00.20 com.apple.wifi.proxy
      243 ??         0:00.25 SpotlightNetHelper
      244 ??         0:00.56 sharingd
      245 ??         0:00.12 tccd
      246 ??         0:00.88 lsuseractivityd
      247 ??         0:00.18 iconservicesagent
      248 ??         0:00.26 pkd
      250 ??         0:14.59 nsurlstoraged
      251 ??         0:00.14 com.apple.dock.extra
      252 ??         0:00.56 identityservicesd
      253 ??         0:00.03 spindump_agent
      255 ??         0:00.02 SocialPushAgent
      257 ??         0:00.07 Keychain Circle Notification
      260 ??         0:00.59 NotificationCenter
      262 ??         0:00.18 AppleIDAuthAgent
      264 ??         0:00.51 CalendarAgent
      266 ??         0:00.03 askpermissiond
      267 ??         0:00.10 imagent
      268 ??         0:00.05 cloudpaird
      271 ??         0:00.09 WiFiAgent
      272 ??         0:00.14 diagnostics_agent
      274 ??         0:00.12 soagent
      275 ??         0:01.09 storeaccountd
      280 ??         0:00.05 CallHistorySyncHelper
      281 ??         0:00.03 mapspushd
      282 ??         0:00.06 fmfd
      283 ??         0:01.48 secinitd
      284 ??         0:00.03 IMDPersistenceAgent
      286 ??         0:00.03 CallHistoryPluginHelper
      287 ??         0:00.03 secd
      288 ??         0:00.12 CalNCService
      289 ??         0:00.06 accountsd
      293 ??         0:00.05 pbs
      294 ??         0:00.86 AppleSpell
      296 ??         0:00.03 com.apple.InputMethodKit.UserDictionary
      312 ??         0:00.02 storelegacy
      314 ??         0:00.59 storeassetd
      315 ??         0:00.08 LaterAgent
      316 ??         0:00.12 CoreServicesUIAgent
      318 ??         0:00.11 storedownloadd
      342 ??         0:00.29 cloudphotosd
      343 ??         0:00.09 com.apple.CloudPhotosConfiguration
      344 ??         0:00.03 photolibraryd
      350 ??         2:33.78 Safari
      353 ??         1:20.87 com.apple.WebKit.Networking
      356 ??         0:00.10 AirPlayUIAgent
      358 ??         0:00.28 cloudd
      361 ??         0:00.02 nsurlsessiond
      377 ??         0:00.11 SafariNotificationAgent
      387 ??         0:00.03 com.apple.NotesMigratorService
      407 ??         0:03.25 com.apple.Safari.SearchHelper
      419 ??         0:00.16 callservicesd
      668 ??         0:00.01 mdflagwriter
      678 ??         3:28.43 com.apple.WebKit.WebContent
      692 ??         0:00.02 DataDetectorsDynamicData
      695 ??         0:00.01 helpd
      728 ??         2:14.97 com.apple.WebKit.WebContent
      729 ??         0:00.01 com.apple.audio.SandboxHelper
      730 ??         0:00.03 com.apple.audio.ComponentHelper
      736 ??         0:00.83 nbagent
      738 ??         0:00.47 installd
     1076 ??         0:00.16 com.apple.CommerceKit.TransactionService
     1089 ??         0:00.03 mdworker
     1149 ??         0:00.21 storeuid
     1151 ??         0:00.01 com.apple.appstore.PluginXPCService
     1169 ??         0:16.02 com.apple.WebKit.WebContent
     1171 ??         0:00.02 mdworker
     1172 ??         0:00.03 mdworker
     1179 ??         0:00.02 mdworker
     1189 ??         0:02.68 Terminal
     1191 ttys000    0:00.04 login
     1192 ttys000    0:00.02 -bash
     1210 ttys000    0:00.00 ps
    Matyldas-iMac:~ MatiZu$

  • by MadMacs0,

    MadMacs0 MadMacs0 Aug 25, 2016 5:08 AM in response to MatiZu
    Level 5 (4,791 points)

    Nobody else seems to be following this over 5 year old topic and I can't properly interpret what you posted.

     

    Start a new discussion topic with only the description of what you know and have observed for yourself without anything else until asked for. I'm sure the diagnostics Linc gave have changed after all this time.
