Apple’s Worldwide Developers Conference to kick off June 10 at 10 a.m. PDT with Keynote address

The Keynote will be available to stream on apple.com, the Apple Developer app, the Apple TV app, and the Apple YouTube channel. On-demand playback will be available after the conclusion of the stream.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: meltymax
meltymax Author
User level: Level 1
9 points

I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my macbook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confidant that I something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed macscan and completed a scan and it came up with nothing... I am not being paranoid my ex has basically confirmed my suspicions.




User uploaded file

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 26, 2012 6:41 PM

Reply
Question marked as Best reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,559 points

Posted on Aug 26, 2012 8:05 PM

Please read this whole message before doing anything.


The following procedure will help whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Copy or drag — do not type — the line below into the Terminal window, then press return:


kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.


Step 2


Repeat with this line:


sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3


launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


Step 4


ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5


osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.


You can then quit Terminal.

View in context
136 replies
User profile for user: joandja
joandja
User level: Level 1
8 points

Dec 20, 2013 1:00 PM in response to meltymax

I'm hoping someone will read this and see if something fishy is going on? I did the steps provided (Which were excellently posted! Easy to understand). Just have no clue beyond that.


An added note. We had someone on 8/13 make 3 fraudulent charges on our iTunes acct. We closed the acct. and only use gift cards now. In 12/13 we had another fraudulent charge from EETsac on our c.c. and had to be reissued a new credit card.


Maybe someone's on our computer? Thanks.


STEP 1:

com.eltima.ElmediaPlayer.kext (1.0)


STEP 2:

com.intego.BackupAssistant.daemon

com.eltima.ElmediaPlayer.daemon

com.adobe.SwitchBoard

com.adobe.fpsaud


STEP 3:

com.kodak.BonjourAgent

com.intego.backupassistant.agent

com.conduit.loader.Agent

com.adobe.CS5ServiceManager

com.yahoo.YahooContactSyncAgent

com.nchsoftware.expressinvoice.agent

com.kodak.KODAK

com.kodak.KODAK

com.kodak.KODAK

com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9

com.adobe.AAM.Scheduler-1.0


STEP 4:

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

Adobe AIR.framework

EWSMac.framework

NyxAudioAnalysis.framework

OnOneWidgets.framework

PluginManager.framework

TSLicense.framework

iTunesLibrary.framework

onOneToolbox.framework


/Library/Input Methods:


/Library/InputManagers:

CTLoader


/Library/Internet Plug-Ins:

.DS_Store

AdobePDFViewer.plugin

Disabled Plug-Ins

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

Musicnotes.plugin

NP-PPC-Dir-Shockwave

Quartz Composer.webplugin

QuickTime Plugin.plugin

Scorch.plugin

Silverlight.plugin

Unity Web Player.plugin

Unused

flashplayer.xpt

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.CS5ServiceManager.plist

com.conduit.loader.agent.plist

com.intego.backupassistant.agent.plist

com.kodak.BonjourAgent.plist


/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.apple.third_party_32b_kext_logger.plist

com.eltima.ElmediaPlayer.daemon.plist

com.intego.BackupAssistant.daemon.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

GBQLGenerator.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax

ct_scripting.osax


/Library/Spotlight:

AppleWorks.mdimporter

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:

Intego Backup Assistant

ProTec6b


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:

A BUNCH OF FONTS and this....

encodings.dir

fonts.dir

fonts.list

fonts.scale


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist

com.kodak.KODAK AiO Annual Opt.plist

com.kodak.KODAK AiO Firmware Updater.plist

com.kodak.KODAK AiO Software Updater.plist

com.nchsoftware.expressinvoice.agent.plist

com.yahoo.YahooContactSyncAgent.plist


Library/PreferencePanes:

.DS_Store


Library/QuickTime:


STEP 5:

Safari, Dropbox

Reply
User profile for user: John Galt
John Galt
User level: Level 10
142,072 points

Dec 20, 2013 4:44 PM in response to joandja

joandja as has already been noted numerous times in this ancient thread you need to start your own Discussion. It's only by chance that I happened to read this one. Most of its qualified participants may no longer be subscribed to it.


The Conduit Community Toolbar spyware is installed on your Mac. While it alone does not explain any fraudulent account activity it is garbage you probably you do not want, and you will require specific instructions for getting rid of it. To ensure you do, please start your own Discussion.


Start with this page:


https://discussions.apple.com/community/mac_os


Navigate to your OS X version, then click the "Start a Discussion" link near the upper right under Actions.

