I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my macbook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confident that something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed macscan and completed a scan and it came up with nothing... I am not being paranoid my ex has basically confirmed my suspicions.




MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 26, 2012 6:41 PM

Question marked as Top-ranking reply

Posted on Aug 26, 2012 8:05 PM

Please read this whole message before doing anything.


The following procedure will help determine whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Copy or drag — do not type — the line below into the Terminal window, then press return:


kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.


Step 2


Repeat with this line:


sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3


launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


Step 4


ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5


osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.


You can then quit Terminal.

136 replies

Sep 3, 2014 10:48 AM in response to Good User

Good User wrote:


Are the terminal commands posted by linc davis at the beginning of this thread unsafe?


No, they are fine.


However, for the purposes of this discussion, they are also useless. As John pointed out, it's possible someone may spot a known keylogger in those results, but that doesn't mean much. There could easily be something hidden that doesn't show up in those results. If you believe that someone malicious has had unsupervised physical access to your computer, or remote access via some remote access software you already had installed, then there's nothing on the planet that can determine accurately whether that system is safe or not. Your only option is to wipe the drive and reinstall everything from scratch, then manually copy documents only from a non-Time Machine backup. Or, restore your entire system from a Time Machine (or other) backup made prior to the incident.
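The Step 2 filter from the top reply, and the limitation raised in the reply above, shown on sample data. This is an added example, not part of any post in this thread: the function names, the labels `com.example.updater.agent` and `com.apple.softwareupdate.helper2`, and all paths are constructed, and the location check is this example's own heuristic rather than part of the posted procedure.

```shell
#!/bin/sh
# Added example. All input below is constructed sample data, not output
# from a real Mac and not taken from any post in this thread.

# Constructed `launchctl list` output: header line, then PID, status, label.
sample_launchctl_list() {
cat <<'EOF'
PID Status Label
- 0 com.apple.mdworker.pool.0
123 0 com.apple.Finder
- 0 0x7f8a1b402230.anonymous.sh
456 0 com.example.updater.agent
- 0 com.apple.softwareupdate.helper2
- 0 org.cups.cupsd
EOF
}

# The Step 2 filter as posted (without sudo/launchctl): drop the header,
# drop every line matching the name allowlist, print the label column.
thread_filter() {
  sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
}

# Constructed list of launchd plist paths, as a directory listing would give.
sample_plist_paths() {
cat <<'EOF'
/System/Library/LaunchDaemons/com.apple.syslogd.plist
/Library/LaunchDaemons/com.example.updater.agent.plist
/Library/LaunchAgents/com.apple.softwareupdate.helper2.plist
/Users/sample/Library/LaunchAgents/com.example.helper.plist
EOF
}

# Heuristic assumed by this example (not part of the posted procedure):
# a plist named com.apple.* that lives outside /System/Library is worth a
# manual look, because the name-based filter above never shows its label.
# Some genuine Apple add-ons install outside /System/Library, so a hit is
# a prompt for review, not a verdict.
apple_named_outside_system() {
  awk -F/ '$NF ~ /^com\.apple\./ && $0 !~ /^\/System\/Library\// { print }'
}

echo "Labels that survive the Step 2 filter:"
sample_launchctl_list | thread_filter
echo "com.apple-named plists outside /System/Library:"
sample_plist_paths | apple_named_outside_system
```

The filter matches on names only, so an empty or familiar-looking result says nothing about jobs whose labels fall inside the allowlist.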

Jan 6, 2015 3:53 AM in response to Linc Davis

Hi Linc and others!


Thanks for the informative article.


I have followed the instructions and my result is below. Can you help me out and let me know if anything is strange?


Thanks and sorry for the trouble.

Carlos


RESULT FROM TERMINAL WINDOW MAC.



Last login: Fri Jan 2 13:50:08 on console

Ons-iMac:~ online$ sh

sh-3.2$ sh

sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.symantec.kext.internetSecurity (5.4f7)

at.obdev.nke.LittleSnitch (4226)

com.symantec.kext.ips (3.9.2f1)

sh-3.2$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

com.genieoinnovation.macextension.client

com.oracle.java.JavaUpdateHelper

com.symantec.liveupdate.daemon

at.obdev.littlesnitchd

com.microsoft.office.licensing.helper

com.symantec.errorreporting.periodic

com.symantec.symdaemon

com.adobe.SwitchBoard

com.symantec.sharedsettings

com.adobe.fpsaud

com.symantec.liveupdate.daemon.ondemand

com.teamviewer.Helper

sh-3.2$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext

SymAPComm.kext

SymIPS.kext

SymInternetSecurity.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

ALUT.framework

Adobe AIR.framework

AudioMixEngine.framework

GenieoExtra.framework

NyxAudioAnalysis.framework

PluginManager.framework

QtBluetooth.framework

QtCLucene.framework

QtConcurrent.framework

QtCore.framework

QtDeclarative.framework

QtDesigner.framework

QtDesignerComponents.framework

QtGui.framework

QtHelp.framework

QtMacExtras.framework

QtMultimedia.framework

QtMultimediaQuick_p.framework

QtMultimediaWidgets.framework

QtNetwork.framework

QtNfc.framework

QtOpenGL.framework

QtPositioning.framework

QtPrintSupport.framework

QtQml.framework

QtQuick.framework

QtQuickParticles.framework

QtQuickTest.framework

QtScript.framework

QtScriptTools.framework

QtSensors.framework

QtSerialPort.framework

QtSql.framework

QtSvg.framework

QtTest.framework

QtWebKit.framework

QtWebKitWidgets.framework

QtWidgets.framework

QtXml.framework

QtXmlPatterns.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

Default Browser.plugin

Flash Player.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

at.obdev.LittleSnitchUIAgent.plist

com.adobe.AAM.Updater-1.0.plist

com.genieoinnovation.macextension.plist

com.oracle.java.Java-Updater.plist

com.symantec.errorreporter-periodicagent.plist

com.symantec.uiagent.application.plist

com.teamviewer.teamviewer.plist

com.teamviewer.teamviewer_desktop.plist


/Library/LaunchDaemons:

at.obdev.littlesnitchd.plist

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.genieoinnovation.macextension.client.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.oracle.java.JavaUpdateHelper.plist

com.symantec.errorreporter-periodic.plist

com.symantec.liveupdate.daemon.ondemand.plist

com.symantec.liveupdate.daemon.plist

com.symantec.nav.migrateqtf.plist

com.symantec.sharedsettings.plist

com.symantec.symdaemon.plist

com.teamviewer.Helper.plist

com.teamviewer.teamviewer_service.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane

SymantecQuickMenu.prefPane


/Library/PrivateFrameworks:

SymAVScan.framework

SymAppKitAdditions.framework

SymBase.framework

SymDaemon.framework

SymIPS.framework

SymLicensing.framework

SymSharedSettings.framework

SymSubmission.framework

SymUIAgent.framework


/Library/PrivilegedHelperTools:

com.genieoinnovation.macextension.client

com.microsoft.office.licensing.helper

com.oracle.java.JavaUpdateHelper

com.teamviewer.Helper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

pt-dynamic.lm

sv-dynamic.lm


Library/LaunchAgents:

.DS_Store

com.genieo.completer.download.plist

com.genieo.completer.ltvbit.plist

com.genieo.completer.update.plist


Library/PreferencePanes:


Library/Services:

AppDelete.workflow

sh-3.2$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Android File Transfer Agent

sh-3.2$

Mar 19, 2015 7:20 PM in response to meltymax

Please Please Help!!!


Library/PreferencePanes:

Tylers-MacBook-Pro:~ jdub$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.trendmicro.kext.filehook (1.5.0)

com.trendmicro.kext.KERedirect (1.0.0)

Tylers-MacBook-Pro:~ jdub$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

Sorry, try again.

Password:

Sorry, try again.

Password:

Sorry, try again.

sudo: 3 incorrect password attempts

Tylers-MacBook-Pro:~ jdub$ J666999w

-bash: J666999w: command not found

Tylers-MacBook-Pro:~ jdub$ J666999j

-bash: J666999j: command not found

Tylers-MacBook-Pro:~ jdub$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.trendmicro.TM.TmLoginMgr.16788

Tylers-MacBook-Pro:~ jdub$

Tylers-MacBook-Pro:~ jdub$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

Sorry, try again.

Password:

com.trendmicro.tmsm.plugin

com.trendmicro.icore.wp

com.trendmicro.icore.main

com.trendmicro.icore.av

com.trendmicro.tmsm.launcher

Tylers-MacBook-Pro:~ jdub$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

TMAppCommon.framework

TMAppCore.framework

TMGUIUtil.framework

iCoreClient.framework

iCoreClientPb.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Default Browser.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:


/Library/LaunchDaemons:

com.trendmicro.icore.av.plist

com.trendmicro.icore.main.plist

com.trendmicro.icore.wp.plist

com.trendmicro.tmsm.launcher.plist

com.trendmicro.tmsm.plugin.plist


/Library/PreferencePanes:


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LanguageModeling:

en-dynamic.lm

es-dynamic.lm

nl-dynamic.lm


Library/PreferencePanes:


Library/Services:

Tylers-MacBook-Pro:~ jdub$

Tylers-MacBook-Pro:~ jdub$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

TmLoginMgr

Tylers-MacBook-Pro:~ jdub$

Jul 5, 2015 3:12 PM in response to khanMan62

First, you should note that this topic goes back to 2012. Posting here is not the best way to get the most eyes looking at your problem. If further discussion is needed, I'd advise starting your own topic.


As to your question, both Abk and PKL are keyloggers (Aobo and Perfect Keylogger Lite). Someone would have to have installed them, or tricked you into running some kind of custom script or app that would have installed them. Most likely, the former is true.


If you don't know how those got there, and this is your computer (not a company computer, school computer, etc), then you need to erase your hard drive immediately and reinstall everything from scratch, then restore only documents from backup. For instructions, see:


How to reinstall Mac OS X from scratch


Be aware that there may be other things that have been done, so don't assume that removing those two keyloggers will be sufficient. Also be aware that there's no anti-virus software that can detect all possible malicious changes that a hacker with access to the computer might have made. So, yes, although it's unpleasant, erasing really is the only solution.


Also, be aware that the presence of a keylogger means that anything you may have typed should be considered compromised. This includes things like passwords and credit card numbers, but could include any number of other things as well, such as bank account numbers or social security number. You will need to change ALL your passwords (after cleaning the machine), alert your credit card companies and any other financial institutions, and consider subscribing to a credit monitoring service.


If this is not a computer that is on loan to you from somewhere, like your place of work or school, then the fact that they would be willing to log all your keystrokes should be greatly concerning, and you should not do ANYTHING on that computer that you're not willing for them to monitor.


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)

Jul 8, 2015 7:37 AM in response to thomas_r.

I've added some limited support for keylogger detection to my free utility "DetectX".


In v1.22, DetectX will confirm the presence of the following keyloggers:


    AOBO
    AMK
    Elite Keylogger
    LogKext
    PKL
    Specter Pro (apparently discontinued, but possibly still being distributed by 3rd parties)
    WebWatcher


I'll add more as time and knowledge allow (if any experts out there would like to share any others they know of, please contact me off list. A contact email can be found on the same site as my app).


There's a whole list of important caveats that anyone hunting down keyloggers should be aware of. Many are buried in this thread; I've summarised the key points here, at least insofar as they pertain to using DetectX:


http://sqwarq.com/detectx/keylogger-detection/


DetectX can be downloaded for free from here:


http://sqwarq.com/detectx


(Disclaimer: These are links to my personal website from which I may derive some form of compensation).

Jul 8, 2015 2:54 PM in response to John Galt


If one suspects a keylogger or other malware has been installed but does not know how to go about eliminating it, a complete system erasure followed by installing OS X and one's essential software will eliminate all doubt.


How do you do a complete system erasure? Is this a reformat of the hard drive?

Jul 15, 2015 8:29 PM in response to meltymax

this came up after step 4:


com.brother.LOGINserver

com.bittorrent.uTorrent.64784

com.wondershare.helper_compact.83812

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

com.axentra.hipserv.hipservagent.47460

com.brother.ControlCenter.78984

com.brother.utility.USBserver.85800

com.hp.productresearch

com.google.GoogleDrive.42064

com.brother.utility.NETserver.86084

com.adobe.Reader.38940

org.mozilla.firefox.41212

com.google.keystone.user.agent

Aug 3, 2015 6:19 PM in response to Linc Davis

Hello, I ran your script and this is what I obtained. Does anything look odd?


Thanks in advance.


com.oracle.java.JavaUpdateHelper

com.tvmobili.tvmobilisvcd

com.microsoft.office.licensing.helper

com.oracle.java.Helper-Tool

com.adobe.fpsaud

org.macosforge.xquartz.privileged_startx



/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

CitrixICAClientPlugIn.plugin

Default Browser.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

Unity Web Player.plugin

Unused

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.citrix.AuthManager_Mac.plist

com.citrix.ReceiverHelper.plist

com.citrix.ServiceRecords.plist

com.nike.nikeplusconnect.plist

com.oracle.java.Java-Updater.plist

com.tvmobili.artwork.plist

org.macosforge.xquartz.startx.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.oracle.java.JavaUpdateHelper.plist

com.tvmobili.tvmobilisvcd.plist

org.macosforge.xquartz.privileged_startx.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane


/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper

com.oracle.java.JavaUpdateHelper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:

HWNetMgr

HWPortDetect


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

Picasa.plugin


Library/Keyboard Layouts:


Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pt-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.google.GoogleContactSyncAgent.plist

com.google.keystone.agent.plist


Library/PreferencePanes:

MusicManager.prefPane


Library/Services:

.localized


iTunesHelper, Dropbox, Calendar, Serviio-Console, Jawbone Updater, Music Manager, SurplusMeterAgent, Music Manager, Google Drive, Plex Media Server

Aug 14, 2015 3:27 PM in response to Linc Davis

Hello Linc,


Could you help me with the information I generated from your instructions? I would really appreciate it. I think I have spyware too!



com.avast.PacketForwarder (2.0)

com.avast.AvastFileShield (2.1.0)

XXXXXs-MacBook-Pro:~ n$


com.avast.crashreport

com.avast.account

com.avast.fileshield

com.avast.proxy

com.avast.service

com.avast.daemon

com.google.keystone.daemon

com.avast.update

com.avast.uninstall

com.avast.init

com.adobe.fpsaud

XXXXXs-MacBook-Pro:~ n$



com.avast.helper

com.google.keystone.system.agent

com.epson.eventmanager.agent

com.avast.userinit

com.avast.update-agent

com.avast.home.userinit

XXXXXs-MacBook-Pro:~ n$



/Library/Components:


/Library/Extensions:

EPSONUSBPrintClass.kext


/Library/Frameworks:

Adobe AIR.framework

NyxAudioAnalysis.framework

PluginManager.framework

iLifeFaceRecognition.framework

iLifeKit.framework

iLifePageLayout.framework

iLifeSQLAccess.framework

iLifeSlideshow.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

NP-PPC-Dir-Shockwave

PepperFlashPlayer

Quartz Composer.webplugin

QuickTime Plugin.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin


/Library/Internet Plug-Ins (Disabled):

Flash Player.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.avast.update-agent.plist

com.avast.userinit.plist

com.epson.eventmanager.agent.plist

com.google.keystone.agent.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.avast.init.plist

com.avast.uninstall.plist

com.avast.update.plist

com.google.keystone.daemon.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

GBQLGenerator.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/Spotlight:

AppleWorks.mdimporter

GBSpotlightImporter.mdimporter

LogicPro.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.avast.home.userinit.plist


Library/PreferencePanes:

XXXXXXX-MacBook-Pro:~ n$


iTunesHelper, Mail, Jawbone Updater, Google Chrome

XXXXXs-MacBook-Pro:~ n$

Aug 31, 2015 7:56 PM in response to Linc Davis

Hey Linc Davis! We had some email go around at the office and I received it and opened it. Apparently there was a good chance of a keylogger in it... I completed your steps and have pasted the results below. Any help would be amazing! I have no idea what I'm looking for...


Last login: Tue Sep 1 08:42:01 on console

Josephs-MacBook-Pro:~ verrucktfuchs$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.Cycling74.driver.Soundflower (1.6.6)

com.intego.netbarrier.kext.monitor (177)

com.intego.netbarrier.kext.network (177)

com.intego.netbarrier.kext.process (177)

com.intego.virusbarrier.kext.realtime (322)

Josephs-MacBook-Pro:~ verrucktfuchs$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:


#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.


Password:

com.intego.virusbarrier.daemon.emlparser

com.adobe.ARMDC.Communicator

com.adobe.adobeupdatedaemon

com.oracle.java.JavaUpdateHelper

com.intego.commonservices.icalserver

com.intego.netbarrier.daemon

com.intego.virusbarrier.daemon.realtime

com.intego.commonservices.daemon.taskmanager

com.microsoft.office.licensing.helper

com.oracle.java.Helper-Tool

com.intego.commonservices.metrics.kschecker

com.intego.netupdate.daemon

com.intego.netbarrier.daemon.logger

com.intego.virusbarrier.daemon

com.adobe.ARMDC.SMJobBlessHelper

com.intego.netbarrier.daemon.monitor

com.intego.virusbarrier.daemon.logger

com.teamviewer.Helper

com.intego.virusbarrier.daemon.scanner

com.intego.commonservices.daemon.integod

Josephs-MacBook-Pro:~ verrucktfuchs$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.microsoft.autoupdate.fba.78700

com.brother.LOGINserver

com.intego.commonservices.taskmanager

com.intego.virusbarrier.alert

com.intego.netupdate.agent

com.google.GoogleDrive.44052

com.adobe.AdobeCreativeCloud

com.intego.netbarrier.alert

com.intego.commonservices.uninstaller

com.brother.utility.USBserver.14800

com.digitician.examinet.52856

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d

com.adobe.AAM.Scheduler-1.0

com.digitician.PeakHour-Helper

com.adobe.PDApp.AAMUpdatesNotifier.61944.BCF122F0-D7F6-479A-8D0E-E8C9580531D4

com.oracle.java.Java-Updater

com.intego.commonservices.integomenu

com.citrixonline.GoToMeeting.G2MUpdate

com.adobe.acc.AdobeDesktopService.100852.3F9B0CAF-219D-4425-954D-9D024C692F1E

com.google.Chrome.43768

com.google.keystone.user.agent

com.microsoft.Office365Service.51152

com.brother.utility.NETserver.15652

Josephs-MacBook-Pro:~ verrucktfuchs$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

IntegoiCalFramework.framework

NetUpdateShared.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Intego:

.isb6_info

.netbarrier_info

IM_ObjectiveMetrics.framework

Intego Uninstaller.app

IntegoiCalServer

TaskManager

commonservices.bundle

im_helper_tool

im_ks_tool

integod

netbarrier.bundle

netupdated.bundle

virusbarrier.bundle


/Library/Internet Plug-Ins:

AdobeAAMDetect.plugin

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Default Browser.plugin

DirectorShockwave.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist

com.adobe.AdobeCreativeCloud.plist

com.brother.LOGINserver.plist

com.intego.commonservices.integomenu.plist

com.intego.commonservices.taskmanager.plist

com.intego.commonservices.uninstaller.plist

com.intego.netbarrier.alert.plist

com.intego.netupdate.agent.plist

com.intego.virusbarrier.alert.plist

com.oracle.java.Java-Updater.plist

com.teamviewer.teamviewer.plist

com.teamviewer.teamviewer_desktop.plist


/Library/LaunchDaemons:

com.adobe.ARMDC.Communicator.plist

com.adobe.ARMDC.SMJobBlessHelper.plist

com.adobe.adobeupdatedaemon.plist

com.intego.commonservices.daemon.integod.plist

com.intego.commonservices.daemon.taskmanager.plist

com.intego.commonservices.icalserver.plist

com.intego.commonservices.metrics.kschecker.plist

com.intego.netbarrier.daemon.logger.plist

com.intego.netbarrier.daemon.monitor.plist

com.intego.netbarrier.daemon.plist

com.intego.netupdate.daemon.plist

com.intego.virusbarrier.daemon.emlparser.plist

com.intego.virusbarrier.daemon.logger.plist

com.intego.virusbarrier.daemon.plist

com.intego.virusbarrier.daemon.scanner.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.oracle.java.JavaUpdateHelper.plist

com.teamviewer.Helper.plist

com.teamviewer.teamviewer_service.plist


/Library/PreferencePanes:

JavaControlPanel.prefPane

Tuxera NTFS.prefPane


/Library/PrivilegedHelperTools:

NetUpdateAgent.app

com.adobe.ARMDC.Communicator

com.adobe.ARMDC.SMJobBlessHelper

com.microsoft.office.licensing.helper

com.oracle.java.JavaUpdateHelper

com.teamviewer.Helper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:

Bentham.otf

Blokletters-Balpen.ttf

Blokletters-Potlood.ttf

Blokletters-Viltstift.ttf

Chomp.ttf

Daniel-Black.otf

Montserrat-Black.otf

Montserrat-Bold.otf

Montserrat-Hairline.otf

Montserrat-Light.otf

Montserrat-Regular.otf

Multicolore.otf

billy.ttf

daniel.ttf

danielbd.ttf

rabiohead.ttf


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

CitrixOnlineWebDeploymentPlugin.plugin

WebEx64.plugin


Library/Keyboard Layouts:


Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pt-dynamic.lm

ru-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.citrixonline.GoToMeeting.G2MUpdate.plist

com.google.keystone.agent.plist


Library/PreferencePanes:


Library/Services:

Josephs-MacBook-Pro:~ verrucktfuchs$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Google Drive, AdobeResourceSynchronizer

Josephs-MacBook-Pro:~ verrucktfuchs$

Sep 26, 2015 4:48 PM in response to meltymax

Linc, can you help me see if the result of your search/scan found anything? Steps 2, 3 and 5 were pretty straightforward, but step 4 was harder, and I do not know what I found...

Step 2:

com.macpaw.CleanMyMac3.Agent

com.oracle.java.JavaUpdateHelper

com.microsoft.office.licensing.helper

com.oracle.java.Helper-Tool

com.adobe.fpsaud


Step 3

com.maintain.PurgeInactiveMemory

com.maintain.SystemEvents

com.valvesoftware.steamclean

com.valvesoftware.steam.ipctool

com.oracle.java.Java-Updater

com.macpaw.cleanmymac3.menu.63364

com.macpaw.CleanMyMac3.Scheduler

com.spotify.client.50300

com.spotify.webhelper

com.getdropbox.dropbox.39508

com.google.keystone.user.agent

com.spigot.ApplicationManager

com.maintain.ShowUserLibraryDirectory


Step 4

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

Python.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Default Browser.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.maintain.LogOut.plist

com.maintain.PurgeInactiveMemory.plist

com.maintain.Restart.plist

com.maintain.ShutDown.plist

com.maintain.Sleep.plist

com.maintain.SystemEvents.plist

com.oracle.java.Java-Updater.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.macpaw.CleanMyMac3.Agent.plist

com.maintain.AutoLoginUserScreenLocked.plist

com.maintain.CocktailScheduler.plist

com.maintain.HideSpotlightMenuBarIcon.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.oracle.java.JavaUpdateHelper.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane


/Library/PrivilegedHelperTools:

com.macpaw.CleanMyMac3.Agent

com.microsoft.office.licensing.helper

com.oracle.java.JavaUpdateHelper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

.DS_Store

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.google.keystone.agent.plist

com.macpaw.CleanMyMac3.Scheduler.plist

com.maintain.ShowUserLibraryDirectory.plist

com.piriform.CCleaner.BrowserMonitor.plist

com.spigot.ApplicationManager.plist

com.spotify.webhelper.plist

com.valvesoftware.steamclean.plist


Library/PreferencePanes:


Library/Services:

.localized



Step 5

Steam, iTunesHelper, Dropbox, CleanMyMac 3 Menu, Spotify
