need advise on spyware

[nottechsavy]

Hello everyone

Im not sure if this is where I would post this or not I have a problem that is on going and Ill say that for a different time but it getting very frustrating what my girlfriend and I have been going through. I am not good with all the terms and such I do not do this more a living or fun. lol so please go easy on me. I was able to get the info on what i believe are things running on the hard drive or where ever that stuff goes on this computer. here is what I got and if someone could just see if something is a miss that be great

sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
sh-3.2$
sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
sh-3.2$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
Password:
com.adobe.fpsaud
sh-3.2$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
com.openssh.ssh-agent
org.mozilla.firefox.20128
com.getdropbox.dropbox.20112
com.citrixonline.GoToMeeting.G2MUpdate
com.google.GoogleUpdater.wake
com.dropbox.DropboxMacUpdate.agent
com.hp.PSDrMonitorHelper
sh-3.2$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
/Library/Components:

/Library/Extensions:
ACS6x.kext
ATTOCelerityFC8.kext
ATTOExpressSASHBA2.kext
ATTOExpressSASRAID2.kext
AppleMobileDevice.kext
ArcMSR.kext
CalDigitHDProDrv.kext
HighPointIOP.kext
HighPointRR.kext
PromiseSTEX.kext
SoftRAID.kext

/Library/Frameworks:
PluginManager.framework
iTunesLibrary.framework

/Library/Input Methods:

/Library/InstallerSandboxes:
.PKInstallSandboxManager
.metadata_never_index

/Library/Internet Plug-Ins:
Flash Player.plugin
JavaAppletPlugin.plugin
flashplayer.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:

/Library/LaunchDaemons:
com.adobe.fpsaud.plist

/Library/PreferencePanes:
Flash Player.prefPane

/Library/QuickLook:
iWork.qlgenerator

/Library/QuickTime:
AppleIntermediateCodec.component

/Library/ScriptingAdditions:

/Library/Spotlight:
iBooksAuthor.mdimporter

/Library/StagedDriverExtensions:

/Library/StagedExtensions:
Library

/Library/StartupItems:

Library/Fonts:

Library/Input Methods:
.localized

Library/Internet Plug-Ins:
CitrixOnlineWebDeploymentPlugin.plugin
thinkorswim plugin_x86_64.plugin
tossc plugin_x86_64.plugin

Library/Keyboard:
de-dynamic.lm
en-dynamic.lm
user_model_database.sqlite
user_model_database.sqlite-shm
user_model_database.sqlite-wal

Library/Keyboard Layouts:

Library/KeyboardServices:
TextReplacements.db
TextReplacements.db-shm
TextReplacements.db-wal

Library/LanguageModeling:
da-dynamic.lm
de-dynamic.lm
en-dynamic.lm
es-dynamic.lm
fr-dynamic.lm
hu-dynamic.lm
it-dynamic.lm
nb-dynamic.lm
nl-dynamic.lm
pl-dynamic.lm
pt-dynamic.lm
sv-dynamic.lm
tr-dynamic.lm

Library/LaunchAgents:
com.citrixonline.GoToMeeting.G2MUpdate.plist
com.dropbox.DropboxMacUpdate.agent.plist
com.google.GoogleUpdater.wake.plist
com.google.keystone.agent.plist
com.google.keystone.xpcservice.plist

Library/PersonalizationPortrait:

Library/PreferencePanes:

Library/Services:
sh-3.2$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
Dropbox
sh-3.2$

please any advise would be great that you

 

[za9ra22]

It would help, I think, if you could give us a description of what you're experiencing with the computer. There's a bunch of things that would concern me about the stuff in your list of processes, such as anything at all related to FlashPlayer for example, which is riddled with vulnerabilities and has been widely exploited, but we could well do with knowing what symptoms you see and are concerned about.

 

[nottechsavy]

Ok so like three months ago I started getting text messages from someone that “knows” my girlfriend. And knows stuff we talk about where she goes etc. I think something is on her laptop too which we will get too. But I know this person has been in her iCloud and mine. I get messages of stuff and people she has talked to before we were together. And she gets the same thing. It has been never ending.

Some of the stuff is related right to stuff we texted.

I got rid of those old numbers and phones cause I just didn’t know. I got two burner phones. Things were peaceful. I told her to not connect her phone to anything cloud wise. And to delete everything she didn’t listen. She at this point has a normal pixel 8 and I’m a on a burner this person somehow text me. This tells me he is in her computer seeing what she is doing. Knows where she goes sends me emails she gets. I know am back on a iPhone with no iCloud and they texted me. They are getting the info from her computer or something.

It is beyond frustrating but also very exhausting on our relationship. I just want to live in peace I don’t know what vengeance this person has on me or her but I honestly can’t take it anymore

 

[Bigwaff]

If you have changed passwords and deactivated old and switched phone numbers, it’s unlikely someone has “hacked” phones or computers. You are describing some sophisticated hacking, especially if using Apple devices.

