You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my macbook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confidant that I something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed macscan and completed a scan and it came up with nothing... I am not being paranoid my ex has basically confirmed my suspicions.




User uploaded file

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 26, 2012 6:41 PM

Reply
Question marked as Top-ranking reply

Posted on Aug 26, 2012 8:05 PM

Please read this whole message before doing anything.


The following procedure will help whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Copy or drag — do not type — the line below into the Terminal window, then press return:


kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.


Step 2


Repeat with this line:


sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3


launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


Step 4


ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5


osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.


You can then quit Terminal.

136 replies

Aug 21, 2013 8:18 AM in response to NY Jetman

I would recommend staying away from scanning software that you get from a thrid party vendor. Mac's are designed to "repair" themselves. If you are wanting to have your system checked I would recommend finding an Apple authorized place to do that or take it to the Apple store. These online softwares are okay, but why take your Mercedez to a guy who works on Chevy's? Get what I mean.

Aug 25, 2013 2:43 PM in response to meltymax

i also think i may have a keylogger on ym mac as someone tried to log into my facebook account from a country i have never been to.

can someone check to see if there is anything on my mac

out put after 1:

com.rim.driver.BlackBerryUSBDriverInt (0.0.74)

com.rim.driver.BlackBerryUSBDriverVSP (0.0.74)


output after 2:

com.rim.BBDaemon

com.mac.adg.SquidMan

com.adobe.fpsaud


outputafter 3:

com.rim.BBLaunchAgent

com.rim.RimAlbumArtDaemon

com.spotify.webhelper

com.pando.PMB

com.google.keystone.user.agent

com.codecm.uploader

com.valvesoftware.steamclean

com.google.Chrome.framework.service_process/Users/samuelheller/Library/Applicati on_Support/Google/Chrome

com.valvesoftware.steam.ipctool


output after 4:

/Library/Components:



/Library/Extensions:



/Library/Frameworks:

Adobe AIR.framework

DivX Toolkit.framework

NyxAudioAnalysis.framework

PluginManager.framework

RIM_VSP.framework

RimBlackBerryUSB.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

DirectorShockwave.plugin

DivXBrowserPlugin.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

NP-PPC-Dir-Shockwave

OVSHelper.plugin

OfficeLiveBrowserPlugin.plugin

PandoWebPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

Unity Web Player.plugin

Unused

flashplayer.xpt

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt



/Library/Internet Plug-Ins (Disabled):

Flash Player.plugin



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.rim.BBAlbumArtCacher.plist

com.rim.BBLaunchAgent.plist



/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.apple.third_party_32b_kext_logger.plist

com.mac.adg.SquidMan.plist

com.rim.BBDaemon.plist



/Library/PreferencePanes:

DivX.prefPane

Flash Player.prefPane

MediaBooster.prefPane



/Library/PrivilegedHelperTools:

com.mac.adg.SquidMan



/Library/QuickLook:

GBQLGenerator.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

DivX Decoder.component

DivX Encoder.component



/Library/Spotlight:

AppleWorks.mdimporter

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:

dashboardadvisoryd.plist



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Plug-Ins:



Library/Keyboard Layouts:



Library/LaunchAgents:

.DS_Store

com.apple.FTMonitor.plist

com.apple.FolderActions.enabled.plist

com.apple.FolderActions.folders.plist

com.apple.imagent.plist

com.apple.marcoagent.plist

com.codecm.uploader.plist

com.google.keystone.agent.plist

com.pando.PMB.plist

com.spotify.webhelper.plist

com.valvesoftware.steamclean.plist



Library/PreferencePanes:


output after 5: Skype, SpeechSynthesisServer, iTunesHelper, Steam, Spotify, Android File Transfer Agent

Sep 7, 2013 7:23 PM in response to Linc Davis

Please if you read this could you please help me too?? I also have the same problem and have followed your instructions and would like to post my findings so you can help me with the outputs I recieved...I am desperate trying to sort out a series of very mysterious happenig in my life right now which are driving me crazy....thank you.

