Q: New Terminal Results 4 Spyware / Keylogger Detection Review

For Linc and all knowledgeable,

My MBPro webcam was taken over a few months ago and video was recorded of me without my knowledge. At the time I thought it was taken over from a website and was unaware of the potential of spyware that could be installed on my local hard drive. In just the last week I have reason to believe that there may be a keylogger on my machine recording my writing in MS Word and otherwise. All of this is part of a greater and very serious stalking/harassment/surveillance threat I'm having to face down... So I'm in the process of overhauling my entire internet/Mac security set-up. I am thankful I'm on a Mac at least...

I followed the terminal scripts that Linc posted and here is the output I got.

Thanks to Linc and all who can respond with constructive help!

Step 1

com.microsoft.driver.MicrosoftMouse (8.2)
com.microsoft.driver.MicrosoftMouseUSB (8.2)
com.avg.Antivirus.OnAccess.kext (14.0)

Step 2

com.zeobit.MacKeeper.plugin.AntiTheft.daemon
com.raynersw.nshctldo
com.microsoft.office.licensing.helper
com.avg.Antivirus
com.avg.Antivirus.infosd
com.adobe.SwitchBoard
com.adobe.fpsaud

Step 3

com.zeobit.MacKeeper.plugin.AntiTheft.daemon
com.raynersw.nshctldo
com.microsoft.office.licensing.helper
com.avg.Antivirus
com.avg.Antivirus.infosd
com.adobe.SwitchBoard
com.adobe.fpsaud

new-host:~ MacBookPro$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
com.extensis.FMCore
com.avg.Antivirus
com.adobe.CS5ServiceManager
com.adobe.CS4ServiceManager
com.adobe.AdobeCreativeCloud
com.zeobit.MacKeeper.Helper
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
com.adobe.AAM.Scheduler-1.0

Step 4

/Library/Components:

/Library/Extensions:

/Library/Frameworks:
AEProfiling.framework
AERegistration.framework
Adobe AIR.framework
AudioMixEngine.framework
EWSMac.framework
ExtensisPlugins.framework
NyxAudioAnalysis.framework
PluginManager.framework
TSLicense.framework
iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:
AdobeAAMDetect.plugin
AdobeExManDetect.plugin
AdobePDFViewer.plugin
AdobePDFViewerNPAPI.plugin
Flash Player.plugin
Flip4Mac WMV Plugin.plugin
JavaAppletPlugin.plugin
Quartz Composer.webplugin
QuickTime Plugin.plugin
SharePointBrowserPlugin.plugin
SharePointWebKitPlugin.webplugin
Silverlight.plugin
SurveillanceClient.plugin
flashplayer.xpt
iPhotoPhotocast.plugin
npContributeMac.bundle
nsIQTScriptablePlugin.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:
com.adobe.AAM.Updater-1.0.plist
com.adobe.AdobeCreativeCloud.plist
com.adobe.CS4ServiceManager.plist
com.adobe.CS5ServiceManager.plist
com.avg.Antivirus.gui.plist
com.extensis.FMCore.plist

/Library/LaunchDaemons:
com.adobe.SwitchBoard.plist
com.adobe.fpsaud.plist
com.avg.Antivirus.infosd.plist
com.avg.Antivirus.services.plist
com.microsoft.office.licensing.helper.plist
com.raynersw.nshctldo.plist
com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist

/Library/PreferencePanes:
Flash Player.prefPane
Flip4Mac WMV.prefPane
Microsoft Mouse.prefPane

/Library/PrivilegedHelperTools:
com.microsoft.office.licensing.helper
com.raynersw.nshctldo

/Library/QuickLook:
GBQLGenerator.qlgenerator
iBooksAuthor.qlgenerator
iWork.qlgenerator

/Library/QuickTime:
AppleIntermediateCodec.component
AppleMPEG2Codec.component
Flip4Mac WMV Advanced.component
Flip4Mac WMV Export.component
Flip4Mac WMV Import.component
SoundboothScoreCodec.component

/Library/ScriptingAdditions:
Adobe Unit Types.osax

/Library/Spotlight:
GBSpotlightImporter.mdimporter
Microsoft Office.mdimporter
iBooksAuthor.mdimporter
iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:
com.adobe.SwitchBoard.monitor.plist

Library/Extensis:
Suitcase Fusion
com.extensis.FMCore-LaunchInfo.conf

Library/Fonts:

Library/Frameworks:
EWSMac.framework

Library/Input Methods:
.localized

Library/Internet Plug-Ins:
EMusic.plugin
RealPlayer Plugin.plugin

Library/Keyboard Layouts:

Library/LaunchAgents:
com.adobe.AAM.Updater-1.0.plist
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
com.zeobit.MacKeeper.Helper.plist

Library/PreferencePanes:

Step 5

iTunesHelper

Posted on Jun 28, 2014 12:57 PM


Page 3 of 4
  • morning sun (Level 1, 0 points), Jun 30, 2014 6:52 PM, in response to thomas_r.:

    "On the other hand, though, malware can potentially disable Little Snitch, if it is able to achieve sufficient privileges."

    If the Malware was sophisticated enough to detect and turn off LittleSnitch, wouldn't the user see that it had been disabled?

    Also, what are the name types to be on the lookout for that LS would flag? From what I assume so far, outbound processes that happen randomly, when I'm not triggering a process to communicate outbound, to destinations that are generic/unknown are the ones to look out for. Like here is a screenshot of something it caught, but it is being sent out to macromedia, which I believe is Adobe now, so this one is safe, right... Adobe can't be spying on me...

    LS_WARNING.jpg

  • MadMacs0 (Level 5, 4,791 points), Jun 30, 2014 7:07 PM, in response to morning sun:

    morning sun wrote:

    If the Malware was sophisticated enough to detect and turn off LittleSnitch wouldn't the user see that it had been disabled?

    Most knowledgeable users would eventually notice that LS wasn't working any more, but perhaps not right away. That's one of the reasons I keep the animated menu icon in place, so that I can see that it's up and working.

    Also what are the name types to be on the lookout for that LS would flag.

    I know of no such list. As I said before, you need to look up each process that you are not familiar with and satisfy yourself that it's associated with a known app or OS X that's doing what it needs to do in order to be fully functional. Most apps need to be able to call home to see if there is an update available. Many Adobe apps need to verify your registration information in order to launch.

    Malware likes to use names that are familiar but a little off the mark so that you'll think they are legit when they aren't. Flashback had a long list of such names that it would randomly use, so watch for that sort of thing.
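A worked example of the look-each-one-up advice above, added here and not code from this thread, from Little Snitch or from Linc's scripts: it parses launchd plists of the kind listed in Step 4 (Label plus Program or ProgramArguments) so every item can be tied to an executable, and flags labels whose vendor prefix is close to but not equal to a known vendor, the "familiar but a little off" pattern MadMacs0 describes. The vendor list and the two sample plists (one carrying the constructed lookalike label com.adob.Updater and a made-up path) are constructed for the example.

```python
import difflib
import plistlib

# Vendor prefixes that appear in the thread's launchctl output (list constructed for this example).
KNOWN_PREFIXES = ["com.apple", "com.adobe", "com.microsoft", "com.avg", "com.zeobit", "com.extensis", "com.raynersw"]

# Constructed sample plists: one label taken from the Step 3 output and one deliberate
# lookalike (com.adob, not com.adobe). Executable paths are made up for the example.
SAMPLE_PLISTS = {
    "com.adobe.SwitchBoard.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.SwitchBoard</string>
<key>ProgramArguments</key><array><string>/Library/Example/SwitchBoard</string></array>
</dict></plist>""",
    "com.adob.Updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.adob.Updater</string>
<key>Program</key><string>/Users/Shared/.updater</string>
</dict></plist>""",
}

def launch_item(plist_bytes):
    """Return (Label, executable); Program wins over ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    return job.get("Label", ""), program

def vendor_prefix(label):
    """Reverse-DNS vendor part of a Label: com.adobe.SwitchBoard -> com.adobe."""
    parts = label.split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else label

def classify(label, known=KNOWN_PREFIXES, cutoff=0.8):
    """'known' for a listed vendor, 'lookalike:<vendor>' if the prefix is near but not equal to one, else 'unknown'."""
    prefix = vendor_prefix(label)
    if prefix in known:
        return "known"
    close = difflib.get_close_matches(prefix, known, n=1, cutoff=cutoff)
    return f"lookalike:{close[0]}" if close else "unknown"

def review(plists):
    """Map plist name -> (Label, executable, verdict) so each item can be looked up."""
    out = {}
    for name, data in plists.items():
        label, program = launch_item(data)
        out[name] = (label, program, classify(label))
    return out

if __name__ == "__main__":
    for name, (label, program, verdict) in review(SAMPLE_PLISTS).items():
        print(f"{verdict:20} {label:25} {program}")
```

On a real Mac you would feed it the bytes of each .plist under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents, then look up every "unknown" or "lookalike" result before drawing any conclusion.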

  • morning sun (Level 1, 0 points), Jul 1, 2014 1:54 PM, in response to MadMacs0:

    So I was working on my Mac this morning with no Apps running at all, just rearranging files and folders, and I heard a mysterious ringtone come from my Mac that sounded very similar, from what I remember, to a ringtone I heard the time I was spied on via my MBpro webcam a few months ago. I didn't check it immediately, but later in the morning I opened the LS network monitor and there was a process called "Imagent via IMRemoteURLConnectionAgent.xpc". I looked up the phrase "imagent" on Google and found it is related to FaceTime and a link to instructions on how to disable it. I wasn't using FaceTime at all this morning, nor have I ever used FaceTime on my Mac or even my iPhone...

    So it seems to me that "Imagent via IMRemoteURLConnectionAgent.xpc" could be OR IS a malware process. The one thing that gives me pause is that it is associated with an Apple URL: init.ess.apple.com. But I was thinking that could just be a fake Apple affiliation, or somehow the Malware uses an Apple URL in their process of hacking.

    Any help is greatly appreciated...

    monitor.jpg

  • thomas_r. (Level 7, 30,924 points; Mac OS X), Jul 1, 2014 3:20 PM, in response to morning sun:

    So it seems to me that "Imagent via IMRemoteURLConnectionAgent.xpc" could be OR IS a malware process.

    No, you're doing exactly what I warned you not to do! The imagent process is a perfectly normal process, part of FaceTime and absolutely NOT malware. You uncovered that information yourself, yet you still seem to want to call it malware! I simply do not understand that.

    Someone tried to call you on FaceTime, that's all. (Or maybe they tried to call someone else and got you instead by mistake.) This also causes FaceTime to open and the camera to activate (although no image is transmitted until you accept the connection).

    This is painting the whole webcam hack in a very different light...

  • Drew Reece (Level 5, 7,679 points; Notebooks), Jul 1, 2014 4:37 PM, in response to morning sun:

    morning sun wrote:

    Like here is a screenshot of something it caught but it is being sent out to macromedia which I believe is Adobe now so this one is safe right... Adobe can't be spying on me...

    Adobe software likes to stay up to date. It is normal, not malware.

    Once again, thomas_r is correct: you are looking for monsters & finding them where none exist.

    Good luck hunting them all down; you will find many if you keep looking in this manner.

  • morning sun (Level 1, 0 points), Jul 1, 2014 6:37 PM, in response to thomas_r.:

    My iPhone didn't ring, and when this happened this morning my Mac wasn't connected to the internet via WiFi or ethernet. I don't have FaceTime set up on my Mac at all, and the one time I did get a friend trying to call me via FaceTime there was no response on my Mac, just on my iPhone. My concern is that there is some kind of Malware set to run periodically from my local drive to collect keylogs, screenshots or video/images with or without any network connection present; then when there is a network connection present, these keylogs, screenshots or video/images get sent out.

    Does the "Imagent via IMRemoteURLConnectionAgent.xpc" FaceTime plugin or data connect periodically with Apple even when FaceTime isn't set up on the Mac? That seems like an odd process to be happening if FaceTime isn't set up.

  • MadMacs0 (Level 5, 4,791 points), Jul 1, 2014 8:16 PM, in response to morning sun:

    morning sun wrote:

    I looked up the phrase "imagent" on Google and found it is related to facetime

    It's also used by Messages (aka iMessage).

  • MadMacs0 (Level 5, 4,791 points), Jul 2, 2014 1:19 AM, in response to morning sun:

    morning sun wrote:

    Does the "Imagent via IMRemoteURLConnectionAgent.xpc" Facetime plugin or data connect periodically with Apple even when Facetime isn't set up on the Mac? That seems like an odd process to be happening if Facetime isn't set up.

    I don't know, but as long as it's only connecting to Apple, I don't care.

  • morning sun (Level 1, 0 points), Jul 11, 2014 5:03 PM, in response to morning sun:

    I have some cracked versions of MS Word, Adobe Creative Suite & Logic Studio that I use. Is there a way of scanning them to see if they have Malware in them before I install? Or any other way of determining if there is Malware in them?

  • Csound1 (Level 9, 50,831 points; Desktops), Jul 11, 2014 5:08 PM, in response to morning sun:

    No-one here can help with cracked software.

  • morning sun (Level 1, 0 points), Jul 11, 2014 5:15 PM, in response to Csound1:

    Does anyone have any good suggestions for FREE word processing programs that read and write to MS Word format?

  • Csound1 (Level 9, 50,831 points; Desktops), Jul 11, 2014 5:21 PM, in response to morning sun:

  • drzaritsky (Level 1, 0 points), Jul 16, 2014 1:48 PM, in response to morning sun:

    Would you provide context and/or the original post please? I am spending hours each defending myself from a hacker.

  • MadMacs0 (Level 5, 4,791 points), Jul 16, 2014 2:22 PM, in response to drzaritsky:

    Not sure exactly what you are looking for, but perhaps here.

  • morning sun (Level 1, 0 points), Jul 18, 2014 2:35 PM, in response to morning sun:

    I've been getting this "ScopedBookmarkAgent" function wanting me to enter my keychain password out of nowhere. Does anyone know if this is a legit AppleOS process?
