iMac – Are these documents from the file recovery a cause for concern?

imac, kernel-extensions

I ran file recovery software and it returned thousands of documents. I've spent a LOT of time digging through them to find out what was done to my iMac (without my permission).

Here is some history on the device in question:

  • Admin access was originally hers and not mine
  • Admin access was added to my account
  • Her account was removed from admin
  • Her account was given admin access again
  • Her admin access was removed
  • She deleted her data
  • Her user account was deactivated

My information & data remained (all of it, I think).

I've cut & pasted parts of a couple of the suspicious documents I retrieved during the file recovery below. Some of these documents were very long and, after editing this post, it no longer fits. I cut some things out and have now posted & linked to the longer one on github.

A link to the (long) Plist is on github here.

I’ve done many hours (cumulatively days or even a week by now) of searching, trying to figure out what many of these processes are. Some appear to be completely normal, some were difficult to identify, and some looked outright malicious (given the context). Some of these processes appear to be programs that would tell another person about my activity or what I’m doing with my files, or give another person control of my files either on my local network and/or remotely.

One such example is Aventail. It looks like a program that monitors activity.

https://www.eventtracker.com/knowledge-center/aventail-ssl-vpn/

In the top right corner of my screen (next to my username, date, and other icons), there is a black rectangular shaped icon with white vertical lines going through it. When I click on it now, a drop down menu with "VPN is not configured" (not clickable), and "Open Network Preferences" appears. I am almost certain that this was not like this before (it said something different, but I don’t remember what it was). I don't know how or if that might be relevant. This was one of the original clues that made me investigate further.

My google research tells me that there are a few programs listed in the list that monitor activity. Strangely, I saw a few of them on lists that were posted in similar documents elsewhere on the internet. I’m not sure why that’s the case or what it means about my specific situation.

It looks like this program Aventail was, in fact, run on my computer. After a google search told me that it has the ability to monitor activity via SSL VPN, I did a search in Finder for the term Aventail and found a few documents generated through the file recovery that seem to be relevant here.

Nothing new in the system turned up for the search term "Aventail", only documents in the file recovery. I assume this is because these documents were deleted and then recovered and also that the term isn't currently in my system (other than what's been deleted & recovered).

The next two documents (below) turned up in my file recovery that show her username associated with the software in question. I redacted parts of it for obvious reasons.

 #Uninstaller catalog, (c) Aventail Corporation
 #Sat Jul 28 15:33:31 EDT 2007
 https\://ex1500.n****************.com/postauthOnDemand/ondemand_daemon_pkg.jar=/Users/**********/Library/Application Support/Aventail/ondemand/

and then

 #!/bin/bash
 # Uninstaller script for Aventail OnDemand Daemon.
 # This script removes all files associated with the Aventail OnDemand Daemon.
 # Please copy this file to your home directory before executing it.
 echo ""
 echo "***Aventail OnDemand Daemon Uninstaller***"
 echo ""
 echo "You need to have Administrator privileges on this computer to"
 echo "complete the operation."
 #echo ""
 #echo -n "Do you wish to proceed with the uninstallation [y/n]: "
 #read RESPONSE

 #if [ "$RESPONSE" != "y" ]; then
 #    exit 0
 #fi

 OSX_V4_STARTUP_DIR="/Library/StartupItems/OnDemand"
 OSX_V3_STARTUP_DIR="/System/Library/StartupItems/OnDemand"
 OD_EXEC_DIR="/var/Aventail/ondemand"
 OD_HOME_DIR="$HOME/Library/Application Support/Aventail/ondemand"
 INSTALL_FOUND="false"

 # If the daemon is already running then stop it
 DAEMON_PID=`ps -axww | grep -v grep | grep "ODService" | awk '{print $1}'`
 if [ $DAEMON_PID ]; then
     INSTALL_FOUND="true"
     sudo kill $DAEMON_PID
 fi

 # Remove files from the /Library/StartupItems folder if on Mac OS X v4
 if [ -d $OSX_V4_STARTUP_DIR ]; then
     INSTALL_FOUND="true"
     sudo rm -rf $OSX_V4_STARTUP_DIR
 fi

 # Remove files from the System/Library/StartupItems folder if on Mac OS X v3
 if [ -d $OSX_V3_STARTUP_DIR ]; then
     INSTALL_FOUND="true"
     sudo rm -rf $OSX_V3_STARTUP_DIR
 fi

 # Remove files from the Aventail OnDemand Daemon execution directory
 if [ -d $OD_EXEC_DIR ]; then
     INSTALL_FOUND="true"
     sudo rm -rf $OD_EXEC_DIR
 fi

 # Remove files from the Aventail OnDemand Daemon home directory
 if [ -d "$OD_HOME_DIR" ]; then
     INSTALL_FOUND="true"
     sudo rm -rf "$OD_HOME_DIR"
 fi

 if [ "$INSTALL_FOUND" == "true" ]; then
     # Expire sudo timestamp
     sudo -k
 else
     echo ""
     echo "No installation of Aventail OnDemand Daemon was found on your computer."
 fi

The next document looks a little different from the Plist. This one turned up by searching for the term “hamachi”. Once again, this only turned up in recovered documents and nowhere else.

<key>BuildMachineOSBuild</key>
<string>15E55</string>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>AMD7000Controller</string>
<key>CFBundleGetInfoString</key>
<string>AMD7000Controller 1.42.6 16644</string>
<key>CFBundleIdentifier</key>
<string>com.apple.kext.AMD7000Controller</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>Radeon HD 7000 Controller</string>
<key>CFBundlePackageType</key>
<string>KEXT</string>
<key>CFBundleShortVersionString</key>
<string>1.42.6</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleSupportedPlatforms</key>
<array>
    <string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>1.4.2</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>7D129b</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>15E55</string>
<key>DTSDKName</key>
<string>macosx10.11internal</string>
<key>DTXcode</key>
<string>0730</string>
<key>DTXcodeBuild</key>
<string>7D129b</string>
<key>IOKitPersonalities</key>
<dict>
    <key>Controller</key>
    <dict>
        <key>ATY,Hamachi</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_USE_SM</key>
                <true/>
            </dict>
        </dict>
        <key>ATY,Ikura</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFQAAABQAAAATAAAAEgAAABEAAAAQAAA
                ADwAAAA4AAAANgAAADQAAAAyAAAAMAAAAC4A
                AAAsAAAAKgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,IkuraS</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFQAAABQAAAATAAAAEgAAABEAAAAQAAA
                ADwAAAA4AAAANgAAADQAAAAyAAAAMAAAAC4A
                AAAsAAAAKgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,Kani</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFYAAABVAAAAVAAAAFMAAABSAAAAUQAA
                AFAAAABPAAAATgAAAE0AAABMAAAASwAAAEoA
                AABJAAAASAAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,KaniS</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFYAAABVAAAAVAAAAFMAAABSAAAAUQAA
                AFAAAABPAAAATgAAAE0AAABMAAAASwAAAEoA
                AABJAAAASAAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,Maguro</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                XQAAAEsAAABIAAAARQAAAEIAAAA/AAAAPAAA
                ADYAAAAzAAAAMAAAAC0AAAAqAAAAJwAAACQA
                AAAhAAAAHgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>3</integer>
            </dict>
        </dict>
        <key>ATY,MaguroS</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                XQAAAEsAAABIAAAARQAAAEIAAAA/AAAAPAAA
                ADYAAAAzAAAAMAAAAC0AAAAqAAAAJwAAACQA
                AAAhAAAAHgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>3</integer>
            </dict>
        </dict>
        <key>ATY,Namako</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_DEF_DITH</key>
                <integer>0</integer>
                <key>CFG_NVV</key>
                <integer>2</integer>
                <key>CFG_USE_AGDC</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_ActivitySamplingInterval</key>
                <integer>1300</integer>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>3</integer>
            </dict>
        </dict>
        <key>ATY,Ramen</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_FB_LIMIT</key>
                <integer>6</integer>
                <key>CFG_NVV</key>
                <integer>2</integer>
                <key>CFG_PTPL2_TBL</key>
                <data>
                GwAAABoAAAAZAAAAGAAAABcAAAAWAAAAFQAA
                ABQAAAATAAAAEgAAABEAAAAQAAAADwAAAA4A
                AAANAAAACgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_STUTTER</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_EnableLoadPostProductionFirmware</key>
                <integer>1</integer>
            </dict>
        </dict>
        <key>ATY,Tako</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_DEF_DITH</key>
                <integer>0</integer>
                <key>CFG_FB_LIMIT</key>
                <integer>6</integer>
                <key>CFG_NVV</key>
                <integer>2</integer>
                <key>CFG_USE_AGDC</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_EnableLoadPostProductionFirmware</key>
                <integer>1</integer>
                <key>PP_Falcon_QuickTransition_Enable</key>
                <integer>1</integer>
            </dict>
        </dict>
        <key>CFBundleIdentifier</key>
        <string>com.apple.kext.AMD7000Controller</string>
        <key>IOClass</key>
        <string>AMD7000Controller</string>
        <key>IOMatchCategory</key>
        <string>IOFramebuffer</string>
        <key>IOName</key>
        <string>AMD7000Controller</string>
        <key>IOPCIMatch</key>
        <string>0x26001002 0x22001002 0x67901002 0x67981002 0x679A1002 0x679E1002 0x67801002 0x68201002 0x68211002 0x68231002 0x68251002 0x68271002 0x682B1002 0x682D1002 0x682F1002 0x68351002 0x68391002 0x683B1002 0x683D1002 0x683F1002 0x68001002 0x68011002 0x68061002 0x68081002 0x68101002 0x68181002 0x68191002</string>
        <key>IOProbeScore</key>
        <integer>65050</integer>
        <key>IOProviderClass</key>
        <string>IOPCIDevice</string>
        <key>aty_config</key>
        <dict>
            <key>CFG_APER_MODE</key>
            <integer>1</integer>
            <key>CFG_CAA</key>
            <integer>0</integer>
            <key>CFG_FB_LIMIT</key>
            <integer>0</integer>
            <key>CFG_FORCE_HDMI</key>
            <false/>
            <key>CFG_FORCE_MAX_DPS</key>
            <false/>
            <key>CFG_GEN_FLAGS</key>
            <integer>0</integer>
            <key>CFG_INT_SSPC</key>
            <integer>25</integer>
            <key>CFG_NODM</key>
            <true/>
            <key>CFG_NO_HDCP</key>
            <false/>
            <key>CFG_NO_MST</key>
            <false/>
            <key>CFG_NO_PP</key>
            <false/>
            <key>CFG_NO_SLS</key>
            <false/>
            <key>CFG_PTPL2_MAX</key>
            <integer>70</integer>
            <key>CFG_PTPL2_MIN</key>
            <integer>16</integer>
            <key>CFG_USE_AGDC</key>
            <false/>
            <key>CFG_USE_FBC</key>
            <false/>
            <key>CFG_USE_FEDS</key>
            <true/>
            <key>CFG_USE_STUTTER</key>
            <false/>
            <key>DALReadDelayStutterOff</key>
            <integer>4</integer>
            <key>DALUseUrgencyWaterMarkOffset</key>
            <integer>0</integer>
        </dict>
        <key>aty_properties</key>
        <dict>
            <key>PP_ActivitySamplingInterval</key>
            <integer>1000</integer>
            <key>PP_DALPowerLevel</key>
            <integer>1</integer>
            <key>PP_DisableCAC</key>
            <integer>0</integer>
            <key>PP_DisableDTE</key>
            <integer>1</integer>
            <key>PP_DisablePowerContainment</key>
            <integer>0</integer>
            <key>PP_DisableSMUUVDHandshake</key>
            <integer>0</integer>
            <key>PP_DisableSQRamping</key>
            <integer>0</integer>
            <key>PP_DisableULV</key>
            <integer>0</integer>
            <key>PP_DriverCalculateCACLeakage</key>
            <integer>1</integer>
            <key>PP_EnableLoadFalconSmcFirmware</key>
            <integer>1</integer>
            <key>PP_HighSamplingInterval</key>
            <integer>200000</integer>
            <key>PP_MCLKStutterModeThreshold</key>
            <integer>40000</integer>
            <key>PP_PowerGatingDisable</key>
            <integer>0</integer>
            <key>PP_SISLANDSVotingRightsClients</key>
            <integer>12583475</integer>
            <key>PP_UserMaxClockForMultiDisplays</key>
            <integer>1</integer>
        </dict>
    </dict>
</dict>
<key>OSBundleLibraries</key>
<dict>
    <key>com.apple.iokit.IOACPIFamily</key>
    <string>1.2</string>
    <key>com.apple.iokit.IOGraphicsFamily</key>
    <string>1.3</string>
    <key>com.apple.iokit.IOPCIFamily</key>
    <string>1.2</string>
    <key>com.apple.kext.AMDSupport</key>
    <string>1.4.2</string>
    <key>com.apple.kpi.bsd</key>
    <string>8.0.0</string>
    <key>com.apple.kpi.iokit</key>
    <string>8.0.0</string>
    <key>com.apple.kpi.libkern</key>
    <string>8.0.0</string>
    <key>com.apple.kpi.mach</key>
    <string>8.0.0</string>
</dict>
<key>OSBundleRequired</key>
<string>Safe Boot</string>

And I think Part 5 confirms my suspicions of some/all of the other parts, but I’m not sure.

016-04-24 at 19.06.12</string>
    <key>LAST_USED</key>
    <date>2016-04-25T10:28:00Z</date>
    <key>URL</key>
    <string>file:///Users/**********/Library/Messages/Archive/2016-04-24/%E2%80%AA+1%20(808)%20341-8094%E2%80%AC%20on%202016-04-24%20at%2019.06.12.ichat</string>
</dict>
<key>calculat</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Calculator</string>
    <key>LAST_USED</key>
    <date>2016-06-15T06:00:34Z</date>
    <key>URL</key>
    <string>file:///Applications/Calculator.app/</string>
</dict>
<key>console</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Console</string>
    <key>LAST_USED</key>
    <date>2016-04-20T04:31:21Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Console.app/</string>
</dict>
<key>contro</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Mission Control</string>
    <key>LAST_USED</key>
    <date>2016-05-07T17:19:30Z</date>
    <key>URL</key>
    <string>file:///Applications/Mission%20Control.app/</string>
</dict>
<key>hp</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>HP Scan</string>
    <key>LAST_USED</key>
    <date>2016-05-19T21:22:54Z</date>
    <key>URL</key>
    <string>file:///Applications/Hewlett-Packard/HP%20Scan.app/</string>
</dict>
<key>july</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>*************@gmail.com.ical</string>
    <key>LAST_USED</key>
    <date>2016-08-13T01:06:15Z</date>
    <key>URL</key>
    <string>file:///Users/**********/Downloads/*************@gmail.com.ical/</string>
</dict>
<key>ke</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Keynote</string>
    <key>LAST_USED</key>
    <date>2016-07-26T07:09:35Z</date>
    <key>URL</key>
    <string>file:///Applications/iWork%20'09/Keynote.app/</string>
</dict>
<key>keychain</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Keychain Access</string>
    <key>LAST_USED</key>
    <date>2016-07-26T07:10:42Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Keychain%20Access.app/</string>
</dict>
<key>logmein</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>LogMeIn.plugin</string>
    <key>LAST_USED</key>
    <date>2016-07-31T07:19:20Z</date>
    <key>URL</key>
    <string>file:///Library/Internet%20Plug-Ins/LogMeIn.plugin/</string>
</dict>
<key>preview</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Preview</string>
    <key>LAST_USED</key>
    <date>2016-08-08T10:14:20Z</date>
    <key>URL</key>
    <string>file:///Applications/Preview.app/</string>
</dict>
<key>termin</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Terminal</string>
    <key>LAST_USED</key>
    <date>2016-07-31T07:47:21Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Terminal.app/</string>
</dict>
<key>terminal</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Terminal</string>
    <key>LAST_USED</key>
    <date>2016-05-07T17:27:08Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Terminal.app/</string>
</dict>

You'd have likely used a different process for accomplishing what I'm trying to do, but let's say that you did: if you saw these results, what items would be cause for alarm and/or indicative that your data was transferred or was being looked over by someone other than yourself?
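The last fragment in the question (typed prefix as the key, then DISPLAY_NAME, LAST_USED and URL) matches the layout of macOS's Spotlight shortcuts plist; that identification is mine, not something the post states. Before deciding whether any entry in such a fragment is alarming, the useful first step is to put it back into a parseable form and order it by time, so that unexpected items (a remote-access plugin, for instance) can be read in sequence with everything else the user launched. The script below is an added example, not code from the question or any answer. The fragment it parses is constructed to mirror the post's recovered document, including an opening entry torn mid-string by the recovery tool, with `REDACTED` standing in for the masked user name; the remote-access watchlist is my own choice.

```python
"""Rebuild a usage timeline from a recovered plist fragment.

Added example, not code from the original post. The fragment is constructed to
mirror the recovered document's shape (typed prefix -> DISPLAY_NAME, LAST_USED,
URL), including a leading entry cut off mid-string by the recovery tool.
"""
import plistlib
from urllib.parse import unquote, urlparse

# Constructed sample modelled on the post's fragment; REDACTED replaces the
# user name the poster masked, and the chat file name is a placeholder.
RECOVERED_FRAGMENT = """\
016-04-24 at 19.06.12</string>
    <key>LAST_USED</key><date>2016-04-25T10:28:00Z</date>
    <key>URL</key><string>file:///Users/REDACTED/Library/Messages/Archive/2016-04-24/chat.ichat</string>
</dict>
<key>console</key>
<dict><key>DISPLAY_NAME</key><string>Console</string>
      <key>LAST_USED</key><date>2016-04-20T04:31:21Z</date>
      <key>URL</key><string>file:///Applications/Utilities/Console.app/</string></dict>
<key>keychain</key>
<dict><key>DISPLAY_NAME</key><string>Keychain Access</string>
      <key>LAST_USED</key><date>2016-07-26T07:10:42Z</date>
      <key>URL</key><string>file:///Applications/Utilities/Keychain%20Access.app/</string></dict>
<key>logmein</key>
<dict><key>DISPLAY_NAME</key><string>LogMeIn.plugin</string>
      <key>LAST_USED</key><date>2016-07-31T07:19:20Z</date>
      <key>URL</key><string>file:///Library/Internet%20Plug-Ins/LogMeIn.plugin/</string></dict>
<key>termin</key>
<dict><key>DISPLAY_NAME</key><string>Terminal</string>
      <key>LAST_USED</key><date>2016-07-31T07:47:21Z</date>
      <key>URL</key><string>file:///Applications/Utilities/Terminal.app/</string></dict>
<key>preview</key>
<dict><key>DISPLAY_NAME</key><string>Preview</string>
      <key>LAST_USED</key><date>2016-08-08T10:14:20Z</date>
      <key>URL</key><string>file:///Applications/Preview.app/</string></dict>
"""

# Names that would be unexpected as recently launched items on a machine whose
# owner does not use remote-administration tools. This watchlist is my own
# choice (assumption); tailor it to what is legitimately installed.
REMOTE_ACCESS_HINTS = ("logmein", "teamviewer", "vnc", "screen sharing", "remote desktop")


def parse_fragment(fragment: str) -> dict:
    """Restore the plist envelope the recovery tool lost and parse the entries.

    Recovered text often starts mid-entry. When the fragment does not open with a
    <key>, everything up to and including the first </dict> is the torn entry
    and is dropped so that what remains is well-formed XML.
    """
    body = fragment.strip()
    if not body.startswith("<key>"):
        cut = body.find("</dict>")
        if cut < 0:
            raise ValueError("fragment contains no complete entry")
        body = body[cut + len("</dict>"):]
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?>\n'
               '<plist version="1.0"><dict>' + body + '</dict></plist>')
    return plistlib.loads(wrapped.encode("utf-8"))


def build_timeline(entries: dict) -> list:
    """Flatten the entries into records sorted by LAST_USED, oldest first."""
    rows = []
    for prefix, rec in entries.items():
        path = unquote(urlparse(rec.get("URL", "")).path)
        name = rec.get("DISPLAY_NAME", "")
        haystack = (name + " " + path).lower()
        rows.append({
            "when": rec["LAST_USED"],  # plistlib turns <date> into a datetime
            "prefix": prefix,
            "name": name,
            "path": path,
            "flag": any(hint in haystack for hint in REMOTE_ACCESS_HINTS),
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def flagged_names(rows: list) -> list:
    """Display names of timeline rows that matched the watchlist."""
    return [r["name"] for r in rows if r["flag"]]


if __name__ == "__main__":
    for r in build_timeline(parse_fragment(RECOVERED_FRAGMENT)):
        mark = "!" if r["flag"] else " "
        print(f"{mark} {r['when'].isoformat()}  {r['name']:<18} {r['path']}")
```

A flagged row is a prompt to look further (who installed the plugin, whether it is signed, what it connects to), not proof of anything by itself; the same timeline also makes it easy to see that a Terminal launch minutes after a LogMeIn launch is, on its own, just two launches.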

Best Answer

The posted plist is /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist.

It contains a long list of kernel extensions. The purpose of AppleKextExcludeList.kext is to prevent the loading of the listed kexts in Sierra (based on their hashes or their names) because they are outdated, malicious or cause kernel panics. The AppleKextExcludeList.kext is a package installed by the macOS system installer and updated regularly (last update: Dec 18th, 2016).

The second file is an uninstaller bash script for the Aventail OnDemand Daemon. If you run the script with sudo /path/to/script.sh, Aventail OnDemand Daemon should be removed from your system. It may also be part of an Aventail Uninstaller.app which, once launched, executes the script.


Neither file is suitable to compromise your system, nor are they good indicators that your system has been compromised or is/has been monitored.


To check if your system is actively monitored would require installing a lot of software and/or observing the behavior of the file system and the network activity. To explain this is far beyond the scope of your question.

Further reading (arbitrary non-pro sources after a quick and sloppy Google search):

  1. Is your computer being monitored?

  2. How to know if Mac OS X machine is being remotely viewed?

  3. How Can You See If Someone Is Spying on Your Mac Computer?
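The answer is right that proving live monitoring takes tooling and network observation, but one narrow check can be done offline against a copied or mounted disk: enumerate what is set to start automatically. The script below is an added example of mine, not part of the answer or of any Apple or Aventail tool. It walks the launchd folders plus the legacy StartupItems folders (the same `/Library/StartupItems` and `/System/Library/StartupItems` paths the Aventail uninstaller in the question checks), parses each launchd plist and reports the program each job starts, flagging programs that live outside the OS's own paths and plists that cannot be parsed. The "system paths" heuristic and the demo tree it builds are my assumptions; run it against a real root with `audit_launchd("/")` or a mounted image path.

```python
"""Offline audit of macOS auto-start locations under a given root.

Added example (not from the answer or any vendor tool). Point it at "/" on a
live system or at a mounted image; the demo tree built below is constructed.
"""
import glob
import os
import plistlib
import tempfile

# launchd job folders, relative to the audited root (user agents via glob).
LAUNCHD_DIRS = (
    "Library/LaunchAgents",
    "Library/LaunchDaemons",
    "System/Library/LaunchAgents",
    "System/Library/LaunchDaemons",
    "Users/*/Library/LaunchAgents",
)
# Legacy boot-time items, superseded by launchd; the uninstaller in the
# question removes its OnDemand folder from exactly these two locations.
STARTUP_ITEM_DIRS = ("Library/StartupItems", "System/Library/StartupItems")

# Heuristic of mine (assumption): programs under these prefixes ship with the
# OS; anything else persists third-party code and deserves a closer look.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def launchd_program(job: dict) -> str:
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_launchd(root: str) -> list:
    """Parse every launchd plist under root and describe what it persists."""
    findings = []
    for pattern in LAUNCHD_DIRS:
        for d in sorted(glob.glob(os.path.join(root, pattern))):
            for name in sorted(os.listdir(d)):
                if not name.endswith(".plist"):
                    continue
                path = os.path.join(d, name)
                try:
                    with open(path, "rb") as fh:
                        job = plistlib.load(fh)
                except Exception as exc:  # a plist launchd cannot read is itself worth noting
                    findings.append({"file": path, "label": "", "program": "",
                                     "run_at_load": False, "flag": True,
                                     "note": f"unparseable: {exc}"})
                    continue
                program = launchd_program(job)
                outside = bool(program) and not program.startswith(SYSTEM_PREFIXES)
                findings.append({"file": path, "label": job.get("Label", ""),
                                 "program": program,
                                 "run_at_load": bool(job.get("RunAtLoad", False)),
                                 "flag": outside,
                                 "note": "program outside system paths" if outside else ""})
    return findings


def audit_startup_items(root: str) -> list:
    """Each subdirectory of a StartupItems folder is one legacy boot-time item."""
    items = []
    for rel in STARTUP_ITEM_DIRS:
        d = os.path.join(root, rel)
        if os.path.isdir(d):
            items.extend(os.path.join(d, n) for n in sorted(os.listdir(d))
                         if os.path.isdir(os.path.join(d, n)))
    return items


def build_demo_root() -> str:
    """Constructed sample tree (not a real system): an OS-path daemon, a user
    agent running third-party code, a truncated plist, and a legacy OnDemand
    StartupItem modelled on the folder the uninstaller removes."""
    root = tempfile.mkdtemp(prefix="persist-audit-")

    def write_plist(rel, job):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(job, fh)

    write_plist("Library/LaunchDaemons/com.example.system.plist",
                {"Label": "com.example.system", "Program": "/usr/libexec/example",
                 "RunAtLoad": True})
    write_plist("Users/alice/Library/LaunchAgents/com.example.helper.plist",
                {"Label": "com.example.helper", "RunAtLoad": True,
                 "ProgramArguments": ["/Library/Application Support/Example/helper", "--daemon"]})
    broken = os.path.join(root, "Library/LaunchAgents/broken.plist")
    os.makedirs(os.path.dirname(broken), exist_ok=True)
    with open(broken, "wb") as fh:
        fh.write(b"<plist><dict><key>Label</key></dict>")  # truncated on purpose
    os.makedirs(os.path.join(root, "Library/StartupItems/OnDemand"), exist_ok=True)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for f in audit_launchd(demo):
        print(("!" if f["flag"] else " "), f["label"] or f["file"], f["program"], f["note"])
    for item in audit_startup_items(demo):
        print("! legacy StartupItem:", item)
```

A flagged entry means "third-party code starts automatically", which covers plenty of legitimate software; the follow-up is to check the binary's signer and vendor and whether the owner recognises it. The audit says nothing about what a program does once running, which is the network and file-system observation the answer refers to.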