πŸ“’ Newsroom Update

Apple’s new MacBook Pro features the incredibly powerful M4 family of chips and ushers in a new era with Apple Intelligence. Learn more >

πŸ“’ Newsroom Update

Apple introduces M4 Pro and M4 Max. Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Spyware on my MacBook? Please Help

Hey all,



I have reasonable suspicion to believe that spyware/keylogger were installed on my MacBook I have followed the guide of I believe that I have a keylogger or some sort of spyware installed on my mac, please help!



Here are my results:


After output 1:


~ Shery$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.avg.Antivirus.OnAccess.kext (2016.0)




After output 2:


Shery$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'

Password:

  1. com.microsoft.office.licensing.helper
  2. com.avg.Antivirus
  3. com.avg.Antivirus.crashpad
  4. com.microsoft.office.licensingV2.helper
  5. com.avg.Antivirus.infosd
  6. com.disc-soft.DAEMONTools.PrivilegedHelper
  7. com.adobe.fpsaud
  8. com.microsoft.autoupdate.helper





After output 3:


Shery$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfi x|x)/{print $3}'

Password:

  1. com.microsoft.office.licensing.helper
  2. com.avg.Antivirus
  3. com.avg.Antivirus.crashpad
  4. com.microsoft.office.licensingV2.helper
  5. com.avg.Antivirus.infosd
  6. com.disc-soft.DAEMONTools.PrivilegedHelper
  7. com.adobe.fpsaud
  8. com.microsoft.autoupdate.helper

Muhammads-MacBook-Pro:~ Shery$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

  1. com.dropbox.DropboxMacUpdate.agent.install.1407489442
  2. com.microsoft.Word.5620
  3. com.microsoft.Office365ServiceV2.1544
  4. com.bittorrent.uTorrent
  5. com.openssh.ssh-agent
  6. com.canon.MFManager
  7. com.simplexsolutionsinc.vpnguardhelperMac
  8. com.avg.Antivirus
  9. com.simplexsolutionsinc.vpnguardMac.6312
  10. com.rosettastone.rosettastonedaemon
  11. com.canon.SLRuntimeLoader.1424
  12. com.microsoft.autoupdate.fba.4164
  13. com.google.keystone.user.agent
  14. com.spigot.ApplicationManager
  15. com.dropbox.DropboxMacUpdate.agent




After output 4:


~ Shery$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ACS6x.kext

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

  1. ArcMSR.kext
  2. BJUSBLoad.kext
  3. CIJUSBLoad.kext
  4. CalDigitHDProDrv.kext
  5. HighPointIOP.kext
  6. HighPointRR.kext
  7. PromiseSTEX.kext
  8. SoftRAID.kext


/Library/Frameworks:

  1. AEProfiling.framework
  2. AERegistration.framework
  3. AudioMixEngine.framework
  4. NyxAudioAnalysis.framework
  5. PluginManager.framework
  6. iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

Disabled Plug-Ins

Flash Player.plugin

Quartz Composer.webplugin

  1. SharePointBrowserPlugin.plugin
  2. SharePointWebKitPlugin.webplugin
  3. Silverlight.plugin
  4. flashplayer.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

  1. com.avg.Antivirus.gui.plist
  2. com.canon.MFManager.plist
  3. com.rosettastone.rosettastonedaemon.plist


/Library/LaunchDaemons:

  1. com.adobe.fpsaud.plist
  2. com.avg.Antivirus.crashpad.plist
  3. com.avg.Antivirus.infosd.plist
  4. com.avg.Antivirus.services.plist
  5. com.disc-soft.DAEMONTools.PrivilegedHelper.plist
  6. com.microsoft.autoupdate.helper.plist
  7. com.microsoft.office.licensing.helper.plist
  8. com.microsoft.office.licensingV2.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/PrivilegedHelperTools:

