Previous 1 2 3 Next 113 Replies Latest reply: Sep 26, 2015 4:48 PM by Veby7
meltymax Level 1 (0 points)

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my macbook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confidant that I something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed macscan and completed a scan and it came up with nothing... I am not being paranoid my ex has basically confirmed my suspicions.




Screen shot 2012-08-26 at 7.33.36 PM.png

MacBook Pro, Mac OS X (10.6.8)
  • Linc Davis Level 10 (184,770 points)

    Please read this whole message before doing anything.


    The following procedure will help whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


    These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


    Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


    Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.


    Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


    Launch the Terminal application in any of the following ways:


    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


    ☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.


    When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


    Step 1


    Copy or drag — do not type — the line below into the Terminal window, then press return:


    kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


    Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.


    Step 2


    Repeat with this line:


    sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


    This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.


    Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


    Step 3


    launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


    Step 4


    ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


    Important: If you formerly synchronized with a MobileMe account, your email address may appear in the output of the above command. If so, anonymize it before posting.


    Step 5


    osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


    Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.


    You can then quit Terminal.

  • rrahimi Level 3 (615 points)

    If you end up discovering something, you should inform law enforcement and contact your lawyer. Any form of Wiretapping without consent is a crime and in some jurisdictions can carry very long sentences.


    Also, use a different safe computer to reset:


    - Your online banking and other financial information passwords, security questions/answers, etc.

    - Your email passwords and security information

    - Other similar senstitive information that might have been compromised

  • meltymax Level 1 (0 points)

    That is great information and great step by step instructions thank you, although can you explain what this is doing? If I complete those steps will I know if I had spyware or keyloggers on my mac? What exactly is this process doing? My apologies I am a day to day user,  and not very skilled with all of the background stuff that makes the computer run... I appreciate your response. Thank you.

  • meltymax Level 1 (0 points)

    Output after step 1:

    com.spsys.driver.ENKEDriver (1)

    com.spsys.driver.EIOKitDriver (1.0.1)


    Output after step 2:




    Output after step 3:



    Output after step 4:


















    /Library/Input Methods:



    /Library/Internet Plug-Ins:

    EPPEX Plugin.plugin

    Flash Player.plugin


    Quartz Composer.webplugin

    QuickTime Plugin.plugin







    /Library/Keyboard Layouts:













    Flash Player.prefPane




















    Microsoft Office.mdimporter

















    Library/Address Book Plug-Ins:






    Library/Input Methods:




    Library/Internet Plug-Ins:



    Library/Keyboard Layouts:










    Output after step 5:

    iTunesHelper, 3G Watcher



    That is all of the output that I received. Hopefully there is some useful information here?


    <E-mail Edited by Host>

  • rrahimi Level 3 (615 points)

    I'll chip in. From your results:




    It's Spector Pro, monitoring software:



    SPECTOR PRO has deservedly earned its reputation as not only the most trusted monitoring software in the world, but as also the most feature-rich, while being easy and intuitive... even for beginners!


    Capture Keystrokes Typed
    Keystrokes Typed
    Capture every single Keystroke they type including passwords
    Capture Chats and IM's
    Capture & review all Chats and Instant Messages — both sides!
    Read every Email Sent & Received — including web-based emails
    Capture Web Sites Visited
    Web Sites Visited
    Review every Web Site they visit and see what they do while on them
    Capture Facebook + Social Networks
    See everything they do on Facebook + Social Networks (including all the profiles they visit and pictures they post)
    Remote Viewer
    Remote Viewer
    Remotely review your recordings from another PC or Mac
    Capture Searches
    Online Searches
    Quickly find what they are searching for on Google,Yahoo, AOL, Bing ...
    Capture Program Activity
    Program Activity
    See every program they run, including games and iTunes
    Capture Keyword Activity
    Keyword Alerts
    Even be notified when they use inappropriate language or visit sites you deem harmful
    Website Blocking
    Website Blocking
    Block them from visiting any web site or chatting with anyone you want
    Screen Snapshot
    Video-Style Playback!
    And, best of all, with the world's best Screen Snapshot Surveillance recorder, you can see EVERYTHING they do, in the EXACT order they do it, Step-by-Step.
  • clintonfrombirmingham Level 7 (29,995 points)

    There should be a law banning software like that - I'm sure that they fly under the parental control radar, but still...


    Good find - I hope that the OP doesn't have to buy the software to uninstall it.



  • meltymax Level 1 (0 points)

    Wow, ok thank you very much. Any ideas how to get rid of it?

  • Linc Davis Level 10 (184,770 points)

    Don't get rid of it at all until you have consulted a lawyer and/or informed the police. Your computer may be evidence of a crime or an actionable wrong.


    When the time comes to remove it, you'll do so by backing up your data, erasing the boot volume, and restoring only your documents and settings. All your third-party software will have to be reinstalled from fresh copies.

  • rrahimi Level 3 (615 points)

    I would say deleting the .plist file to at least prevent the agent from running but I suspect it will recreate it. I don't have experience with Keylogging software on Mac but on Windows they can be extremely hard to remove.


    Since you are a regular user and not very technically savvy, I would recommend backing up your photos, videos, documents and other things you require and then wiping the disk clean and reinstalling OS X.


    You don't know what other malicious software is installed on this machine. Better have a clean one.


    Important Edit: As Linc says, Lawyer up!


    Most important edit: I hope you're not doing all of this typing on the same machine.

  • rrahimi Level 3 (615 points)

    Yeah, as usual these things can be used for good or bad.


    Parents, Security sensitive corporate environments, Gov agencies, Law enforcement...


    If the guy is caught he's gonna be in loads of trouble. He probably bought this on Credit Card so should be pretty **** easy to trace back.

  • clintonfrombirmingham Level 7 (29,995 points)

    Linc offered some good advice - I would call the police immediately. They should be able to make a case against the jerk. I'd go to the police first -- even before contacting a lawyer.



  • meltymax Level 1 (0 points)

    Thank you guys for your expertise. I am relieved that I know for certain now. All of your help has been great.

  • meltymax Level 1 (0 points)

    Hey guys,

    I have been in contact with Spector, and they have assured me that the eblaster software has now been disabled. They were unable to disclose any information about the person who installed it, in which I am confidant I know, although would like solid evidance. They informed me they need a court-order to disclose that information. I was wondering if any of you knew any code as provided by Linc to type into the terminal in which would provide me with the email address that was used to send the eblaster reports to? This may be a shot in the dark, although worth asking. Thank you again for your help previously, I finally have a piece of mind.


    Thank you.

  • Linc Davis Level 10 (184,770 points)

    That should be determined by a qualified forensic investigator, not by random strangers on a public message board. This is a serious matter.

Previous 1 2 3 Next