
New Terminal Results 4 Spyware / Keylogger Detection Review

For Linc and all knowledgeable,


My MBPro webcam was taken over a few months ago and video was recorded of me without my knowledge. At the time I thought it was taken over from a website and was unaware of the potential of spyware that could be installed on my local hard drive. In just the last week I have reason to believe that there may be a keylogger on my machine recording my writing in MS Word and otherwise. All of this is part of a greater and very serious stalking/harassment/surveillance threat I'm having to face down... So I'm in the process of overhauling my entire internet/Mac security set-up. I am thankful I'm on a Mac at least...


I followed the terminal scripts that Linc posted and here is the output I got.


Thanks to Linc and all who can respond with constructive help!


Step 1


  1. com.microsoft.driver.MicrosoftMouse (8.2)
  2. com.microsoft.driver.MicrosoftMouseUSB (8.2)
  3. com.avg.Antivirus.OnAccess.kext (14.0)



Step 2


  1. com.zeobit.MacKeeper.plugin.AntiTheft.daemon
  2. com.raynersw.nshctldo
  3. com.microsoft.office.licensing.helper
  4. com.avg.Antivirus
  5. com.avg.Antivirus.infosd
  6. com.adobe.SwitchBoard
  7. com.adobe.fpsaud



Step 3


  1. com.zeobit.MacKeeper.plugin.AntiTheft.daemon
  2. com.raynersw.nshctldo
  3. com.microsoft.office.licensing.helper
  4. com.avg.Antivirus
  5. com.avg.Antivirus.infosd
  6. com.adobe.SwitchBoard
  7. com.adobe.fpsaud

new-host:~ MacBookPro$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

  1. com.extensis.FMCore
  2. com.avg.Antivirus
  3. com.adobe.CS5ServiceManager
  4. com.adobe.CS4ServiceManager
  5. com.adobe.AdobeCreativeCloud
  6. com.zeobit.MacKeeper.Helper
  7. com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
  8. com.adobe.AAM.Scheduler-1.0



Step 4


/Library/Components:


/Library/Extensions:


/Library/Frameworks:

  1. AEProfiling.framework
  2. AERegistration.framework
  3. Adobe AIR.framework
  4. AudioMixEngine.framework
  5. EWSMac.framework
  6. ExtensisPlugins.framework
  7. NyxAudioAnalysis.framework
  8. PluginManager.framework
  9. TSLicense.framework
  10. iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

  1. AdobeAAMDetect.plugin
  2. AdobeExManDetect.plugin
  3. AdobePDFViewer.plugin
  4. AdobePDFViewerNPAPI.plugin
  5. Flash Player.plugin
  6. Flip4Mac WMV Plugin.plugin
  7. JavaAppletPlugin.plugin
  8. Quartz Composer.webplugin
  9. QuickTime Plugin.plugin
  10. SharePointBrowserPlugin.plugin
  11. SharePointWebKitPlugin.webplugin
  12. Silverlight.plugin
  13. SurveillanceClient.plugin
  14. flashplayer.xpt
  15. iPhotoPhotocast.plugin
  16. npContributeMac.bundle
  17. nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

  1. com.adobe.AAM.Updater-1.0.plist
  2. com.adobe.AdobeCreativeCloud.plist
  3. com.adobe.CS4ServiceManager.plist
  4. com.adobe.CS5ServiceManager.plist
  5. com.avg.Antivirus.gui.plist
  6. com.extensis.FMCore.plist


/Library/LaunchDaemons:

  1. com.adobe.SwitchBoard.plist
  2. com.adobe.fpsaud.plist
  3. com.avg.Antivirus.infosd.plist
  4. com.avg.Antivirus.services.plist
  5. com.microsoft.office.licensing.helper.plist
  6. com.raynersw.nshctldo.plist
  7. com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane

Microsoft Mouse.prefPane


/Library/PrivilegedHelperTools:

  1. com.microsoft.office.licensing.helper
  2. com.raynersw.nshctldo


/Library/QuickLook:

  1. GBQLGenerator.qlgenerator
  2. iBooksAuthor.qlgenerator
  3. iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component

SoundboothScoreCodec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

  1. GBSpotlightImporter.mdimporter
  2. Microsoft Office.mdimporter
  3. iBooksAuthor.mdimporter
  4. iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist


Library/Extensis:

Suitcase Fusion

com.extensis.FMCore-LaunchInfo.conf


Library/Fonts:


Library/Frameworks:

EWSMac.framework


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

EMusic.plugin

RealPlayer Plugin.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

  1. com.adobe.AAM.Updater-1.0.plist
  2. com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
  3. com.zeobit.MacKeeper.Helper.plist


Library/PreferencePanes:



Step 5


iTunesHelper

Posted on Jun 28, 2014 12:57 PM

49 replies

Jul 18, 2014 7:35 PM in response to MadMacs0

RESULT OF KEYLOGGING = gaining the ability to take over my machine

Take over control of the webcam on my Mac Air — I know about this because a recording was recovered using software from Stella.

At the time I was inside a large university library to get help to erase my Mac Air and reinstall OS X (work done by the technology support staff).


Complete control includes what's been happening with my machine; here are issue items from my large and frightening list:

Prevented me from listing an RV for sale:

by degrading pictures of the RV--> solved by reverting to original photos in iPhoto

Deleting pictures out of my iPhoto library

Reading emails

---> block mail some sending to interested buyers

Jan 17, 2016 7:33 PM in response to thomas_r.

Little Snitch is a great product and I use it; however, it does make people who don't know how to use their terminal or are familiar with OS X processes a little paranoid. It even made me paranoid my first few times using it. But mainly everything Little Snitch asks for, if it is in a format like that, it's OK. It's just random IPs you need to look out for. By the way, most of these connections (if they were malicious) are most likely using your computer to try and infect a Windows machine. Unless you have all firewall/FileVault/protections turned off they can ssh in and maybe gain root access to your Mac if you don't have a strong password. Just my 2 cents.


-xo

Jan 17, 2016 9:21 PM in response to GreenMamba

GreenMamba wrote:

But mainly everything Little Snitch asks for, if it is in a format like that, it's OK. It's just random IPs you need to look out for. By the way, most of these connections (if they were malicious) are most likely using your computer to try and infect a Windows machine. Unless you have all firewall/FileVault/protections turned off they can ssh in and maybe gain root access to your Mac if you don't have a strong password. Just my 2 cents.


You may want to read up on the OS X firewall. Applications like iTunes can open up network access (for Home sharing etc), if you enable those features.

The Apple firewall will allow ports for services you enable. The same is true for other services like file sharing, screen sharing etc.

ssh is off by default, so no one can just 'ssh in' to anything on your Mac unless an admin enables it. I doubt you can 'get root' via ssh on a default 10.11 install either (I have not tried). Some services will even request that ports are opened on the gateway (UPnP, NAT-PMP), which can make them visible to all outside the network (like game servers, BitTorrent clients etc).


Firewalls can be confusing because they are also used to protect networks as well as machines.


FileVault also offers no protection against malicious software; it will still run if you opt to install malware. It just requires you to decrypt the disk to install it, which is how the Mac runs all the time when logged in. FileVault only protects data 'at rest' (when shut down).


I'm not sure how you filter out 'random IPs' either. Are you really managing every request that the Mac makes? I suspect you end up making wide exceptions to Little Snitch just to make the OS work. The trouble is that IP addresses & DNS names change hands all day long, and so much is hidden behind huge networks that you can't really tell who owns what.
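Added example, not part of the thread: the reply above says the OS X firewall admits ports for whatever sharing services are enabled and that ssh listens only when an admin turns it on. This sketch lists the non-loopback TCP listeners in `lsof -nP -iTCP -sTCP:LISTEN` output so each open port can be matched to a service; the sample output, the port labels and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from the thread).
SAMPLE='COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd    1 root   21u IPv6 0x01      0t0  TCP *:22 (LISTEN)
launchd    1 root   22u IPv4 0x02      0t0  TCP *:22 (LISTEN)
iTunes   512 user   30u IPv4 0x03      0t0  TCP *:3689 (LISTEN)
cupsd     88 root    5u IPv6 0x04      0t0  TCP [::1]:631 (LISTEN)
cupsd     88 root    6u IPv4 0x05      0t0  TCP 127.0.0.1:631 (LISTEN)'

# Read lsof output on stdin; print "command port" once for every listener
# that is bound to something other than the loopback interface.
exposed_listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" {
         name = $(NF - 1)                      # e.g. *:22 or [::1]:631
         n = split(name, parts, ":")
         port = parts[n]
         host = substr(name, 1, length(name) - length(port) - 1)
         if (host == "127.0.0.1" || host == "[::1]" || host == "localhost") next
         key = $1 " " port
         if (!(key in seen)) { seen[key] = 1; print key }
       }'
}

# Map a port to the sharing feature that usually opens it (assumed defaults).
port_label() {
  case "$1" in
    22)   echo "Remote Login (ssh)" ;;
    445)  echo "File Sharing (SMB)" ;;
    548)  echo "File Sharing (AFP)" ;;
    3689) echo "iTunes sharing (DAAP)" ;;
    5900) echo "Screen Sharing (VNC)" ;;
    *)    echo "unrecognised, check the owning process" ;;
  esac
}

# Tab-separated report: port, owning command, likely service.
report() {
  exposed_listeners | while read -r cmd port; do
    printf '%s\t%s\t%s\n' "$port" "$cmd" "$(port_label "$port")"
  done
}

# Exit status 0 when something other than loopback is listening on port 22.
ssh_exposed() {
  exposed_listeners | awk '$2 == 22 { found = 1 } END { exit !found }'
}

printf '%s\n' "$SAMPLE" | report
```

On a live Mac, run `lsof -nP -iTCP -sTCP:LISTEN | report` after sourcing the functions; without sudo, lsof shows only listeners owned by the current user.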