Reply
User profile for user: edsonyazejy
edsonyazejy
User level: Level 1
0 points

Feb 13, 2014 4:41 PM in response to meltymax

Hello,


I'm having the same problem, can anyone help me and see if I have any keylogger or spyware in my computer?


Last login: Fri Feb 14 00:19:23 on ttys000

edsons-mbp:~ edsonyazejy$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.manycamllc.driver.ManyCamDriver (0.0.9)

edsons-mbp:~ edsonyazejy$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'

Password:

com.teamviewer.service

com.parallels.mobile.kextloader.launchdaemon

com.parallels.mobile.dispatcher.launchdaemon

com.oracle.java.Helper-Tool

com.microsoft.office.licensing.helper

com.adobe.fpsaud

edsons-mbp:~ edsonyazejy$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.microsoft.Excel.27840

com.adobe.Reader.23440

com.wondershare.helper_compact.63568

com.nike.nikeplusconnect

com.parallels.mobile.startgui.launchagent

com.goacemjobhmmbdlbbfjgifjcojdfnjfm.updater

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

edsons-mbp:~ edsonyazejy$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

EWSMac.framework

NyxAudioAnalysis.framework

OSXFUSE.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Default Browser.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.nike.nikeplusconnect.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.parallels.mobile.dispatcher.launchdaemon.plist

com.parallels.mobile.kextloader.launchdaemon.plist

com.teamviewer.teamviewer_service.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane

OSXFUSE.prefPane


/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleAVCIntraCodec.component

AppleHDVCodec.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

AppleProResCodec.component

DVCPROHDCodec.component

FCP Uncompressed 422.component

IMXCodec.component

ManyCamVDig_RGB.component

ManyCamVDig_YCbCr.component


/Library/ScriptingAdditions:

Ignitor.osax


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

.DS_Store

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:

HARRP___.TTF

HPOTTER.TTF

LUMOS.TTF

MagicSchoolOne.ttf

MagicSchoolTwo.ttf


Library/Frameworks:

EWSMac.framework


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

.DS_Store

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.goacemjobhmmbdlbbfjgifjcojdfnjfm.updater.plist

com.parallels.mobile.startgui.launchagent.plist


Library/PreferencePanes:


Library/Services:

.localized

edsons-mbp:~ edsonyazejy$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, SmartDaemon, Dropbox, AdobeResourceSynchronizer, Wondershare Helper Compact

edsons-mbp:~ edsonyazejy$



THANK YOU

Reply
User profile for user: rickbeacham
rickbeacham
User level: Level 1
0 points

Feb 20, 2014 6:42 AM in response to edsonyazejy

Re-install Mac OS X if you feel someone has backdoor access. It will be easier to reinstall the OS. And you can't be certian what services are legit or have backdoors themselves.. Backup all personal data then Delete the OS and Re-install. Run Little Snitch and keep up with outgoing connections for a little while. Install a virus scanner and scan your fresh install of Mac OS X.

Reply
User profile for user: John Galt
John Galt
User level: Level 10
142,072 points

Feb 20, 2014 10:29 AM in response to rickbeacham

rickbeacham wrote:


Re-install Mac OS X if you feel someone has backdoor access. It will be easier to reinstall the OS.


That will do nothing to remove a keylogger.


Install a virus scanner and scan your fresh install of Mac OS X.


If one suspects a keylogger or other malware has been installed but does not know how to go about eliminating it, a complete system erasure followed by installing OS X and one's essential software will eliminate all doubt. Keyloggers aren't viruses and there is no product that can possibly detect every variant of one that may exist. Installing a "virus scanner" will do nothing beneficial and is far more likely to cause unrelated problems.

Reply
User profile for user: rickbeacham
rickbeacham
User level: Level 1
0 points

Feb 23, 2014 6:00 PM in response to John Galt



If one suspects a keylogger or other malware has been installed but does not know how to go about eliminating it, a complete system erasure followed by installing OS X and one's essential software will eliminate all doubt.



That is exactly what i said. Delete the OS and re-install. Maybe i should have neen clearer and said "delete everything on the harddrive..

Install a virus scanner and scan your fresh install of Mac OS X.

Yes, some viruses/malware are able to save data on other partitions. Yes mac os x has its own virus protection but so does microsoft. I would then remove the virus scanner after the threat is removed or not found since they use resources and can slow down your system .I'm not sure how a virus scanner will cause problems worse then the ones they are having. Its just eleminating a potentional attack vector.


