
Detect spyware and determine who is spying on my imac

I might be paranoid -- but need to know at this point if someone very close to me has installed spyware on my mac. I keep finding forums that say to back up files and just restart your system and wipe everything clean, change passwords, etc. But this won't work for me for a couple of reasons: 1) I really need to know if there is someone close to me who has installed this on my computer and would like to find the IP address that the information is headed to. and 2) the person in question still has access to my computer and almost all of my passwords.


Please can we not get into why I think this person is spying, etc. and if anyone knows any way for me to detect spyware and determine where information is being sent that would be the most helpful.


Would greatly appreciate any help here as I am paranoid about even looking up these kinds of things on my home computer (which I am doing now) and my iPhone (which I also need help with determining if it has spyware on it).


Thanks very much for any help.

iMac, Mac OS X (10.7.5)

Posted on Mar 24, 2013 5:22 AM

96 replies

Jan 17, 2016 3:40 AM in response to neuegirl

Last login: Sun Jan 17 10:58:19 on ttys000

Iains-MacBook-Pro:~ iain$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Iains-MacBook-Pro:~ iain$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

com.malwarebytes.MBAMHelperTool

Iains-MacBook-Pro:~ iain$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Iains-MacBook-Pro:~ iain$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

BJUSBLoad.kext

CIJUSBLoad.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Default Browser.plugin

Disabled Plug-Ins

Quartz Composer.webplugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:


/Library/LaunchDaemons:

com.malwarebytes.MBAMHelperTool.plist


/Library/PreferencePanes:


/Library/PrivilegedHelperTools:

com.malwarebytes.MBAMHelperTool


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LanguageModeling:

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

it-dynamic.lm

pt-dynamic.lm


Library/LaunchAgents:


Library/PreferencePanes:


Library/Services:

Iains-MacBook-Pro:~ iain$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Console

Iains-MacBook-Pro:~ iain$

Jan 17, 2016 3:43 AM in response to ihatemyphoneatm

I'm quite sure that neuegirl can't help you with that and Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this almost three-year-old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.

You will always be better off posting a new topic with a clear statement of the problem you are seeing and why you suspect it might be spyware, without posting any diagnostics until requested.

That's just the way this forum works best.

Feb 7, 2016 7:43 PM in response to morning sun

I understand that you often say to start a new thread for my issues which I can but won in all these posts I don't see the suggestion of what was and is a big part of my computer and iPhone issues. Identity theft has caused someone to compromise my Microsoft and Google accounts and because they had access to my information they were able to create a shadow ID, apps phone etc. It is taking a long time to figure out how and what was causing all the issues but it wasn't physical access, it was just computer access to my accounts. Simple software issues on top of security issues causes a big big nightmare.

Apr 13, 2016 8:58 PM in response to Linc Davis

Hi Linc,


Someone just had unauthorised access to my mac for 2 days, and they knew the admin password. I've pasted the output to your commands, below. Please suggest if there seems to be a spyware, key logger etc installed. Thanks !!



Last login: Thu Apr 14 09:04:20 on ttys000

KUNALs-MacBook-Pro:~ kunal$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.rim.driver.BlackBerryUSBDriverInt (0.0.97)

KUNALs-MacBook-Pro:~ kunal$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:


#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.


Password:

Sorry, try again.

Password:

com.rim.BBDaemon

com.huawei.HWNetMgr.plist

com.adobe.ARMDC.Communicator

com.adobe.SwitchBoard

com.adobe.fpsaud

com.adobe.ARMDC.SMJobBlessHelper

KUNALs-MacBook-Pro:~ kunal$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.rim.BBLaunchAgent

com.rim.RimAlbumArtDaemon

ouc.plist

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d

com.adobe.AAM.Scheduler-1.0

com.huawei.HWPortCfg.plist

com.adobe.PDApp.AAMUpdatesNotifier.73304.3F59AD06-8B3D-44BA-8B54-ECDDD9A1AEBF

com.google.keystone.user.agent

KUNALs-MacBook-Pro:~ kunal$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta

ls: /L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta: No such file or directory

ls: L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta: No such file or directory

/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist

KUNALs-MacBook-Pro:~ kunal$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

TomTom MySports Connect, iTunesHelper, Viber

KUNALs-MacBook-Pro:~ kunal$

Apr 13, 2016 9:11 PM in response to khandelk

Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this three-year-old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.

You will always be better off posting a new topic without posting any diagnostics until requested.