 

[nottechsavy]

I know this but this person who ever the hell it is keeps getting info. When she went to a Pixel 8 I still had a burner as soon as she started using that phone and connecting it to her Mac this person texted me. The stuff they send me of some guy she use to talk to was a picture from her iCloud she didn’t even have that phone anymore that it was on.

She got an email Tuesday morning!!!! And this person texted me about it at around lunch time

And before anyone thinks it’s her I have
gone down that road already with her. This person knows where her kids go to school know what our house looks like.

Easter weekend for example I was down the shore at my house she was up north were we live full time she was going to come she put the address in her phone or computer

This person texted me now they now I have another house and the address

I haven’t scanned her computer yet but
I’m going too. They are always texting from different number from an app. I got the police involved but they are useless

I was going to just get her another laptop and have her change all her words and such just to get that out of the picture and whip her lap top clean but honestly I’m at the point where this person if it’s someone I or her know they need some punishment

 

[Apple_Robert]

Ok so like three months ago I started getting text messages from someone that “knows” my girlfriend. And knows stuff we talk about where she goes etc. I think something is on her laptop too which we will get too. But I know this person has been in her iCloud and mine. I get messages of stuff and people she has talked to before we were together. And she gets the same thing. It has been never ending.

Some of the stuff is related right to stuff we texted.

I got rid of those old numbers and phones cause I just didn’t know. I got two burner phones. Things were peaceful. I told her to not connect her phone to anything cloud wise. And to delete everything she didn’t listen. She at this point has a normal pixel 8 and I’m a on a burner this person somehow text me. This tells me he is in her computer seeing what she is doing. Knows where she goes sends me emails she gets. I know am back on a iPhone with no iCloud and they texted me. They are getting the info from her computer or something.

It is beyond frustrating but also very exhausting on our relationship. I just want to live in peace I don’t know what vengeance this person has on me or her but I honestly can’t take it anymore

It isn’t possible for “this person” to do what you said in your post.

The only way a stranger could have your burner number is if your girlfriend gave it to them.

 

[nottechsavy]

It isn’t possible for “this person” to do what you said in your post.

The only way a stranger could have your burner number is if your girlfriend gave it to them.

What I’m saying is if she was on a pixel 8 and I still had a burner and my number was in there and she made a new Gmail account and backed up her stuff and this person is in there they couldn’t have gotten it?

 

[za9ra22]

Let's say that someone has got in to some system or device, or an iCloud account, so that what you're describing is actually happening exactly as you describe.

The first thing to do is go entirely dark. Log out of any and all online accounts, and quit using your devices as they are right now. Look at all the components in your current arrangements which remain in place as you have switched things around. This will be stuff like your wifi, iCloud accounts, Apple ID, and even computers... these are your primary risks, and these are the things to avoid powering up or using.

Replace your current wifi/router with a new one, use a new SSID and ensure you set a new password. Preferably set the SSID to hidden, so you actually have to know the name of your wifi network to attempt to connect to it. Wipe your phones and computers, switch your phone numbers, set up new email accounts. Install only basic software, stay off iCloud or any other sharing/cloud service.

I'd recommend you get a couple of cheap laptops for the time being, staying away from all previous accounts and resources.

Best guess is you may have someone sniffing your present wifi network. There is a possibility that someone has hacked into a computer, but this isn't likely because that's an awful lot of trouble to go to for no obvious purpose. Just in case, grab a copy of MalwareBytes reboot the system(s), disconnect from your network and run the software to find anything obvious.

 

[nottechsavy]

I changed my router and password when I got rid of my old numbers. This whole thing has been a complete nightmare honestly it doesn’t make any sense and I really don’t know what the end game here is.

The report I ran is on my work computer I have another one which I will swap it with. I am never use my laptop that I have.

Just them know where she goes and all this stuff does not sit easy with me. And I’m talking pin point location stuff I thought at first it was environmental guesses but that not possible some of the stuff I get.

It just feels like it will never end and I’m not even sure what to do anymore

 

[za9ra22]

I changed my router and password when I got rid of my old numbers. This whole thing has been a complete nightmare honestly it doesn’t make any sense and I really don’t know what the end game here is.

The report I ran is on my work computer I have another one which I will swap it with. I am never use my laptop that I have.

Just them know where she goes and all this stuff does not sit easy with me. And I’m talking pin point location stuff I thought at first it was environmental guesses but that not possible some of the stuff I get.

It just feels like it will never end and I’m not even sure what to do anymore

You really should avoid using ANY device you currently have in use. Turn them all off, change them all - all at the same time. Don't keep any existing numbers, emails accounts or cloud/data services. Switch everything all at once.

This is the only way to ensure that whomever is responsible can't be inside your stuff.