If you are still having problems. Install linux 🙂. Use VMware to run linux or use a live CD or USB(safer). Make sure its read only. This way when making credit card payments you will be safe.

Reply
User profile for user: PlaceNarration
PlaceNarration
User level: Level 1
0 points

Mar 2, 2014 12:02 PM in response to Linc Davis

Hi there Linc,


I too am in the same boat, and was wondering if you would so kind as to take a peek at my results and let me know if there is anything suspicious or if I have a keylogger. I followed all of your instructions, and will post the text after this short note. THANK YOU so much, if you have the time to look at it.


Kindest regards,

Crystal


-

Last login: Sat Mar 1 13:46:36 on console

localhost:~ crystal$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

  1. com.paceap.kext.pacesupport.snowleopard (5.7.2)
  2. com.digidesign.iokit.DigiDal (9.0.3f4)
  3. com.Apogee.driver.DuetFWOverideDriver (1.4.4)
  4. com.Cycling74.driver.Soundflower (1.6.2)

localhost:~ crystal$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

  1. com.paceap.pacesupport
  2. com.spotflux.Spotflux
  3. com.paceap.eden.licensed
  4. com.hidden.daemon
  5. com.google.keystone.daemon
  6. com.duetDaemon.plist
  7. com.digidesign.fwfamily.helper
  8. com.adobe.versioncueCS4
  9. com.adobe.fpsaud

localhost:~ crystal$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

  1. com.google.keystone.system.agent
  2. com.frontierdesign.tranzport.daemon
  3. com.adobe.CS4ServiceManager
  4. com.yahoo.YahooContactSyncAgent
  5. com.nchsoftware.reflect.agent
  6. com.divx.agent.postinstall
  7. com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9
  8. com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

localhost:~ crystal$

localhost:~ crystal$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

  1. AECore.framework
  2. AFnd.framework

Adobe AIR.framework

  1. ArcCon.framework
  2. CFnd.framework
  3. Compressor.framework
  4. DAE.framework
  5. DFW.framework
  6. DHS.framework
  7. DSI.framework
  8. DSPManager.framework
  9. DSPPublishing.framework
  10. DUI.framework
  11. DigiPlatformSupport.framework
  12. DigiStreamManager.framework
  13. DigidesignFWDriver.framework
  14. DirectIO.framework

DivX Toolkit.framework

  1. FxPlug.framework
  2. MediaServerAPI.framework
  3. Motion.framework
  4. NyxAudioAnalysis.framework
  5. PluginManager.framework
  6. ProFX.framework
  7. ProMetadataSupport.framework
  8. Qmaster.framework
  9. TSLicense.framework
  10. XSKey.framework
  11. iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

  1. AdobePDFViewer.plugin
  2. AdobePDFViewerNPAPI.plugin

AmazonMP3DownloaderPlugin.plugin

DivXBrowserPlugin.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

Google Earth Web Plug-in.plugin

JavaAppletPlugin.plugin

NP-PPC-Dir-Shockwave

  • OVSHelper.plugin
  • OfficeLiveBrowserPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

  1. Silverlight.plugin
  2. flashplayer.xpt
  3. googletalkbrowserplugin.plugin
  4. iPhotoPhotocast.plugin
  5. npContributeMac.bundle

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin


/Library/Internet Plug-Ins (Disabled):

Flash Player.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

  1. com.adobe.CS4ServiceManager.plist
  2. com.frontierdesign.tranzport.daemon.plist
  3. com.google.keystone.agent.plist


/Library/LaunchDaemons:

  1. PACESupport.plist
  2. com.DuetDaemon.plist
  3. com.adobe.fpsaud.plist
  4. com.adobe.versioncueCS4.plist
  5. com.apple.aelwriter.plist
  6. com.apple.qmaster.qmasterd.plist
  7. com.apple.third_party_32b_kext_logger.plist
  8. com.digidesign.fwfamily.helper.plist
  9. com.google.keystone.daemon.plist
  10. com.hidden.daemon.plist
  11. com.paceap.eden.licensed.plist
  12. com.spotflux.Spotflux.plist


/Library/PreferencePanes:

Apple Qmaster.prefPane

DivX.prefPane

Flash Player.prefPane

Flip4Mac WMV.prefPane

Growl.prefPane

VersionCueCS4.prefPane


/Library/PrivilegedHelperTools:

  1. com.spotflux.Spotflux
  2. licenseDaemon.app


/Library/QuickLook:

  1. GBQLGenerator.qlgenerator
  2. iWork.qlgenerator


/Library/QuickTime:

