neuegirl

Q: Detect spyware and determine who is spying on my imac

I might be paranoid -- but need to know at this point if someone very close to me has installed spyware on my mac. I keep finding forums that say to back up files and just restart your system and wipe everything clean, change passwords, etc. But this won't work for me for a couple of reasons: 1) I really need to know if there is someone close to me who has installed this on my computer and would like to find the IP address that the information is headed to. and 2) the person in question still has access to my computer and almost all of my passwords.

 

Please can we not get into why I think this person is spying, etc. and if anyone knows any way for me to detect spyware and determine where information is being sent that would be the most helpful.

 

Would greatly appreciate any help here as I am paranoid about even looking up these kinds of things on my home computer (which I am doing now) and my iPhone (which I also need help with determining if it has spyware on it).

 

Thanks very much for any help.

iMac, Mac OS X (10.7.5)

Posted on Mar 24, 2013 5:22 AM

  • by MadMacs0,

    MadMacs0 Sep 15, 2015 10:17 PM in response to drazek73
    Level 5 (4,791 points)

    drazek73 wrote:

     

    there was no physical access that i'm aware of ..

    If there was no physical access and you didn't approve shared access over your network, then there is no spyware on the computer. There is no currently known malware for OS X that could surreptitiously install a key logger or similar.

    i don't want to explain who/what competitor/business partner knows what they shouldn't b/c it's irrelevant

    Not really, but you've said enough. If you plan on pursuing legal action you need to bring in a law enforcement official that is certified in computer forensics to conduct an examination of your network immediately.

    we're looking for ways to scan and eliminate any possibility of keyloggers or screen recorders on our network

     

    is there a software out there to accomplish this?

    If MacScan didn't find anything, then there is very close to zero chance that there is anything like you are looking for on the computer. It's a lousy malware detector, but you won't find anything better at finding spyware. The nmdb process is normally used to provide connectivity between Mac and Windows computers and 192.168.32.1 would appear to be a device on your local network. Do you have Windows File Sharing turned on? What port was it using? It should be easy enough to identify what device is using that IP address.

  • by drazek73,

    drazek73 Sep 16, 2015 6:39 AM in response to MadMacs0
    Level 1 (0 points)

    sharing is turned off

     

    I can send all the littlesnitch processes that it picks up .. will that be sufficient to diagnose/eliminate any possibility of spyware?

  • by 23david23,

    23david23 Jan 1, 2016 4:01 PM in response to Linc Davis
    Level 1 (9 points)
    Desktops

    I also followed your instructions. I have had this privacy problem since at least 2003 and probably before that. The weird thing is, these coworkers of mine not only know everything I type on my computer, they also are privy to corded phone calls I have made from the "privacy" of my own home. One of these coworkers gave me a floppy disk in about 1999 saying it was free email software. Being a new computer owner/user, I took it home and tried it but nothing showed up on the screen besides a little guy with a smiley face. I clicked it and nothing seemed to happen until I realized in 2003 that they had access to everything I do on my computer. It seems to me that they somehow have access to the DSL line (the phone line) somewhere between my house and the phone company/ISP. After I discovered they had access to my phone calls I terminated my land line service and now only use Skype which is supposed to be encrypted. The iMac I use now is my 3rd computer since that first one that I slipped that disk into.

     

    If you have the time and/or the inclination to look at it, here are the results of my diagnostic test:

    (thank you!)

     

     

    Last login: Thu Dec 31 17:09:20 on console

    My-iMac:~ dave$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    My-iMac:~ dave$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

    Password:

    com.opendns.osx.DNSCryptConfigUpdater

    net.tunnelblick.tunnelblick.tunnelblickd

    com.machangout.glims.loader

    com.zeobit.MacKeeper.AntiVirus

    com.google.keystone.daemon

    com.opendns.osx.DNSCryptProxy

    com.adobe.fpsaud

    net.tunnelblick.startup.vpnbook--us1--udp53

    com.teamviewer.Helper

    My-iMac:~ dave$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

    net.mehlau.pastor.63392

    com.opendns.OpenDNS_Updater.84512

    com.opendns.osx.DNSCryptMenuBar

    uk.co.markallan.clamxav.freshclam

    com.vimov.weatherhd.mac.menulauncher

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

    com.pandasystems.pandocalendar.84832

    com.eidac.smcFanControl2.13792

    com.google.keystone.system.agent

    jp.co.canon.ij.CNSSelectorAgent.93792

    com.macility.typinator2.68192

    com.jdibackup.ZipCloud.autostart

    com.skype.skype.672

    net.tunnelblick.tunnelblick.LaunchAtLogin

    com.jdibackup.ZipCloud.notify

    com.machangout.glims.agent

    net.culater.SIMBL.Agent

    com.zeobit.MacKeeper.Helper

    jp.co.canon.cijscannerregister.16992

    com.google.GoogleDrive.8992

    My-iMac:~ dave$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

    ACS6x.kext

    ATTOCelerityFC8.kext

    ATTOExpressSASHBA2.kext

    ATTOExpressSASRAID2.kext

    ArcMSR.kext

    BJUSBLoad.kext

    CIJUSBLoad.kext

    CalDigitHDProDrv.kext

    HighPointIOP.kext

    HighPointRR.kext

    PromiseSTEX.kext

    SoftRAID.kext

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    AudioMixEngine.framework

    DivXInstallerUtilities.framework

    GlimsAdditions.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    TSLicense.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    Default Browser.plugin

    Disabled Plug-Ins

    EPPEX Plugin.plugin

    Flash Player.plugin

    Flip4Mac WMV Plugin.plugin

    Quartz Composer.webplugin

    Silverlight.plugin

    flashplayer.xpt

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

    com.google.keystone.agent.plist

    com.machangout.glims.agent.plist

    com.opendns.osx.DNSCryptMenuBar.plist

    com.oracle.java.Java-Updater.plist

    com.teamviewer.teamviewer.plist

    com.teamviewer.teamviewer_desktop.plist

    net.culater.SIMBL.Agent.plist

     

    /Library/LaunchDaemons:

    com.adobe.fpsaud.plist

    com.google.keystone.daemon.plist

    com.machangout.glims.loader.plist

    com.opendns.osx.DNSCryptConfigUpdater.plist

    com.oracle.java.Helper-Tool.plist

    com.teamviewer.Helper.plist

    com.teamviewer.teamviewer_service.plist

    com.zeobit.MacKeeper.AntiVirus.plist

    net.tunnelblick.tunnelblick.startup.vpnbook--us1--udp53.plist

    net.tunnelblick.tunnelblick.tunnelblickd.plist

     

    /Library/PreferencePanes:

    DNSCrypt.prefPane

    Flash Player.prefPane

    Flip4Mac WMV.prefPane

    JavaControlPanel.prefPane

     

    /Library/PrivilegedHelperTools:

    Google Drive Icon Helper

    com.teamviewer.Helper

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AC3MovieImport.component

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

    Flip4Mac WMV Advanced.component

    Flip4Mac WMV Export.component

    Flip4Mac WMV Import.component

    Perian.component

     

    /Library/ScriptingAdditions:

    Glims.osax

    SIMBL.osax

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iBooksAuthor.mdimporter

    iWeb.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

     

    Library/Address Book Plug-Ins:

    SkypeABCaller.bundle

    SkypeABChatter.bundle

    SkypeABDialer.bundle

    SkypeABSMS.bundle

    YMsgrCallABPlugin.bundle

    YMsgrMsnABPlugin.bundle

    YMsgrSmsABPlugin.bundle

    YMsgrYimABPlugin.bundle

     

    Library/Fonts:

    CONEI___.TTF

    gorefont.ttf

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

    Google Earth Web Plug-in.plugin

     

    Library/Keyboard Layouts:

     

    Library/LanguageModeling:

    da-dynamic.lm

    de-dynamic.lm

    en-dynamic.lm

    es-dynamic.lm

    fi-dynamic.lm

    fr-dynamic.lm

    it-dynamic.lm

    nb-dynamic.lm

    nl-dynamic.lm

    pl-dynamic.lm

    pt-dynamic.lm

    sv-dynamic.lm

    tr-dynamic.lm

     

    Library/LaunchAgents:

    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

    com.jdibackup.ZipCloud.autostart.plist

    com.jdibackup.ZipCloud.notify.plist

    com.zeobit.MacKeeper.Helper.plist

    net.tunnelblick.tunnelblick.LaunchAtLogin.plist

    uk.co.markallan.clamxav.freshclam.plist

     

    Library/PreferencePanes:

     

    Library/Services:

    .localized

    My-iMac:~ dave$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

    smcFanControl, iTunesHelper, PandoCalendar, Canon IJ Network Scanner Selector EX, Typinator, Mail, Google Drive, Skype, iLauncherHelper, OpenDNS Updater, Stickies, Dave.pastor

    My-iMac:~ dave$
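
Added example (not part of any post in this thread, and not Linc Davis's diagnostic): the `ls` listings above show only the file names in the LaunchAgents and LaunchDaemons folders, so this Python script reads each job file and reports its label, the program it starts and whether it starts automatically. The names `describe_job`, `audit_launchd` and `DEFAULT_DIRS` are assumptions of this example.

```python
import plistlib
import sys
from pathlib import Path

# Folders taken from the listings in this thread (system-wide and per-user).
DEFAULT_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                str(Path.home() / "Library" / "LaunchAgents")]


def describe_job(plist_path):
    """Summarise one launchd job file: label, program started, autostart."""
    path = Path(plist_path)
    entry = {"file": str(path), "label": None, "program": None,
             "autostart": False, "notes": []}
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)      # reads both XML and binary plists
    except Exception as exc:             # malformed or unreadable: report it
        entry["notes"].append("unreadable (" + type(exc).__name__ + ")")
        return entry
    if not isinstance(job, dict):
        entry["notes"].append("top-level object is not a dictionary")
        return entry
    entry["label"] = job.get("Label")
    args = job.get("ProgramArguments") or []
    entry["program"] = job.get("Program") or (args[0] if args else None)
    # RunAtLoad starts the job at boot/login; KeepAlive restarts it if it exits.
    entry["autostart"] = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if entry["label"] != path.stem:
        entry["notes"].append("label differs from file name")
    if entry["program"] is None:
        entry["notes"].append("no program specified")
    elif not Path(str(entry["program"])).exists():
        entry["notes"].append("program not found on disk")
    return entry


def audit_launchd(dirs=DEFAULT_DIRS, skip_prefix="com.apple."):
    """Describe every job file in dirs whose label lacks skip_prefix."""
    report = []
    for folder in dirs:
        folder = Path(folder)
        if not folder.is_dir():
            continue                     # folder absent on this machine
        for plist in sorted(folder.glob("*.plist")):
            entry = describe_job(plist)
            label = entry["label"]
            if skip_prefix and isinstance(label, str) and label.startswith(skip_prefix):
                continue                 # same exclusion the thread's awk filters make
            report.append(entry)
    return report


if __name__ == "__main__":
    for e in audit_launchd(sys.argv[1:] or DEFAULT_DIRS):
        print(e["file"])
        print("  label:     ", e["label"])
        print("  program:   ", e["program"])
        print("  autostart: ", e["autostart"])
        for note in e["notes"]:
            print("  note:      ", note)
```

The `com.apple.` exclusion mirrors the awk filters in the posts above and trusts the label string, which whoever wrote the plist chose; pass `skip_prefix=""` to list every job.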

  • by MadMacs0,

    MadMacs0 Jan 1, 2016 11:58 PM in response to 23david23
    Level 5 (4,791 points)

    Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this almost three year old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.


    You will always be better off posting a new topic with a clear statement of the problem you are seeing and why you suspect it might be spyware, without posting any diagnostics until requested.


    That's just the way this forum works best.

  • by memsmith,

    memsmith Jan 14, 2016 4:42 PM in response to Linc Davis
    Level 1 (0 points)

    Hey Linc, I've been looking for some information like this for a couple days now, I was wondering if you could help me with a few things.

    I'm dealing with the same kind of problem on a professional scale, but I have no knowledge of these things. Is there some way I can contact you through Apple or otherwise?

     

    my name is coco ! :}

  • by MadMacs0,

    MadMacs0 Jan 14, 2016 4:45 PM in response to memsmith
    Level 5 (4,791 points)

    Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this almost three year old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.


    You will always be better off posting a new topic with a clear statement of the problem you are seeing and why you suspect it might be spyware, without posting any diagnostics until requested.


    That's just the way this forum works best.

  • by PropaneKelli,

    PropaneKelli Jan 14, 2016 4:46 PM in response to WZZZ
    Level 1 (0 points)

    My Mac OS was working well with the Yosemite and I installed Boot Camp and installed Windows 7 on the other partition. All was well until I upgraded my Mac OS to El Capitan. Whenever I press and hold Alt to go to the Windows 7 partition I see a recovery partition which won't boot to Windows. Please what can I do? I need to resolve it.

  • by PropaneKelli,

    PropaneKelli Jan 14, 2016 4:47 PM in response to michaelsip4
    Level 1 (0 points)

    My Mac OS was working well with the Yosemite and I installed Boot Camp and installed Windows 7 on the other partition. All was well until I upgraded my Mac OS to El Capitan. Whenever I press and hold Alt to go to the Windows 7 partition I see a recovery partition which won't boot to Windows. Please what can I do? I need to resolve it.

  • by memsmith,

    memsmith Jan 14, 2016 4:51 PM in response to MadMacs0
    Level 1 (0 points)

    I'm just not really one for making a public spectacle of my life

    thanks for this though.

  • by ihatemyphoneatm,

    ihatemyphoneatm Jan 17, 2016 3:40 AM in response to neuegirl
    Level 1 (0 points)

    Last login: Sun Jan 17 10:58:19 on ttys000

    Iains-MacBook-Pro:~ iain$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    Iains-MacBook-Pro:~ iain$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

    Password:

    com.malwarebytes.MBAMHelperTool

    Iains-MacBook-Pro:~ iain$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

    Iains-MacBook-Pro:~ iain$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

    /Library/Components:

     

    /Library/Extensions:

    ACS6x.kext

    ATTOCelerityFC8.kext

    ATTOExpressSASHBA2.kext

    ATTOExpressSASRAID2.kext

    ArcMSR.kext

    BJUSBLoad.kext

    CIJUSBLoad.kext

    CalDigitHDProDrv.kext

    HighPointIOP.kext

    HighPointRR.kext

    PromiseSTEX.kext

    SoftRAID.kext

     

    /Library/Frameworks:

    AEProfiling.framework

    AERegistration.framework

    AudioMixEngine.framework

    NyxAudioAnalysis.framework

    PluginManager.framework

    iTunesLibrary.framework

     

    /Library/Input Methods:

     

    /Library/Internet Plug-Ins:

    Default Browser.plugin

    Disabled Plug-Ins

    Quartz Composer.webplugin

     

    /Library/Keyboard Layouts:

     

    /Library/LaunchAgents:

     

    /Library/LaunchDaemons:

    com.malwarebytes.MBAMHelperTool.plist

     

    /Library/PreferencePanes:

     

    /Library/PrivilegedHelperTools:

    com.malwarebytes.MBAMHelperTool

     

    /Library/QuickLook:

    iBooksAuthor.qlgenerator

    iWork.qlgenerator

     

    /Library/QuickTime:

    AppleIntermediateCodec.component

    AppleMPEG2Codec.component

     

    /Library/ScriptingAdditions:

     

    /Library/Spotlight:

    Microsoft Office.mdimporter

    iBooksAuthor.mdimporter

    iWork.mdimporter

     

    /Library/StartupItems:

     

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

     

    Library/Fonts:

     

    Library/Input Methods:

    .localized

     

    Library/Internet Plug-Ins:

     

    Library/Keyboard Layouts:

     

    Library/LanguageModeling:

    de-dynamic.lm

    en-dynamic.lm

    es-dynamic.lm

    it-dynamic.lm

    pt-dynamic.lm

     

    Library/LaunchAgents:

     

    Library/PreferencePanes:

     

    Library/Services:

    Iains-MacBook-Pro:~ iain$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

    Console

    Iains-MacBook-Pro:~ iain$

  • by MadMacs0,

    MadMacs0 Jan 17, 2016 3:43 AM in response to ihatemyphoneatm
    Level 5 (4,791 points)

    I'm quite sure that neuegirl can't help you with that and Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this almost three year old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.


    You will always be better off posting a new topic with a clear statement of the problem you are seeing and why you suspect it might be spyware, without posting any diagnostics until requested.


    That's just the way this forum works best.

  • by Truthistruth247,

    Truthistruth247 Feb 7, 2016 7:43 PM in response to morning sun
    Level 1 (8 points)
    iCloud

    I understand that you often say to start a new thread for my issues which I can but won in all these posts I don't see the suggestion of what was and is a big part of my computer and iPhone issues. Identity theft has caused someone to compromise my Microsoft and Google accounts and because they had access to my information they were able to create a shadow ID, apps, phone etc. It is taking a long time to figure out how and what was causing all the issues but it wasn't physical access, it was just computer access to my accounts. Simple software issues on top of security issues causes a big big nightmare.

  • by khandelk,

    khandelk Apr 13, 2016 8:58 PM in response to Linc Davis
    Level 1 (8 points)
    Notebooks

    Hi Linc,

     

    Someone just had unauthorised access to my mac for 2 days, and they knew the admin password. I've pasted the output to your commands, below. Please suggest if there seems to be a spyware, key logger etc installed. Thanks !!

     

     

    Last login: Thu Apr 14 09:04:20 on ttys000

    KUNALs-MacBook-Pro:~ kunal$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

    com.rim.driver.BlackBerryUSBDriverInt (0.0.97)

    KUNALs-MacBook-Pro:~ kunal$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

     

    We trust you have received the usual lecture from the local System

    Administrator. It usually boils down to these three things:

     

        #1) Respect the privacy of others.

        #2) Think before you type.

        #3) With great power comes great responsibility.

     

    Password:

    Sorry, try again.

    Password:

    com.rim.BBDaemon

    com.huawei.HWNetMgr.plist

    com.adobe.ARMDC.Communicator

    com.adobe.SwitchBoard

    com.adobe.fpsaud

    com.adobe.ARMDC.SMJobBlessHelper

    KUNALs-MacBook-Pro:~ kunal$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

    com.rim.BBLaunchAgent

    com.rim.RimAlbumArtDaemon

    ouc.plist

    com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d

    com.adobe.AAM.Scheduler-1.0

    com.huawei.HWPortCfg.plist

    com.adobe.PDApp.AAMUpdatesNotifier.73304.3F59AD06-8B3D-44BA-8B54-ECDDD9A1AEBF

    com.google.keystone.user.agent

    KUNALs-MacBook-Pro:~ kunal$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta

    ls: /L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta: No such file or directory

    ls: L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta: No such file or directory

    /etc/mach_init.d:

     

    /etc/mach_init_per_login_session.d:

     

    /etc/mach_init_per_user.d:

    com.adobe.SwitchBoard.monitor.plist

    KUNALs-MacBook-Pro:~ kunal$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

    TomTom MySports Connect, iTunesHelper, Viber

    KUNALs-MacBook-Pro:~ kunal$

  • by MadMacs0,

    MadMacs0 Apr 13, 2016 9:11 PM in response to khandelk
    Level 5 (4,791 points)

    Linc doesn't normally respond to "me too" requests and almost certainly isn't monitoring this three year old discussion. He often changes his diagnostics routines, so what you have posted may be meaningless now and certainly should not be interpreted by anybody but Linc.


    You will always be better off posting a new topic without posting any diagnostics until requested.


    That's just the way this forum works best.

  • by khandelk,

    khandelk Apr 13, 2016 9:17 PM in response to MadMacs0
    Level 1 (8 points)
    Notebooks

    Ok thanks!
