New Terminal Results 4 Spyware / Keylogger Detection Review

For Linc and all knowledgeable,


My MBPro webcam was taken over a few months ago and video was recorded of me without my knowledge. At the time I thought it was taken over from a website and was unaware of the potential of spyware that could be installed on my local hard drive. In just the last week I have reason to believe that there may be a keylogger on my machine recording my writing in MS Word and otherwise. All of this is part of a greater and very serious stalking/harassment/surveillance threat I'm having to face down... So I'm in the process of overhauling my entire internet/Mac security set-up. I am thankful I'm on a Mac at least...


I followed the terminal scripts that Linc posted and here is the output I got.


Thanks to Linc and all who can respond with constructive help!


Step 1


  1. com.microsoft.driver.MicrosoftMouse (8.2)
  2. com.microsoft.driver.MicrosoftMouseUSB (8.2)
  3. com.avg.Antivirus.OnAccess.kext (14.0)



Step 2


  1. com.zeobit.MacKeeper.plugin.AntiTheft.daemon
  2. com.raynersw.nshctldo
  3. com.microsoft.office.licensing.helper
  4. com.avg.Antivirus
  5. com.avg.Antivirus.infosd
  6. com.adobe.SwitchBoard
  7. com.adobe.fpsaud



Step 3


  1. com.zeobit.MacKeeper.plugin.AntiTheft.daemon
  2. com.raynersw.nshctldo
  3. com.microsoft.office.licensing.helper
  4. com.avg.Antivirus
  5. com.avg.Antivirus.infosd
  6. com.adobe.SwitchBoard
  7. com.adobe.fpsaud

new-host:~ MacBookPro$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

  1. com.extensis.FMCore
  2. com.avg.Antivirus
  3. com.adobe.CS5ServiceManager
  4. com.adobe.CS4ServiceManager
  5. com.adobe.AdobeCreativeCloud
  6. com.zeobit.MacKeeper.Helper
  7. com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
  8. com.adobe.AAM.Scheduler-1.0



Step 4


/Library/Components:


/Library/Extensions:


/Library/Frameworks:

  1. AEProfiling.framework
  2. AERegistration.framework
  3. Adobe AIR.framework
  4. AudioMixEngine.framework
  5. EWSMac.framework
  6. ExtensisPlugins.framework
  7. NyxAudioAnalysis.framework
  8. PluginManager.framework
  9. TSLicense.framework
  10. iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

  1. AdobeAAMDetect.plugin
  2. AdobeExManDetect.plugin
  3. AdobePDFViewer.plugin
  4. AdobePDFViewerNPAPI.plugin
  5. Flash Player.plugin
  6. Flip4Mac WMV Plugin.plugin
  7. JavaAppletPlugin.plugin
  8. Quartz Composer.webplugin
  9. QuickTime Plugin.plugin
  10. SharePointBrowserPlugin.plugin
  11. SharePointWebKitPlugin.webplugin
  12. Silverlight.plugin
  13. SurveillanceClient.plugin
  14. flashplayer.xpt
  15. iPhotoPhotocast.plugin
  16. npContributeMac.bundle
  17. nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

  1. com.adobe.AAM.Updater-1.0.plist
  2. com.adobe.AdobeCreativeCloud.plist
  3. com.adobe.CS4ServiceManager.plist
  4. com.adobe.CS5ServiceManager.plist
  5. com.avg.Antivirus.gui.plist
  6. com.extensis.FMCore.plist


/Library/LaunchDaemons:

  1. com.adobe.SwitchBoard.plist
  2. com.adobe.fpsaud.plist
  3. com.avg.Antivirus.infosd.plist
  4. com.avg.Antivirus.services.plist
  5. com.microsoft.office.licensing.helper.plist
  6. com.raynersw.nshctldo.plist
  7. com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane

Microsoft Mouse.prefPane


/Library/PrivilegedHelperTools:

  1. com.microsoft.office.licensing.helper
  2. com.raynersw.nshctldo


/Library/QuickLook:

  1. GBQLGenerator.qlgenerator
  2. iBooksAuthor.qlgenerator
  3. iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component

SoundboothScoreCodec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

  1. GBSpotlightImporter.mdimporter
  2. Microsoft Office.mdimporter
  3. iBooksAuthor.mdimporter
  4. iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist


Library/Extensis:

Suitcase Fusion

com.extensis.FMCore-LaunchInfo.conf


Library/Fonts:


Library/Frameworks:

EWSMac.framework


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

EMusic.plugin

RealPlayer Plugin.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

  1. com.adobe.AAM.Updater-1.0.plist
  2. com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
  3. com.zeobit.MacKeeper.Helper.plist


Library/PreferencePanes:



Step 5


iTunesHelper

Posted on Jun 28, 2014 12:57 PM
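
An added example, not part of the original thread: the `launchctl list` filter from the post above, run on a constructed sample and then cross-checked against the LaunchAgents plist names the post lists. The function names, PIDs, statuses and the two filtered rows are assumptions; a loaded label with no same-named plist is a lead to inspect, not a verdict, since a plist's filename need not match its Label.

```shell
#!/bin/sh
# Constructed `launchctl list` sample (PID, Status, Label). Labels come from
# the post; PIDs, statuses, the com.apple row and the 0x row are made up.
sample_list() {
cat <<'EOF'
PID Status Label
- 0 com.apple.Finder
212 - 0x7fb1c2d0a3f0.anonymous.Terminal
231 - com.extensis.FMCore
- 0 com.avg.Antivirus
240 - com.adobe.CS5ServiceManager
241 - com.adobe.CS4ServiceManager
250 - com.adobe.AdobeCreativeCloud
260 - com.zeobit.MacKeeper.Helper
- 0 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
- 0 com.adobe.AAM.Scheduler-1.0
EOF
}

# Plist names from /Library/LaunchAgents and ~/Library/LaunchAgents in the post.
sample_plists() {
cat <<'EOF'
com.adobe.AAM.Updater-1.0.plist
com.adobe.AdobeCreativeCloud.plist
com.adobe.CS4ServiceManager.plist
com.adobe.CS5ServiceManager.plist
com.avg.Antivirus.gui.plist
com.extensis.FMCore.plist
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
com.zeobit.MacKeeper.Helper.plist
EOF
}

# The filter from the post: drop the header, anonymous (0x) jobs and
# Apple/MIT/X.org/OpenBSD labels, then print the Label column.
filter_labels() {
    sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
}

# Print each label on stdin that has no <label>.plist in the list given as $1.
unmatched_labels() {
    while IFS= read -r label; do
        printf '%s\n' "$1" | grep -Fxq -- "$label.plist" || printf '%s\n' "$label"
    done
}

triage() { sample_list | filter_labels | unmatched_labels "$(sample_plists)"; }
triage
```

On a live system, replace `sample_list` with `launchctl list` and `sample_plists` with `ls /Library/LaunchAgents ~/Library/LaunchAgents`, then read the `Label` key of each remaining plist to resolve the leftovers.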

Jun 28, 2014 5:52 PM in response to Linc Davis

I love how a program designed to keep you private online can end up turning on you it's almost like there is no end to the potential to be spied on... George Orwell's vision has become a reality in this new world of crime...


If nothing looks bad on the terminal list, nothing came up via MacScan (other than tracking cookies), AVG AntiVirus (which is supposed to check for spyware), and MacKeeper AntiVirus do you think I'm safe?


I know that it's been said the only foolproof way to be safe is to wipe the HD and do a complete fresh install of OSX. I guess I'm leaning towards that but the prospect of reinstalling all my apps and setting and app content is just so so time consuming. My system is running really smooth and has been for a while too under 10.8 and I've heard a lot of bad things about 10.9...


Thank you for your help!

Jun 28, 2014 6:25 PM in response to Linc Davis

I've been using NetShade infrequently for several months now. The developer is Rayners Software, LLC which was founded in 2011 and located in San Jose, CA. They have a well stated privacy policy. Servers are located in the US, Canada, UK, France, Czech Republic, Germany and the Netherlands.


It's certainly conceivable that a US based company in Silicon Valley is harvesting and selling privacy information, but unlikely IMHO.

Jun 28, 2014 6:27 PM in response to morning sun

morning sun wrote:


I do have a surveillance camera system around my home yes I did install the app to view the cams from my mac. Could that plug in be spyware? I doubt they would name something that obvious...

I just noted that it is designed to work with almost thirty different surveillance systems so I suppose it could, but since you are the one that installed it I doubt that anybody would be able to adapt its use to operating your camera and streaming it over your network.

Jun 28, 2014 6:32 PM in response to morning sun

morning sun wrote:


I love how a program designed to keep you private online can end up turning on you it's almost like there is no end to the potential to be spied on...

Even if NetShade is all that they claim, it still only secures you as far as their servers. From that point to your final destination, everything you have not encrypted on your computer is in clear text. But a person would have to know that you are using a specific server and when in order to be able to have any chance of tracing it back to you. VPN / Proxy services such as these are not perfect, but they do serve to protect you against having your local network (public or private) hacked.

Jun 29, 2014 8:05 AM in response to morning sun

MacScan is worthless. See MacScan disappoints.


AVG isn't much good at detecting Mac malware. See Mac anti-virus testing 2014.


MacKeeper is a scam product that is currently the subject of two separate class-action lawsuits.


None of these would be spying on you, but all should be removed.


As to the hacking, there is absolutely nothing that we can do to guarantee that your machine is clean. A Mac security expert with hands-on access to your machine might be able to make that determination... depending on how good he/she is. As Linc says, there's no sign of anything suspicious, but that could just mean something is well-hidden.


Personally, I think it's unlikely that you have actually been hacked. I've seen people overreact to strange problems, blaming them on hacking, countless times. Hacking of your computer to gain remote access would most typically require physical access or your cooperation in the installation of malware. Remote access could also be accomplished through a series of multiple vulnerabilities in how you have configured your computer - for example, if you have some kind of remote access enabled on your machine and have set up port forwarding in your router to make the computer accessible directly over the internet.


If you feel that any of these scenarios are likely, given your knowledge of the situation, then you should wipe the computer clean. See How to reinstall Mac OS X from scratch.


(Fair disclosure: The Safe Mac is my site, and contains a Donate button, so I may receive compensation for providing links to The Safe Mac. Donations are not required.)

Jun 29, 2014 12:21 PM in response to thomas_r.

Unfortunately for me I am for sure facing a real surveillance threat and know my webcam was hijacked at one point. I believe it was probably done through a website and not installed malware. More recently I have reason to believe that my writings have been spied on but I'm not 100% sure about this as I am about the webcam.


The most suspicious activity that I HAVE seen actually occur on my MacBook Pro was after coming back to my Mac from dinner and waking my Mac up from sleep there was a dialog box saying that my computer had been booted off the network and another computer had been added to the network or something to that effect... I should have written it down. This plus the incident that made me think my writing was spied on have driven my security overhaul of my system. This should have happened a few months back after the webcam incident.


I've heard a lot of mixed things about Maverick but am thinking about taking the plunge into the long process of a clean install and upgrading to Maverick. I believe I read that Maverick itself has an anti keylogger feature that scrambles all keys entered at the root level of the software to prevent a keylogger program from producing any readable output. This is obviously a big additional reason to wipe my system and go for Maverick.


Thank you Thomas for your thoughtful reply... It's nice to know there are some good people out there in this new world of crime...

Jun 29, 2014 1:14 PM in response to morning sun

know my webcam was hijacked at one point. I believe it was probably done through a website and not installed malware.


There is no known method for remotely accessing a modern Mac's webcam in this manner. Unless your Mac was one of a few specific models made in 2008 and earlier, which were found to have a webcam vulnerability, or unless you granted permission to a website that asked to access your webcam, it's not known to be possible to do what you say happened. A webcam hack would have to be delivered through malware or physical access to your Mac.


What specifically happened that makes you believe your webcam was accessed?


The most suspicious activity that I HAVE seen actually occur on my MacBook Pro was after coming back to my Mac from dinner and waking my Mac up from sleep there was a dialog box saying that my computer had been booted off the network and another computer had been added to the network


That sounds like a very common IP address conflict message, which occurs when one or more devices on your network are misconfigured. This is not indicative of any kind of hack, just a problem with the setup of your network. Probably, some device on your network is set to have a static IP address on your network, and that address is within the range of addresses reserved by the router to assign to devices that join the network. When your computer woke up, the router tried to assign it an address that should have been free, only to find that something was using it.


I believe I read that Maverick itself has an anti keylogger feature that scrambles all keys entered at the root level of the software to prevent a keylogger program from producing any readable output.


That's not something that I've ever heard of. I think you must have misinterpreted something, perhaps a story about address space layout randomization (ASLR), a security feature that randomizes data storage in RAM. ASLR has been in place in limited fashion in Mac OS X as far back as 10.5 (Leopard), and became system-wide in 10.8 (Mountain Lion). It would not protect you against a keylogger.


Mac OS X also has basic anti-malware protections built in, but that is also not new to Mavericks. See How does Mac OS X protect me?.


(Fair disclosure: The Safe Mac is my site, and contains a Donate button, so I may receive compensation for providing links to The Safe Mac. Donations are not required.)

Jun 29, 2014 1:50 PM in response to thomas_r.

I can't get into details of the webcam incident but it did happen. I never had any file sharing turned on my Mac at all but my Firewall was turned off on my Mac. I do have a WiFi signal running so that is how I was thinking that my Mac could be accessed to install spyware.


I did find out that my internet access router does have a firewall built in and was set to medium grade protection.


It is possible that my Mac did come into physical contact of a hacker but not likely.


I read that there was anti keylogger protection on Mavericks built in on a designer's blog from England... They also said that Adobe CS6 wouldn't work on Mavericks and I later heard that was false from many sources.


I did a complete overhaul of my Router networks settings with a strong user/pass, the highest firewall protection setting, and wep2 wireless signal protection and I've turned my Mac Firewall on.

Jun 29, 2014 2:09 PM in response to thomas_r.

Recently my Mail accounts got switched to be associated with the "notepad" app instead of my Mail app in the Mail, Contacts & Calendars System Prefs. There was a new dialog box added that specifies "Use With" then the Mail App icon and Notes App icon show up with a selection box next to them to either select them or not... This is very strange...

Jun 29, 2014 5:06 PM in response to morning sun

morning sun wrote:


I can't get into details of the webcam incident but it did happen. I never had any file sharing turned on my Mac at all but my Firewall was turned off on my Mac. I do have a WiFi signal running so that is how I was thinking that my Mac could be accessed to install spyware.


I did find out that my internet access router does have a firewall built in and was set to medium grade protection.

Medium protection is almost certainly as good as it would be to have your Mac Firewall on. Many routers have been found to have backdoors or left set to allow access from the Internet with the default login/password which has been used mostly to redirect users to ad sites, but could potentially allow a firewall to be turned off or other changes. I believe the majority of these vulnerable routers have been identified and firmware updates provided to prevent this, but you'd have to check on yours.

morning sun wrote:


I read that there was anti keylogger protection on Mavericks built in on a designer's blog from England...

I have not run across that either, so let us know if you come across a link.

I did a complete overhaul of my Router networks settings with a strong user/pass, the highest firewall protection setting, and wep2 wireless signal protection

Then I would have to agree that there is a finite chance that somebody close by could have gotten into your local network before you did all that. Hacking even the original WPA networks can be done in just a few minutes by a knowledgeable hacker with the right tools. But even with your firewall off, you would still have to have some sort of shared access enabled in order for the hacker to have gained access to the computer itself.

Jun 29, 2014 5:13 PM in response to morning sun

morning sun wrote:


Recently my Mail accounts got switched to be associated with the "notepad" app instead of my Mail app in the Mail, Contacts & Calendars System Prefs. There was a new dialog box added that specifies "Use With" then the Mail App icon and Notes App icon show up with a selection box next to them to either select them or not... This is very strange...

I take it this is on some sort of iDevice as there is no such System Preference Pane for the Mac?


On a Mac this sort of thing happens all the time as various apps decide to hijack documents owned by other apps. I've not observed the same thing with my wife's iPad, but can see how it could happen.


As you probably know there is no currently known way to hack an iDevice that hasn't been jailbroken.