  1. AppleAVCIntraCodec.component
  2. AppleHDVCodec.component
  3. AppleIntermediateCodec.component

AppleMPEG2Codec.component

  1. AppleProResCodec.component
  2. DVCPROHDCodec.component
  3. DVCPROHDMuxer.component
  4. DVCPROHDVideoDigitizer.component
  5. DVCPROHDVideoOutput.component
  6. DVCPROHDVideoOutputClock.component
  7. DVCPROHDVideoOutputCodec.component
  8. DesktopVideoOut.component

DivX Decoder.component

DivX Encoder.component

FCP Uncompressed 422.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component

  1. IMXCodec.component
  2. LiveType.component
  3. Motion.component
  4. PanasonicAVCCAMImporter.component
  5. SoundboothScoreCodec.component
  6. iChatTheaterPreview.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

  1. AppleWorks.mdimporter
  2. GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:

DigidesignLoader

PACESupport


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.versioncueCS4.monitor.plist


Library/Address Book Plug-Ins:

AdiumAddressBookAction_AIM.scpt

AdiumAddressBookAction_ICQ.scpt

AdiumAddressBookAction_Jabber.scpt

AdiumAddressBookAction_MSN.scpt

AdiumAddressBookAction_SMS.scpt

AdiumAddressBookAction_Yahoo.scpt

  1. SkypeABDialer.bundle
  2. SkypeABSMS.bundle


Library/Fonts:

Belwe_Mono_Plain.ttf

Caviar Dreams Bold.ttf

CaviarDreams.ttf

CaviarDreams_BoldItalic.ttf

CaviarDreams_Italic.ttf

WendyLPStd-Medium.otf


Library/Frameworks:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

Aspera Web 3.1.2.72265.plugin

BrowserPlus_2.9.8.plugin

CitrixOnlineWebDeploymentPlugin.plugin

OctoshapeWeb.plugin

fbplugin_1_0_3.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

  1. com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
  2. com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
  3. com.divx.agent.postinstall.plist
  4. com.nchsoftware.reflect.agent.plist
  5. com.yahoo.YahooContactSyncAgent.plist


Library/PreferencePanes:

.2Q42TU49FV7VSGGC

.localized

  1. BrowserPlusPrefs.prefPane
  2. Growl.prefPane
  3. MusicManager.prefPane

localhost:~ crystal$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

TomTomHOMERunner, Jumpcut, Music Manager, BitTorrent, Dropbox, ConnectService, DuetPopUp

localhost:~ crystal$

Reply
User profile for user: Maxformal
Maxformal
User level: Level 1
0 points

Mar 2, 2014 7:54 PM in response to meltymax

Can someone check mine out too please? I don't know too awful much about computers, but I ran the steps and here's what I came up with:


Password:

Sorry, try again.

Password:

com.mcafee.virusscan.fmpd

com.mcafee.ssm.ScanManager

com.adobe.fpsaud

-macbook-pro-2:~ Max$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

jp.co.canon.cijscannerregister.4784

com.adobe.PDApp.AAMUpdatesNotifier.44208.0F49F9FA-2C85-455B-94D3-F0A2E74EE2A9

com.skype.skype.16752

com.hp.productresearch.5312

com.thursby.pkard.tokendagent

com.mcafee.reporter

com.mcafee.menulet

com.hp.help.tocgenerator

com.google.keystone.user.agent

com.adobe.AAM.Scheduler-1.0

macbook-pro-2:~ Max$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AVEngine.framework

AudioMixEngine.framework

HPSmartPrint.framework

MacFUSE.framework

MacScanner.framework

NyxAudioAnalysis.framework

PluginManager.framework

ScanBooster.framework

Snapfish.framework

VirusScanPreferences.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AmazonMP3DownloaderPlugin101750.plugin

CouponPrinter-FireFox_v2.plugin

CouponPrinter-Safari.webplugin

Default Browser.plugin

Flash Player.plugin

OfficeLiveBrowserPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SiteAdvisor.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Internet Plug-Ins (Disabled):

Flash Player.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.hp.help.tocgenerator.plist

com.mcafee.menulet.plist

com.mcafee.reporter.plist

com.thursby.pkard.tokendagent.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.mcafee.ssm.ScanManager.plist

com.mcafee.virusscan.fmpd.plist


/Library/PreferencePanes:

Flash Player.prefPane

MacFUSE.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleAVCIntraCodec.component