  1. com.disc-soft.DAEMONTools.PrivilegedHelper
  2. com.microsoft.autoupdate.helper
  3. com.microsoft.office.licensing.helper
  4. com.microsoft.office.licensingV2.helper


/Library/QuickLook:

  1. iBooksAuthor.qlgenerator
  2. iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

  1. iBooksAuthor.mdimporter
  2. iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

  1. SkypeABCaller.bundle
  2. SkypeABChatter.bundle
  3. SkypeABDialer.bundle
  4. SkypeABSMS.bundle


Library/Fonts:

Managed


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

SkypePlugin-7.29.0.72.bundle


Library/Keyboard:

en-dynamic.lm

fr-dynamic.lm


Library/Keyboard Layouts:


Library/KeyboardServices:

  1. TextReplacements.db
  2. TextReplacements.db-shm
  3. TextReplacements.db-wal


Library/LanguageModeling:

da-dynamic.lm

de-dynamic.lm

en-dynamic.lm

es-dynamic.lm

fi-dynamic.lm

fr-dynamic.lm

it-dynamic.lm

nb-dynamic.lm

nl-dynamic.lm

pl-dynamic.lm

pt-dynamic.lm

ru-dynamic.lm

sv-dynamic.lm

tr-dynamic.lm


Library/LaunchAgents:

  1. com.bittorrent.uTorrent.plist
  2. com.dropbox.DropboxMacUpdate.agent.plist
  3. com.google.keystone.agent.plist
  4. com.spigot.ApplicationManager.plist


Library/PreferencePanes:


Library/Services:



After output 5:


~ Shery$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Dropbox










Please help

Posted on Mar 12, 2017 7:46 AM

Reply
13 replies

Mar 12, 2017 8:20 AM in response to OGELTHORPE

EtreCheck version: 3.1.5 (343)

Report generated 2017-03-12 21:15:38

Download EtreCheck from https://etrecheck.com

Runtime 3:22

Performance: Good


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Remove] links to remove adware.


Problem: No problem - just checking


Hardware Information: β“˜

MacBook Pro (Retina, 13-inch, Mid 2014)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro11,1

1 2.6 GHz Intel Core i5 (i5-4278U) CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 269


Video Information: β“˜

Intel Iris

Color LCD 2560 x 1600


System Software: β“˜

macOS Sierra 10.12.3 (16D32) - Time since boot: about 25 days


Disk Information: β“˜

APPLE SSD SM0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

BOOTCAMP (disk0s4) /Volumes/BOOTCAMP : 20.82 GB (300 MB free)

Macintosh HD (disk1) / [Startup]: 228.98 GB (34.12 GB free)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 229.32 GB Online


USB Information: β“˜

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: β“˜

Apple Inc. thunderbolt_bus


Configuration files: β“˜

/etc/sysctl.conf - File exists but not expected


Gatekeeper: β“˜

Mac App Store and identified developers


Adware: β“˜

~/Library/LaunchAgents/com.bittorrent.uTorrent.plist

~/Library/LaunchAgents/com.spigot.ApplicationManager.plist

2 adware files found. [Remove]


Kernel Extensions: β“˜

/Applications/AVG AntiVirus.app

[loaded] com.avg.Antivirus.OnAccess.kext (4822 - SDK 10.8 - 2017-03-12) [Support]


/Applications/DAEMON Tools/DAEMON Tools.app

[not loaded] com.disc-soft.DAEMONTools.VirtualSCSIBus (1.0.2 - SDK 10.8 - 2015-10-08) [Support]


/Applications/SmartSwitch.app

[not loaded] com.devguru.driver.SamsungACMControl (1.4.32 - SDK 10.6 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungACMData (1.4.32 - SDK 10.6 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungComposite (1.4.32 - SDK 10.6 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungMTP (1.4.32 - SDK 10.5 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungSerial (1.4.32 - SDK 10.6 - 2015-11-24) [Support]


