
Detect spyware and determine who is spying on my imac

I might be paranoid -- but need to know at this point if someone very close to me has installed spyware on my mac. I keep finding forums that say to back up files and just restart your system and wipe everything clean, change passwords, etc. But this won't work for me for a couple of reasons: 1) I really need to know if there is someone close to me who has installed this on my computer and would like to find the IP address that the information is headed to. and 2) the person in question still has access to my computer and almost all of my passwords.


Please can we not get into why I think this person is spying, etc. and if anyone knows any way for me to detect spyware and determine where information is being sent that would be the most helpful.


Would greatly appreciate any help here as I am paranoid about even looking up these kinds of things on my home computer (which I am doing now) and my iPhone (which I also need help with determining if it has spyware on it).


Thanks very much for any help.

iMac, Mac OS X (10.7.5)

Posted on Mar 24, 2013 5:22 AM

96 replies

Jul 21, 2017 10:48 PM in response to eljeg

eljeg wrote:


I believe my wifi continues to get compromised, but if you could let me know if you see any red flags, I'd appreciate it.

IdrisSeabright has already given you the correct response, but I'd like to add a couple of things.


Linc no longer participates in this Forum and nobody else is able to interpret his diagnostics well enough to give you a detailed answer. The rule of thumb around here is to read through any discussion that appears to match your circumstances and try any solutions proposed, but if that fails to solve your problem, don't post a "me too". That will almost never give you positive results since hardly anybody will ever see it here, especially in a four plus year old discussion that most are no longer following.


Whoever talked you into installing LogMeIn has a high probability of being the one responsible for the person that is "watching or recording" you. It's fine to use that app with a person you know well and trust, but always remove it after it has served its purpose. Even if that person didn't somehow learn the password, it can most probably be easily hacked.

Nov 14, 2017 12:27 PM in response to Linc Davis

Hello Linc Davis. Can you please please look at my information below and email me at nowforsale@me.com? Thank you very much!


Last login: Tue Nov 14 14:04:55 on ttys001

ME:~ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

ME:~ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

com.adobe.ARMDC.Communicator

com.prey.agent

com.oracle.java.Helper-Tool

com.adobe.fpsaud

com.adobe.ARMDC.SMJobBlessHelper

com.radiosilenceapp.nke.PrivateEye

ME:~ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

ws.agile.1PasswordAgent

com.openssh.ssh-agent

com.getdropbox.dropbox.2608

unknown

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d

com.oracle.java.Java-Updater

com.dropbox.DropboxMacUpdate.agent

ME:~ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext

hp_io_enabler_compound.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Disabled Plug-Ins

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

flashplayer.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist

com.apple.iCloudSync.plist

com.oracle.java.Java-Updater.plist


/Library/LaunchDaemons:

com.adobe.ARMDC.Communicator.plist

com.adobe.ARMDC.SMJobBlessHelper.plist

com.adobe.fpsaud.plist

com.oracle.java.Helper-Tool.plist

com.prey.agent.plist

com.radiosilenceapp.nke.PrivateEye.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane


/Library/PrivilegedHelperTools:

com.adobe.ARMDC.Communicator

com.adobe.ARMDC.SMJobBlessHelper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Script32.osax


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard:

en-dynamic.lm


Library/Keyboard Layouts:


Library/KeyboardServices:

TextReplacements.db

TextReplacements.db-shm

TextReplacements.db-wal


Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fi-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pl-dynamic.lm

pt-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

.DS_Store

com.dropbox.DropboxMacUpdate.agent.plist

ws.agile.1PasswordAgent.plist


Library/PreferencePanes:


Library/Services:

ME:~ $ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Dropbox

Nov 14, 2017 12:57 PM in response to Candicemaries123

Candicemaries123 wrote:


Hello Linc Davis. Can you please please look at my information below and email me at nowforsale@me.com? Thank you very much!



Quoting the post immediately above yours by MadMacs0: Linc no longer participates in the Forum. Nobody but Linc understands how to interpret the output of his diagnostics and when he was here he strenuously objected to anybody else who tried, so you did exactly the right thing by starting a new discussion topic as I may be the only other person still monitoring this 4-1/2 year old discussion.

Nov 30, 2017 1:30 AM in response to Linc Davis

I suspect I have monitoring software on my computer: my output is:


com.dropbox.activityprovider

com.dropbox.foldertagger

com.fitbit.galileod

com.adobe.fpsaud

hayleysleodsmbp:~ mcleod$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

jp.co.canon.cijscannerregister.8480

com.getdropbox.dropbox.34000

com.arcsoft.Daemon.45264

com.epson.ews.launcher

com.divx.update.agent

com.divx.dms.agent

com.Affinegy.InstaLANa

com.dropbox.DropboxMacUpdate.agent

hayleysleodsmbp:~ mcleod$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

EPSONUSBPrintClass.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

ArcCon.framework

ArcSocketLib.framework

AudioMixEngine.framework

BaseFunction.framework

Cocoa2Carbon.framework

DivX Toolkit.framework

DivXInstallerUtilities.framework

EWSMac.framework

MagAppFramework.framework

MagCore.framework

MagImgTlsCtrl.framework

MagPCMac.framework

Maglib5.framework

MediaClub.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

TaskDLL.framework

XSKey.framework

iLifeFaceRecognition.framework

iLifeSQLAccess.framework

iLifeSlideshow.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Default Browser.plugin

Disabled Plug-Ins

DivX Web Player.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

OVSHelper.plugin

Quartz Composer.webplugin

Silverlight.plugin

Unity Web Player.plugin

Unused

VeetleBroadcast-0.9.16

VeetleTVCore-0.9.16

VeetleTVPlayer-0.9.16

flashplayer.xpt

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt

version.txt


/Library/Internet Plug-Ins (Disabled):

Flash Player.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.Affinegy.InstaLANa.plist

com.divx.dms.agent.plist

com.divx.update.agent.plist

com.epson.ews.launcher.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.apple.aelwriter.plist

com.fitbit.galileod.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane

Growl.prefPane

Perian.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

GBQLGenerator.qlgenerator

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AC3MovieImport.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Perian.component


/Library/ScriptingAdditions:


/Library/Spotlight:

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:

HWNetMgr

HWPortDetect


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABCaller.bundle

SkypeABChatter.bundle

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:

waltograph42.otf

waltographUI.ttf


Library/Input Methods:

.localized


Library/Keyboard Layouts:


Library/LaunchAgents:

com.apple.CSConfigDotMacCert-hayleymcleod@me.com-SharedServices.Agent.plist

com.dropbox.DropboxMacUpdate.agent.plist


Library/PreferencePanes:


Library/Services:

ENService.app


Library/Spotlight:

EndNote.mdimporter

hayleysleodsmbp:~ mcleod$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Steam, iTunesHelper, Skype, EndNote X2, GrowlHelperApp, Belkin Router Monitor, Fitbit Connect Menubar Helper, Dropbox, Garmin Express Service, ConnectService

Nov 30, 2017 2:46 AM in response to mcleody

As I keep telling everyone, Linc no longer participates in this Forum and nobody else can interpret his diagnostics. And since very few of us are even monitoring this very old discussion, you need to start a new one and instead of posting all that information nobody wants, give us a detailed explanation of what you are seeing and why you believe monitoring software is involved. Better yet, report it to the local authorities and have a trained forensic technician examine your computer.

Mar 24, 2013 5:58 AM in response to neuegirl

For your own sanity - please change your home computer's password and then go to Apple and change your Apple password. http://support.apple.com/kb/HT5624?viewlocale=en_US and make certain remote login is not on

system preferences - sharing - remote login is off.


But what makes you believe this is occurring? Facts?


There is also a good article on protecting oneself http://www.reedcorner.net/mmg/

but the most important thing is what is happening

Mar 24, 2013 6:19 AM in response to neuegirl

If this is happening, the most likely possibility is that a keylogger needing physical access to the computer has been installed. Get the free demo of MacScan. It's pretty worthless for any other kind of malware, but it does have a relatively good listing of known keyloggers. A keylogger does just what the name suggests; it logs all your keystrokes.


Of course, it may not show up if it's not in their catalog of keyloggers.


http://macscan.securemac.com/


If a backdoor (an automatic, invisible program set to connect elsewhere) has been installed--and this is doubtful--you might be able to see it happening using Little Snitch, which can check for unauthorized outbound connections. But you'll have a bit of a learning curve in order to use it.


http://www.obdev.at/products/littlesnitch/


Both have free demos.

Mar 24, 2013 6:15 AM in response to neuegirl

The reason for the "what is happening" question is the fact that by changing your passwords, you may resolve the situation... but not having an idea of what is making you believe there is spyware eliminates the possibility of giving you a quality answer... Is it text related, email related, Facebook related, Twitter related, picture related, document related, phone call related... Also in the reedcorner you can download Sophos free to scan for issues

but more info is needed

Mar 24, 2013 6:23 AM in response to WZZZ

WZZZ


We may be going out of scope and need a little more information. Allow me to explain, we don't know what the indicators or reasons are. Allow me to explain


EG

One person had reported in the past that someone was monitoring them, it turns out that the person had every password user id combination that the individual used and was pulling info that way.


Another person reported a similar issue and it turned out to be a friend sharing information with a person.


the question is what is the reason --- facts

Mar 24, 2013 7:05 AM in response to neuegirl

First thing, turn off remote sharing (system preference, sharing, remote sharing). This means you cannot remote access your mac but no one else can either.


You can also install little snitch and watch if some background process is sending packets out to strange IPs. If the person in question has access to the console, then logging could be local and not IP based. Next time you're on the computer, redirect ps -ax to a file "ps -ax > process.txt" just to capture all processes.


You can study that list or ask questions about it. If something is running in the background locally it will be in the process list.

Mar 24, 2013 7:29 AM in response to ssls6

ssls6


the individual has a person who is close to them has access to all userids/passwords and computer

By turning off remote as we both suggested that will take care of one aspect (remote review) but if it's reading text messages, knowing where the person is, emails and things along those lines it may be self evident to what is occurring. If it's social site information (Facebook) self evident too. People at times go to extremes without thinking it through. Macs are pretty secure and if I have every password I can see a lot of information (as you would agree, I'm sure). There are also products along the lines of http://www.webwatcher.com/webwatcher-mac.html which can really mess with someone. But in having no facts, reasons we can throw a lot of stuff out here and possibly hurt the person with applications or changes we suggest if they are novices

Mar 24, 2013 7:30 AM in response to neuegirl

Apple does have a service called the Genius Bar. Those folk are Apple employees, and their services are free. They deal with any and all Mac problems. You could take your iMac to an Apple store and have a "genius" look at it. You do have to make an appointment. In my opinion this is the safest way to deal with this problem, safe both for you and for your computer.

Mar 24, 2013 8:45 AM in response to neuegirl

Please read this whole message before doing anything.

This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Triple-click the line of text below to select it:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). Post the lines of output (if any) that appear below what you just entered. You can do that by copying and pasting as well. Omit the final line ending in “$”. No typing is involved in this step.

Step 2


Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time you'll be prompted for your login password, which you do have to type. It won't be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output.


You can then quit Terminal.
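An added example, not part of the original post or of the author's procedure: the awk filters in Steps 2 and 3 hide every job whose label contains `com.apple`, so a reviewer should also read the Step 4 listing for Apple-prefixed plists sitting in a launch directory outside `/System`. The sample data and the function names below are constructed for illustration, and the script assumes a plist's file name mirrors its job label, which is the usual convention but not a guarantee.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# Constructed `launchctl list` output (columns: PID, Status, Label).
sample_launchctl() {
cat <<'EOF'
PID	Status	Label
-	0	com.apple.Finder
312	0	com.example.updater
-	0	com.apple.helper.example
-	0	0x7f8a1b.anonymous.sh
EOF
}

# Constructed Step 4-style listing: a "dir:" header, then its entries.
sample_listing() {
cat <<'EOF'
/Library/LaunchAgents:
com.example.updater.plist

/Library/LaunchDaemons:
com.apple.helper.example.plist

/Library/QuickLook:
iWork.qlgenerator
EOF
}

# Step 3's filter, unchanged: drop the header row, then hide anonymous
# jobs and any label matching the Apple/MIT/X/OpenBSD prefixes.
visible_labels() {
  sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
}

# From a Step 4 listing, report com.apple.* plists found in a
# LaunchAgents/LaunchDaemons directory that is not under /System.
# The label filter above never shows the jobs these files define.
hidden_by_prefix() {
  awk '
    /:$/ { dir = substr($0, 1, length($0) - 1); next }
    dir ~ /Launch(Agents|Daemons)$/ && index(dir, "/System/") != 1 && /^com\.apple\..*\.plist$/ {
      print dir "/" $0
    }'
}

echo "Labels shown by the Step 3 filter:"
sample_launchctl | visible_labels
echo "Apple-prefixed plists outside /System (inspect by hand):"
sample_listing | hidden_by_prefix
```

A hit from `hidden_by_prefix` is a prompt to open the plist and see which program it launches, not proof of tampering, since some Apple-supplied software also installs into `/Library`.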
