I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

Please read this whole message before doing anything.

The following procedure will help whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.

These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.

Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.

Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.

Step 1

Copy or drag — do not type — the line below into the Terminal window, then press return:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.

Step 2

Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.

Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.

Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.

Step 5

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.

You can then quit Terminal.

com.netralia.driver.VBMicDriver (1.0.0)

com.netralia.driver.VBSpeakerDriver (1.0.0)

second lot:

com.macpaw.CleanMyMac3.Agent

com.microsoft.office.licensing.helper

com.google.keystone.daemon

Adobe_Genuine_Software_Integrity_Service

com.adobe.SwitchBoard

com.adobe.fpsaud

com.microsoft.autoupdate.helper

I don't know what any of this means.

Step 1:

com.netralia.driver.VBMicDriver (1.0.0)

com.netralia.driver.VBSpeakerDriver (1.0.0)

Step 2:

com.epson.esua.launcher

com.paragon.ntfs.trial

com.google.keystone.system.agent

com.microsoft.Word.46892

com.google.Chrome.45756

com.microsoft.autoupdate.fba.73872

com.adobe.AAM.Scheduler-1.0

com.macpaw.CleanMyMac3.Scheduler

com.adobe.ARM.df0ab5bbe6f698196fcc21e3c1e66dcb758bd911f4d637272d9d8109

com.nvidia.CUDASoftwareUpdate

Step 3:

/Library/Components:

/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

BJUSBLoad.kext

CIJUSBLoad.kext

CalDigitHDProDrv.kext

EPSONUSBPrintClass.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext

/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

CUDA.framework

MacFUSE.framework

NyxAudioAnalysis.framework

OSXFUSE.framework

PluginManager.framework

iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:

AdobeAAMDetect.plugin

AdobeExManDetect.plugin

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Default Browser.plugin

Disabled Plug-Ins

Flash Player.plugin

JavaAppletPlugin.plugin

PepperFlashPlayer

Quartz Composer.webplugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

o1dbrowserplugin.plugin

/Library/Keyboard Layouts:

/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.epson.esua.launcher.plist

com.google.keystone.agent.plist

com.nvidia.CUDASoftwareUpdate.plist

/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.agsservice.plist

com.adobe.fpsaud.plist

com.google.keystone.daemon.plist

com.macpaw.CleanMyMac3.Agent.plist

com.microsoft.autoupdate.helper.plist

com.microsoft.office.licensing.helper.plist

/Library/PreferencePanes:

CUDA Preferences.prefPane

Flash Player.prefPane

NTFSforMacOSX.prefPane

OSXFUSE.prefPane

/Library/PrivilegedHelperTools:

com.macpaw.CleanMyMac3.Agent

com.malwarebytes.MBAMHelperTool

com.microsoft.autoupdate.helper

com.microsoft.office.licensing.helper

/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator

/Library/QuickTime:

AppleAVCIntraCodec.component

AppleHDVCodec.component

AppleIntermediateCodec copy.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

AppleMXFImport.component

AppleProResCodec.component

AvidAV1xCodec.component

AvidAVDJCodec.component

AvidAVUICodec.component

AvidAVd1Codec.component

AvidAVdnCodec.component

AvidAVdvCodec.component

AvidAVpkCodec.component

AvidAVrpCodec.component

DVCPROHDCodec.component

FCP Uncompressed 422.component

IMXCodec.component

XFMpeg2Dec.component

/Library/ScriptingAdditions:

Adobe Unit Types.osax

/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:

Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle

Library/Fonts:

