Solved

Mac Keylogger, Anti-Virus Results

Posted on 2009-07-13
3
1,681 Views
Last Modified: 2012-05-07
I have a friend who believes there is a keylogger on their computer being used by someone who has been harrassing them.  This is MacBook Pro laptop.  The os is Mac OS version 10.4.11.  The person harrassing my friend likely did have access to the system.

Based on the advice of experts here, Ive run 2 different anti-virus programs but am not sure how to interpret the results.  The two anti-virus programs used are: http://www.clamxav.com/ , http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html .

The results of the virus is shown below:
"/.hotfiles.btree"
"/.Spotlight-V100"
"/.Trashes"
"/Applications/avast!.app"
"/Applications/avast!.app/Contents/Resources/avastKauth.kext"
"/Applications/avast!.app/Contents/Resources/kextloader"
"/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
"/Library/Caches/com.apple.IntlDataCache.le.26"
"/Library/Caches/com.apple.IntlDataCache.le.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.92"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.26"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.92"
"/Library/Preferences/DirectoryService/ContactsNodeConfig.plist"
"/Library/Preferences/DirectoryService/ContactsNodeConfigBackup.plist"
"/Library/Preferences/DirectoryService/DirectoryService.plist"
"/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist"
"/Library/Receipts/.SetupRegComplete"
"/private/etc/cups/certs"
"/private/etc/cups/classes.conf"
"/private/etc/cups/printers.conf"
"/private/etc/cups/printers.conf.O"
"/private/etc/kcpassword"
"/private/etc/master.passwd"
"/private/etc/openldap/slapd.conf.default"
"/private/etc/racoon/psk.txt"
"/private/etc/racoon/remote/anonymous.conf"
"/private/etc/sudoers"
"/private/var/backups"
"/private/var/db/.AppleSetupDone"
"/private/var/db/.AutoBindDone"
"/private/var/db/.dashboardadvisory.database"
"/private/var/db/BootCache.playlist"
"/private/var/db/dhcpclient"
"/private/var/db/netinfo/local.nidb"
"/private/var/db/openldap/openldap-data"
"/private/var/db/openldap/openldap-slurp"
"/private/var/db/shadow"
"/private/var/db/Spotlight-V100"
"/private/var/db/SystemEntropyCache"
"/private/var/db/SystemKey"
"/private/var/launchd/0"
"/private/var/log/mb.log"
"/private/var/root"
"/private/var/run/.DSRunningSP1"
"/private/var/run/netinfo_local.pid"
"/private/var/samba/gencache.tdb"
"/private/var/spool/cups"
"/private/var/spool/fax"
"/private/var/spool/mqueue"
"/private/var/spool/postfix/active"
"/private/var/spool/postfix/bounce"
"/private/var/spool/postfix/corrupt"
"/private/var/spool/postfix/defer"
"/private/var/spool/postfix/deferred"
"/private/var/spool/postfix/flush"
"/private/var/spool/postfix/hold"
"/private/var/spool/postfix/incoming"
"/private/var/spool/postfix/maildrop"
"/private/var/spool/postfix/private"
"/private/var/spool/postfix/public"
"/private/var/spool/postfix/saved"
"/private/var/spool/postfix/trace"
"/private/var/vm/app_profile"
"/private/var/vm/sleepimage"
"/private/var/vm/swapfile0"
"/private/var/vm/swapfile1"
"/private/var/vm/swapfile2"
"/private/var/vm/swapfile3"
"/System/Library/Filesystems/AppleShare/check_afp.app"
"/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp"
"/System/Library/PrivateFrameworks/MediaKit.framework"
"/System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Resources/MKDrivers.bundle/Contents/Resources/bootroot.loader"
"/System/Library/User Template"
"/Users/damienwoodson/Desktop/Dell Back-Up/Keep My Desktop/Security & Anti-Virus Protection/Ad-Aware SE Personal.exe"
"/Users/damienwoodson/Library/Caches/Java/cache/javapi/v1.0/jar/OP.jar-4b9c0e39-727cabdb.zip"
"/usr/bin/sudo"
"/usr/libexec/pt_chown"
"/usr/libexec/security_authtrampoline"
"/usr/libexec/security_privportserver"
"/usr/libexec/ssh-keysign"
"/usr/libexec/utmp_update"
"/usr/sbin/pppd"
"/usr/sbin/visudo"
"/usr/sbin/vpnd"
"/Volumes/ClamXav/.Trashes"
"/Volumes/ClamXav/ClamXav.app"
"/Volumes/ClamXav/ClamXav.app/Contents/Resources/clamavEngineInstaller104.pkg/Contents/Archive.pax.gz"

Does anything here look like a keylogger might be present?

Also, is there a way to get little snitch to show the history of all programs attempting to access the internet for a period of time?

Thanks!
Brandon

0
Comment
Question by:bdfallon
3 Comments
 
LVL 17

Accepted Solution

by:
CSecurity earned 500 total points
ID: 24843020
Check here to see your internet activity and block applications that access internet:
http://www.macworld.com/article/50998/2006/05/osxfirewall.html

Read more in internet about OSX Firewall.

0
 

Author Comment

by:bdfallon
ID: 24861360
Thanks.  My friend is going to try using this.

Anyone know how to spot a keylogger using anti-virus programs?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now