You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: meltymax
meltymax Author
User level: Level 1
9 points

I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my macbook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confidant that I something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed macscan and completed a scan and it came up with nothing... I am not being paranoid my ex has basically confirmed my suspicions.




User uploaded file

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 26, 2012 6:41 PM

Reply
Question marked as Top-ranking reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,649 points

Posted on Aug 26, 2012 8:05 PM

Please read this whole message before doing anything.


The following procedure will help whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Copy or drag — do not type — the line below into the Terminal window, then press return:


kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.


Step 2


Repeat with this line:


sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3


launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


Step 4


ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5


osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.


You can then quit Terminal.

View in context
136 replies
User profile for user: The One And Only Arnz
The One And Only Arnz
User level: Level 1
4 points

Jun 18, 2014 3:45 AM in response to meltymax

Hi. Same here. I've had confirmation that something was done by the person but I want to find out exactly what as I completely distrust them now.


Results are:


Step1:


com.rim.driver.BlackBerryUSBDriverInt (0.0.74)


Step2:


com.openbase.com.openexec

com.trusteer.rooks.rooksd

com.rim.BBDaemon

com.oracle.java.Helper-Tool

com.google.keystone.daemon

com.adobe.fpsaud


Step3:


com.tomtom.HOMERunnerApp.20096

jp.co.Canon.bj.scan.network.scannerselector2.27488

com.rim.BBLaunchAgent

com.rim.RimAlbumArtDaemon

com.oracle.java.Java-Updater

com.google.keystone.system.agent

com.adobe.CS4ServiceManager

com.openbase.com.openlaunch

com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae


Step4:


/Library/Address Book Plug-Ins:

AddressBookDial.bundle


/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

BJUSBLoad.kext

CIJUSBLoad.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AVEngine.framework

Adobe AIR.framework

AudioMixEngine.framework

DivX Toolkit.framework

FxPlug.framework

HPDeviceModel.framework

HPPml.framework

HPServicesInterface.framework

HPSmartPrint.framework

MacScanner.framework

NyxAudioAnalysis.framework

OpenBaseAPI.framework

OpenBaseAdmin.framework

OpenBaseAdvancedAPI.framework

OpenBaseCR.framework

OpenBaseEOAdaptor.framework

OpenBaseForms.framework

OpenBaseLogin.framework

OpenBaseManager.framework

OpenBaseNet.framework

OpenBasePKPlugin.framework

PluginManager.framework

ProFX.framework

RIM_VSP.framework

RimBlackBerryUSB.framework

VShieldHelper.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobeFlash

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Default Browser.plugin

DirectorShockwave.plugin

Disabled Plug-Ins

DivXBrowserPlugin.plugin

EPPEX Plugin.plugin

Flash Player.plugin

GarminGPSControl.plugin

JavaAppletPlugin.plugin

Mozillaplug.plugin

PictureTalk Execute.plugin

PictureTalk Version.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

RealPlayer Plugin.plugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

iPhotoPhotocast.plugin

npdivx.xpt

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.CS4ServiceManager.plist

com.google.keystone.agent.plist

com.oracle.java.Java-Updater.plist

com.rim.BBAlbumArtCacher.plist

com.rim.BBLaunchAgent.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.google.keystone.daemon.plist

com.oracle.java.Helper-Tool.plist

com.rim.BBDaemon.plist

com.trusteer.rooks.rooksd.plist

openbase.plist


/Library/PreferencePanes:

DivX.prefPane

Flash Player.prefPane

JavaControlPanel.prefPane

OpenBasePreferences.prefPane

RapportPreferences.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

GBQLGenerator.qlgenerator

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

.DS_Store

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:

VShieldEPOInterface

Virex


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

Picasa.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.337D0AA2-1352-41A3-B9F9-A77 7B794E4B1.plist

com.apple.SafariBookmarksSyncer.plist

com.zeobit.MacKeeper.Helper

jp.co.canon.Inkjet_Extended_Survey_Agent.plist

openlaunch.plist


Library/PreferencePanes:


Library/Services:

.localized


LimeWire/Incomplete:

Big-iMac:~ Dad$


Step5:

Canon IJ Network Scanner Selector2, AdobeResourceSynchronizer, TomTomHOMERunner, BlackBerry Device Manager


Please help. Thanx - Arnz

Reply
User profile for user: mark00thomas
mark00thomas
User level: Level 1
6 points

Jun 18, 2014 9:53 PM in response to The One And Only Arnz

Arnz, There is good news and bad news. The good news is that you know you have spy wear on your machine. The bad news is that you are going to have to do some work to get it back to normal.


