Keystroke logger and/or spyware, help please!

I have serious reasons to suspect that someone who looks like a friend but is really hostile to my interests is spying on my iMac with a keylogger or spying software installed on it. I found and applied the 5 steps given in the post https://discussions.apple.com/thread/4243511?tstart=0. The results are below; could someone tell me if there is any spyware running? Thanks very much for any help!


Step 1:


Last login: Wed Sep 23 22:33:18 on console

Pats-iMac:~ patforgione$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.spsys.driver.NKEDriver (1.3)

com.spsys.driver.IOKitDriver (1.3)

Pats-iMac:~ patforgione$ /Applications/Firefox.app/Contents/MacOS/firefox-bin -safe-mode


Step 2:

Pats-iMac:~ patforgione$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

com.spsecure.rdaemon

com.oracle.java.JavaUpdateHelper

com.oracle.java.Helper-Tool

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.adobe.fpsaud


Step 3:

Pats-iMac:~ patforgione$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.evernote.EvernoteHelper

com.spsecure.useragent

com.oracle.java.Java-Updater

com.google.keystone.system.agent

com.spotify.webhelper

com.spigot.ApplicationManager

com.plexapp.helper

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae


Step 5:

Pats-iMac:~ patforgione$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/**,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

CS ChemDraw Pro.plugin

DirectorShockwave.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.google.keystone.agent.plist

com.oracle.java.Java-Updater.plist

com.spsecure.useragent.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

com.oracle.java.JavaUpdateHelper.plist

com.spsecure.daemon.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane

JavaControlPanel.prefPane


/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper

com.oracle.java.JavaUpdateHelper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.apple.AddressBook.ScheduledSync.ABExchangeSource.1DCA2DC0-427F-4184-86B4-3AAB02FC1662.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.9D84AFD1-0DBA-4C41-A309-7C9BB8597809.plist

com.plexapp.helper.plist

com.spigot.ApplicationManager.plist

com.spotify.webhelper.plist


Library/PreferencePanes:


Step 5:

Pats-iMac:~ patforgione$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Dropbox, Macs Fan Control, AdobeResourceSynchronizer, Spotify

Pats-iMac:~ patforgione$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iMac

Posted on Sep 23, 2015 8:08 PM


Sep 23, 2015 8:58 PM in response to forgione05

The "Spector Pro" keylogger is installed.

If you're an adult, and the keylogger was installed on your personal computer without your permission, then the computer may be evidence of a crime or a civil wrong. Consider the legal implications before you do anything. Assume that everything you've done with the computer since the keylogger was installed—including all the passwords you've typed—is known to the party who installed it.

In the event that the computer was tampered with by an unknown party, and you just want to clean it up, see below.

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the state it was in before the attack. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be practical, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which could be contaminated.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

The above being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.
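The launchd labels listed in Steps 2 and 3 do not all line up with the plist file names in the directory listing; for example, com.spsecure.rdaemon is loaded while the file on disk is com.spsecure.daemon.plist. The following is an added example, not part of this thread or of the linked procedure: a shell function, under the hypothetical name `crosscheck`, that flags such discrepancies using the identifiers posted above.

```shell
#!/bin/sh
# Added example: compare launchd labels reported as loaded (Steps 2 and 3)
# with the .plist names listed under LaunchAgents and LaunchDaemons.
# Identifiers are copied from this thread; com.apple.* entries are omitted,
# as the thread's own commands filter them out.
LOADED="com.spsecure.rdaemon com.oracle.java.JavaUpdateHelper
com.oracle.java.Helper-Tool com.microsoft.office.licensing.helper
com.google.keystone.daemon com.adobe.fpsaud com.evernote.EvernoteHelper
com.spsecure.useragent com.oracle.java.Java-Updater
com.google.keystone.system.agent com.spotify.webhelper
com.spigot.ApplicationManager com.plexapp.helper
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae"
ON_DISK="com.google.keystone.agent.plist com.oracle.java.Java-Updater.plist
com.spsecure.useragent.plist com.adobe.fpsaud.plist
com.google.keystone.daemon.plist
com.microsoft.office.licensing.helper.plist
com.oracle.java.Helper-Tool.plist com.oracle.java.JavaUpdateHelper.plist
com.spsecure.daemon.plist com.plexapp.helper.plist
com.spigot.ApplicationManager.plist com.spotify.webhelper.plist
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist"

# Emit one identifier per line, tagged with its source ("disk" or "loaded").
tagged() { printf '%s\n' "$2" | tr ' ' '\n' | sed "s/^/$1 /"; }

crosscheck() {
  { tagged disk "$ON_DISK"; tagged loaded "$LOADED"; } | awk '
    # Vendor prefix = first two components of the reverse-DNS identifier.
    function vendor(id,   p) { split(id, p, /[.]/); return p[1] "." p[2] }
    $1 == "disk" {
      sub(/[.]plist$/, "", $2); disk[$2] = 1
      files[vendor($2)] = files[vendor($2)] " " $2 ".plist"; next
    }
    {
      seen[$2] = 1
      if ($2 in disk) next                      # label and file name agree
      v = vendor($2)
      if (v in files) printf "MISMATCH %s same-vendor files:%s\n", $2, files[v]
      else            printf "NO_PLIST %s\n", $2
    }
    END { for (d in disk) if (!(d in seen)) printf "NOT_LOADED %s.plist\n", d }
  ' | sort
}
crosscheck
```

A job's label is set by the `Label` key inside its plist rather than by the file name, so a MISMATCH line is a prompt to read that plist (for instance with `plutil -p`) and see which program it launches.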