.DS_Store

ADAMCGPRO - SHRENIK

ADAMCGPRO - SHRENIK.zip

California.ttf

CarrickGroovy.ttf

CatsAlphabet.ttf

DIN Font

FUTURA_BT.zip

Futura BT ƒ

Futura Font

GaramondPremierPro

Happy_brown_cat.ttf

Happy_brown_cat_shadow.ttf

Internet Fonts

Makhina

Makhina.zip

Schoolbell.ttf

Somatic-Rounded-Typeface.zip

Somatic-Rounded.otf

Tribeca.ttf

VAG Rounded

VAG Rounded Bold.ttf

VAG Rounded Light.ttf

VAG-Rounded-Std-Light_47298.ttf

badaboom_bb

california

california.zip

carbon.ttf

carrick_groovy.zip

caviar_dreams

citycontrasts

citycontrasts.zip

code

dweebogoth

dweebogoth.zip

ennobled_pet

floyd 2.TTF

floyd.TTF

floydian.zip

harlequin

harlequin.zip

incognitype

incognitype.zip

kc-fonts_black-asylum

kc-fonts_black-asylum.zip

kc-fonts_subway-novella

kc-fonts_subway-novella.zip

kenyan_coffee

kingthings_printing

kingthings_printing.zip

linowrite.ttf

lion_king.ttf

lion_king.zip

monsterama

mrsmonster.ttf

mrsmonster3d.ttf

mrsmonsterital.ttf

nexa

nexa.zip

nu_century_gothic.ttf

nu_century_gothic.zip

raleway

skater_girls_rock

skinny_notfon1234

skinny_notfon1234.zip

tabu

tabu.zip

tension-type_my-underwood

tension-type_my-underwood.zip

traveling_typewriter

tribeca.zip

truskey

truskey.zip

ufonts.com_castine-opentype.otf

uwch 2.ttf

vagroundedblacksskbold.ttf

veteran typewriter.ttf

walkway

waltographUI.ttf

youmurdererbb_reg.ttf

yourock

yourock.zip

Library/Input Methods:

.localized

Library/Internet Plug-Ins:

Library/Keyboard Layouts:

Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pt-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm

Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.ARM.df0ab5bbe6f698196fcc21e3c1e66dcb758bd911f4d637272d9d8109.plist

com.macpaw.CleanMyMac3.Scheduler.plist

Library/PreferencePanes:

Library/Services:

.localized

Last step:

CleanMyMac 3 Menu

Please note that the user that would have requested the logs you are posting, no longer posts here at ASC. Also note that this thread is old, long, and already marked as solved. If you have an issue, it may be best to create a new thread with pertinent details.

Am I infected with keylogger or something? I did the things you told. And here is the output:

Last login: Fri Jun 23 12:36:28 on ttys000

lols-MacBook-Air:~ lol$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

lols-MacBook-Air:~ lol$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'

Password:

lols-MacBook-Air:~ lol$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.google.keystone.user.agent

lols-MacBook-Air:~ lol$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:

/Library/Extensions:

/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

nsIQTScriptablePlugin.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:

/Library/LaunchDaemons:

com.apple.remotepairtool.plist

/Library/PreferencePanes:

/Library/PrivilegedHelperTools:

/Library/QuickLook:

iWork.qlgenerator

/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

/Library/ScriptingAdditions:

/Library/Spotlight:

Microsoft Office.mdimporter

iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:

Library/Fonts:

Library/Input Methods:

.localized

Library/Internet Plug-Ins:

Library/Keyboard Layouts:

Library/LaunchAgents:

com.google.keystone.agent.plist

Library/PreferencePanes:

lols-MacBook-Air:~ lol$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

lols-MacBook-Air:~ lol$ exit

logout

[Process completed]

Hi there, I have followed the first step of your advise above and the result came up as follows, which I found strange com.rim.driver.BlackBerryUSBDriverInt (0.0.67) I don't own a Black Berry at all., but I know someone who does. Do I need to be concerned, and if so, how do I remove it?

CentaurZA wrote:

Hi there, I have followed the first step of your advise above and the result came up as follows, which I found strange com.rim.driver.BlackBerryUSBDriverInt (0.0.67) I don't own a Black Berry at all., but I know someone who does. Do I need to be concerned, and if so, how do I remove it?

Linc Davis, the person to whom you have responded, no longer posts in these forums. No one else is especially conversant with his methods. You may be better off starting your own post.

I'd say you don't need to be worried about it. But, if you want it gone, you should just be able to drag it to the trash.

miccat00 wrote:

I have followed those instructions and need help understanding the results. Can you help me with this?

Linc Davis, the person to whom you have responded, no longer posts in these forums. No one else is especially conversant with his methods or able to discuss the results of following his instructions. You may be better off starting your own post.

If you end up discovering something, you should inform law enforcement and contact your lawyer. Any form of Wiretapping without consent is a crime and in some jurisdictions can carry very long sentences.

Also, use a different safe computer to reset:

- Your online banking and other financial information passwords, security questions/answers, etc.

- Your email passwords and security information

- Other similar senstitive information that might have been compromised

I'll chip in. From your results:

/Library/LaunchAgents:

com.spsecure.euseragent.plist

It's Spector Pro, monitoring software:

<Link Edited by Host>

There should be a law banning software like that - I'm sure that they fly under the parental control radar, but still...

Good find - I hope that the OP doesn't have to buy the software to uninstall it.

Clinton

Don't get rid of it at all until you have consulted a lawyer and/or informed the police. Your computer may be evidence of a crime or an actionable wrong.

When the time comes to remove it, you'll do so by backing up your data, erasing the boot volume, and restoring only your documents and settings. All your third-party software will have to be reinstalled from fresh copies.