Detect spyware and determine who is spying on my imac

I might be paranoid, but I need to know at this point whether someone very close to me has installed spyware on my Mac. I keep finding forums that say to back up files, restart your system and wipe everything clean, change passwords, etc. But this won't work for me for a couple of reasons: 1) I really need to know if there is someone close to me who has installed this on my computer, and I would like to find the IP address that the information is headed to; and 2) the person in question still has access to my computer and almost all of my passwords.


Please can we not get into why I think this person is spying, etc. If anyone knows any way for me to detect spyware and determine where information is being sent, that would be the most helpful.


Would greatly appreciate any help here, as I am paranoid about even looking up these kinds of things on my home computer (which I am doing now) and my iPhone (which I also need help with, to determine if it has spyware on it).


Thanks very much for any help.

iMac, Mac OS X (10.7.5)

Posted on Mar 24, 2013 5:22 AM

96 replies

Mar 24, 2013 7:30 AM in response to neuegirl

Apple does have a service called the Genius Bar. Those folk are Apple employees, and their services are free. They deal with any and all Mac problems. You could take your iMac to an Apple store and have a "genius" look at it. You do have to make an appointment. In my opinion this is the safest way to deal with this problem, safe both for you and for your computer.

Mar 24, 2013 8:45 AM in response to neuegirl

Please read this whole message before doing anything.

This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Triple-click the line of text below to select it:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). Post the lines of output (if any) that appear below what you just entered. You can do that by copying and pasting as well. Omit the final line ending in “$”. No typing is involved in this step.

Step 2


Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time you'll be prompted for your login password, which you do have to type. It won't be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output.


You can then quit Terminal.
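The five steps above produce raw listings that the reader still has to interpret. As an added example (not part of the post or its author's procedure), the Python script below automates the interpretation of two of them: it applies the same exclusion pattern as the Step 2 `awk` command to saved `launchctl list` output, and it opens a LaunchAgent/LaunchDaemon plist of the kind Step 4 lists to show what the job actually runs and when. It assumes the `launchctl list` output has been saved to a file (or is pasted in) and that the plists are readable; the `launchctl` listing, the plist, the `com.example.updater` job and the path heuristics are all constructed for the example. One caveat it makes visible: the Step 2/3 filter drops every label matching `com.apple`, so a job that merely names itself that way would never appear in those steps, which is why Step 4 lists the launchd directories unfiltered and why the plist check below flags an Apple-style label that points at a program outside Apple's directories.

```python
"""Added triage helper for the Step 2/3 and Step 4 output above.

Not part of the original post.  Assumptions: `launchctl list` output has
been saved to a text file (or pasted in), and the LaunchAgent/LaunchDaemon
plists found in Step 4 are readable.  All sample data below is constructed.
"""
import plistlib
import re
import sys

# The same exclusion pattern the Step 2 awk command uses: anything matching
# it is treated as Apple/system and dropped from the listing.
SYSTEM_LABEL = re.compile(
    r"0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)"
)

# Places a legitimate persistent job rarely runs from (constructed heuristic).
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Where Apple's own launchd programs normally live (constructed heuristic).
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Constructed `launchctl list` output (PID, Status, Label; '-' = not running).
SAMPLE_LAUNCHCTL = """PID\tStatus\tLabel
-\t0\tcom.apple.SafariBookmarksSyncer
412\t0\tcom.wacom.wacomtablet
-\t0\t0x7fd8a1c0a5e0.anonymous.mdworker
-\t0\tcom.adobe.AAM.Scheduler-1.0
-\t0\tcom.example.updater
"""

# Constructed LaunchAgent plist for a job that deserves a second look.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.cache/updater</string>
    <string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def third_party_jobs(launchctl_output):
    """Reproduce `sed 1d | awk '!/.../{print $3}'` on `launchctl list` output."""
    labels = []
    for line in launchctl_output.splitlines()[1:]:       # sed 1d: drop header
        if not line.strip() or SYSTEM_LABEL.search(line):
            continue
        fields = line.split()
        if len(fields) >= 3:
            labels.append(fields[2])                      # $3 is the Label
    return labels


def describe_job(plist_bytes):
    """Summarise what a launchd job plist actually runs, and flag oddities.

    The flags are review hints, not a verdict: a job that runs from a temp
    or hidden directory, or carries an Apple-style label while pointing at
    a program outside Apple's directories, is worth opening by hand.
    """
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    flags = []
    if program.startswith(SUSPECT_PREFIXES):
        flags.append("program in temp/shared directory")
    if "/." in program:
        flags.append("program in hidden directory")
    label = job.get("Label", "")
    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        flags.append("Apple-style label but program outside Apple directories")
    return {
        "label": label,
        "program": program,
        "arguments": args[1:],
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
        "flags": flags,
    }


if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise treat
    # argv[1] as saved `launchctl list` output and the rest as plist paths.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LAUNCHCTL
    print("third-party jobs:", *third_party_jobs(listing), sep="\n  ")
    plists = [open(p, "rb").read() for p in sys.argv[2:]] or [SAMPLE_PLIST]
    for blob in plists:
        info = describe_job(blob)
        print(f"\n{info['label']}: runs {info['program']} {' '.join(info['arguments'])}")
        print(f"  RunAtLoad={info['run_at_load']} KeepAlive={info['keep_alive']}")
        for flag in info["flags"]:
            print("  !", flag)
```

Run it as `python3 triage.py listing.txt /Library/LaunchAgents/*.plist ~/Library/LaunchAgents/*.plist` after saving `launchctl list` output to `listing.txt`; with no arguments it runs on the constructed samples. The flags only say where to look next; a job that runs from a hidden directory with `KeepAlive` set is exactly the kind of entry to open and read rather than to trust on the strength of its label.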

Mar 25, 2013 7:44 AM in response to Linc Davis

Thanks Linc -- This is what I got:


Last login: Sat Sep 29 09:27:03 on ttys001

Last login: Sun Mar 24 09:27:46 on console

ool-182fabae:~ Amanda$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

ool-182fabae:~ Amanda$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:


ool-182fabae:~ Amanda$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

ool-182fabae:~ Amanda$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

com.adobe.versioncueCS4

com.adobe.versioncueCS3

com.adobe.SwitchBoard

com.adobe.fpsaud

ool-182fabae:~ Amanda$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.wacom.wacomtablet

com.adobe.CS5ServiceManager

com.adobe.CS4ServiceManager

com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9

com.adobe.AAM.Scheduler-1.0

ool-182fabae:~ Amanda$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

HPDeviceModel.framework

HPPml.framework

HPServicesInterface.framework

HPSmartPrint.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

Disabled Plug-Ins

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

WacomNetscape.plugin

WacomSafari.plugin

flashplayer.xpt

iPhotoPhotocast.plugin

npContributeMac.bundle

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.CS4ServiceManager.plist

com.adobe.CS5ServiceManager.plist

com.wacom.wacomtablet.plist


/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.adobe.versioncueCS3.plist

com.adobe.versioncueCS4.plist

com.apple.remotepairtool.plist


/Library/PreferencePanes:

Flash Player.prefPane

Growl.prefPane

HP Scanners.prefPane

VersionCueCS3.prefPane

VersionCueCS4.prefPane

WacomTablet.prefPane


/Library/PrivilegedHelperTools:


/Library/QuickLook:

GBQLGenerator.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

SoundboothScoreCodec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

Mar 25, 2013 7:57 AM in response to neuegirl

You didn't post all the output from step 4, and you skipped step 5, but going by the information provided, I can say that no commercial software keylogger is installed. I can't rule out a more sophisticated attack by a forensic expert. If the person whom you suspect of spying on you is not an expert, he'd need a lot of help to carry out such an attack. There are also hardware keyloggers that don't involve software at all. They would look like a USB cable or connector, or they might be inside the computer enclosure.

Keep in mind also that there are other ways a motivated attacker could spy on you, for example by planting listening devices in your home or your car. If you have good reason to believe that you're the object of illegal surveillance, then you need the advice of a lawyer, not of strangers on a message board.

Mar 25, 2013 7:46 PM in response to Linc Davis

Oops; I omitted the last part of the steps because I thought the end was just fonts; I didn't realize there was info past them. Below is the whole thing.


But, just out of curiosity: one of the reasons I began to have suspicions about this in the first place was that the person in question placed a USB in my computer and my iMac instantly and completely crashed in a very odd way. I don't recall exactly what it did, but it was enough that it got my attention and seemed really peculiar. It almost did feel for a minute like someone else had control over my computer. Especially when it did finally restart... it acted very strange; it auto-opened some very personal documents. It was very strange. My iMac always worked just fine before that incident. And since then my computer has been glitchy; the weirdest is that I get weird rainbow stripes across my screen sometimes. What would I need to look for if something happened when he inserted the USB? Or does it have to be a device that is actually plugged into a USB hub?


Thanks very much for your continued help...


No results from Step 1...

Here are the rest:


com.adobe.versioncueCS4

com.adobe.versioncueCS3

com.adobe.SwitchBoard

com.adobe.fpsaud

ool-182fabae:~ Amanda$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.wacom.wacomtablet

com.adobe.CS5ServiceManager

com.adobe.CS4ServiceManager

com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9

com.adobe.AAM.Scheduler-1.0

ool-182fabae:~ Amanda$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle



/Library/Components:



/Library/Extensions:



/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

HPDeviceModel.framework

HPPml.framework

HPServicesInterface.framework

HPSmartPrint.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

Disabled Plug-Ins

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

WacomNetscape.plugin

WacomSafari.plugin

flashplayer.xpt

iPhotoPhotocast.plugin

npContributeMac.bundle

nsIQTScriptablePlugin.xpt



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.CS4ServiceManager.plist

com.adobe.CS5ServiceManager.plist

com.wacom.wacomtablet.plist



/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.adobe.versioncueCS3.plist

com.adobe.versioncueCS4.plist

com.apple.remotepairtool.plist



/Library/PreferencePanes:

Flash Player.prefPane

Growl.prefPane

HP Scanners.prefPane

VersionCueCS3.prefPane

VersionCueCS4.prefPane

WacomTablet.prefPane



/Library/PrivilegedHelperTools:



/Library/QuickLook:

GBQLGenerator.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

SoundboothScoreCodec.component



/Library/ScriptingAdditions:

Adobe Unit Types.osax



/Library/Spotlight:

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:



Library/Fonts:

Adobe Kabel

AkzidGroBla

AkzidGroBol

AkzidGroLig

AkzidGroRom

AkzidenzGrotesk-Black.t1

AkzidenzGrotesk-Bold.t1

AkzidenzGrotesk-Light.t1

AkzidenzGrotesk-Roman.t1

AmericanTypewriter.dfont

AveniBla

AveniBlaObl

AveniBoo

AveniBooObl

AveniHea

AveniHeaObl

AveniLig

AveniLigObl

AveniMed

AveniMedObl

AveniObl

AveniRom

Avenir

Avenir.t1

BLANCH_CAPS.otf

BLANCH_CAPS_INLINE.otf

BLANCH_CAPS_LIGHT.otf

BLANCH_CONDENSED.otf

BLANCH_CONDENSED_INLINE.otf

BLANCH_CONDENSED_LIGHT.otf

BaskeBEIta

BaskeBEMed

BaskeBEMedIta

BaskeBEReg

BaskervilleBE-Italic

BaskervilleBE-Medium

BaskervilleBE-MediumItalic

BaskervilleBE-Regular

CaeciliaLTStd-Bold.otf

CaeciliaLTStd-BoldItalic.otf

CaeciliaLTStd-Heavy.otf

CaeciliaLTStd-HeavyItalic.otf

CaeciliaLTStd-Italic.otf

CaeciliaLTStd-Light.otf

CaeciliaLTStd-LightItalic.otf

CaeciliaLTStd-Roman.otf

Cubano-Regular.otf

DIN-Black

DIN-Bold

DIN-Light

DIN-Medium

DIN-Regular

DINBla

DINBol

DINConReg

DINCond-Regular

DINLig

DINMed

DINNeuGroLig

DINNeuzeitGrotesk-Light

DINReg

Duke Fill.otf

Duke Shadow.otf

Duke.otf

Edmondsans-Bold.otf

Edmondsans-Medium.otf

Edmondsans-Regular.otf

Futur

FuturBTBol

FuturBTBolCon

FuturBTBolConIta

FuturBTBolIta

FuturBTBoo

FuturBTBooIta

FuturBTExtBla

FuturBTExtBlaCon

FuturBTExtBlaConIta

FuturBTExtBlaIta

FuturBTHea

FuturBTHeaIta

FuturBTLig

FuturBTLigCon

FuturBTLigIta

FuturBTMed

FuturBTMedCon

FuturBTMedIta

FuturBol

FuturBolObl

FuturBoo

FuturBooObl

FuturCon

FuturConBol

FuturConBolObl

FuturConExtBol

FuturConExtBolObl

FuturConLig

FuturConLigObl

FuturConObl

FuturExtBol

FuturExtBolObl

FuturHea

FuturHeaObl

FuturLig

FuturLigObl

FuturObl

Futura-Bold.t1

Futura-BoldOblique.t1

Futura-Book.t1

Futura-BookOblique.t1

Futura-CondExtraBoldObl.t1

Futura-Condensed.t1

Futura-CondensedBold.t1

Futura-CondensedBoldOblique.t1

Futura-CondensedExtraBold.t1

Futura-CondensedLight.t1

Futura-CondensedLightOblique.t1

Futura-CondensedOblique.t1

Futura-ExtraBold.t1

Futura-ExtraBoldOblique.t1

Futura-Heavy.t1

Futura-HeavyOblique.t1

Futura-Light.t1

Futura-LightOblique.t1

Futura-Oblique.t1

Futura.t1

FuturaBT-Bold.t1

FuturaBT-BoldCondensed.t1

FuturaBT-BoldCondensedItalic.t1

FuturaBT-BoldItalic.t1

FuturaBT-Book.t1

FuturaBT-BookItalic.t1

FuturaBT-ExtraBlack.t1

FuturaBT-ExtraBlackCondItalic.t1

FuturaBT-ExtraBlackCondensed.t1

FuturaBT-ExtraBlackItalic.t1

FuturaBT-Heavy.t1

FuturaBT-HeavyItalic.t1

FuturaBT-Light.t1

FuturaBT-LightCondensed.t1

FuturaBT-LightItalic.t1

FuturaBT-Medium.t1

FuturaBT-MediumCondensed.t1

FuturaBT-MediumItalic.t1

FuturaVitra-Bold.otf

FuturaVitra-Light.otf

FuturaVitra-Medium.otf

GoodFoot.ttf

Gotham-Bold.otf

Gotham-Book.otf

Gotham-BookItalic.otf

Gotham-Light.otf

Gotham-Medium.otf

Gotham-MediumItalic.otf

Gotham-Thin.otf

JohnsITCBolSC

JohnsITCMedSC

JohnstonITC-BoldSC

JohnstonITC-MediumSC

JohnstonITCStd-Bold.otf

JohnstonITCStd-Light.otf

KabelBla

KabelBoo

KabelHea

KabelLig

Liberator.otf

Liberator.ttf

MemphBol

MemphBolIta

MemphExtBol

MemphLigIta

MemphMedIta

Memphis-Bold

Memphis-BoldItalic

Memphis-ExtraBold

Memphis-LightItalic

Memphis-MediumItalic

MrsEavAllPetCap

MrsEavAllSmaCap

MrsEavBol

MrsEavFra

MrsEavIta

MrsEavPetCap

MrsEavRom

MrsEavRomLin

MrsEavSmaCap

MrsEavesAllPetiteCaps

MrsEavesAllSmallCaps

MrsEavesBold

MrsEavesBold.t1

MrsEavesFractions

MrsEavesFractions.t1

MrsEavesItalic

MrsEavesItalic.t1

MrsEavesPetiteCaps

MrsEavesPetiteCaps.t1

MrsEavesRoman

MrsEavesRoman.t1

MrsEavesRomanLining

MrsEavesSmallCaps

MrsEavesSmallCaps.t1

Muncie.ttf

NixieOne.otf

NixieOne.ttf

P22JohUndBol

P22JohUndExt

P22JohUndReg

P22JohnstonUnderground-Bold.bmap

P22JohnstonUnderground-Extras.bmap

P22JohnstonUnderground-Regular.bmap

P22Underground-BkP.otf

P22Underground-BkS.otf

P22Underground-Book.otf

P22Underground-Demi.otf

P22Underground-DmP.otf

P22Underground-DmS.otf

P22Underground-Heavy.otf

P22Underground-HvP.otf

P22Underground-HvS.otf

P22Underground-Light.otf

P22Underground-LtP.otf

P22Underground-LtS.otf

P22Underground-Medium.otf

P22Underground-PCp.otf

P22Underground-SCp.otf

P22Underground-ThP.otf

P22Underground-ThS.otf

P22Underground-Thin.otf

P22UndergroundCE-Medium.otf

P22UndergroundCY-BkP.otf

P22UndergroundCY-BkS.otf

P22UndergroundCY-Book.otf

P22UndergroundCY-Demi.otf

P22UndergroundCY-DmP.otf

P22UndergroundCY-DmS.otf

P22UndergroundCY-Heavy.otf

P22UndergroundCY-HvP.otf

P22UndergroundCY-HvS.otf

P22UndergroundCY-Light.otf

P22UndergroundCY-LtP.otf

P22UndergroundCY-LtS.otf

P22UndergroundCY-Medium.otf

P22UndergroundCY-PCp.otf

P22UndergroundCY-SCp.otf

P22UndergroundCY-ThP.otf

P22UndergroundCY-ThS.otf

P22UndergroundCY-Thin.otf

P22UndergroundCYPro-Book.otf

P22UndergroundCYPro-Demi.otf

P22UndergroundCYPro-Heavy.otf

P22UndergroundCYPro-Light.otf

P22UndergroundCYPro-Medium.otf

P22UndergroundCYPro-Thin.otf

P22UndergroundGR-BkP.otf

P22UndergroundGR-BkS.otf

P22UndergroundGR-Book.otf

P22UndergroundGR-Demi.otf

P22UndergroundGR-DmP.otf

P22UndergroundGR-DmS.otf

P22UndergroundGR-Heavy.otf

P22UndergroundGR-HvP.otf

P22UndergroundGR-HvS.otf

P22UndergroundGR-Light.otf

P22UndergroundGR-LtP.otf

P22UndergroundGR-LtS.otf

P22UndergroundGR-Medium.otf

P22UndergroundGR-PCp.otf

P22UndergroundGR-SCp.otf

P22UndergroundGR-ThP.otf

P22UndergroundGR-ThS.otf

P22UndergroundGR-Thin.otf

P22UndergroundGRPro-Book.otf

P22UndergroundGRPro-Demi.otf

P22UndergroundGRPro-Heavy.otf

P22UndergroundGRPro-Light.otf

P22UndergroundGRPro-Medium.otf

P22UndergroundGRPro-Thin.otf

P22UndergroundPro-Book.otf

P22UndergroundPro-Demi.otf

P22UndergroundPro-Heavy.otf

P22UndergroundPro-Light.otf

P22UndergroundPro-Medium.otf

P22UndergroundPro-Thin.otf

P22UndergroundTitling-A.otf

P22UndergroundTitling-B.otf

P22UndergroundTitling-C.otf

P22UndergroundTitlingPro.otf

Pigeon.otf

SignPainter-HouseScript.otf

Sullivan-Bevel.otf

Sullivan-Fill.otf

Sullivan-Regular.otf

TTSlu.otf

TTSluBol.otf

VitraGrouch.otf

Wingdings.ttf

interstate-black.ttf



Library/Input Methods:

.localized



Library/Internet Plug-Ins:

BrowserPlus_2.4.21.plugin



Library/Keyboard Layouts:



Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist

SharedServices.Agent.plist

com.apple.SafariBookmarksSyncer.plist



Library/PreferencePanes:

AppTrap.prefPane

BrowserPlusPrefs.prefPane

ool-182fabae:~ Amanda$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Dropbox, HP Scanjet Manager, HP Scheduler

ool-182fabae:~ Amanda$

Mar 26, 2013 3:58 AM in response to neuegirl

May be useless, but try running MacScan demo, linked above. It's the only A-V, at least that I know of, that has keyloggers in its catalog. Might have been nothing, but I don't like the sound of whatever it was that happened when that USB device was connected.


the weirdest is that I get weird rainbow stripes across my screen sometimes.

That can be a hardware issue with the graphics card.


If you are really still concerned, the safest thing you can do is completely wipe the drive and reinstall everything from scratch.


... erase the hard drive completely, reinstall the system and any apps from scratch, and then restore your documents (and only documents, no settings files, applications or other such things!) from a backup.

Make sure you have everything in Sharing turned off, and if you are using Wi-Fi, make sure the encryption is at least WPA (WPA2 is better), secured with a very long, random, all-over-the-keyboard password. Turn the router firewall on, if it isn't already.

Jun 24, 2013 11:07 PM in response to Linc Davis

Do you mind taking a look at my report out? My wife clicked on a link in an email the other day. Her sister said she received the same email and the person hacked their banking information. I ran ClamXav and found 3 corrupt files, which I deleted. Ran again with no results. Any feedback would be appreciated.



Last login: Wed May 1 19:06:26 on console

Jeremy-Myrlands-iMac-4:~ calicocali$

Jeremy-Myrlands-iMac-4:~ calicocali$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Jeremy-Myrlands-iMac-4:~ calicocali$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'



WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.



To proceed, enter your password, or type Ctrl-C to abort.



Password:

com.agilebits.onepassword-osx-thumbs

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.adobe.fpsaud

Jeremy-Myrlands-iMac-4:~ calicocali$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.spotify.webhelper

com.agilebits.onepassword-osx-helper

com.google.keystone.system.agent

ws.agile.1PasswordAgent

Jeremy-Myrlands-iMac-4:~ calicocali$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:



/Library/Extensions:



/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

.DS_Store

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

GarminGpsControl.plugin

JavaAppletPlugin.plugin

OfficeLiveBrowserPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

huludesktop.webplugin

iPhotoPhotocast.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.google.keystone.agent.plist



/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist



/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane



/Library/PrivilegedHelperTools:

Google Drive Icon Helper

com.microsoft.office.licensing.helper



/Library/QuickLook:

GBQLGenerator.qlgenerator

iBooksAuthor.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component



/Library/ScriptingAdditions:



/Library/Spotlight:

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Plug-Ins:

WebEx.plugin

WebEx64.plugin



Library/Keyboard Layouts:



Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.ABExchangeSource.90593927-3EC2-48D1-A106-F4E56D578C71.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.9BF0ACAA-5C49-4F7F-B93B-8B8EADC7DEC1.plist

com.apple.CSConfigDotMacCert-jeremymyrland@me.com-SharedServices.Agent.plist

com.apple.FolderActions.enabled.plist

com.apple.FolderActions.folders.plist

com.apple.MobileMeSyncClientAgent.plist

com.apple.SafariBookmarksSyncer.plist

com.spotify.webhelper.plist

ws.agile.1PasswordAgent.plist



Library/PreferencePanes:

MusicManager.prefPane



Library/ScriptingAdditions:

Jeremy-Myrlands-iMac-4:~ calicocali$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Music Manager, iTunesHelper, Solar Service, BetterSnapTool, Google Drive, Nike+ Connect Helper, Dropbox, Spotify

Jeremy-Myrlands-iMac-4:~ calicocali$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Jun 25, 2013 1:05 AM in response to jpmyrland

jpmyrland wrote:


My wife clicked on a link in an email the other day. Her sister said she received the same email and the person hacked their banking information.

There is no way that simply clicking on a link could have caused anything to have happened to your computer. If your sister-in-law was hacked, it's almost certainly because she went to a phishing site and entered privacy information about her banking account, or she is on a Windows computer.

I ran ClamXav and found 3 corrupt files I deleted.

It might help to know what it found. The information will still be contained in the scan logs, but again, that e-mail could not have been responsible for anything more than a phishing expedition.

Dec 19, 2013 8:58 AM in response to Linc Davis

Hi Linc Davis,

I have the same problem: I suspect that some spy software, keystroke logger or similar software is spying on me and sending out information about what I am doing. I have been using Little Snitch in demo mode for a few hours and I can't see anything strange, apparently. Is it possible that a hidden process creates a file (for example with the keystroke history) and then sends it occasionally?

I ran the test you suggested to neuegirl. Below is the output.

I can't see anything strange, but I would like to have your opinion.

Thanks in advance for any answer.

Flavio.


Step 1. --------------------------------------------------------------------------


Alcyone:~ flavio$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

at.obdev.nke.LittleSnitch (4052)

net.kromtech.kext.Firewall (2.3.5)

Alcyone:~ flavio$


Step 2. --------------------------------------------------------------------------


Alcyone:~ flavio$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

org.macosforge.xquartz.privileged_startx

com.zeobit.MacKeeper.AntiVirus

com.prosofteng.DriveGenius.locum

com.oracle.java.Helper-Tool

com.google.keystone.daemon

com.DesignScience.DSMTTool

com.bombich.ccc

com.adobe.fpsaud

at.obdev.littlesnitchd

Alcyone:~ flavio$



Step 3. --------------------------------------------------------------------------


Alcyone:~ flavio$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

org.macosforge.xquartz.startx

com.oracle.java.Java-Updater

com.google.keystone.system.agent

com.divx.update.agent

com.divx.dms.agent

at.obdev.LittleSnitchUIAgent

com.zeobit.MacKeeper.Helper

com.spotify.webhelper

com.goacemjobhmmbdlbbfjgifjcojdfnjfm.updater

com.bombich.ccc-user-agent

Alcyone:~ flavio$


Step 4. --------------------------------------------------------------------------


Alcyone:~ flavio$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

DivX Toolkit.framework

DivXInstallerUtilities.framework

EWSMac-GC.framework

EWSMac.framework

HPSmartPrint.framework

MT6Lib.framework

NyxAudioAnalysis.framework

PluginManager.framework

iLifeFaceRecognition.framework

iLifeKit.framework

iLifePageLayout.framework

iLifeSQLAccess.framework

iLifeSlideshow.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

DivX Web Player.plugin

Flash Player.plugin

Google Earth Web Plug-in.plugin

JavaAppletPlugin.plugin

OVSHelper.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

Silverlight.plugin

Unity Web Player.plugin

Unused

flashplayer.xpt

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

at.obdev.LittleSnitchUIAgent.plist

com.divx.dms.agent.plist

com.divx.update.agent.plist

com.google.keystone.agent.plist

com.oracle.java.Java-Updater.plist

org.macosforge.xquartz.startx.plist


/Library/LaunchDaemons:

at.obdev.littlesnitchd.plist

com.DesignScience.DSMTTool.plist

com.adobe.fpsaud.plist

com.bombich.ccc.plist

com.bombich.ccc.scheduledtask.A8351FBA-00BF-468E-9959-20AFDF3EC4A1.plist

com.bombich.ccc.scheduledtask.E8FDE534-D11D-4827-A68E-701208718310.plist

com.google.keystone.daemon.plist

com.oracle.java.Helper-Tool.plist

com.prosofteng.DriveGenius.locum.plist

com.zeobit.MacKeeper.AntiVirus.plist

org.macosforge.xquartz.privileged_startx.plist


/Library/PreferencePanes:

Flash Player.prefPane

JavaControlPanel.prefPane

TeXDistPrefPane.prefPane


/Library/PrivilegedHelperTools:

com.DesignScience.DSMTTool

com.bombich.ccc

com.prosofteng.DriveGenius.locum


/Library/QuickLook:

GBQLGenerator.qlgenerator

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

DivX Decoder.component

DivX Encoder.component


/Library/ScriptingAdditions:


/Library/Spotlight:

GBSpotlightImporter.mdimporter

LogicPro.mdimporter

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

.DS_Store

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Frameworks:

EWSMac-GC.framework

EWSMac.framework


Library/Input Methods:

.localized


Library/Internet Accounts:

V1


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.265A6276-4657-4D24-937D-311B0228424D.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.DC9371FB-05F7-4E97-9F71-EB0DE234BEF9.plist

com.apple.CSConfigDotMacCert-xxxxxxxxxx@yy.com-SharedServices.Agent.plist

com.apple.SafariBookmarksSyncer.plist

com.bombich.ccc-user-agent.plist

com.goacemjobhmmbdlbbfjgifjcojdfnjfm.updater.plist

com.spotify.webhelper.plist

com.zeobit.MacKeeper.Helper.plist


Library/PreferencePanes:


Library/QuickLook:

QuickLookiWatermark.qlgenerator


Library/Services:

Toggle Hidden Files.workflow

Alcyone:~ flavio$


Step 5. --------------------------------------------------------------------------


Alcyone:~ flavio$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Knox, HP Product Research, HPEventHandler, HP Scheduler

Alcyone:~ flavio$

Feb 6, 2014 12:38 AM in response to Linc Davis

Can you please tell me if you see any problems, Linc Davis. Thanks.


Last login: Sat Feb 1 18:53:33 on console

mys-MacBook-Pro:~ mymac$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

org.virtualbox.kext.VBoxDrv (4.3.6)

com.avatron.AVExVideo (1.4.2)

tc.tctechnologies.driver.PaeFireStudio (3.5.6)

org.virtualbox.kext.VBoxUSB (4.3.6)

org.virtualbox.kext.VBoxNetFlt (4.3.6)

org.virtualbox.kext.VBoxNetAdp (4.3.6)

com.avatron.AVExFramebuffer (1.4.2)

com.vmware.kext.vmx86 (3.1.3)

com.vmware.kext.vmci (3.1.3)

com.vmware.kext.vmioplug (3.1.3)

com.vmware.kext.vmnet (3.1.3)

mys-MacBook-Pro:~ mymac$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

tc.tctechnologies.daemon.PaeFireStudio

com.WesternDigital.WDSmartWareD

com.wdc.WDDMservice

com.vmware.launchd.vmware

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.adobe.fpsaud

mys-MacBook-Pro:~ mymac$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.sierrawireless.SwitchTool

com.hp.messagecenter.launcher

com.hp.devicemonitor

com.google.keystone.system.agent

com.nero.HSMMonitor

com.nchsoftware.expresszip.schedule.LikeSurvey

mys-MacBook-Pro:~ mymac$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:



/Library/Extensions:



/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

ArcCon.framework

ArcSocketLib.framework

AudioMixEngine.framework

BaseFunction.framework

Cocoa2Carbon.framework

DivX Toolkit.framework

HPSmartPrint.framework

MagAppFramework.framework

MagCore.framework

MagImgTlsCtrl.framework

MagPCMac.framework

Maglib5.framework

MediaClub.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

TaskDLL.framework

WesternDigital

iLifeFaceRecognition.framework

iLifeKit.framework

iLifePageLayout.framework

iLifeSQLAccess.framework

iLifeSlideshow.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Intego:



/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

DivXBrowserPlugin.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

Google Earth Web Plug-in.plugin

JavaAppletPlugin.plugin

OVSHelper.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

iPhotoPhotocast.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.google.keystone.agent.plist

com.hp.devicemonitor.plist

com.hp.messagecenter.launcher.plist

com.sierrawireless.SwitchTool.plist

com.teamviewer.teamviewer.plist

com.teamviewer.teamviewer_desktop.plist



/Library/LaunchDaemons:

com.WesternDigital.WDSmartWareD.plist

com.adobe.fpsaud.plist

com.apple.remotepairtool.plist

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist

com.teamviewer.teamviewer_service.plist

com.vmware.launchd.vmware.plist

com.wdc.WDDMservice.plist

org.virtualbox.startup.plist

tc.tctechnologies.PaeFireStudio.plist



/Library/PreferencePanes:

Air Display Preferences.prefPane

DivX.prefPane

Flash Player.prefPane

Flip4Mac WMV.prefPane

Growl.prefPane

Perian.prefPane



/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper



/Library/QuickLook:

VMware Fusion QuickLook.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AC3MovieImport.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

CanonMJPEGAVI.component

CanonMJPEGAVIDec.component

CanonText.component

DivX Decoder.component

DivX Encoder.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component

Perian.component



/Library/ScriptingAdditions:



/Library/Services:



/Library/Spotlight:

Microsoft Office.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle

YMsgrCallABPlugin.bundle

YMsgrMsnABPlugin.bundle

YMsgrSmsABPlugin.bundle

YMsgrYimABPlugin.bundle



Library/Fonts:

Arizonia-Regular.ttf

CANDY___.otf

CURJTRIAL.otf

CURJTRIAL.ttf

Concbv2.ttf

ErsatzQuality.ttf

Hemmet_Personal_Use_Only.ttf

Masterics_Personal_Use.ttf

PhoenixScriptFLF.ttf

Phraell_Demo.ttf

SANTO___.TTF

SF Americana Dreams Bold.ttf

SF Americana Dreams Extended Bold.ttf

SF Americana Dreams Extended.ttf

SF Americana Dreams SC Bold.ttf

SF Americana Dreams SC Upright Bold.ttf

SF Americana Dreams SC Upright.ttf

SF Americana Dreams SC.ttf

SF Americana Dreams Upright Bold.ttf

SF Americana Dreams Upright.ttf

SF Americana Dreams.ttf

**** Happens trial__.otf

Signerica_Fat.ttf

Signerica_Medium.ttf

Signerica_Thin.ttf

Sunday&Monday.ttf

Trufla Words.ttf

Ventography_Personal_Use_Only.ttf

WEDDI___.otf

concav2.ttf

concv2.ttf

concv2b.ttf

concv2c.ttf

concv2e.ttf

concv2l.ttf

concv2s.ttf



Library/Input Methods:

.localized



Library/Internet Plug-Ins:

doubleTwistWebPlugin.bundle



Library/Keyboard Layouts:



Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.1142212D-7ACA-4802-8A0E-F8CCD9ACDE2C.plist

com.nchsoftware.expresszip.schedule.LikeSurvey.plist

com.nero.HSMMonitor.plist

org.virtualbox.vboxwebsrv.plist



Library/PreferencePanes:

.isoftreg

uSeesoft

mys-MacBook-Pro:~ mymac$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, AirDisplayStatusItem, ScreenCapture, SpeechSynthesisServer, Canon IJ Network Scanner Selector EX, Dropbox, Genieo, Android File Transfer Agent, StatusMenu, Launch Nikon Message Center 2

mys-MacBook-Pro:~ mymac$
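Added example, not from the thread or from Linc Davis: a small Python parser for the multi-directory `ls -1A ... 2> /dev/null` listing format pasted above, plus a snapshot diff, so a listing taken today can be compared with one taken earlier to see which persistence items (launch agents, daemons, plug-ins, fonts) appeared or disappeared. The two sample listings are constructed in the same format as the output above, and `com.example.newagent.plist` is a placeholder name.

```python
import re
from typing import Dict, List, Set, Tuple

# Shell prompt lines such as "Alcyone:~ flavio$ ls ..." are skipped.
PROMPT = re.compile(r"^\S+:~ \S+\$")


def parse_ls_output(text: str) -> Dict[str, Set[str]]:
    """Turn the pasted 'dir:' / entry / blank-line listing into {dir: {entries}}.
    A header with nothing under it (an empty folder) maps to an empty set."""
    dirs: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        if line.endswith(":") and (line.startswith("/") or line.startswith("Library/")):
            current = line[:-1]
            dirs.setdefault(current, set())
        elif current is not None:
            dirs[current].add(line)
    return dirs


def diff_snapshots(before: Dict[str, Set[str]], after: Dict[str, Set[str]]
                   ) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (added, removed): per directory, entries present in only one snapshot."""
    added: Dict[str, List[str]] = {}
    removed: Dict[str, List[str]] = {}
    for d in sorted(set(before) | set(after)):
        new = sorted(after.get(d, set()) - before.get(d, set()))
        gone = sorted(before.get(d, set()) - after.get(d, set()))
        if new:
            added[d] = new
        if gone:
            removed[d] = gone
    return added, removed


# Constructed sample listings in the thread's format (not real output from any Mac).
BASELINE = """mymac:~ user$ ls -1A /e*/mach* {,/}L*/{La,Scripti}* 2> /dev/null
/Library/LaunchDaemons:\n\ncom.adobe.fpsaud.plist\n\ncom.google.keystone.daemon.plist\n\n
/Library/ScriptingAdditions:\n\n
Library/LaunchAgents:\n\ncom.spotify.webhelper.plist\n"""
LATER = """mymac:~ user$ ls -1A /e*/mach* {,/}L*/{La,Scripti}* 2> /dev/null
/Library/LaunchDaemons:\n\ncom.adobe.fpsaud.plist\n\ncom.google.keystone.daemon.plist\n
com.teamviewer.teamviewer_service.plist\n\n
/Library/ScriptingAdditions:\n\n
Library/LaunchAgents:\n\ncom.example.newagent.plist\n"""

if __name__ == "__main__":
    added, removed = diff_snapshots(parse_ls_output(BASELINE), parse_ls_output(LATER))
    print("added:", added)      # new items deserve a closer look
    print("removed:", removed)
```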

Feb 6, 2014 3:40 AM in response to pickyme

pickyme wrote:


Can you please tell me if you see any problems, Linc Davis.

Not sure what kind of problems you are having, but Linc hasn't been back in the last nine months, nor responded to either of the two previous users posting ahead of you, so your best bet is always to post a new topic and describe your setup and problems in detail. That will attract many more folks with answers than will stumble across what you posted.