AppleHDVCodec.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

AppleProResCodec.component

DVCPROHDCodec.component

FCP Uncompressed 422.component

IMXCodec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:

PKard


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle

YMsgrCallABPlugin.bundle

YMsgrMsnABPlugin.bundle

YMsgrSmsABPlugin.bundle

YMsgrYimABPlugin.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.apple.FolderActions.enabled.plist

com.apple.FolderActions.folders.plist

com.google.keystone.agent.plist


Library/PreferencePanes:


Library/Services:

.localized

-macbook-pro-2:~ Max$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Skype, HP Product Research, HPEventHandler

-macbook-pro-2:~ Max$


It all looks good to me, but like I said I don't know too much about it. I have a crazy ex and I want to make sure she's still not stalking me lol. Thanks!

Reply
User profile for user: thomas_r.
thomas_r.
User level: Level 7
31,995 points

Mar 3, 2014 3:55 AM in response to Maxformal

Folks, please stop posting this output here! These are not helpful.


First of all, there's really no reliable way to determine whether you have a keylogger or other remote access tool installed. A knowledgeable user may be able to identify certain specific malicious programs from this output, but if nothing suspicious is seen, that really means nothing at all. There could still be something there.


Secondly, posting here is not an effective way of getting help. The knowledgeable people here are no longer responding on this topic. Linc Davis said it best here.

Reply
User profile for user: PlaceNarration
PlaceNarration
User level: Level 1
0 points

Mar 3, 2014 6:11 PM in response to thomas_r.

Wow, thank you for alerting us to this Thomas. It's almost hard to believe after reading the post you just shared that people STILL are specifically asking direct requests of him - *after* he just specifically asked them not to. At least in this case, we (unknowing/ignorant of the proper site ettiquette) saw someone get help on something and so asked for the same, but on the other article, the FIRST post is him explaining why he isn't responding to this one, how the site is supposed to work and what they should do to go about getting a response, should they still need one. People are either stupid or just selfish. I can't figure out which.


Anyways, apologies for the faux pas, and thanks for alerting me to the proper process.


Cheers,

Crystal

Reply
User profile for user: sbal12
sbal12
User level: Level 1
0 points

May 6, 2014 7:36 AM in response to meltymax

Same to me here. Don't know for sure, hope someone can help me with the output underneath, following steps 1 - 4


Output after step 1:

com.Cycling74.driver.Soundflower (1.6.6)$


Output after step 2:

org.tcpdump.chmod_bpf

com.oracle.java.Helper-Tool

com.adobe.fpsaud$


Output after step 3:

de.novamedia.VMCStatusMenue.10592

com.oracle.java.Java-Updater

com.spotify.webhelper

com.google.keystone.user.agent

com.divx.agent.postinstall$


Output after step 4:

/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

DivX Toolkit.framework

NMDeviceObserver.framework

NMGsmKit.framework

NMNetCore.framework

NMNetWorker.framework

NMRegistrationCore.framework

NMStatistics.framework

NyxAudioAnalysis.framework

PluginManager.framework

gsm_device_tools.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Becon.plugin

Default Browser.plugin

DivXBrowserPlugin.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

OVSHelper.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.oracle.java.Java-Updater.plist

de.novamedia.VodafoneDeviceObserver.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.oracle.java.Helper-Tool.plist

org.tcpdump.chmod_bpf.plist


/Library/PreferencePanes:

DivX.prefPane

Flash Player.prefPane

JavaControlPanel.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:

ChmodBPF

Sudochmod


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

.DS_Store

Becon.plugin

Google Earth Web Plug-in.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

.DS_Store

com.divx.agent.postinstall.plist

com.google.keystone.agent.plist

com.spotify.webhelper.plist


Library/PreferencePanes:

Perian.prefPane


Library/QuickTime:

AC3MovieImport.component

Perian.component


Library/Services:

.localized



Output after step 5:

iTunesHelper, Dropbox, VMCStatusMenu, Vodafone Mobile Broadband



This is the output I receive. Would be great if anyone can help me on this. Analyzing this data is too complex for me (unfortunaltely), but I trust on the community support.


Thanks!

Reply
User profile for user: Commander Smackaho
Commander Smackaho
User level: Level 1
4 points

May 17, 2014 6:43 AM in response to Maxformal

I think we've all been duped and apple didnt even see it, that "flashplayer.xpt " is the winner it's an executable script from the browser it's been in there waiting for awhile now and its attaching to all your framework files or better yet replacing them this is a rough one boys we need and the worst part is, I think its been sitting to long to matter now

Reply

I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up