Switching things one by one makes it possible for them to move from device to device, service to service, if they're in there at all.

 

[nottechsavy]

Ok thank you very much for responding

 

[benwiggy]

It's much more likely that there's a 'human' explanation for what's going on than a technical one.

If you've scanned for malware, changed your iCloud password; checked the list of associated devices; and changed your physical phone, (and your girlfriend has done the same): then it's very unlikely that someone has still got access to your data. And by "very unlikely", I mean a rogue CIA agent or something.

He could have put an AirTag in your girlfriend's bag, possibly.

 

[nottechsavy]

So I do not have my iCloud anymore my new number I haven’t made an Apple ID I haven’t connected to anything cloud based

She does not have an iCloud anymore
I told her to keep her new number and phone disconnected from everything but she didn’t listen she got rid out all her email accounts and started a new one

She didn’t remember her old iCloud password so she is in contact with apple to delete but it’s crazy how hard that actually is.

I changed all my passwords and new router with a password a computer would have a hard time figuring out.

If there was an air tag around my phone would pick it up. I have checked her car for anything tracking related or mic related I haven’t found anything

I talked to my buddy at is in IT and he said that what I’m describing is not an easy thing to do. I at first thought maybe an old girl I use to chill with or her ex but honestly none of them would be this smart


I’m going to scan her computer tonight and see if there is something there but everything leads back to her laptop IMO

I feel like I’m in a real time show of like NCIS it’s not fun and this really just makes me hate all the connectivity more than I already did

 

[xari]

The way you are describing this I started to believe that one of your devices might have been rooter(rootkit). Sometimes these types of malware are known to persist and are hard to get rid of. I would suggest to run a malware scan by some of the better known antivirus software's like BitDefender etc.. After the attacker gains access to your computer he probably is able to monitor other devices on the network and he is probably conducting network attacks to gain access to other devices on the network. Then again it is super weird to me for someone to go to this extent. The best solution is like mentioned above if possible to change all the devices, and get a new IP address assigned from the ISP also new modem and stuff..

 

[nottechsavy]

Yeah I don’t know why someone is doing this.

Her and I are having a baby in August and I just want ****ing peace and it’s draining honestly.

I appreciate everyone’s input when I do a scan of her laptop like I did my work computer I’ll post it and hopefully there is something there that can lead me to what the hell os going on

 

[casperes1996]

Hello everyone

Im not sure if this is where I would post this or not I have a problem that is on going and Ill say that for a different time but it getting very frustrating what my girlfriend and I have been going through. I am not good with all the terms and such I do not do this more a living or fun. lol so please go easy on me. I was able to get the info on what i believe are things running on the hard drive or where ever that stuff goes on this computer. here is what I got and if someone could just see if something is a miss that be great

sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
sh-3.2$
sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
sh-3.2$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
sh-3.2$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
Password:
com.adobe.fpsaud
sh-3.2$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
com.openssh.ssh-agent
org.mozilla.firefox.20128
com.getdropbox.dropbox.20112
com.citrixonline.GoToMeeting.G2MUpdate
com.google.GoogleUpdater.wake
com.dropbox.DropboxMacUpdate.agent
com.hp.PSDrMonitorHelper
sh-3.2$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
/Library/Components:

/Library/Extensions:
ACS6x.kext
ATTOCelerityFC8.kext
ATTOExpressSASHBA2.kext
ATTOExpressSASRAID2.kext
AppleMobileDevice.kext
ArcMSR.kext
CalDigitHDProDrv.kext
HighPointIOP.kext
HighPointRR.kext
PromiseSTEX.kext
SoftRAID.kext

/Library/Frameworks:
PluginManager.framework
iTunesLibrary.framework

/Library/Input Methods:

/Library/InstallerSandboxes:
.PKInstallSandboxManager
.metadata_never_index

/Library/Internet Plug-Ins:
Flash Player.plugin
JavaAppletPlugin.plugin
flashplayer.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:

/Library/LaunchDaemons:
com.adobe.fpsaud.plist

/Library/PreferencePanes:
Flash Player.prefPane

/Library/QuickLook:
iWork.qlgenerator

/Library/QuickTime:
AppleIntermediateCodec.component

/Library/ScriptingAdditions:

/Library/Spotlight:
iBooksAuthor.mdimporter

/Library/StagedDriverExtensions:

/Library/StagedExtensions:
Library

/Library/StartupItems:

Library/Fonts:

Library/Input Methods:
.localized

Library/Internet Plug-Ins:
CitrixOnlineWebDeploymentPlugin.plugin
thinkorswim plugin_x86_64.plugin
tossc plugin_x86_64.plugin

Library/Keyboard:
de-dynamic.lm
en-dynamic.lm
user_model_database.sqlite
user_model_database.sqlite-shm
user_model_database.sqlite-wal

