Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.


Question: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my macbook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confidant that I something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed macscan and completed a scan and it came up with nothing... I am not being paranoid my ex has basically confirmed my suspicions.

User uploaded file

MacBook Pro, Mac OS X (10.6.8)

Posted on

Question marked as Solved

Please read this whole message before doing anything.

The following procedure will help whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.

These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.

Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.

Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.

Step 1

Copy or drag — do not type — the line below into the Terminal window, then press return:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.

Step 2

Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.

Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.

Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.

Step 5

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.

You can then quit Terminal.

Posted on

Page content loaded

Jun 28, 2017 1:32 PM in response to miccat00 In response to miccat00

miccat00 wrote:

I have followed those instructions and need help understanding the results. Can you help me with this?

Linc Davis, the person to whom you have responded, no longer posts in these forums. No one else is especially conversant with his methods or able to discuss the results of following his instructions. You may be better off starting your own post.

Jun 28, 2017 1:32 PM

Reply Helpful
User profile for user: meltymax

Question: I believe that I have a keylogger or some sort of spyware installed on my mac, please help!