by Linc Davis, Sep 22, 2011 3:09 PM in response to leifromglen ellyn
Open the Sharing preference pane in System Preferences. Is "Screen Sharing" enabled (checked)? If so, disable it. If not, you or someone else must have installed third-party software that allows for remote control of the screen.
-
by WZZZ, Sep 22, 2011 3:15 PM in response to leifromglen ellyn
As soon as you've got this locked up again, change all your important passwords. Do it off line.
-
by leifromglen ellyn, Sep 22, 2011 4:01 PM in response to Linc Davis
Thanks for replying! Screen sharing was not checked when that happened. Any idea about how to find where the third party software is?
-
by Linc Davis, Sep 22, 2011 4:24 PM in response to leifromglen ellyn
Third-party system modifications are a common cause of instability and poor performance. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions -- they’re easy to carry out and won’t change anything on your Mac.
Launch the Terminal application, copy or drag -- do not type -- the line of text below into the window, and press return:
kextstat -kl | awk ' !/apple/ { print $6 $7 } '
Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.)
Next, do the same thing with this line:
sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '
That's one line, not two. You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.
Next, this command:
launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '
Again, one line. Finally, one more:
ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null
Important: If you synchronize with a MobileMe account, your me.com email address will appear in the output of the above command. Change it to something like “user@me.com” before posting.
Remember, this is all drag-and-drop or copy-and-paste, whichever you prefer -- no typing, except your password.
You can then quit Terminal.
-
by leifromglen ellyn, Sep 22, 2011 5:09 PM in response to Linc Davis
Wow, that looks way pro. I followed the instructions carefully (I think) and the following would be the result:
Last login: Thu Sep 22 18:53:09 on ttys000
Lei-Duans-MacBook-Pro:~ leiduan1010$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '
Lei-Duans-MacBook-Pro:~ leiduan1010$ sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '
WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
Password:
com.microsoft.office.licensing.helper
Lei-Duans-MacBook-Pro:~ leiduan1010$ launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '
com.pando.PMB
com.macpaw.CleanMyMac.helperTool
com.google.keystone.user.agent
Lei-Duans-MacBook-Pro:~ leiduan1010$ ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null
/Library/Components:
/Library/Extensions:
/Library/Frameworks:
Adobe AIR.framework
NyxAudioAnalysis.framework
PluginManager.framework
iLifeFaceRecognition.framework
iLifeKit.framework
iLifePageLayout.framework
iLifeSQLAccess.framework
iLifeSlideshow.framework
/Library/Input Methods:
IMKQIM.app
QQInput.app
/Library/Internet Plug-Ins:
DirectorShockwave.plugin
Flash Player.plugin
JavaPlugin2_NPAPI.plugin
JavaPluginCocoa.bundle
PandoWebPlugin.plugin
Quartz Composer.webplugin
QuickTime Plugin.plugin
RealPlayer Plugin.plugin
SharePointBrowserPlugin.plugin
SharePointWebKitPlugin.webplugin
flashplayer.xpt
iPhotoPhotocast.plugin
nsIQTScriptablePlugin.xpt
/Library/LaunchAgents:
/Library/LaunchDaemons:
com.microsoft.office.licensing.helper.plist
/Library/PreferencePanes:
Fan Control.prefPane
MediaBooster.prefPane
/Library/PrivilegedHelperTools:
com.microsoft.office.licensing.helper
/Library/QuickLook:
SogouSkinPreviewer.qlgenerator
iWork.qlgenerator
/Library/QuickTime:
AppleIntermediateCodec.component
AppleMPEG2Codec.component
/Library/ScriptingAdditions:
Adobe Unit Types.osax
/Library/StartupItems:
FanControlDaemon
Library/Address Book Plug-Ins:
SkypeABDialer.bundle
SkypeABSMS.bundle
Library/Input Methods:
.localized
Library/Internet Plug-Ins:
ThunderPlugIn.plugin
Library/LaunchAgents:
com.apple.CSConfigDotMacCert-leiduan1010@me.com-SharedServices.Agent.plist
com.apple.FTMonitor.plist
com.apple.FolderActions.enabled.plist
com.apple.FolderActions.folders.plist
com.apple.imagent.plist
com.apple.marcoagent.plist
com.google.keystone.agent.plist
com.macpaw.CleanMyMac.helperTool.plist
com.pando.PMB.plist
Library/PreferencePanes:
Lei-Duans-MacBook-Pro:~ leiduan1010$
-
by Linc Davis, Sep 22, 2011 5:32 PM in response to leifromglen ellyn
I don't think it's any of that. Post the output of this command:
ps -cx
-
by leifromglen ellyn, Sep 22, 2011 5:35 PM in response to Linc Davis
PID TTY TIME CMD
101 ?? 0:00.32 launchd
105 ?? 0:14.33 Dock
106 ?? 0:03.53 SystemUIServer
107 ?? 0:09.69 Finder
111 ?? 0:00.01 pboard
114 ?? 0:01.89 fontd
116 ?? 0:02.66 quicklookd
119 ?? 0:00.07 imklaunchagent
124 ?? 0:00.81 UserEventAgent
131 ?? 0:00.47 AirPort Base Station Agent
134 ?? 0:00.37 imagent
138 ?? 0:00.67 TISwitcher
190 ?? 4:30.38 Safari
192 ?? 6:58.57 WebProcess
197 ?? 0:00.37 AppleSpell
198 ?? 0:20.31 Mail
201 ?? 0:00.01 LKDCHelper
300 ?? 4:16.32 QQ
344 ?? 0:13.42 Software Update
409 ?? 3:17.23 PluginProcess
523 ?? 0:00.04 BezelUIServer
612 ?? 0:03.31 PluginProcess
614 ?? 0:13.79 java
630 ?? 0:00.56 mdworker
675 ?? 0:05.73 QQInput
715 ?? 0:00.14 SyncServer
737 ?? 0:00.13 Terminal
738 ?? 0:00.00 (SFLIconTool)
739 ttys000 0:00.06 login
740 ttys000 0:00.00 -bash
743 ttys000 0:00.00 ps
-
by Linc Davis, Sep 22, 2011 5:55 PM in response to leifromglen ellyn
The only possibility I can see there is that you're running some kind of Java VNC server. Launch the Activity Monitor application, select "My Processes" from the popup menu in the toolbar, and enter "java" (without the quotes) in the filter box. Double-click the java process in the table. What are its parent process and open files?
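Added example, not part of the original thread: the parent-process and open-files check described above, done from Terminal instead of Activity Monitor. The sample process table is constructed, and `ancestry` and `triage_live` are hypothetical helper names; `ps -axo pid=,ppid=,comm=` and `lsof -nP -p` are the real commands they wrap.

```shell
#!/bin/sh
# Added example (not from the thread): trace a suspect process to its ancestors.

# Constructed sample in `ps -axo pid=,ppid=,comm=` layout; PIDs, paths and the
# parent/child relationships are invented for illustration.
SAMPLE_PS='    1     0 /sbin/launchd
  120     1 /sbin/launchd
  310   120 /Applications/Safari.app/Contents/MacOS/Safari
  455   310 /Applications/Example Plugin Host.app/Contents/MacOS/PluginProcess
  502   455 /usr/bin/java
  640   120 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'

# ancestry NAME: read "PID PPID EXECUTABLE" lines on stdin and print one line
# per process whose executable basename is NAME, followed by its ancestors.
ancestry() {
    awk -v want="$1" '
        {
            pid = $1; ppid[pid] = $2; exe = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", exe)  # drop PID, PPID
            sub(/.*\//, "", exe)                             # keep basename
            name[pid] = exe; order[NR] = pid
        }
        END {
            for (i = 1; i <= NR; i++) {
                p = order[i]
                if (name[p] != want) continue
                line = p ":" name[p]; q = ppid[p]; hops = 0
                # Walk up until the parent is unknown; cap hops against loops.
                while ((q in name) && hops++ < 64) {
                    line = line " <- " q ":" name[q]; q = ppid[q]
                }
                print line
            }
        }'
}

# triage_live NAME: on the Mac itself, print each match with its ancestry,
# then its open files and sockets (-n/-P keep addresses and ports numeric).
triage_live() {
    ps -axo pid=,ppid=,comm= | ancestry "$1" | while read -r chain; do
        echo "$chain"
        lsof -nP -p "${chain%%:*}" 2>/dev/null
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | ancestry java
```

On a live system, `triage_live java` prints the same chain for each running java process, followed by its `lsof` listing; a process owned by another user needs `sudo` for the open-files part.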
-
by X423424X, Sep 22, 2011 6:19 PM in response to leifromglen ellyn
Please post the output from ps ax as opposed to ps cx.
-
by MadMacs0, Sep 23, 2011 12:56 PM in response to leifromglen ellyn
It might be related to a couple of Trojans that were announced today:
F-Secure: Mac trojan posing as a PDF file
http://www.f-secure.com/weblog/archives/00002241.html
Sophos Security Blog: Mac OS X Trojan hides behind malicious PDF disguise
http://nakedsecurity.sophos.com/2011/09/23/mac-os-x-trojan-hides-behind-malicious-pdf-disguise/
MacFixIt: New OS X Trojan horse sends screenshots, files to remote servers
http://reviews.cnet.com/8301-13727_7-20110677-263/
except there should be a process called "checkvir" running.
-
by MikeMJD, Mar 10, 2012 2:35 PM in response to leifromglen ellyn
Hi there, did you find a solution in the end? I've got the same problem now... Very annoying!
Which of the above instructions should I follow?
-
by lkstevens, Oct 17, 2012 3:16 PM in response to leifromglen ellyn
Had a similar experience as well. Not sure what to do at this point either. Tempted to just format and reinstall everything.