Sep 8, 2013 9:08 AM in response to Linc Davis

If you can please help me....this is what I got..please.


Output after 1st:

localhost:~ lamalika$


Output after 2nd

  1. com.google.keystone.daemon
  2. com.adobe.fpsaud


Output after 3rd

com.google.keystone.system.agent


Output after 4th

localhost:~ lamalika$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

  1. NyxAudioAnalysis.framework
  2. PluginManager.framework
  3. TSLicense.framework
  4. iLifeFaceRecognition.framework
  5. iLifeKit.framework
  6. iLifePageLayout.framework
  7. iLifeSQLAccess.framework
  8. iLifeSlideshow.framework
  9. iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

CitrixICAClientPlugIn.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

OfficeLiveBrowserPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

Unity Web Player.plugin

Unused

  1. flashplayer.xpt
  2. googletalkbrowserplugin.plugin
  3. iPhotoPhotocast.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.google.keystone.agent.plist


/Library/LaunchDaemons:

  1. com.adobe.fpsaud.plist
  2. com.apple.third_party_32b_kext_logger.plist
  3. com.google.keystone.daemon.plist


/Library/PreferencePanes:

Citrix online plug-in.prefPane

Flash Player.prefPane

Flip4Mac WMV.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

  1. GBQLGenerator.qlgenerator
  2. iWork.qlgenerator


/Library/QuickTime:

AC3MovieImport.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component

Perian.component


/Library/Spotlight:

  1. AppleWorks.mdimporter
  2. GBSpotlightImporter.mdimporter
  3. LogicPro.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

  1. SkypeABDialer.bundle
  2. SkypeABSMS.bundle
  3. YMsgrCallABPlugin.bundle
  4. YMsgrMsnABPlugin.bundle
  5. YMsgrSmsABPlugin.bundle
  6. YMsgrYimABPlugin.bundle


Library/Fonts:


Library/Frameworks:

  1. SamsungKiesFoundation.framework
  2. SamsungKiesSerialPort.framework


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

.DS_Store

KickStartPlugIn64.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

  1. com.apple.CSConfigDotMacCert-***-SharedServices.Agent.plist
  2. com.apple.FolderActions.enabled.plist
  3. com.apple.FolderActions.folders.plist


Library/PreferencePanes:


Output After 5th


iTunesHelper, Safari, Skype, KiesAgent, KiesViaWiFiAgent, fuspredownloader

localhost:~ lamalika$


Thank you so so much


<Email Edited By Host>

Sep 7, 2013 7:48 PM in response to tololo

tololo wrote:


Please if you read this could you please help me too?? I also have the same problem

Note that the last three or four users who tried to jump on have not been assisted by anybody that knows much about this, so I suspect they are no longer monitoring this thread. You'd probably get better results by starting with a new subject and describe exactly what symptoms you are observing along with the Mac model and OS X version you are using.

Sep 7, 2013 8:06 PM in response to Linc Davis

My attention was called to this thread, which I had stopped reading more than a year ago. I'm only commenting on it now because I'm saddened by this outpouring of agony.


I answer a few questions on this site, but only as many as I have time for, and only the ones I choose. I cannot and do not take requests.


Another thing I can't do is computer forensics; that is, the investigation of criminal tampering with a computer. The most that I could do is rule in or out the presence of one of the commercial keylogging products that I happen to know of. Those products are not designed for illegal wiretapping. They're designed to lawfully monitor the activities of employees or children. My knowledge of the subject is far from complete, and in any case, it would be quite easy for a sophisticated attacker with access to the computer to install a keylogger that I couldn't detect by the means at my disposal here. If I were going to install a keylogger on someone's computer, I could, and would, do it in a way that wouldn't be so easily detectable.


Even a complete forensic analysis wouldn't rule out the presence of a hardware keylogger, which is a small, inconspicuous device that needs no software in order to operate. It could, for example, be hidden inside an ordinary-looking USB cable. Even an expert might not be able to find such a device.


A motivated attacker could take even more extreme measures, by planting listening devices in the victim's home or car.


