Solved

Mac Keylogger, Anti-Virus Results

Posted on 2009-07-13
3
1,722 Views
Last Modified: 2012-05-07
I have a friend who believes there is a keylogger on their computer being used by someone who has been harrassing them.  This is MacBook Pro laptop.  The os is Mac OS version 10.4.11.  The person harrassing my friend likely did have access to the system.

Based on the advice of experts here, Ive run 2 different anti-virus programs but am not sure how to interpret the results.  The two anti-virus programs used are: http://www.clamxav.com/ , http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html .

The results of the virus is shown below:
"/.hotfiles.btree"
"/.Spotlight-V100"
"/.Trashes"
"/Applications/avast!.app"
"/Applications/avast!.app/Contents/Resources/avastKauth.kext"
"/Applications/avast!.app/Contents/Resources/kextloader"
"/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
"/Library/Caches/com.apple.IntlDataCache.le.26"
"/Library/Caches/com.apple.IntlDataCache.le.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.92"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.26"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.92"
"/Library/Preferences/DirectoryService/ContactsNodeConfig.plist"
"/Library/Preferences/DirectoryService/ContactsNodeConfigBackup.plist"
"/Library/Preferences/DirectoryService/DirectoryService.plist"
"/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist"
"/Library/Receipts/.SetupRegComplete"
"/private/etc/cups/certs"
"/private/etc/cups/classes.conf"
"/private/etc/cups/printers.conf"
"/private/etc/cups/printers.conf.O"
"/private/etc/kcpassword"
"/private/etc/master.passwd"
"/private/etc/openldap/slapd.conf.default"
"/private/etc/racoon/psk.txt"
"/private/etc/racoon/remote/anonymous.conf"
"/private/etc/sudoers"
"/private/var/backups"
"/private/var/db/.AppleSetupDone"
"/private/var/db/.AutoBindDone"
"/private/var/db/.dashboardadvisory.database"
"/private/var/db/BootCache.playlist"
"/private/var/db/dhcpclient"
"/private/var/db/netinfo/local.nidb"
"/private/var/db/openldap/openldap-data"
"/private/var/db/openldap/openldap-slurp"
"/private/var/db/shadow"
"/private/var/db/Spotlight-V100"
"/private/var/db/SystemEntropyCache"
"/private/var/db/SystemKey"
"/private/var/launchd/0"
"/private/var/log/mb.log"
"/private/var/root"
"/private/var/run/.DSRunningSP1"
"/private/var/run/netinfo_local.pid"
"/private/var/samba/gencache.tdb"
"/private/var/spool/cups"
"/private/var/spool/fax"
"/private/var/spool/mqueue"
"/private/var/spool/postfix/active"
"/private/var/spool/postfix/bounce"
"/private/var/spool/postfix/corrupt"
"/private/var/spool/postfix/defer"
"/private/var/spool/postfix/deferred"
"/private/var/spool/postfix/flush"
"/private/var/spool/postfix/hold"
"/private/var/spool/postfix/incoming"
"/private/var/spool/postfix/maildrop"
"/private/var/spool/postfix/private"
"/private/var/spool/postfix/public"
"/private/var/spool/postfix/saved"
"/private/var/spool/postfix/trace"
"/private/var/vm/app_profile"
"/private/var/vm/sleepimage"
"/private/var/vm/swapfile0"
"/private/var/vm/swapfile1"
"/private/var/vm/swapfile2"
"/private/var/vm/swapfile3"
"/System/Library/Filesystems/AppleShare/check_afp.app"
"/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp"
"/System/Library/PrivateFrameworks/MediaKit.framework"
"/System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Resources/MKDrivers.bundle/Contents/Resources/bootroot.loader"
"/System/Library/User Template"
"/Users/damienwoodson/Desktop/Dell Back-Up/Keep My Desktop/Security & Anti-Virus Protection/Ad-Aware SE Personal.exe"
"/Users/damienwoodson/Library/Caches/Java/cache/javapi/v1.0/jar/OP.jar-4b9c0e39-727cabdb.zip"
"/usr/bin/sudo"
"/usr/libexec/pt_chown"
"/usr/libexec/security_authtrampoline"
"/usr/libexec/security_privportserver"
"/usr/libexec/ssh-keysign"
"/usr/libexec/utmp_update"
"/usr/sbin/pppd"
"/usr/sbin/visudo"
"/usr/sbin/vpnd"
"/Volumes/ClamXav/.Trashes"
"/Volumes/ClamXav/ClamXav.app"
"/Volumes/ClamXav/ClamXav.app/Contents/Resources/clamavEngineInstaller104.pkg/Contents/Archive.pax.gz"

Does anything here look like a keylogger might be present?

Also, is there a way to get little snitch to show the history of all programs attempting to access the internet for a period of time?

Thanks!
Brandon

0
Comment
Question by:bdfallon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 17

Accepted Solution

by:
CSecurity earned 500 total points
ID: 24843020
Check here to see your internet activity and block applications that access internet:
http://www.macworld.com/article/50998/2006/05/osxfirewall.html

Read more in internet about OSX Firewall.

0
 

Author Comment

by:bdfallon
ID: 24861360
Thanks.  My friend is going to try using this.

Anyone know how to spot a keylogger using anti-virus programs?
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses
Course of the Month10 days, 7 hours left to enroll

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question