Is this Mac a keylogger target?
I will explain some of this issue:
I'm not the owner of the device. As far as I know, the owner (someone who uses his computer to browse Netflix and write some letters in Word) is in the middle of legal issues where a lot of money is involved. That, and the lack of important information located in several of his email threads (from a Hotmail account), are parts of this recipe. Also, as this person informed me, it is impossible to change the password of this account, since another email was added as the parent of this child account and is notified when this procedure has taken place.
As he told me, he recently created a new Hotmail account (Outlook account?) with a totally different password, and the same problem has come up again.
I did my research and tried to get a result based on the knowledge expressed in this post: "I believe that I have a keylogger or some sort of spyware installed on my mac, please help!"
And here are the results of the whole procedure described in the previously referenced post (I've replaced the real name of the user with USR and USRNAME):
Device Specs:
OS El Capitan 10.11.2
MacBook Air 13-inch, Mid 2011
1.7 GHz Intel Core i5
RAM 4 GB 1333 MHz DDR3
MacBook-Air-de-USR:~ USRUSRNAME$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
com.rim.driver.BlackBerryUSBDriverInt (0.0.74)
MacBook-Air-de-USR:~ USRUSRNAME$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
Password:
com.rim.BBDaemon
com.microsoft.office.licensing.helper
com.google.keystone.daemon
com.adobe.fpsaud
MacBook-Air-de-USR:~ USRUSRNAME$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
com.rim.BBLaunchAgent
com.microsoft.Word.8032
com.google.keystone.system.agent
com.rim.RimAlbumArtDaemon
com.microsoft.autoupdate.fba.67232
MacBook-Air-de-USR:~ USRUSRNAME$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
/Library/Components:
/Library/Extensions:
ACS6x.kext
ATTOCelerityFC8.kext
ATTOExpressSASHBA2.kext
ATTOExpressSASRAID2.kext
ArcMSR.kext
BJUSBLoad.kext
CIJUSBLoad.kext
CalDigitHDProDrv.kext
HighPointIOP.kext
HighPointRR.kext
PromiseSTEX.kext
SoftRAID.kext
hp_io_enabler_compound.kext
/Library/Frameworks:
AEProfiling.framework
AERegistration.framework
AudioMixEngine.framework
NyxAudioAnalysis.framework
PluginManager.framework
RIM_VSP.framework
RimBlackBerryUSB.framework
iTunesLibrary.framework
/Library/Input Methods:
/Library/Internet Plug-Ins:
Default Browser.plugin
Disabled Plug-Ins
Flash Player.plugin
JavaAppletPlugin.plugin
Quartz Composer.webplugin
SharePointBrowserPlugin.plugin
SharePointWebKitPlugin.webplugin
flashplayer.xpt
googletalkbrowserplugin.plugin
o1dbrowserplugin.plugin
/Library/Keyboard Layouts:
/Library/LaunchAgents:
com.google.keystone.agent.plist
com.rim.BBAlbumArtCacher.plist
com.rim.BBLaunchAgent.plist
/Library/LaunchDaemons:
com.adobe.fpsaud.plist
com.google.keystone.daemon.plist
com.microsoft.office.licensing.helper.plist
com.rim.BBDaemon.plist
/Library/PreferencePanes:
Flash Player.prefPane
/Library/PrivilegedHelperTools:
com.microsoft.office.licensing.helper
/Library/QuickLook:
iBooksAuthor.qlgenerator
iWork.qlgenerator
/Library/QuickTime:
AppleIntermediateCodec.component
AppleMPEG2Codec.component
/Library/ScriptingAdditions:
/Library/Spotlight:
Microsoft Office.mdimporter
iBooksAuthor.mdimporter
iWork.mdimporter
/Library/StartupItems:
/etc/mach_init.d:
/etc/mach_init_per_login_session.d:
/etc/mach_init_per_user.d:
Library/Address Book Plug-Ins:
SkypeABDialer.bundle
SkypeABSMS.bundle
Library/Fonts:
Library/Input Methods:
.localized
Library/Internet Plug-Ins:
Library/Keyboard Layouts:
Library/LanguageModeling:
es-dynamic.lm
Library/PreferencePanes:
Library/Services:
.localized
MacBook-Air-de-USR:~ USRUSRNAME$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
iTunesHelper
MacBook-Air-de-USR:~ USRUSRNAME$
MacBook Air, OS X El Capitan (10.11.2)