Library/Keyboard Layouts:

Library/KeyboardServices:
TextReplacements.db
TextReplacements.db-shm
TextReplacements.db-wal

Library/LanguageModeling:
da-dynamic.lm
de-dynamic.lm
en-dynamic.lm
es-dynamic.lm
fr-dynamic.lm
hu-dynamic.lm
it-dynamic.lm
nb-dynamic.lm
nl-dynamic.lm
pl-dynamic.lm
pt-dynamic.lm
sv-dynamic.lm
tr-dynamic.lm

Library/LaunchAgents:
com.citrixonline.GoToMeeting.G2MUpdate.plist
com.dropbox.DropboxMacUpdate.agent.plist
com.google.GoogleUpdater.wake.plist
com.google.keystone.agent.plist
com.google.keystone.xpcservice.plist

Library/PersonalizationPortrait:

Library/PreferencePanes:

Library/Services:
sh-3.2$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
Dropbox
sh-3.2$

please any advise would be great that you

What I don't get is that you say you're not tech savvy, don't do this for fun or work - Yet the commands you're running are A) Run in a bash shell, but the default zsh, and 2) numerous with fairly complex globs in awk.

Where did you find these commands and to what extend do you understand any. of the results?
And like others have said, Flash stands out - but more so - SSH-Agent? Are you using SSH? If you're not a techy person that seems strange. Now SSH-agent is primarily used the other direction, holding keys for you to log into other machines from your machines but it's still curious to me.

In a situation like this though my first intuition would be to guess social engineering

 

[za9ra22]

...Now SSH-agent is primarily used the other direction, holding keys for you to log into other machines from your machines but it's still curious to me...

This could be an exploit calling upstream, though it's a bit of an odd way to engineer a data leak.

 

[nottechsavy]

What I don't get is that you say you're not tech savvy, don't do this for fun or work - Yet the commands you're running are A) Run in a bash shell, but the default zsh, and 2) numerous with fairly complex globs in awk.

Where did you find these commands and to what extend do you understand any. of the results?
And like others have said, Flash stands out - but more so - SSH-Agent? Are you using SSH? If you're not a techy person that seems strange. Now SSH-agent is primarily used the other direction, holding keys for you to log into other machines from your machines but it's still curious to me.

In a situation like this though my first intuition would be to guess social engineering

I am not good with this at all. But the internet has a lot of info and sources. So I did my research and found how to run that. It was all a different language but i figured it out. No I have zero idea what I’m looking at that’s way I’m here and hopefully can learn something or at least figure out my problem

I have no idea what an ssh agent is or means

 

[bogdanw]

@nottechsavy There are no cybersecurity experts on this forum to help you with spyware.
Contact The Citizen Lab, they specialize in dealing with this kind of attack https://citizenlab.ca

 

[TracerAnalog]

Why would someone go through the hassle of stalking you or your girlfriend? Who has a possible interest? That’s where I would start looking. And talk to the police, this sounds serious. I doubt you’ll be able to solve this on your own.

Escalate this! Don’t try to solve this on this forum…

 

[TracerAnalog]

/edit double post

 

[nottechsavy]

Why would someone go through the hassle of stalking you or your girlfriend? Who has a possible interest? That’s where I would start looking. And talk to the police, this sounds serious. I doubt you’ll be able to solve this on your own.

Escalate this! Don’t try to solve this on this forum…

The cops do not care at all I have tried so many times they just keep telling me there is nothing they can do it’s never end it’s everyday

I honestly am at my breaking point

 

[bogdanw]

@nottechsavy Contact Google Threat Analysis Group (TAG), they specialize in spyware.

Buying Spying: How the commercial surveillance industry works and what can be done about it

This report documents the rise of commercial surveillance vendors and the industry that threatens free speech, the free press and the open internet.

blog.google

 

[darkpaw]

Have you thought of just blocking the number those text messages are coming from?

Sign out of everything. Change your passwords for various services, like iCloud, Apple etc. Wipe your computers, and reinstall from scratch.

Then, if you're still being harassed, go to the police. I know you say they don't care, but there are laws against electronic harassment, and the police must act.

 

[nottechsavy]

Have you thought of just blocking the number those text messages are coming from?

Sign out of everything. Change your passwords for various services, like iCloud, Apple etc. Wipe your computers, and reinstall from scratch.

Then, if you're still being harassed, go to the police. I know you say they don't care, but there are laws against electronic harassment, and the police must act.

Blocking the number?!?!?!? I have blocked over 60 numbers I have changed everything password and deleted everything

Not the computer yet cause if someone is there I need proof and to find them. I’m not letting this go. I have lost sleep days of work a million fights with my girl and we have a baby coming this should be a happy time for us and instead im dealing with this every day and it’s literally killing me

I can see how people get bullied until they killing themselves