How to Detect Spyware on a Mac

Please read this whole guide before doing anything.

Only follow these instructions if you have already scanned your Mac with Macware Spyware Cleaner.

The following procedure will help identify whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.

These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. After you have executed each command, copy and paste the result into a text file.

Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it.

Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1
Copy or drag — do not type — the line below into the Terminal window, then press return:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.

Step 2
Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time, you’ll be prompted for your login password, which won’t be displayed when you type it. You may get a one-time warning not to screw up. You don’t need to post the warning.

Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.

Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Step 5

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to paste the output into a text file.

You can then quit Terminal.

Step 6

Post your results here;

Our staff will review the results as soon as possible and inform you of any potential spyware found.

How to Remove MacCaptain

What is MacCaptain?
MacCaptain is advertised as a program that displays coupons for sites you are visiting and competitive prices when you are viewing product pages at sites like Amazon. Though this may sound like a useful service, the MacCaptain program can be intrusive and will display ads whether you want them to or not.

When installed, the MacCaptain browser extension will display advertising banners, pop-up advertisements and in-text ads, stating that they are brought to you by “MacCaptain”. These ads aim to promote the installation of additional questionable content, including web browser toolbars, optimization utilities and other products, all so the MacCaptain publisher can generate pay-per-click revenue.


When infected with MacCaptain the common symptoms include:
– Advertising banners are injected into the web pages that you are visiting.
– Random web page text is turned into hyperlinks.
– Browser popups appear which recommend fake updates or other software.
– Other unwanted adware programs might get installed without the user’s knowledge.

How to quickly remove MacCaptain?
Scan your computer with Macware Adware Cleaner for Mac. Adware Cleaner will free your computer from annoying adware (e.g. MacCaptain), malicious hijacker programs and unwanted toolbars.

How to remove MacCaptain?
If there’s an item named “vindinstaller” in the Applications folder, or any other item that you don’t recognise, delete it.

Uninstall MacCaptain Safari Extension;
You can uninstall the extension by selecting Safari > Preferences > Extensions > Select the MacCaptain Extension (it may be listed as another name) > Uninstall > Restart Safari. (See Remove Extensions from Safari for more detailed instructions)

Uninstall MacCaptain Firefox Extension;
You can uninstall the MacCaptain extension by selecting: Firefox > Tools > Add-ons > Extensions > Find the MacCaptain Extension (it may be listed as another name) > Remove > Restart Firefox. (See Remove Extensions from Firefox for more detailed instructions)

Uninstall MacCaptain Google Chrome Extension;
You can easily uninstall the MacCaptain extension by selecting Window > Extensions > Find the MacCaptain Extension (it may be listed as another name) > click the Trash Can icon. (See Remove Extensions from Chrome for more detailed instructions)

Remove Extensions from Firefox

To remove Extensions from Mozilla Firefox:

  1. Click the menu button and choose Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions or Appearance panel.
  3. Select the extension add-on you wish to remove.
  4. Click the Remove button.
  5. Click Restart now if it pops up. Your tabs will be saved and restored after the restart.

Remove Adware from Firefox

To remove Adware Extensions from Mozilla Firefox:

  1. Click the menu button and choose Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions or Appearance panel.
  3. Select the adware extension add-on you wish to remove.
  4. Click the Remove button.
  5. Click Restart now if it pops up. Your tabs will be saved and restored after the restart.

How to Remove MacVX

What is MacVX?
MacVX is an application that is supposed to enable faster streaming of online videos. At least that is what the developers of this program claim. Moreover, this application is compatible with all major browsers. However, there are a couple of interesting facts that you should know about this program. In fact, MacVX is recognized as adware for several reasons. Firstly, this program is free; therefore, in order to make money, its developers cooperate with various advertisers. Secondly, this questionable application may travel as an extra attachment bundled with other freeware. Thirdly, MacVX ads may redirect you to an unsafe website that you do not want to visit. Finally, this program may track your online activities and use this information for various commercial purposes.

How to remove MacVX?
Scan your computer with MacWare Adware Cleaner for Mac. Adware Cleaner will free your computer from annoying adware, malicious hijacker (e.g. MacVX) programs and unwanted toolbars.

How to Remove Celipsow

What is Celipsow?
Celipsow is a program that is used to monetize software installation. It is a platform that generates revenue for developers and helps in the distribution of other programs. The bad thing about Celipsow is that some adware authors are utilizing this program to deploy malicious applications to Mac OS X systems.

To spread adware, authors of potentially unwanted programs use Celipsow to bundle their software into legitimate programs. In most cases, users are not aware that installing desired programs may contaminate their computers with various adware. Celipsow is commonly linked to freeware and third-party software.

Once Celipsow gets installed on your Mac, it will install the host program and deliberately load other adware in the background. It installs unknown software without asking for user’s permission. Celipsow also alters various browser settings without the user’s permission.

How to remove Celipsow?
Scan your computer with MacWare Adware Cleaner for Mac. Adware Cleaner will free your computer from annoying adware (e.g. Celipsow), malicious hijacker programs and unwanted toolbars.

How to manually remove Celipsow?

STEP 1: Remove the Celipsow Browser extension
1. Locate the add-on or extension that is relevant to Celipsow. To do this, follow the instructions below for each affected browser.

Uninstall Celipsow Safari Extension;
You can easily uninstall the Celipsow extension by selecting Safari > Preferences > Extensions > Select Celipsow Extension (it may be listed as another name) > Uninstall > Restart Safari. (See Remove Extensions from Safari for helpful instructions)

Uninstall Celipsow Google Chrome Extension;
You can easily uninstall the Celipsow extension by selecting Window > Extensions > Find Celipsow Extension (it may be listed as another name) > click the Trash Can icon. (See Remove Extensions from Chrome for helpful instructions)

Uninstall Celipsow Firefox Extension;
You can uninstall the Celipsow extension by selecting: Firefox > Tools > Add-ons > Extensions > Find Celipsow Extension (it may be listed as another name) > Remove > Restart Firefox. (See Remove Extensions from Firefox for more detailed instructions)

2. Once you have located Celipsow, click on Remove or Uninstall to get rid of it.

3. Close the browser and proceed to the next steps.

STEP 2: Delete Malicious Files that have installed Celipsow

Locate and delete the following files from ~/Library/LaunchAgents and ~/Library/Application Support;

unknown.download.plist
unknown.ltvbit.plist
unknown.update.plist

The term unknown is just a representation of the actual malware name. It is normally an unfamiliar file name such as the following; Celipsow, InstallMac, Manroling, Genieo, Gwenrose, Montageobox, Nariabox, Epolife, Feelbegin, Inkeeper, Javeview, Jakecares, or Leperdvil.

If you cannot find the specified files, please look for any unfamiliar or suspicious files or browser extensions. One of them may be what is causing Celipsow to be present on your Mac. Arranging all items so that the most recent ones are shown first may also help you identify recently installed unfamiliar files.
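
The STEP 2 search above can be done from Terminal. The script below is an added example, not part of the original guide or of any Macware tool: it only lists files whose names match the three patterns and never deletes anything. The helper name find_suspect_plists, the "listed"/"review" tags and the two-level search depth are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: lists (never deletes) files whose names match the three
# STEP 2 patterns so they can be reviewed before removal.

# Names listed on this page, lowercased for case-insensitive matching.
KNOWN="celipsow installmac manroling genieo gwenrose montageobox nariabox
epolife feelbegin inkeeper javeview jakecares leperdvil"

# find_suspect_plists [DIR...]   (hypothetical helper name)
# Prints "<tag> <path>" per match. tag is "listed" when the file name contains
# a name from KNOWN, otherwise "review" (unfamiliar name, check it by hand).
find_suspect_plists() {
    [ "$#" -gt 0 ] || set -- "$HOME/Library/LaunchAgents" \
                             "$HOME/Library/Application Support"
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -maxdepth 2 is an assumption: the folder itself plus one subfolder.
        find "$dir" -maxdepth 2 -type f \( -name '*.download.plist' \
            -o -name '*.ltvbit.plist' -o -name '*.update.plist' \) 2>/dev/null |
        while IFS= read -r path; do
            base=$(basename "$path" | tr '[:upper:]' '[:lower:]')
            tag=review
            for name in $KNOWN; do
                case "$base" in *"$name"*) tag=listed; break ;; esac
            done
            printf '%s %s\n' "$tag" "$path"
        done
    done
}

# With no arguments the function checks the two folders named in STEP 2:
#   find_suspect_plists
```

A "review" line is not proof of adware: legitimate software can also use names ending in .update.plist, so check each file before deleting it.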