System Launch Agents: β“˜

[not loaded] 7 Apple tasks

[loaded] 166 Apple tasks

[running] 101 Apple tasks

[killed] 6 Apple tasks

6 processes killed due to insufficient RAM


System Launch Daemons: β“˜

[failed] com.apple.csrutil.report.plist (2017-01-13)

[not loaded] 41 Apple tasks

[loaded] 157 Apple tasks

[running] 106 Apple tasks

[killed] 6 Apple tasks

6 processes killed due to insufficient RAM


Launch Agents: β“˜

[running] com.avg.Antivirus.gui.plist (2017-03-12) [Support]

[running] com.canon.MFManager.plist (2016-03-31) [Support]

[running] com.rosettastone.rosettastonedaemon.plist (2016-01-28) [Support]


Launch Daemons: β“˜

[loaded] com.adobe.fpsaud.plist (2016-06-29) [Support]

[loaded] com.avg.Antivirus.crashpad.plist (2015-11-22) [Support]

[running] com.avg.Antivirus.infosd.plist (2015-11-22) [Support]

[running] com.avg.Antivirus.services.plist (2016-10-31) [Support]

[loaded] com.disc-soft.DAEMONTools.PrivilegedHelper.plist (2016-01-18) [Support]

[running] com.microsoft.autoupdate.helper.plist (2016-12-11) [Support]

[loaded] com.microsoft.office.licensing.helper.plist (2015-03-25) [Support]

[loaded] com.microsoft.office.licensingV2.helper.plist (2016-04-11) [Support]


User Launch Agents: β“˜

[loaded] com.bittorrent.uTorrent.plist (2017-01-13) Adware! [Remove]

/usr/bin/open

[loaded] com.dropbox.DropboxMacUpdate.agent.plist (2017-03-10) [Support]

[loaded] com.google.keystone.agent.plist (2017-01-14) [Support]

[failed] com.spigot.ApplicationManager.plist (2015-11-19) Adware! [Remove]


User Login Items: β“˜

iTunesHelper Application (2017-01-24)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Application

(/Applications/Dropbox.app)


Internet Plug-ins: β“˜

Silverlight: 5.1.10411.0 - SDK 10.6 (2016-03-31) [Support]

FlashPlayer-10.6: 22.0.0.209 - SDK 10.9 (2016-09-09) [Support]

QuickTime Plugin: 7.7.3 (2017-02-09)

Flash Player: 22.0.0.209 - SDK 10.9 (2016-09-09) Outdated! Update

SharePointBrowserPlugin: 14.6.3 - SDK 10.6 (2016-04-26) [Support]


Safari Extensions: β“˜

Translate - SideTree.com - Apps for Mac and Web - http://SideTree.com/extensions.html#Translate (2015-11-21)


3rd Party Preference Panes: β“˜

Flash Player (2016-06-29) [Support]


Time Machine: β“˜

Time Machine not configured!


Top Processes by CPU: β“˜

25% Mail

11% Safari

8% kernel_task

6% com.apple.WebKit.WebContent(10)

4% hidd


Top Processes by Memory: β“˜

1.70 GB com.apple.WebKit.WebContent(10)

1.21 GB kernel_task

188 MB mdworker(9)

156 MB Safari

131 MB Mail


Virtual Memory Information: β“˜

1.31 GB Available RAM

20 MB Free RAM

6.69 GB Used RAM

1.29 GB Cached files

1.60 GB Swap Used









I will remove BitTorrent now and should I remove AVG antivirus? Is it not important to have antivirus? Sorry for the stupid questions.

Mar 12, 2017 8:48 AM in response to shery2017

Use the "Remove" function within EtreCheck to rid your computer of the Adware. After removal, Restart the computer and check for improved performance. yes, you should remove the Anti Virus software. Use instructions from the developers site to do so.



