
New Terminal Results 4 Spyware / Keylogger Detection Review

For Linc and all knowledgeable,


My MBPro webcam was taken over a few months ago and video was recorded of me without my knowledge. At the time I thought it was taken over from a website and was unaware of the potential of spyware that could be installed on my local hard drive. In just the last week I have reason to believe that there may be a keylogger on my machine recording my writing in MS Word and otherwise. All of this is part of a greater and very serious stalking/harassment/surveillance threat I'm having to face down... So I'm in the process of overhauling my entire internet/Mac security set-up. I am thankful I'm on a Mac at least...


I followed the terminal scripts that Linc posted and here is the output I got.


Thanks to Linc and all who can respond with constructive help!


Step 1


com.microsoft.driver.MicrosoftMouse (8.2)
com.microsoft.driver.MicrosoftMouseUSB (8.2)
com.avg.Antivirus.OnAccess.kext (14.0)



Step 2


com.zeobit.MacKeeper.plugin.AntiTheft.daemon
com.raynersw.nshctldo
com.microsoft.office.licensing.helper
com.avg.Antivirus
com.avg.Antivirus.infosd
com.adobe.SwitchBoard
com.adobe.fpsaud



Step 3


com.zeobit.MacKeeper.plugin.AntiTheft.daemon
com.raynersw.nshctldo
com.microsoft.office.licensing.helper
com.avg.Antivirus
com.avg.Antivirus.infosd
com.adobe.SwitchBoard
com.adobe.fpsaud

new-host:~ MacBookPro$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.extensis.FMCore
com.avg.Antivirus
com.adobe.CS5ServiceManager
com.adobe.CS4ServiceManager
com.adobe.AdobeCreativeCloud
com.zeobit.MacKeeper.Helper
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
com.adobe.AAM.Scheduler-1.0



Step 4


/Library/Components:

/Library/Extensions:

/Library/Frameworks:
AEProfiling.framework
AERegistration.framework
Adobe AIR.framework
AudioMixEngine.framework
EWSMac.framework
ExtensisPlugins.framework
NyxAudioAnalysis.framework
PluginManager.framework
TSLicense.framework
iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:
AdobeAAMDetect.plugin
AdobeExManDetect.plugin
AdobePDFViewer.plugin
AdobePDFViewerNPAPI.plugin
Flash Player.plugin
Flip4Mac WMV Plugin.plugin
JavaAppletPlugin.plugin
Quartz Composer.webplugin
QuickTime Plugin.plugin
SharePointBrowserPlugin.plugin
SharePointWebKitPlugin.webplugin
Silverlight.plugin
SurveillanceClient.plugin
flashplayer.xpt
iPhotoPhotocast.plugin
npContributeMac.bundle
nsIQTScriptablePlugin.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:
com.adobe.AAM.Updater-1.0.plist
com.adobe.AdobeCreativeCloud.plist
com.adobe.CS4ServiceManager.plist
com.adobe.CS5ServiceManager.plist
com.avg.Antivirus.gui.plist
com.extensis.FMCore.plist

/Library/LaunchDaemons:
com.adobe.SwitchBoard.plist
com.adobe.fpsaud.plist
com.avg.Antivirus.infosd.plist
com.avg.Antivirus.services.plist
com.microsoft.office.licensing.helper.plist
com.raynersw.nshctldo.plist
com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist

/Library/PreferencePanes:
Flash Player.prefPane
Flip4Mac WMV.prefPane
Microsoft Mouse.prefPane

/Library/PrivilegedHelperTools:
com.microsoft.office.licensing.helper
com.raynersw.nshctldo

/Library/QuickLook:
GBQLGenerator.qlgenerator
iBooksAuthor.qlgenerator
iWork.qlgenerator

/Library/QuickTime:
AppleIntermediateCodec.component
AppleMPEG2Codec.component
Flip4Mac WMV Advanced.component
Flip4Mac WMV Export.component
Flip4Mac WMV Import.component
SoundboothScoreCodec.component

/Library/ScriptingAdditions:
Adobe Unit Types.osax

/Library/Spotlight:
GBSpotlightImporter.mdimporter
Microsoft Office.mdimporter
iBooksAuthor.mdimporter
iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:
com.adobe.SwitchBoard.monitor.plist

Library/Extensis:
Suitcase Fusion
com.extensis.FMCore-LaunchInfo.conf

Library/Fonts:

Library/Frameworks:
EWSMac.framework

Library/Input Methods:
.localized

Library/Internet Plug-Ins:
EMusic.plugin
RealPlayer Plugin.plugin

Library/Keyboard Layouts:

Library/LaunchAgents:
com.adobe.AAM.Updater-1.0.plist
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
com.zeobit.MacKeeper.Helper.plist

Library/PreferencePanes:



Step 5


iTunesHelper

Posted on Jun 28, 2014 12:57 PM

49 replies

Jun 30, 2014 7:07 PM in response to morning sun

morning sun wrote:


If the Malware was sophisticated enough to detect and turn off LittleSnitch wouldn't the user see that it had been disabled?

Most knowledgeable users would eventually notice that LS wasn't working any more, but perhaps not right away. That's one of the reasons I keep the animated menu icon in place so that I can see that it's up and working.

Also what are the name types to be on the lookout for that LS would flag.

I know of no such list. As I said before, you need to look up each process that you are not familiar with and satisfy yourself that it's associated with a known app or OS X that's doing what it needs to do in order to be fully functional. Most apps need to be able to call home to see if there is an update available. Many Adobe apps need to verify your registration information in order to launch.


Malware likes to use names that are familiar but a little off the mark so that you'll think they are legit when they aren't. Flashback had a long list of such names that it would randomly use, so watch for that sort of thing.
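Added example, not from the thread and not part of Linc's script: it reproduces the Step 3 `launchctl list` filter from the original post over a constructed sample of `launchctl list` output, then sorts the labels that survive into known-vendor, look-alike and unknown, which is the manual review the reply above describes. Two properties of the posted awk pattern are worth knowing before trusting the list: it excludes lines by label text alone, so a job whose label merely contains `com.apple` never reaches review whatever program it runs, and the match is case-sensitive, so a label such as `com.Apple.something` does pass through. The sample labels, the vendor allowlist (built from vendors that appear in the posted output) and the small set of look-alike substitutions are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): run the Step 3 filter over a
# constructed "launchctl list" sample, then classify the surviving labels.

# Constructed sample in "launchctl list" layout: PID, last exit status, label.
SAMPLE='PID   Status  Label
-     0       com.apple.Finder
412   0       com.avg.Antivirus
-     0       com.zeobit.MacKeeper.Helper
-     1       com.app1e.updatehelper
-     0       com.Apple.softwareupdate
-     0       com.example.helper
-     0       0x7fb1c8c04a20.anonymous.bash'

# Step 3 filter exactly as posted: drop the header line, then every line
# matching an anonymous job (0x...) or the Apple/MIT/X11/OpenBSD patterns.
step3_filter() {
    sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
}

# Reverse-DNS prefixes of vendors the reviewer knows are installed.
# Assumed list; these vendors appear in the output posted above.
KNOWN='com.adobe com.microsoft com.avg com.zeobit com.extensis com.raynersw'

# Fold common look-alike tricks: letter case, digit 1 for l, digit 0 for o,
# and "rn" standing in for "m". Small illustrative set, not exhaustive.
normalize() {
    printf '%s' "$1" | tr 'A-Z10' 'a-zlo' | sed 's/rn/m/g'
}

# Print one classification line for a single launchd label.
classify() {
    label=$1
    norm=$(normalize "$label")
    # Exact prefix match against a vendor the reviewer recognises.
    for p in $KNOWN; do
        case "$label" in "$p".*) printf 'known      %s\n' "$label"; return;; esac
    done
    # Matches a trusted prefix only after normalisation: the "familiar but
    # a little off" naming the reply above warns about.
    for p in com.apple $KNOWN; do
        case "$norm" in "$p".*) printf 'LOOK-ALIKE %s (resembles %s)\n' "$label" "$p"; return;; esac
    done
    printf 'unknown    %s\n' "$label"
}

# Apply the posted filter to the sample and classify each survivor.
review() {
    printf '%s\n' "$SAMPLE" | step3_filter | while read -r label; do
        classify "$label"
    done
}

review
```

On a real Mac, feed `launchctl list` into `step3_filter` instead of the sample. For any label that comes back as unknown or look-alike, `launchctl list <label>` prints the job's dictionary including the program it runs, and `codesign -dv --verbose=4 <program>` shows whether that program is signed and by whom, which settles the question the thread keeps asking about each name.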

Jul 1, 2014 1:54 PM in response to MadMacs0

So I was working on my Mac this morning with no Apps running at all, just rearranging files and folders, and I heard a mysterious ringtone come from my Mac that sounded very similar, from what I remember, to a ringtone I heard the time I was spied on via my MBpro webcam a few months ago. I didn't check it immediately but later in the morning I opened the LS network monitor and there was a process called "Imagent via IMRemoteURLConnectionAgent.xpc". I looked up the phrase "imagent" on Google and found it is related to FaceTime and a link to instructions on how to disable it. I wasn't using FaceTime at all this morning, nor have I ever used FaceTime on my Mac or even my iPhone...


So it seems to me that "Imagent via IMRemoteURLConnectionAgent.xpc" could be OR IS a malware process. The one thing that gives me pause is that it is associated with an apple URL: init.ess.apple.com But I was thinking that could just be a fake apple affiliation or somehow the Malware uses an Apple URL in their process of hacking.


Any help is greatly appreciated...



Jul 1, 2014 3:20 PM in response to morning sun

So it seems to me that "Imagent via IMRemoteURLConnectionAgent.xpc" could be OR IS a malware process.


No, you're doing exactly what I warned you not to do! The imagent process is a perfectly normal process, part of FaceTime and absolutely NOT malware. You uncovered that information yourself, yet you still seem to want to call it malware! I simply do not understand that.


Someone tried to call you on FaceTime, that's all. (Or maybe they tried to call someone else and got you instead by mistake.) This also causes FaceTime to open and the camera to activate (although no image is transmitted until you accept the connection).


This is painting the whole webcam hack in a very different light...

Jul 1, 2014 4:37 PM in response to morning sun

morning sun wrote:

Like here is a screenshot of something it caught but it is being sent out to macromedia which I believe is Adobe now so this one is safe right... Adobe can't be spying on me...


Adobe software likes to stay up to date. It is normal, not malware.


Once again, thomas_r is correct, you are looking for monsters & finding them where none exist.

Good luck hunting them all down, you will find many if you keep looking in this manner.

Jul 1, 2014 6:37 PM in response to thomas_r.

My iPhone didn't ring and when this happened this morning my Mac wasn't connected to the internet via Wi-Fi or Ethernet. I don't have FaceTime set up on my Mac at all and the one time I did get a friend trying to call me via FaceTime there was no response on my Mac, just on my iPhone. My concern is that there is some kind of malware set to run periodically from my local drive to collect keylogs, screenshots or video/images with or without any network connection present, and then when there is a network connection present these keylogs, screenshots or video/images get sent out.


Does the "Imagent via IMRemoteURLConnectionAgent.xpc" FaceTime plugin or data connect periodically with Apple even when FaceTime isn't set up on the Mac? That seems like an odd process to be happening if FaceTime isn't set up.

