Solved

Mac Keylogger, Anti-Virus Results

Posted on 2009-07-13
Medium Priority
1,739 Views
Last Modified: 2012-05-07
I have a friend who believes there is a keylogger on their computer being used by someone who has been harassing them. This is a MacBook Pro laptop. The OS is Mac OS version 10.4.11. The person harassing my friend likely did have access to the system.

Based on the advice of experts here, I've run 2 different anti-virus programs but am not sure how to interpret the results. The two anti-virus programs used are: http://www.clamxav.com/ , http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html .

The results of the virus scan are shown below:
"/.hotfiles.btree"
"/.Spotlight-V100"
"/.Trashes"
"/Applications/avast!.app"
"/Applications/avast!.app/Contents/Resources/avastKauth.kext"
"/Applications/avast!.app/Contents/Resources/kextloader"
"/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
"/Library/Caches/com.apple.IntlDataCache.le.26"
"/Library/Caches/com.apple.IntlDataCache.le.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.92"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.26"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.92"
"/Library/Preferences/DirectoryService/ContactsNodeConfig.plist"
"/Library/Preferences/DirectoryService/ContactsNodeConfigBackup.plist"
"/Library/Preferences/DirectoryService/DirectoryService.plist"
"/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist"
"/Library/Receipts/.SetupRegComplete"
"/private/etc/cups/certs"
"/private/etc/cups/classes.conf"
"/private/etc/cups/printers.conf"
"/private/etc/cups/printers.conf.O"
"/private/etc/kcpassword"
"/private/etc/master.passwd"
"/private/etc/openldap/slapd.conf.default"
"/private/etc/racoon/psk.txt"
"/private/etc/racoon/remote/anonymous.conf"
"/private/etc/sudoers"
"/private/var/backups"
"/private/var/db/.AppleSetupDone"
"/private/var/db/.AutoBindDone"
"/private/var/db/.dashboardadvisory.database"
"/private/var/db/BootCache.playlist"
"/private/var/db/dhcpclient"
"/private/var/db/netinfo/local.nidb"
"/private/var/db/openldap/openldap-data"
"/private/var/db/openldap/openldap-slurp"
"/private/var/db/shadow"
"/private/var/db/Spotlight-V100"
"/private/var/db/SystemEntropyCache"
"/private/var/db/SystemKey"
"/private/var/launchd/0"
"/private/var/log/mb.log"
"/private/var/root"
"/private/var/run/.DSRunningSP1"
"/private/var/run/netinfo_local.pid"
"/private/var/samba/gencache.tdb"
"/private/var/spool/cups"
"/private/var/spool/fax"
"/private/var/spool/mqueue"
"/private/var/spool/postfix/active"
"/private/var/spool/postfix/bounce"
"/private/var/spool/postfix/corrupt"
"/private/var/spool/postfix/defer"
"/private/var/spool/postfix/deferred"
"/private/var/spool/postfix/flush"
"/private/var/spool/postfix/hold"
"/private/var/spool/postfix/incoming"
"/private/var/spool/postfix/maildrop"
"/private/var/spool/postfix/private"
"/private/var/spool/postfix/public"
"/private/var/spool/postfix/saved"
"/private/var/spool/postfix/trace"
"/private/var/vm/app_profile"
"/private/var/vm/sleepimage"
"/private/var/vm/swapfile0"
"/private/var/vm/swapfile1"
"/private/var/vm/swapfile2"
"/private/var/vm/swapfile3"
"/System/Library/Filesystems/AppleShare/check_afp.app"
"/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp"
"/System/Library/PrivateFrameworks/MediaKit.framework"
"/System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Resources/MKDrivers.bundle/Contents/Resources/bootroot.loader"
"/System/Library/User Template"
"/Users/damienwoodson/Desktop/Dell Back-Up/Keep My Desktop/Security & Anti-Virus Protection/Ad-Aware SE Personal.exe"
"/Users/damienwoodson/Library/Caches/Java/cache/javapi/v1.0/jar/OP.jar-4b9c0e39-727cabdb.zip"
"/usr/bin/sudo"
"/usr/libexec/pt_chown"
"/usr/libexec/security_authtrampoline"
"/usr/libexec/security_privportserver"
"/usr/libexec/ssh-keysign"
"/usr/libexec/utmp_update"
"/usr/sbin/pppd"
"/usr/sbin/visudo"
"/usr/sbin/vpnd"
"/Volumes/ClamXav/.Trashes"
"/Volumes/ClamXav/ClamXav.app"
"/Volumes/ClamXav/ClamXav.app/Contents/Resources/clamavEngineInstaller104.pkg/Contents/Archive.pax.gz"

Does anything here look like a keylogger might be present?

Also, is there a way to get Little Snitch to show the history of all programs attempting to access the internet for a period of time?

Thanks!
Brandon

Question by:bdfallon
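As an added illustration (not from the question or from either expert, and not the output format of ClamXav or avast!), the following Python script sorts a path list like the one above by where on Mac OS X 10.4 a keylogger would actually need to live in order to run and survive a reboot. The category rules, the list of launchd persistence directories, and the sample input (a handful of paths copied from the scan output above) are the editor's own assumptions; the script does not detect malware, it only orders the review so that the few paths worth opening come first and the hundreds of root-owned system files do not.

```python
"""Triage of AV scan output on Mac OS X: sort reported paths by where a
keylogger would (and would not) plausibly live.

Added example. The category rules below are a heuristic written for this
page, not the report format or verdict logic of ClamXav or avast!.
"""
from __future__ import annotations

# Constructed sample input: a few of the paths from the scan output above, in
# the quoted one-path-per-line form the question shows.
SAMPLE_REPORT = '''\
"/private/etc/master.passwd"
"/private/var/db/shadow"
"/usr/bin/sudo"
"/Applications/avast!.app"
"/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
"/Users/damienwoodson/Desktop/Dell Back-Up/Keep My Desktop/Security & Anti-Virus Protection/Ad-Aware SE Personal.exe"
"/Users/damienwoodson/Library/Caches/Java/cache/javapi/v1.0/jar/OP.jar-4b9c0e39-727cabdb.zip"
'''

# launchd and StartupItems locations where software that must start at boot
# or login is registered on Mac OS X 10.4 (assumed list, not from the page).
PERSISTENCE_DIRS = (
    "/Library/LaunchAgents/",
    "/Library/LaunchDaemons/",
    "/System/Library/LaunchAgents/",
    "/System/Library/LaunchDaemons/",
    "/Library/StartupItems/",
)
USER_PERSISTENCE_SUFFIX = "/Library/LaunchAgents/"  # ~/Library/LaunchAgents

# Windows PE files: inert on OS X 10.4, which cannot execute them natively.
WINDOWS_EXTENSIONS = (".exe", ".dll", ".scr")


def parse_report(text: str) -> list[str]:
    """Turn the quoted path list into plain path strings, skipping blank lines."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            paths.append(line.strip('"'))
    return paths


def is_persistence_location(path: str) -> bool:
    """True if the path sits in a system-wide or per-user launchd directory."""
    if path.startswith(PERSISTENCE_DIRS):
        return True
    return path.startswith("/Users/") and USER_PERSISTENCE_SUFFIX in path


def classify(path: str) -> str:
    """Assign one triage category to a path (heuristic, most specific first)."""
    if path.lower().endswith(WINDOWS_EXTENSIONS):
        return "windows_binary"
    if is_persistence_location(path):
        return "persistence_location"
    if path.startswith("/Users/"):
        return "user_home"
    if path.startswith(("/Applications/", "/Library/Application Support/")):
        return "admin_installed"
    # /System, /usr, /private (etc, var) and friends: root-owned files. Several
    # of those in the question (master.passwd, shadow, swap files) are not
    # readable by an unprivileged scan, so their appearance in a listing is
    # more likely "could not open" than "infected" (assumption, not verified).
    return "system_area"


def triage(text: str) -> dict[str, list[str]]:
    """Group every path in the report by category, preserving report order."""
    buckets: dict[str, list[str]] = {}
    for path in parse_report(text):
        buckets.setdefault(classify(path), []).append(path)
    return buckets


def review_first(text: str) -> list[str]:
    """Paths to examine before the rest: persistence locations, then the user's
    own home directory. Inert Windows files are deliberately left out."""
    buckets = triage(text)
    return buckets.get("persistence_location", []) + buckets.get("user_home", [])


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_REPORT).items():
        print(f"{category}:")
        for p in paths:
            print("   ", p)
    print("review first:", review_first(SAMPLE_REPORT))
```

On the sample input nothing lands in a persistence location, so the only path the script puts at the front of the queue is the Java applet cache entry in the user's home; the Windows installer on the Desktop is filed as inert, and the root-owned files under /private and /usr are grouped together at the back.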
2 Comments
 
LVL 17

Accepted Solution

by: CSecurity earned 2000 total points
ID: 24843020
Check here to see your internet activity and block applications that access internet:
http://www.macworld.com/article/50998/2006/05/osxfirewall.html

Read more on the internet about OSX Firewall.


Author Comment

by:bdfallon
ID: 24861360
Thanks. My friend is going to try using this.

Anyone know how to spot a keylogger using anti-virus programs?