Adware: β“˜

~/Library/LaunchAgents/com.bittorrent.uTorrent.plist

~/Library/LaunchAgents/com.spigot.ApplicationManager.plist

2 adware files found. [Remove]

Mar 12, 2017 10:54 AM in response to shery2017

Thank you, I have deleted uTorrent and also used Eltrecheck to remove the 2 items it flagged and rebooted the Mac.


Here is the report now:


EtreCheck version: 3.1.5 (343)

Report generated 2017-03-12 23:48:16

Download EtreCheck from https://etrecheck.com

Runtime 2:32

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.


Problem: No problem - just checking


Hardware Information: β“˜

MacBook Pro (Retina, 13-inch, Mid 2014)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro11,1

1 2.6 GHz Intel Core i5 (i5-4278U) CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 269


Video Information: β“˜

Intel Iris

Color LCD 2560 x 1600


System Software: β“˜

macOS Sierra 10.12.3 (16D32) - Time since boot: less than an hour


Disk Information: β“˜

APPLE SSD SM0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

BOOTCAMP (disk0s4) /Volumes/BOOTCAMP : 20.82 GB (300 MB free)

Macintosh HD (disk1) / [Startup]: 228.98 GB (39.39 GB free)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 229.32 GB Online


USB Information: β“˜

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: β“˜

Apple Inc. thunderbolt_bus


Configuration files: β“˜

/etc/sysctl.conf - File exists but not expected


Gatekeeper: β“˜

Mac App Store and identified developers


Kernel Extensions: β“˜

/Applications/AVG AntiVirus.app

[loaded] com.avg.Antivirus.OnAccess.kext (4822 - SDK 10.8 - 2017-03-12) [Support]


/Applications/DAEMON Tools/DAEMON Tools.app

[not loaded] com.disc-soft.DAEMONTools.VirtualSCSIBus (1.0.2 - SDK 10.8 - 2015-10-08) [Support]


/Applications/SmartSwitch.app

[not loaded] com.devguru.driver.SamsungACMControl (1.4.32 - SDK 10.6 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungACMData (1.4.32 - SDK 10.6 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungComposite (1.4.32 - SDK 10.6 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungMTP (1.4.32 - SDK 10.5 - 2015-11-24) [Support]

[not loaded] com.devguru.driver.SamsungSerial (1.4.32 - SDK 10.6 - 2015-11-24) [Support]


System Launch Agents: β“˜

[not loaded] 7 Apple tasks

[loaded] 179 Apple tasks

[running] 94 Apple tasks


System Launch Daemons: β“˜

[not loaded] 40 Apple tasks

[loaded] 167 Apple tasks

[running] 104 Apple tasks


Launch Agents: β“˜

[running] com.avg.Antivirus.gui.plist (2017-03-12) [Support]

[running] com.canon.MFManager.plist (2016-03-31) [Support]

[running] com.rosettastone.rosettastonedaemon.plist (2016-01-28) [Support]


Launch Daemons: β“˜

[loaded] com.adobe.fpsaud.plist (2016-06-29) [Support]

[loaded] com.avg.Antivirus.crashpad.plist (2015-11-22) [Support]

[running] com.avg.Antivirus.infosd.plist (2015-11-22) [Support]

[running] com.avg.Antivirus.services.plist (2016-10-31) [Support]

[loaded] com.disc-soft.DAEMONTools.PrivilegedHelper.plist (2016-01-18) [Support]

[loaded] com.microsoft.autoupdate.helper.plist (2016-12-11) [Support]

[loaded] com.microsoft.office.licensing.helper.plist (2015-03-25) [Support]

[loaded] com.microsoft.office.licensingV2.helper.plist (2016-04-11) [Support]


User Launch Agents: β“˜

[loaded] com.dropbox.DropboxMacUpdate.agent.plist (2017-03-10) [Support]

[loaded] com.google.keystone.agent.plist (2017-01-14) [Support]


User Login Items: β“˜

iTunesHelper Application (2017-01-24)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)


