
Detection of Spyware on Macbook Pro

Dear Community,


I have been recently subjected to a hacker attack. The hacker does not have physical access to my Macbook Pro; however, the PC of my partner has been compromised. I am not certain whether my Macbook Pro has been compromised as well and would greatly appreciate your help in detecting any spyware that might have been installed, for example, a key-logger.


Thank you very much for your help.

MacBook Pro, iOS 10.3.3

Posted on Aug 1, 2017 8:43 PM


Aug 1, 2017 8:56 PM in response to etresoft

EtreCheck version: 3.4.2 (436)

Report generated 2017-08-02 07:55:43

Download EtreCheck from https://etrecheck.com

Runtime: 2:55

Performance: Excellent


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.


Problem: Other problem

Description:

Spyware

Malware

Viruses


Hardware Information:

MacBook Pro (15-inch, 2.53GHz, Mid 2009)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro5,4

1 2.53 GHz Intel Core 2 Duo (Duo) CPU: 2-core

8 GB RAM Upgradeable - [Instructions]

BANK 0/DIMM0

4 GB DDR3 1067 MHz ok

BANK 1/DIMM0

4 GB DDR3 1067 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless:
en1: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 1177


Video Information:

NVIDIA GeForce 9400M - VRAM: 256 MB

Color LCD 1440 x 900


Disk Information:

TOSHIBA MK2555GSXF disk0: (250.06 GB) (Rotational)

[Show SMART report]

(disk0s1) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [CoreStorage Container]: 249.20 GB

(disk0s3) <not mounted> [Recovery]: 650 MB


MATSHITADVD-R UJ-868 ()


USB Information:

USBBus

Apple Inc. BRCM2046 Hub

Apple Inc. Bluetooth USB Host Controller

USBBus

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Computer, Inc. IR Receiver

USB20Bus

Apple Inc. Built-in iSight

Apple, Inc. Keyboard Hub

USB Optical Mouse

Apple Inc. Apple Keyboard

USB20Bus

Apple Card Reader


Virtual disks:

Macintosh HD (disk1 - Journaled HFS+) / [Startup]: 248.83 GB (164.38 GB free)

Encrypted AES-XTS Unlocked

Physical disk: disk0s2 249.20 GB Online


System Software:

OS X El Capitan 10.11.6 (15G1108) - Time since boot: about one day


Configuration files:

/etc/hosts - Count: 6


Gatekeeper:

Mac App Store and identified developers


Kernel Extensions:

/System/Library/Extensions

[loaded] com.nvidia.CUDA (1.1.0) [Lookup]


System Launch Agents:

[not loaded] 8 Apple tasks

[loaded] 155 Apple tasks

[running] 76 Apple tasks


System Launch Daemons:

[not loaded] 47 Apple tasks

[loaded] 152 Apple tasks

[running] 91 Apple tasks


Launch Agents:

[not loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2016-10-25) [Lookup]

[failed] com.nvidia.CUDASoftwareUpdate.plist (NVIDIA Corporation - installed 2016-12-03) [Lookup]


Launch Daemons:

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 178755d7 - installed 2017-06-23) [Lookup]

[loaded] com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installed 2017-05-15) [Lookup]

[loaded] com.nordvpn.NordVPN.Helper.plist (TEFINKOM & CO S.A - installed 2017-07-26) [Lookup]

[loaded] com.nvidia.cuda.launcher.plist (Shell Script 20f73770 - installed 2016-12-03) [Lookup]

[loaded] com.nvidia.cudad.plist (NVIDIA Corporation - installed 2016-12-03) [Lookup]


User Launch Agents:

[loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2016-10-25) [Lookup]

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-07-10) [Lookup]

[loaded] com.redgiantsoftware.updater.plist (? f08a426a 0 - installed 2017-07-12) [Lookup]

[loaded] com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installed 2017-06-22) [Lookup]

[loaded] com.valvesoftware.steamclean.plist (? e7743985 9280bbdd - installed 2017-08-01) [Lookup]


User Login Items:

HotspotShieldHelper SMLoginItem - Hidden (AnchorFree Inc. - installed 2017-07-04)

(/Applications/Hotspot Shield.app/Contents/Library/LoginItems/HotspotShieldHelper.app)


Internet Plug-ins:

FlashPlayer-10.6: 26.0.0.137 (installed 2017-07-12) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2016-11-03)

Flash Player: 26.0.0.137 (installed 2017-07-12) [Lookup]

PepperFlashPlayer: 26.0.0.137 (installed 2017-07-12) [Lookup]

AdobeAAMDetect: AdobeAAMDetect 1.0.0.0 (installed 2016-10-25) [Lookup]

Default Browser: 601 (installed 2016-07-09)


3rd Party Preference Panes:

CUDA Preferences (installed 2016-12-03) [Lookup]

Flash Player (installed 2017-06-23) [Lookup]


Time Machine:

Time Machine not configured!


Top Processes by CPU:

8% WindowServer

3% kernel_task

2% Google Chrome

1% Google Chrome Helper

1% Steam Helper


Top Processes by Memory:

717 MB kernel_task

433 MB softwareupdated

205 MB Steam Helper

194 MB Google Chrome Helper

185 MB Google Chrome


Top Processes by Energy Use:

72.40 Google Chrome Helper

19.00 WindowServer

14.42 Google Chrome

2.40 steam_osx


Virtual Memory Information:

4.36 GB Available RAM

2.07 GB Free RAM

3.64 GB Used RAM

2.29 GB Cached files

0 B Swap Used


Software installs:

Adobe Flash Player: (installed 2017-07-12)

Adobe Pepper Flash Player: (installed 2017-07-12)


Install information may not be complete.

Aug 2, 2017 12:56 AM in response to Maria_Grußer

I'm not sure how you came to the conclusion that your MBP might have been subjected to a hacker attack, so if you can give us a better feel for exactly what you have observed to lead you to that conclusion, it would certainly help. The fact that your partner's PC was compromised would not be a reason to think that yours has been.


Most of us here rely on EtreCheck to give us clues as to what might be going on with your Mac, so you can start with that for now.


You might also want to run MalwareBytes Anti-Malware for Mac. It's not optimized for detecting Key-Loggers, but it's free and could come up with something.


I suspect the best A-V software for detecting key-loggers / spyware is still MacScan (30-day trial), but in general it has been one of the lowest-performing products for detecting other types of Mac malware in a timely manner.

Aug 2, 2017 12:56 AM in response to Maria_Grußer

Hello Maria,

I wrote a little diagnostic program to help show what software is running in the background. Download EtreCheck from https://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID. When you are done, EtreCheck can be thrown in the trash.


Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

Aug 1, 2017 10:50 PM in response to Maria_Grußer

Not seeing any obvious signs there. You appear to have a very clean setup, compared to many we see here.


And it appears you have already run MalwareBytes, so we can check that off.


I see you have Pepper Flash Player installed. Very few users will ever need it and it's just something else to have to keep up-to-date. It's built into the Google Chrome browser, if you use that, and the only others that I'm aware of that might require it are Opera and Vivaldi, if you insist on needing to use Flash on those. Adobe announced the end of Flash in 2020 and it should have been much earlier.

Aug 1, 2017 11:50 PM in response to MadMacs0

Hello MadMacs0,


I have been receiving threats since over 2 months ago by some religious fanatic who has been using several Facebook accounts. My partner and I are activists. This person has gathered information on me through a bit of social engineering work; for certain motives, the person was actively gathering information and saving my pictures. This person was actively trying to log into one of my emails. As seen in the recent activity section, there were multiple attempts for over 2 months to log in and sync, from a Linux-based system with Firefox (my assumption would be Kali Linux).

Now, this person managed to break into my partner's computer, log into both his Facebook accounts, and change the emails and passwords for his Twitter, Spotify, and Facebook accounts using a YOPmail disposable email address. My partner's computer switches on by itself. The reason why the hacker went through my partner is that he is not so well versed in securing his computer. My bet is, since the person threatened to hack me, they would guess I wouldn't be keeping secrets on my device, so they did it via my partner. In terms of social engineering work, they knew I would trust and click whatever link my partner would send me.

Aug 2, 2017 12:35 AM in response to Maria_Grußer

Thanks for the rundown. Somebody attempted to log into my iCloud e-mail account three times in rapid succession this weekend, and I received immediate notifications, so I know that's common even though I have no reason to believe that I was specifically targeted. And I receive phishing e-mails almost every day, often concerning financial institutions I've never heard of, in hopes of hooking someone.


From everything you have said, there are grounds to take legal action against this person, so if you have any desire to do so you need to stop using both computers and notify authorities now. A well trained cyber-security law enforcement officer may be able to help you with this, but only if you refrain from disturbing any evidence that remains.


That being said, there is no known way to infect your computer by simply reading an e-mail, visiting a web site or even clicking on a link to a web site. In order to place any type of malware on your computer you would have to open an attachment designed specifically to run on a Mac or download a similar file from a web site. Of course you also would not want to ever enter login credentials on a web site you were directed to. If you have not done any of that and never entered your admin password in a dialog you didn't expect, (and you already told us that nobody else has physical access to your MBP) then you can be confident your computer has not been compromised.

Aug 2, 2017 12:56 AM in response to MadMacs0

MadMacs0,


Thank you for your response.


There are many other indications, which I didn't list. I can confidently say this is a targeted attack with lots of social engineering effort put into it, and not some phishing link. The messages I have been receiving are well-crafted and now others have been targeted as well. It is very unfortunate that some people believe one must be killed for expressing different views.


I would like to ask if you may suggest other ways to detect any possible Malware?


Many thanks.

Aug 2, 2017 1:42 AM in response to Maria_Grußer

I'm afraid I'm way out of time for today, so I'll have to make this quick...


I had no doubt that you were targeted, just wanted to let you know that even non-targeted users are hacked at on a daily basis.


OS X 10.11.6 already protects you against all the most serious, common malware with XProtect, MRT (Malware Removal Tool) and GateKeeper. MalwareBytes knows about Adware and most other malware that has been around for the last decade. EtreCheck has modest capabilities in that department, as well.


Have you opened any e-mail attachments from unknown users? Downloaded software from sketchy or fake web sites? Allowed anybody physical or shared access over a network to your computer? If not, then I don't see any reason to spend time looking for malware.


Having spent a few years giving uncompensated tech support on the ClamXAV Forum, I'm a bit partial to ClamXAV as a relatively non-intrusive 3rd party anti-malware application. Although the included ClamAV scanning engine was originally designed as an e-mail server scanner, ClamXAV includes more than 989,000 OS X unique virus signatures and a real-time capability to watch folders and external disks where new files are first introduced, without unnecessarily impacting your computer. As a bonus, it will find any Windows malware that might impact your partner.

Aug 2, 2017 3:28 AM in response to Maria_Grußer

Hello Maria,

The only thing I can add is that people often misunderstand where the risks lie with these kinds of hacking attempts. Your Mac is one of the least vulnerable devices you have. Only your iPhone or iPad would be more secure. It is online services that are much bigger risks. Their customer support people can be easily manipulated by someone skilled in that area. I strongly suggest you enable Apple's two-factor authentication if you haven't already done so. For any non-Apple accounts, make sure you have strong passwords and that you never share passwords online.

Aug 3, 2017 11:37 AM in response to Maria_Grußer

That's not spyware of any kind, it's malware designed to inject ads and redirects into your web browsing, solely for the purpose of scamming money out of advertisers (by generating fake ad views and affiliate site visits). You are not the direct victim for this kind of infection. This malware is definitely not targeted nor being used to spy on you.


Further, if those are the only things it detected, the malware wasn't still active. If it were, there would have been one or more .plist files detected as well. Those were simply remnants, and the .plist files were removed somehow previously.
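The EtreCheck report earlier in the thread lists launchd items (Launch Agents, Launch Daemons, User Launch Agents), and the reply above explains why active malware on a Mac normally leaves a .plist persistence file behind. The script below is an added example, not part of this thread or of EtreCheck, that does the same enumeration with the Python standard library: it parses each launchd plist in a directory, reports what it runs and whether it starts at login, and flags items whose program lives in a temporary or hidden path or that borrow a com.apple label outside Apple's own directories. The two plists it scans are constructed for the demo; on a real Mac you would point it at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.

```python
"""Added example (not EtreCheck's code): summarise launchd persistence plists."""
import plistlib
import tempfile
from pathlib import Path

# Third-party launchd items normally point into /Applications or /Library;
# a program under a temp directory or a dot-folder deserves a closer look.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")

def program_of(item: dict) -> str:
    """Return the executable a launchd item starts (Program or ProgramArguments[0])."""
    if "Program" in item:
        return str(item["Program"])
    args = item.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def scan_launchd_dir(directory: Path) -> list:
    """Parse every .plist in directory (XML or binary) and summarise each one."""
    rows = []
    for path in sorted(directory.glob("*.plist")):
        with path.open("rb") as fh:
            item = plistlib.load(fh)
        prog = program_of(item)
        label = str(item.get("Label", "<no label>"))
        hidden_path = any(part.startswith(".") for part in Path(prog).parts)
        # Apple's own agents/daemons live under /System; a com.apple.* label in
        # a user or /Library directory is a common masquerading pattern.
        fake_apple = label.startswith("com.apple.") and not str(directory).startswith("/System/")
        rows.append({
            "file": path.name,
            "label": label,
            "program": prog,
            "run_at_load": bool(item.get("RunAtLoad", False)),
            "keep_alive": bool(item.get("KeepAlive", False)),
            "suspect": prog.startswith(SUSPECT_DIRS) or hidden_path or fake_apple,
        })
    return rows

def demo() -> list:
    """Write two constructed plists (one benign, one suspicious) and scan them."""
    d = Path(tempfile.mkdtemp())
    good = {"Label": "com.example.updater", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"]}
    bad = {"Label": "com.apple.notreal", "Program": "/Users/Shared/.cache/agent",
           "RunAtLoad": True, "KeepAlive": True}
    for name, data in (("com.example.updater.plist", good), ("com.apple.notreal.plist", bad)):
        with (d / name).open("wb") as fh:
            plistlib.dump(data, fh)
    return scan_launchd_dir(d)

if __name__ == "__main__":
    for row in demo():
        print(("[SUSPECT] " if row["suspect"] else "[ok]      ") + row["label"], "->", row["program"])
```

A flagged item is a lead, not a verdict: check the program's code signature and install date (as EtreCheck does) before deciding it is malicious.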