That's just the way this forum works best.

Apr 30, 2016 5:24 AM in response to Linc Davis

Hi Davis,


I followed your instruction and these are the results:


Andrie:~ andrierov$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.rim.driver.BlackBerryUSBDriverInt (0.0.97)

com.hzsystems.terminus.driver (4)

Andrie:~ andrierov$

Andrie:~ andrierov$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

com.rim.tunmgr

com.macpaw.CleanMyMac3.Agent

com.rim.BBDaemon

com.adobe.ARMDC.Communicator

com.microsoft.office.licensing.helper

com.adobe.SwitchBoard

com.adobe.fpsaud

com.adobe.ARMDC.SMJobBlessHelper

Andrie:~ andrierov$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.yourcompany.ejectUdisk

com.rim.blackberrylink.BlackBerry-Link-Helper-Agent

com.rim.BBLaunchAgent

com.omnigroup.OmniCrashCatcher.i1

com.bittorrent.uTorrent

com.paragon.ntfs.trial

com.canon.MFManager

com.valvesoftware.steamclean

com.rim.RimAlbumArtDaemon

com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d

com.rim.PeerManager

com.paragon.ntfs.upd

com.google.keystone.user.agent

com.spigot.ApplicationManager

Andrie:~ andrierov$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

EOS Utility, Flickr Uploadr, CleanMyMac 3 Menu

Andrie:~ andrierov$

Apr 30, 2016 5:37 AM in response to andrierov

Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this three-year-old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.

You will always be better off posting a new topic without posting any diagnostics until requested.

That's just the way this forum works best.

I do see that you have been infected with Spigot Adware. You need to get rid of CleanMyMac3 before it does any more damage to your system and uTorrent will only get you in more trouble.

Aug 12, 2016 1:11 AM in response to Linc Davis

I wanted to thank you before I start. I hope this eases my paranoia. I tried your suggestion and this is what I got:


Last login: Thu Aug 11 18:15:04 on console

Mac-Users-MacBook-Pro:AppleVNCServer.bundle theresarusnak$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Mac-Users-MacBook-Pro:AppleVNCServer.bundle theresarusnak$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

Sorry, try again.

Password:

com.microsoft.office.licensing.helper

com.adobe.fpsaud

Mac-Users-MacBook-Pro:AppleVNCServer.bundle theresarusnak$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.microsoft.autoupdate.fba.66912

com.getdropbox.dropbox.76512

com.google.keystone.user.agent

Mac-Users-MacBook-Pro:AppleVNCServer.bundle theresarusnak$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext

hp_io_enabler_compound.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iLifeFaceRecognition.framework

iLifeKit.framework

iLifePageLayout.framework

iLifeSQLAccess.framework

iLifeSlideshow.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Default Browser.plugin

Disabled Plug-Ins

Flash Player.plugin

Quartz Composer.webplugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

iPhotoPhotocast.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.microsoft.office.licensing.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper


/Library/QuickLook:

GBQLGenerator.qlgenerator

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleAVCIntraCodec.component

AppleHDVCodec.component

AppleIntermediateCodec.component

AppleMPEG2Codec.component

AppleMXFImport.component

AppleProResCodec.component

DVCPROHDCodec.component

FCP Uncompressed 422.component

IMXCodec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

GBSpotlightImporter.mdimporter

LogicPro.mdimporter

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

Mac-Users-MacBook-Pro:AppleVNCServer.bundle theresarusnak$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Dropbox

Mac-Users-MacBook-Pro:AppleVNCServer.bundle theresarusnak$

Aug 12, 2016 1:24 AM in response to hightree3

I guess you missed my earlier comment.


Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this three-year-old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.


You will always be better off posting a new topic, fully explaining whatever issues you are experiencing without jumping to conclusions about what might be causing them and without posting any diagnostics until requested.


That's just the way this forum works best.

Sep 8, 2016 6:49 AM in response to Pinkalmond

Pinkalmond wrote:


Hi Linc!

Thanks so much for this info! I've followed the steps but I don't know what "post output" means, so I obviously haven't done that! Please advise? I would really appreciate your help! Is "Activity Monitor" a tracking app? If so, how do I remove it? Also, since I've done that, I can't relaunch Finder?!!

From MadMacs0's comment above:


Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this three-year-old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.


You will always be better off posting a new topic, fully explaining whatever issues you are experiencing without jumping to conclusions about what might be causing them and without posting any diagnostics until requested.


That's just the way this forum works best.