Internet Plug-ins: β“˜

Silverlight: 5.1.10411.0 - SDK 10.6 (2016-03-31) [Support]

FlashPlayer-10.6: 22.0.0.209 - SDK 10.9 (2016-09-09) [Support]

QuickTime Plugin: 7.7.3 (2017-02-09)

Flash Player: 22.0.0.209 - SDK 10.9 (2016-09-09) Outdated! Update

SharePointBrowserPlugin: 14.6.3 - SDK 10.6 (2016-04-26) [Support]


Safari Extensions: β“˜

Translate - SideTree.com - Apps for Mac and Web - http://SideTree.com/extensions.html#Translate (2015-11-21)


3rd Party Preference Panes: β“˜

Flash Player (2016-06-29) [Support]


Time Machine: β“˜

Time Machine not configured!


Top Processes by CPU: β“˜

51% com.apple.WebKit.WebContent(2)

15% WindowServer

14% kernel_task

12% com.apple.WebKit.Networking

9% Safari


Top Processes by Memory: β“˜

671 MB kernel_task

492 MB com.apple.WebKit.WebContent(2)

180 MB mds_stores

115 MB WindowServer

98 MB mdworker(12)


Virtual Memory Information: β“˜

4.59 GB Available RAM

1.66 GB Free RAM

3.41 GB Used RAM

2.93 GB Cached files

0 B Swap Used


Diagnostics Information: β“˜

Mar 12, 2017, 11:44:39 PM Self test - passed

Mar 12, 2017, 09:23:10 PM /Library/Logs/DiagnosticReports/com.apple.WebKit.WebContent_2017-03-12-212310_[ redacted].cpu_resource.diag [Details]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.We bKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent


Files deleted by EtreCheck: β“˜

Mar 12, 2017, 09:59:58 PM - ~/Library/LaunchAgents/com.bittorrent.uTorrent.plist

Mar 12, 2017, 09:59:58 PM - ~/Library/LaunchAgents/com.spigot.ApplicationManager.plist





In terms of the AVG antivirus should I uninstall on this Mac OS and only install on the windows?


Can I sure that my mac doesn't have spyware on it?

Mar 12, 2017 11:45 AM in response to shery2017

shery2017 wrote


In terms of the AVG antivirus should I uninstall on this Mac OS and only install on the windows?


Can I sure that my mac doesn't have spyware on it?

The AV should only be installed for Windows. Macs do not perform well with almost all AV applications.


I see no evidence of any spyware on your Mac. What phenomenon is occurring that makes you believe that there is spyware?


Ciao.

Mar 13, 2017 10:05 AM in response to shery2017

Hey,


Thank you everyone for the help. I suspected spyware as someone I knew all knew what I was doing such as what flight I've booked. I have 2 step verification for both hotmail and gmail and I regularly check both to see if any other devices are accessing the accounts.


Also where I am running low on memory, how can i increase/upgrade this? I am happy to stick a good SSD to the mac externally if it can work this way. I use Windows on bootcamp for certain this that can't be done on Mac and setting up certain devices that require windows. So I need extra hard drive space on both Mac and Windows. Although Windows is rarely but is needed.



Avg Uninstalled now

Mar 13, 2017 12:04 PM in response to shery2017

shery2017 wrote:


I suspected spyware as someone I knew all knew what I was doing such as what flight I've booked.


Nahh, since it's someone you know, I'm sure that they could have easily been on the same wireless network as you at some point, in which case there are ways they could have read the text of every e-mail message you sent and received. (E-mail is like a postcard, anyone who is in a position to intercept it can read it. Sending e-mail while you're on an unsecured wireless network is like tacking that postcard up on a public bulletin board where the postman will pick it up later.)


There are plenty of explanations that don't require spyware, and few scenarios (most of which would require the party in question to have physical access to your Mac) where spyware would actually be the right answer.

Spyware on my MacBook? Please Help

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.