1. back up your email, photos, etc. (I keep most of my users home folder and the mail and moble sync folders on a RAID set of drives)

2. delete the two processes below and any process, dameon that calls to them or is anyway related to them


AEProfiling.framework

com.trusteer.rooks.rooksd


3. boot from a different drive and boot your machine into target disk mode

4. use disk utility to erase and reformat the hard drive. I may be completely wrong, but I only let the zeroing out part go for the first 30 min or so thinking that they system folders and files are at the “beginning” of the disk

5. reinstall OSX

6. make new user name and password

7.reinstal apps fresh from app store or their website, not from Time Machine

8. don’t use time machine

Replace email folder and other data, but don’t use TM


And finally #9, slap the person who put that **** on your computer.

Reply
User profile for user: John Galt
John Galt
User level: Level 10
146,390 points

Jun 19, 2014 6:56 AM in response to The One And Only Arnz

The One And Only Arnz, while there are methods to determine the presence of known and commonly available keyloggers, there is no possible way for anyone to determine that one does not exist from the information you provided.


However, numerous other problems definitely exist with that Mac that will prevent its proper operation.

For assistance please read Writing an effective Apple Support Communities question

Reply
User profile for user: Community User
Community User

Jun 22, 2014 4:09 AM in response to Linc Davis

Hi, I'm concerned I may be in a similar situation. Any help would be appreciated!


FIRST:


com.rim.driver.BlackBerryUSBDriverInt (0.0.74)


SECOND:


com.rim.BBDaemon

com.adobe.fpsaud


THIRD:


com.rim.BBLaunchAgent

com.rim.RimAlbumArtDaemon

com.divx.agent.postinstall


FOURTH:


/Library/Components:


/Library/Extensions:


/Library/Frameworks:

Adobe AIR.framework

NyxAudioAnalysis.framework

PluginManager.framework

Python.framework

RIM_VSP.framework

RimBlackBerryUSB.framework

iLifeFaceRecognition.framework

iLifeKit.framework

iLifePageLayout.framework

iLifeSQLAccess.framework

iLifeSlideshow.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

flashplayer.xpt

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.rim.BBAlbumArtCacher.plist

com.rim.BBLaunchAgent.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.apple.third_party_32b_kext_logger.plist

com.rim.BBDaemon.plist


/Library/PreferencePanes:

Flash Player.prefPane

Pref360Control.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

GBQLGenerator.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

AppleWorks.mdimporter

GBSpotlightImporter.mdimporter

LogicPro.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:

360ControlDaemon

ChmodBPF


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.divx.agent.postinstall.plist


Library/PreferencePanes:

FIFTH:


iTunesHelper

Reply
User profile for user: Ossyigby
Ossyigby
User level: Level 1
0 points

Jun 30, 2014 5:49 PM in response to Linc Davis

Hi,


I ran the process that you outline for detecting monitoring software. I believe that I may have had it installed on my MBP by my ex partner before he moved out. Below are the results to the process outline in your prior response to another user.


Thank you,


Jonathan




Step 1 results




-bash: $: command not found

Jonathans-MBP:~ jonathan$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.Logitech.Control Center.HID

com.Logitech.Unifying.HID Driver




Step 2 results




com.adobe.fpsaud




Step 3 results



Jonathans-MBP:~ jonathan$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'




Step 4 results



Jonathans-MBP:~ jonathan$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}' ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null




Step 5 results



Jonathans-MBP:~ jonathan$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}' ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Jonathans-MBP:~ jonathan$


Reply
User profile for user: nathanfromnewcastle
nathanfromnewcastle
User level: Level 1
0 points

Jul 6, 2014 8:35 AM in response to rrahimi

Thanks for your help,


I have the same concerns. I ran the above and found this.... What is your opinion?



Last login: Fri Jun 13 12:55:50 on console

11:~ nathan$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

11:~ nathan$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'



WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.



To proceed, enter your password, or type Ctrl-C to abort.



Password:

Sorry, try again.

Password:

Sorry, try again.

