
I believe that I have a keylogger or some sort of spyware installed on my mac, please help!

I have many reasons to believe that my ex boyfriend installed a keylogger or spyware on my MacBook. I have done a lot of research and cannot find the answers that I am looking for. I have taken a screenshot of my activity monitor in hopes that someone can let me know if anything looks suspicious. It appears fine to me, although I am confident that something is installed and being used regularly to snoop and creep my every move on my computer, please help me, any advice would be helpful. As a footnote I have installed MacScan and completed a scan and it came up with nothing... I am not being paranoid, my ex has basically confirmed my suspicions.





MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 26, 2012 6:41 PM

Question marked as Best reply

Posted on Aug 26, 2012 8:05 PM

Please read this whole message before doing anything.


The following procedure will help determine whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Copy or drag — do not type — the line below into the Terminal window, then press return:


kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.


Step 2


Repeat with this line:


sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3


launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


Step 4


ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5


osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to post the output.


You can then quit Terminal.
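Added example, not part of the original post: one way to read saved Step 4 output, which is a series of "directory:" headers each followed by that directory's entries. The function names and the `com.example` entries are made up for illustration, and treating LaunchAgents, LaunchDaemons, StartupItems and the mach_init directories as the auto-start locations is this example's assumption.

```sh
#!/bin/sh
# Added example: triage of Step 4 output (ls -1A over several directories).
# Nothing here changes the system; it only filters text.

# Constructed sample in the Step 4 output format (not from a real machine).
sample_step4() {
cat <<'EOF'
/Library/Internet Plug-Ins:
Flash Player.plugin
QuickTime Plugin.plugin

/Library/LaunchAgents:
com.example.updater.plist

/Library/LaunchDaemons:
com.apple.remotepairtool.plist
com.example.helper.plist

/Library/StartupItems:
ExampleListener

/etc/mach_init.d:

Library/LaunchAgents:
.DS_Store
com.apple.AddressBook.ScheduledSync.plist
com.example.agent.plist
EOF
}

# Print "directory<TAB>entry" for every entry that sits in a directory whose
# contents are started automatically at boot or login and whose name does not
# begin with com.apple. This is a name-based filter only, like the awk filters
# in Steps 1-3: a label is not a signature, so a hit is a lead to look up,
# and a com.apple name is not proof that the item is from Apple.
autostart_items() {
  awk '
    /^$/ { next }
    /:$/ {
      # Header line: remember the directory and whether it is an auto-start one.
      dir = substr($0, 1, length($0) - 1)
      auto = (dir ~ /(LaunchAgents|LaunchDaemons|StartupItems)$/ || dir ~ /mach_init/)
      next
    }
    # Entry line: skip dotfiles such as .DS_Store and com.apple labels.
    auto && $0 !~ /^com\.apple\./ && $0 !~ /^\./ { printf "%s\t%s\n", dir, $0 }
  '
}

# Run on the constructed sample.
sample_step4 | autostart_items
```

To use it on real output, save the Step 4 text to a file and run `autostart_items < step4.txt`; plug-ins, frameworks and login items (Step 5) still need to be read by eye.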

136 replies

Aug 26, 2012 9:07 PM in response to meltymax

I would say deleting the .plist file to at least prevent the agent from running but I suspect it will recreate it. I don't have experience with Keylogging software on Mac but on Windows they can be extremely hard to remove.


Since you are a regular user and not very technically savvy, I would recommend backing up your photos, videos, documents and other things you require and then wiping the disk clean and reinstalling OS X.


You don't know what other malicious software is installed on this machine. Better have a clean one.


Important Edit: As Linc says, Lawyer up!


Most important edit: I hope you're not doing all of this typing on the same machine.

Aug 28, 2012 7:22 AM in response to meltymax

Hey guys,

I have been in contact with Spector, and they have assured me that the eblaster software has now been disabled. They were unable to disclose any information about the person who installed it, in which I am confident I know, although would like solid evidence. They informed me they need a court-order to disclose that information. I was wondering if any of you knew any code as provided by Linc to type into the terminal in which would provide me with the email address that was used to send the eblaster reports to? This may be a shot in the dark, although worth asking. Thank you again for your help previously, I finally have peace of mind.


Thank you.

Sep 8, 2012 8:06 AM in response to Linc Davis

I am having a similar problem. All of the devices in my life have been attacked. Passwords all stolen, accounts impersonated etc.

I used the directed code below (mentioned above) and have been given error messages:


sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'



WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


Entire machine has been wiped, three times, and still having issues. Post is on the iMac forum.

Dec 16, 2012 9:34 AM in response to Linc Davis

I have followed the steps Linc posted for detecting keylogger spyware on my Mac. Here are the responses I receive from each step. Could you please tell me if I have any keylogger ware on my Mac?


Step 1:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'


Response:

com.markspace.driver.RemoteNDIS (438)


Step 2:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


Response:

org.samba.smbd

org.samba.nmbd

com.sierrawireless.SierraReset.plist


Step 3:

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'


Response:

com.hp.launchurlagent

Step 4:

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null


Response:

Library/Address Book Plug-Ins:

SkypeABDialer.bundle
SkypeABSMS.bundle


/Library/Components:


/Library/Frameworks:

.DS_Store

Adobe AIR.framework

HPDeviceModel.framework
HPPml.framework
HPServicesInterface.framework
HPSmartPrint.framework
HPSmartX.framework
MacFUSE.framework
MissingSyncWM.framework
MissingSyncWMShared.framework
Snapfish.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AmazonMP3DownloaderPlugin.plugin

Flash Player.plugin

JavaPluginCocoa.bundle

NP-PPC-Dir-Shockwave

OfficeLiveBrowserPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

QuickTime Plugin.webplugin

VerifiedDownloadPlugin.plugin

ebldetect.bundle
flashplayer.xpt
iPhotoPhotocast.plugin
nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.hp.launchurlagent.plist
com.sony.ReaderLibrary.RunReaderLibrary.plist


/Library/LaunchDaemons:

com.sierrawireless.SWoCTool.plist
com.sierrawireless.SierraReset.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/QuickLook:

GBQLGenerator.qlgenerator
iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/Spotlight:

AppleWorks.mdimporter
GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iWeb.mdimporter
iWork.mdimporter


/Library/StartupItems:

HP IO

HP Trap Monitor

MissingSyncListener


/etc/mach_init.d:

dashboardadvisoryd.plist


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:

.DS_Store

BrowserPlus_2.9.8.plugin

KickStartPlugIn64.plugin

fbplugin_1_0_1.plugin

fbplugin_1_0_3.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:


Library/PreferencePanes:

BrowserPlusPrefs.prefPane


Step 5:

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null


Response:

iTunesHelper, AirPort Base Station Agent, Reader Library Launcher


Jan 11, 2013 8:45 PM in response to Linc Davis

Dear Linc:

Can you please let me know if you think I have a keylogger or spyware on my mac? I followed your steps but I am not sure how to interpret the results.


Actually, the first time I ran the steps I followed them too literally and after my password did not work I "skipped the next step," which I took to mean Step 3, and pasted the code for Step 4 and then thought better of it, closed the terminal, re-read your steps, re-opened the terminal, and did it right the second time, but I hope I did not screw it up in doing so.


Thank you in advance for your help, and thank you for the steps in the first place!

Lisa


Last login: Fri Jan 11 21:34:04 on console

L1:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

L1:~ myname$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

Sorry, try again.

Password:

Sorry, try again.

Password:

Sorry, try again.

sudo: 3 incorrect password attempts

L1:~ myname$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.google.keystone.agent.plist


/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.apple.remotepairtool.plist

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane


/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper


/Library/QuickLook:

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D426CCF7-7BE4-4E03-8A20-5CC59986AF40.plist


Library/Mail/Bundles:

SpamSieve.mailbundle


Library/PreferencePanes:

L1:~ myname$

Last login: Fri Jan 11 22:04:25 on ttys000

L1:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

L1:~ myname$

L1:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

L1:~ myname$

L1:~ myname$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.adobe.SwitchBoard

com.adobe.fpsaud

L1:~ myname$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.google.keystone.system.agent

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

L1:~ myname$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

googletalkbrowserplugin.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.google.keystone.agent.plist


/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.fpsaud.plist

com.apple.remotepairtool.plist

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane


/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper


/Library/QuickLook:

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:

com.adobe.SwitchBoard.monitor.plist


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D426CCF7-7BE4-4E03-8A20-5CC59986AF40.plist


Library/Mail/Bundles:

SpamSieve.mailbundle


Library/PreferencePanes:

L1:~ myname$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, AdobeResourceSynchronizer

L1:~ myname$

Feb 5, 2013 6:48 PM in response to meltymax

Linc,

I need a hand too bud! My ex is "monitoring" me somehow. I have done a seven pass zero, and a single pass zero before I ran this. Somehow she is still seeing me.


This was after step 4


Step 4



/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:


/Library/LaunchDaemons:


/Library/PreferencePanes:


/Library/PrivilegedHelperTools:


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Plug-Ins:


Library/Keyboard Layouts:


Library/LaunchAgents:


Library/PreferencePanes:



That is the only step that produced any results. Any help out would be awesome!!!

Feb 12, 2013 7:20 PM in response to meltymax

Hi Linc,


One more please? My soon to be ex knows things he could only get from accessing my Mac (or maybe my iPhone?) Since moving out I've repeatedly changed passwords to very difficult ones. If he hasn't installed anything on my Mac, could he access it from the parking lot of my apartment with his Mac? My wireless is locked, but my Mac seems to want to occasionally join some stupid unlocked LinkSys nearby. I can't figure it out, but he is pretty sophisticated with surveillance equipment like cameras in the house, recording devices, a tracking device on my vehicle, etc. He hasn't been in this apartment, though.


Anyway, here are my results:


Last login: Tue Feb 12 21:29:11 on ttys000

myname-MacBook-Pro:~ myname$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

myname-MacBook-Pro:~ myname$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'


WARNING: Improper use of the sudo command could lead to data loss

or the deletion of important system files. Please double-check your

typing when using sudo. Type "man sudo" for more information.


To proceed, enter your password, or type Ctrl-C to abort.


Password:

com.microsoft.office.licensing.helper
com.google.keystone.daemon
com.adobe.fpsaud

myname-MacBook-Pro:~ myname$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.google.keystone.system.agent
com.spotify.webhelper
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

myname-MacBook-Pro:~ myname$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:


/Library/Frameworks:

AEProfiling.framework
AERegistration.framework
AudioMixEngine.framework
EWSMac.framework
EpsonInformationService.framework
NyxAudioAnalysis.framework
PluginManager.framework
TSLicense.framework
iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobePDFViewer.plugin
AdobePDFViewerNPAPI.plugin

Flash Player.plugin

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin
SharePointWebKitPlugin.webplugin
Silverlight.plugin
flashplayer.xpt
googletalkbrowserplugin.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.google.keystone.agent.plist


/Library/LaunchDaemons:

com.adobe.fpsaud.plist
com.apple.remotepairtool.plist
com.google.keystone.daemon.plist
com.microsoft.office.licensing.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane

Flip4Mac WMV.prefPane

JavaControlPanel.prefpane


/Library/PrivilegedHelperTools:

Google Drive Icon Helper

com.microsoft.office.licensing.helper


/Library/QuickLook:

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component


/Library/ScriptingAdditions:


/Library/Spotlight:

Microsoft Office.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle
SkypeABSMS.bundle


Library/Fonts:


Library/Frameworks:

EWSMac.framework


Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.17702FE6-AA35-416A-8C82-FAC5124BE8A8.plist
com.spotify.webhelper.plist


Library/Services:

myname-MacBook-Pro:~ myname$ sascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

myname-MacBook-Pro:~ myname$
