Detect spyware and determine who is spying on my imac

I might be paranoid -- but need to know at this point if someone very close to me has installed spyware on my mac. I keep finding forums that say to back up files and just restart your system and wipe everything clean, change passwords, etc. But this won't work for me for a couple of reasons: 1) I really need to know if there is someone close to me who has installed this on my computer and would like to find the IP address that the information is headed to. and 2) the person in question still has access to my computer and almost all of my passwords.


Please can we not get into why I think this person is spying, etc. and if anyone knows any way for me to detect spyware and determine where information is being sent that would be the most helpful.


Would greatly appreciate any help here as I am paranoid about even looking up these kinds of things on my home computer (which I am doing now) and my iPhone. (which I also need help with determining if it has spyware on it).


Thanks very much for any help.

iMac, Mac OS X (10.7.5)

Posted on Mar 24, 2013 5:22 AM

96 replies

May 4, 2017 9:38 AM in response to miss.lex1

miss.lex1 wrote:


Hey.. have seen your comments across a few forums and all seem to be amazingly helpful 🙂
I did the procedure on my Mac as am concerned that the contents are being accessed elsewhere.

I have posted the output below if you wouldn't mind having a look over to see if there was anything that shows it might be at risk?

Please read the post immediately above yours by MadMacs0 dated April 25, 2017

May 30, 2017 9:35 PM in response to neuegirl

Last login: Tue May 30 20:35:55 on ttys000

Andrews-MacBook-Pro:~ palazzo_living$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Andrews-MacBook-Pro:~ palazzo_living$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

Sorry, try again.

Password:

Sorry, try again.

Password:

com.google.keystone.daemon

com.smithmicro.netwise.osx.helper

Andrews-MacBook-Pro:~ palazzo_living$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.openssh.ssh-agent

com.google.keystone.system.agent

com.paragon-software.facebook.agent

com.grammarly.DesktopEditor.7280

com.smithmicro.netwise.osx.comcast.7568

Andrews-MacBook-Pro:~ palazzo_living$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Disabled Plug-Ins

Flash Player.plugin

Quartz Composer.webplugin

flashplayer.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.google.keystone.agent.plist

com.paragon-software.facebook.agent.plist


/Library/LaunchDaemons:

com.google.keystone.daemon.plist

com.smithmicro.netwise.osx.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/PrivilegedHelperTools:

com.malwarebytes.HelperTool

com.smithmicro.netwise.osx.helper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleAVCIntraCodec.component

AppleHDVCodec.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

AppleMXFImport.component

AppleProResCodec.component

CFHDCompressor.component

CFHDDecompressor.component

DVCPROHDCodec.component

FCP Uncompressed 422.component

IMXCodec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABCaller.bundle

SkypeABChatter.bundle

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

WebEx64.plugin


Library/Keyboard:

en-dynamic.lm

es-dynamic.lm

fr-dynamic.lm

it-dynamic.lm


Library/Keyboard Layouts:


Library/KeyboardServices:

TextReplacements.db

TextReplacements.db-shm

TextReplacements.db-wal


Library/LanguageModeling:

1007-dynamic.lm

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fi-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pl-dynamic.lm

pt-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

.DS_Store


Library/PreferencePanes:


Library/Services:

Andrews-MacBook-Pro:~ palazzo_living$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

XFINITY WiFi

Andrews-MacBook-Pro:~ palazzo_living$

May 30, 2017 10:05 PM in response to Andrew palazzo

I'm afraid you are in the wrong place to get help with this issue.


Linc no longer participates in the Forum and nobody else knows how to interpret what you have posted.


This discussion is over four years old and I doubt that anybody else is following it any more, so chances of anybody else seeing your posting are close to zero.


If you have reason to suspect that your computer has been illegally compromised then you should stop using it and inform law enforcement before trying to go any further.


Otherwise, your best bet here would be to start a new discussion with a detailed description of your issue and why you believe your computer is compromised.


It doesn't hurt to check to see if anybody else has this problem and to try any recommended solutions, but if that doesn't help it's always best to start a new discussion so that current troubleshooters will notice it and respond quickly. That's just the way this Forum works best for folks.

Jun 4, 2017 2:16 PM in response to JenniferDD

JenniferDD wrote:


Hello,


I am not sure if I have a spyware problem, but a few things have started to pop up on my mac one tried to download a font to my computer. It first started out with popups telling me I need to run a system scan. which I never had before. So I looked up the system scan online and looked in my applications for it and It was just installed by date it reflected I knew I did not install it. So I uninstalled it. Long story short I got a strange message when trying to log into facebook and led me to you. I ran the Terminal as listed and this is what I got. Not sure what any of it means. But do I need to do anything else to protect my computer and my personal data?


Please help!

Neither the original poster nor Linc Davis are going to be able to help you. Please start your own thread. Explain what is happening on your computer that makes you think something might be wrong. Download Etrecheck, run it and paste the results into your post.


https://etrecheck.com/


Best of luck.

Jul 21, 2017 9:42 PM in response to Linc Davis

I believe my wifi continues to be compromised, but if you could let me know if you see any red flags, I'd appreciate it. Remote sharing is of course off, but I am consistently watched or recorded on all my devices no matter where I go.


Many Thanks


$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

com.oracle.oss.mysql.mysqld

com.adobe.fpsaud

green:~ x$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.logmein.GoToMeeting.G2MUpdate

com.openssh.ssh-agent

com.citrixonline.GoToMeeting.G2MUpdate

com.spotify.webhelper

$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

Python.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Disabled Plug-Ins

Flash Player.plugin

Quartz Composer.webplugin

flashplayer.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.oracle.oss.mysql.mysqld.plist


/Library/PreferencePanes:

Flash Player.prefPane

MySQL.prefPane


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

.DS_Store

DISH Anywhere Player.plugin

WebEx64.plugin


Library/Keyboard:

en-dynamic.lm

es-dynamic.lm

fr-dynamic.lm

pt-dynamic.lm


Library/Keyboard Layouts:


Library/KeyboardServices:

TextReplacements.db

TextReplacements.db-shm

TextReplacements.db-wal


Library/LanguageModeling:

245-dynamic.lm

256-dynamic.lm

2441-dynamic.lm

3938-dynamic.lm

5802-dynamic.lm

11626-dynamic.lm

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fi-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pl-dynamic.lm

pt-dynamic.lm

ru-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

com.citrixonline.GoToMeeting.G2MUpdate.plist

com.logmein.GoToMeeting.G2MUpdate.plist

com.spotify.webhelper.plist


Library/PreferencePanes:


Library/Services:

$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Spotify, DISHAnywherePlayer_Launcher

Jul 21, 2017 9:48 PM in response to Linc Davis

I believe my wifi continues to get compromised, but if you could let me know if you see any red flags, I'd appreciate it. Remote sharing is of course off, but I am consistently watched or recorded on all my devices no matter where I go, it's been years & I am not doing or watching anything that would warrant this type of monitoring. It is invasive and creepy and I want to kill myself because these people can hide behind computers, watching your activity and listening to your life, knowing where you and your family are, and you don't know who or why or where.


Many thanks



Jul 21, 2017 10:16 PM in response to eljeg

eljeg wrote:


I believe my wifi continues to get compromised, but if you could let me know if you see any red flags, I'd appreciate it. Remote sharing is of course off, but I am consistently watched or recorded on all my devices no matter where I go, it's been years & I am not doing or watching anything that would warrant this type of monitoring.

Neither the original poster nor Linc Davis are going to be able to help you. Please start your own thread. Explain what is happening on your computer that makes you think something might be wrong. Download Etrecheck, run it and paste the results into your post.


https://etrecheck.com/


Best of luck.

Jul 21, 2017 10:48 PM in response to eljeg

eljeg wrote:


I believe my wifi continues to get compromised, but if you could let me know if you see any red flags, I'd appreciate it.

IdrisSeabright has already given you the correct response, but I'd like to add a couple of things.


Linc no longer participates in this Forum and nobody else is able to interpret his diagnostics well enough to give you a detailed answer. The rule of thumb around here is to read through any discussion that appears to match your circumstances and try any solutions proposed, but if that fails to solve your problem, don't post a "me too". That will almost never give you positive results since hardly anybody will ever see it here, especially in a four plus year old discussion that most are no longer following.


Whoever talked you into installing LogMeIn has a high probability of being the one responsible for the person that is "watching or recording" you. It's fine to use that app with a person you know well and trust, but always remove it after it has served its purpose. Even if that person didn't somehow learn the password, it can most probably be easily hacked.

Mar 24, 2013 5:58 AM in response to neuegirl

for your own sanity - please change your home computer's password and then go to apple and change your apple password. http://support.apple.com/kb/HT5624?viewlocale=en_US and make certain remote login is not on

system preferences - sharing - remote login is off.


but what makes you believe this is occurring ? facts ?


there is also a good article on protecting oneself http://www.reedcorner.net/mmg/

but the most important thing is what is happening

Mar 24, 2013 6:19 AM in response to neuegirl

If this is happening, the most likely possibility is that a keylogger needing physical access to the computer has been installed. Get the free demo of MacScan. It's pretty worthless for any other kind of malware, but it does have a relatively good listing of known keyloggers. A keylogger does just what the name suggests; it logs all your keystrokes.


Of course, it may not show up if it's not in their catalog of keyloggers.


http://macscan.securemac.com/


If a backdoor (an automatic, invisible program set to connect elsewhere) has been installed--and this is doubtful--you might be able to see it happening using Little Snitch, which can check for unauthorized outbound connections. But you'll have a bit of a learning curve in order to use it.


http://www.obdev.at/products/littlesnitch/


Both have free demos.

Mar 24, 2013 6:15 AM in response to neuegirl

the reason for the what is happening question is the fact that by changing your passwords, you may resolve the situation.......but not having an idea of what is making you believe there is spyware eliminates the possibility of giving you a quality answer..... is it text related, email related, facebook related, twitter related, picture related, document related, phone call related... also in the reedcorner you can download sophos free to scan for issues

but more info is needed

Mar 24, 2013 6:23 AM in response to WZZZ

WZZZ


We may be going out of scope and need a little more information. Allow me to explain, we don't know what the indicators or reasons are. Allow me to explain


EG

One person had reported in the past that someone was monitoring them, it turns out that the person had every password user id combination that the individual used and was pulling info that way.


Another person reported, similar issue and it turned out to be a friend sharing information with a person.


the question is what is the reason --- facts

Mar 24, 2013 7:05 AM in response to neuegirl

First thing, turn off remote sharing (system preference, sharing, remote sharing). This means you cannot remote access your mac but no one else can either.


You can also install little snitch and watch if some background process is sending packets out to strange IPs. If the person in question has access to the console, then logging could be local and not IP based. Next time you're on the computer, redirect ps -ax to a file "ps -ax > process.txt" just to capture all processes.


You can study that list or ask questions about it. If something is running in the background locally it will be in the process list.
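
The two captures suggested in the post above (a saved ps -ax list and a look at outbound connections) can be read together. The following is an added example, not part of the original post: it joins saved "ps -ax" and "lsof -i -nP" output by PID so each established TCP connection is shown with its remote address and the full program path. The function name connections_by_process, the file names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. lsof shortens command names, so the
# PID is used to look up the full command line in the ps snapshot.
# On the Mac itself (capture both at the same moment):
#   ps -ax > process.txt; sudo lsof -i -nP > sockets.txt
#   connections_by_process process.txt sockets.txt

# Prints: REMOTE_IP <tab> REMOTE_PORT <tab> PID <tab> full command from ps
connections_by_process() {
    awk '
        FNR == 1 { next }                         # header row of each file
        FILENAME == ARGV[1] {                     # ps -ax: PID TTY TIME CMD
            cmd = $0
            sub(/^ *[0-9]+ +[^ ]+ +[^ ]+ +/, "", cmd)
            path[$1] = cmd
            next
        }
        $8 == "TCP" && $NF == "(ESTABLISHED)" {   # lsof: NAME is local->remote
            if (split($9, ends, "->") != 2) next
            port = ends[2]; sub(/^.*:/, "", port)
            host = ends[2]; sub(/:[0-9]+$/, "", host)
            gsub(/^\[|\]$/, "", host)             # IPv6 is printed as [addr]
            who = ($2 in path) ? path[$2] : $1 " (PID not in ps snapshot)"
            printf "%s\t%s\t%s\t%s\n", host, port, $2, who
        }' "$1" "$2" | sort -u
}

# Constructed sample data (documentation address ranges, made-up PIDs and
# a made-up helper name); not taken from any real machine.
sample_ps() {
    cat <<'EOF'
  PID TTY           TIME CMD
  301 ??         0:01.10 /usr/sbin/sshd -D
  412 ??         0:03.21 /Applications/Spotify.app/Contents/MacOS/Spotify
  598 ??         0:00.42 /Library/PrivilegedHelperTools/com.example.helper --quiet
EOF
}
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      301 root    4u  IPv4 0xa1        0t0  TCP *:22 (LISTEN)
Spotify   412 alex   45u  IPv4 0xa2        0t0  TCP 192.168.1.20:51234->203.0.113.45:443 (ESTABLISHED)
com.examp 598 root    9u  IPv6 0xa3        0t0  TCP [2001:db8::20]:51240->[2001:db8::99]:8443 (ESTABLISHED)
mDNSRespo  77 _mdns   7u  IPv4 0xa4        0t0  UDP *:5353
ExampleAp 640 alex   12u  IPv4 0xa5        0t0  TCP 192.168.1.20:51300->198.51.100.7:443 (ESTABLISHED)
EOF
}

tmp=$(mktemp -d)
sample_ps > "$tmp/process.txt"
sample_lsof > "$tmp/sockets.txt"
connections_by_process "$tmp/process.txt" "$tmp/sockets.txt"
rm -rf "$tmp"
```

A connection whose PID is missing from the ps snapshot is still listed with lsof's short name, so nothing is silently dropped when the two captures are taken a moment apart.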

Mar 24, 2013 7:29 AM in response to ssls6

ssls6


the individual has a person who is close to them has access to all userids/passwords and computer

by turning off remote as we both suggested that will take care of one aspect (remote review) but if it's reading text messages, knowing where the person is, emails and things along those lines it may be self evident to what is occurring. If it's social site information (facebook) self evident too. people at times go to extremes without thinking it through macs are pretty secure and if I have every password I can see a lot of information (as you would agree, I'm sure) there are also products along the lines of http://www.webwatcher.com/webwatcher-mac.html which can really mess with someone. but in having no facts, reasons we can throw a lot of stuff out here and possibly hurt the person with applications or changes we suggest if they are novices

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