Password:

com.adobe.fpsaud

11:~ nathan$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.spotify.webhelper

11:~ nathan$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:



/Library/Extensions:



/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt



/Library/Keyboard Layouts:



/Library/LaunchAgents:



/Library/LaunchDaemons:

com.adobe.fpsaud.plist



/Library/PreferencePanes:

Flash Player.prefPane



/Library/PrivilegedHelperTools:



/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component



/Library/ScriptingAdditions:



/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Plug-Ins:



Library/Keyboard Layouts:



Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.4C945EC0-8B8E-4BA0-9696-527 C607F6E6A.plist

com.spotify.webhelper.plist



Library/PreferencePanes:

11:~ nathan$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Spotify

11:~ nathan$

Reply
User profile for user: lebeaupoete
lebeaupoete
User level: Level 1
4 points

Jul 11, 2014 12:47 PM in response to meltymax

Hi,

My results are:



Last login: Fri Jul 11 22:34:12 on ttys000

Ahmets-MacBook-Air:~ macbook$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Ahmets-MacBook-Air:~ macbook$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.



To proceed, enter your password, or type Ctrl-C to abort.



Password:

YandexDiskHelper

YandexDiskInstaller

com.oracle.java.JavaUpdateHelper

com.oracle.java.Helper-Tool

com.microsoft.office.licensing.helper

com.genieoinnovation.macextension.client

com.adobe.fpsaud

Ahmets-MacBook-Air:~ macbook$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.spotify.webhelper

com.oracle.java.Java-Updater

com.genieoinnovation.macextension

com.amazon.sendtokindle.launcher

com.google.keystone.user.agent

com.facebook.videochat.macbook.updater

Ahmets-MacBook-Air:~ macbook$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:



/Library/Extensions:



/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

GenieoExtra.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Unity Web Player.plugin

Unused

flashplayer.xpt

nsIQTScriptablePlugin.xpt



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.amazon.sendtokindle.launcher.plist

com.genieoinnovation.macextension.plist

com.oracle.java.Java-Updater.plist



/Library/LaunchDaemons:

YandexDiskHelper.plist

YandexDiskInstaller.plist

com.adobe.fpsaud.plist

com.genieoinnovation.macextension.client.plist

com.gopro.stereomodestatus.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.oracle.java.JavaUpdateHelper.plist



/Library/PreferencePanes:

Flash Player.prefPane

GoPro.prefPane

JavaControlPanel.prefPane



/Library/PrivilegedHelperTools:

Google Drive Icon Helper

YandexDiskHelper

YandexDiskInstaller

com.genieoinnovation.macextension.client

com.microsoft.office.licensing.helper

com.oracle.java.JavaUpdateHelper



/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AppleAVCIntraCodec.component

AppleHDVCodec.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

AppleProResCodec.component

CFHDCompressor.component

CFHDDecompressor.component

DVCPROHDCodec.component

FCP Uncompressed 422.component

IMXCodec.component



/Library/ScriptingAdditions:



/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Accounts:

V1



Library/Internet Plug-Ins:

FacebookVideoCalling.bundle



Library/Keyboard Layouts:



Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.E31CFC2F-7A54-479E-81C7-DEC 4D9818F19.plist

com.facebook.videochat.macbook.plist

com.google.keystone.agent.plist

com.spotify.webhelper.plist



Library/PreferencePanes:

8TracksRadioHelper.prefPane

Ahmets-MacBook-Air:~ macbook$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Google Drive, 8Tracks Helper, Spotify, Dropbox, Yandex.Disk

Ahmets-MacBook-Air:~ macbook$


---


My mac is operating in an odd way, its fan works loudly, when I opened my mac after this overworking of the fan, the login screen was cropped - I thought there was something wrong with it. I stumbled on this thread and wanted to send my results. Thanks for your help in advance.

Reply
User profile for user: MyCatRupert
MyCatRupert
User level: Level 1
8 points

Aug 20, 2014 11:39 PM in response to meltymax

I'm so inept that I'm hoping I followed the directions correctly. I have an evil sociopathic soon to be ex husband and I have reason to believe he's installed something on my computers. This is just from 1. I would so very much appreciate a translation.