Wiretapping is a crime. Please, ladies -- as most of you seem to be -- if you think you're a victim of that crime, look to a lawyer, a support group, or the police for help. Don't look to a stranger on a public message board. Anyone who's willing to take the risk of prosecution to tamper with your computer may be willing to take other risks, too. Be safe.

Sep 7, 2013 10:27 PM in response to Linc Davis

Thank you so much for replying and I completely understand what you are saying...could you please help me rule out the presence of the commercial keylogging you may happen to know of? Iam pretty sure the person I am talking about is very savvy but I am somehow betting that he may be betting on my ignorance to go undetected with something very simple...please.


Once I have something to base it on I can move forward but right now I am empty handed and have nothing but my suspicions and this has gotten me nowhere when seeking help. I have to start my own investigation for now and this is my beginning. I understand the risk of this but I really have no other choice for now.

Sep 21, 2013 3:21 PM in response to Linc Davis

Hi Linc and everyone.


Wondering if you could help me decipher if there's something on my computer too, please.


Thanks very much



Step 1:


com.digidesign.iokit.DigiDal (10.0f56)

com.RME.driver.FirefaceAudioDriver (3.06)

com.paceap.kext.pacesupport.snowleopard (5.9)

com.caiaq.driver.NIUSBMaschineControllerDriver (2.5.2)


Step 2:

org.samba.smbd

org.samba.nmbd

com.paceap.pacesupport

com.paceap.eden.licensed

com.digidesign.fwfamily.helper

com.adobe.fpsaud


Step 3

de.rme-audio.hdspAgent

de.rme-audio.firefaceUSBAgent

de.rme-audio.firefaceAgent

com.google.keystone.user.agent


step 4

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AFnd.framework

CFnd.framework

DAE.framework

DFW.framework

DHS.framework

DSI.framework

DSPManager.framework

DUI.framework

DigiPlatformSupport.framework

DigiStreamManager.framework

DigidesignFWDriver.framework

DirectIO.framework

NyxAudioAnalysis.framework

PluginManager.framework

SonicBirth.framework

TSLicense.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

NP-PPC-Dir-Shockwave

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

flashplayer.xpt

iLok Client Helper Plugin

iLokClientHelper.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

de.rme-audio.firefaceAgent.plist

de.rme-audio.firefaceUSBAgent.plist

de.rme-audio.hdspAgent.plist


/Library/LaunchDaemons:

PACESupport.plist

com.adobe.fpsaud.plist

com.digidesign.fwfamily.helper.plist

com.paceap.eden.licensed.plist


/Library/PreferencePanes:

DigidesignFireWireAudio.prefPane

DigidesignMbox2.prefPane

Flash Player.prefPane

Flip4Mac WMV.prefPane

NIUSBAudio.prefPane


/Library/PrivilegedHelperTools:

Google Drive Icon Helper

licenseDaemon.app


/Library/QuickLook:

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component


/Library/Spotlight:

AppleWorks.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:

Digidesign Mbox 2

DigidesignLoader


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.google.keystone.agent.plist


Library/PreferencePanes:

.FA686BFF5186C9DDF6D8

.U9HSPVH6XNHB

.VAOC8YCKM1X4


Step 5

iTunesHelper, Dropbox, NIHardwareAgent

Sep 21, 2013 3:54 PM in response to salscopis

salscopis wrote:


Hi Linc and everyone.


Wondering if you could help me decipher if there's something on my computer too, please.

As Linc just told the last user:

The right way to use this site is first to search for answered questions similar to yours (which you must already have done), and if you don't find a solution that way, to start your own thread.
He is not monitoring this ancient thread and I probably should stop as well.

Nov 21, 2013 4:45 PM in response to meltymax

I am unable to carry out this search to finding the spyware. After I input this information into my terminal, when I get to the point of inputing my password it will not let me type it or anything else. My password works everywhere else needed on my computer, but not the terminal after I have copied and pasted the information listed above. I am hoping to ascertain the type of sypware on my computer. I know for a fact that it is there and it has created havock in my life. This person has phisical access to my computer.


Is there spyware that will prevent inputing this information into the terminal?

I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.