Meltymax, you are the bomb for sharing this and helping. Thank you. What do you see?


com.github.osxfuse.filesystems.osxfusefs (2.6.4)



com.google.keystone.daemon


com.cleverfiles.cfbackd

com.adobe.SwitchBoard

com.adobe.fpsaud



om.evernote.EvernoteHelper


2BUA8C4S2C.com.agilebits.onepassword4-helper

com.wacom.wacomtablet

com.google.keystone.system.agent

com.adobe.AdobeCreativeCloud

com.spotify.webhelper

com.google.GoogleContactSyncAgent

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

com.adobe.AAM.Scheduler-1.0



/Library/Components:


/Library/Extensions:

/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

OSXFUSE.framework

PluginManager.framework

WacomMultiTouch.framework

iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:

AdobeAAMDetect.plugin

AdobeExManDetect.plugin

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

WacomNetscape.plugin

WacomTabletPlugin.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin

/Library/Keyboard Layouts:

/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.AdobeCreativeCloud.plist

com.google.keystone.agent.plist

com.wacom.wacomtablet.plist

/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.cleverfiles.cfbackd.plist

com.google.keystone.daemon.plist

/Library/PreferencePanes:

Flash Player.prefPane

OSXFUSE.prefPane

WacomTablet.prefPane

/Library/PrivilegedHelperTools:

/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator

/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

/Library/ScriptingAdditions:

Adobe Unit Types.osax

/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist

Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle

Library/Fonts:

Library/Input Methods:

.localized

Library/Internet Plug-Ins:

Library/Keyboard Layouts:

Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.42897104-685F-4B6E-A977-7AC BD5C5C2E9.plist

com.google.GoogleContactSyncAgent.plist

com.spotify.webhelper.plist

SmartDaemon, iTunesHelper

Reply
User profile for user: bethanyjoyful
bethanyjoyful
User level: Level 1
4 points

Sep 1, 2014 8:51 PM in response to meltymax

I have the same problem - ex husband seems creepily informed of details of my life and it is freaking me out... can someone see if they see anything fishy??


Last login: Mon Aug 25 23:17:28 on console

Bethanys-iMac:~ Bethany$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Bethanys-iMac:~ Bethany$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

com.adobe.fpsaud

Bethanys-iMac:~ Bethany$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.adobe.Photoshop.35936

com.adobe.AdobeCreativeCloud

com.adobe.AAM.Scheduler-1.0

Bethanys-iMac:~ Bethany$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobeAAMDetect.plugin

Default Browser.plugin

Flash Player.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.AdobeCreativeCloud.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Fonts:

Fonthead Design - SpillMilk.otf

IgniteTheLight.ttf

Sue Ellen Francisco.ttf

appopaint-Regular.otf


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist


Library/PreferencePanes:


Library/Services:

Bethanys-iMac:~ Bethany$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper

Bethanys-iMac:~ Bethany$

Bethanys-iMac:~ Bethany$

Reply
User profile for user: John Galt
John Galt
User level: Level 10
146,390 points

Sep 2, 2014 9:42 AM in response to bethanyjoyful

Hi Bethany,


It is quite impossible for anyone on this support site to provide absolute assurance that a keylogger is not installed on your system; it is only possible to confirm one of a few well-known keylogger apps exist. It is also quite impossible for anyone to provide absolute assurance that your Mac's hardware has not been maliciously altered to accomplish the same thing - short of an intensive, time-consuming hands-on inspection - and even that can be difficult.


Moreover, it is a bad idea to execute Terminal commands posted by random people on the Internet unless you know exactly what they are and what they are going to do. Terminal commands requiring superuser privileges can result in system corruption, loss of data, theft of personal information, or all of the above.

It is an especially bad idea to follow instructions intended to diagnose someone else's problem, and then post the results on a publicly accessible website such as this one.


I am sorry to tell you this, but all this demonstrates poor judgment on your part and strongly suggests you have not followed common-sense principles for safeguarding your private information such as your Mac's name and the passwords you use to keep your information secure. It's a lot easier for someone to spy on you and become creepily informed of your private activities using far simpler techniques than to install a keylogger on your Mac.

There are other simple precautions you should take. For thorough assistance and recommendations you should post your own question - not tack on a response to this very old one. To do that read Writing an effective Apple Support Communities question. It's the best way to receive timely, relevant, and accurate responses to your particular concerns.


Reply
User profile for user: clintonfrombirmingham
clintonfrombirmingham
User level: Level 7
30,106 points

Sep 3, 2014 10:23 AM in response to Good User

Good User


You can be assured that nothing that Linc posted, nor the output that you provided, could compromise your computer in any way. As John points out, it's best to start your own thread so that your post doesn't get lost in posts of long ago. Ask the question yourself in a new message and you will, perhaps, get some other responses which may be more helpful.


Good luck,


Clinton


MacBook Pro (15-inch Late 2011), OS Mavericks 10.9.4, 16GB Crucial RAM, Crucial M500 960GB SSD, 27” Apple Thunderbolt Display

Reply

I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up