Solved

Mac Keylogger, Anti-Virus Results

Posted on 2009-07-13
Last Modified: 2012-05-07
I have a friend who believes there is a keylogger on their computer being used by someone who has been harassing them.  This is a MacBook Pro laptop.  The OS is Mac OS X version 10.4.11.  The person harassing my friend likely did have access to the system.

Based on the advice of experts here, I've run 2 different anti-virus programs but am not sure how to interpret the results.  The two anti-virus programs used are: http://www.clamxav.com/ , http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html .

The results of the virus scan are shown below:
"/.hotfiles.btree"
"/.Spotlight-V100"
"/.Trashes"
"/Applications/avast!.app"
"/Applications/avast!.app/Contents/Resources/avastKauth.kext"
"/Applications/avast!.app/Contents/Resources/kextloader"
"/Library/Application Support/Objective Development/Little Snitch/rules.xpl"
"/Library/Caches/com.apple.IntlDataCache.le.26"
"/Library/Caches/com.apple.IntlDataCache.le.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.92"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.26"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.4294967294"
"/Library/Caches/com.apple.IntlDataCache.le.sbdl.92"
"/Library/Preferences/DirectoryService/ContactsNodeConfig.plist"
"/Library/Preferences/DirectoryService/ContactsNodeConfigBackup.plist"
"/Library/Preferences/DirectoryService/DirectoryService.plist"
"/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfig.plist"
"/Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist"
"/Library/Receipts/.SetupRegComplete"
"/private/etc/cups/certs"
"/private/etc/cups/classes.conf"
"/private/etc/cups/printers.conf"
"/private/etc/cups/printers.conf.O"
"/private/etc/kcpassword"
"/private/etc/master.passwd"
"/private/etc/openldap/slapd.conf.default"
"/private/etc/racoon/psk.txt"
"/private/etc/racoon/remote/anonymous.conf"
"/private/etc/sudoers"
"/private/var/backups"
"/private/var/db/.AppleSetupDone"
"/private/var/db/.AutoBindDone"
"/private/var/db/.dashboardadvisory.database"
"/private/var/db/BootCache.playlist"
"/private/var/db/dhcpclient"
"/private/var/db/netinfo/local.nidb"
"/private/var/db/openldap/openldap-data"
"/private/var/db/openldap/openldap-slurp"
"/private/var/db/shadow"
"/private/var/db/Spotlight-V100"
"/private/var/db/SystemEntropyCache"
"/private/var/db/SystemKey"
"/private/var/launchd/0"
"/private/var/log/mb.log"
"/private/var/root"
"/private/var/run/.DSRunningSP1"
"/private/var/run/netinfo_local.pid"
"/private/var/samba/gencache.tdb"
"/private/var/spool/cups"
"/private/var/spool/fax"
"/private/var/spool/mqueue"
"/private/var/spool/postfix/active"
"/private/var/spool/postfix/bounce"
"/private/var/spool/postfix/corrupt"
"/private/var/spool/postfix/defer"
"/private/var/spool/postfix/deferred"
"/private/var/spool/postfix/flush"
"/private/var/spool/postfix/hold"
"/private/var/spool/postfix/incoming"
"/private/var/spool/postfix/maildrop"
"/private/var/spool/postfix/private"
"/private/var/spool/postfix/public"
"/private/var/spool/postfix/saved"
"/private/var/spool/postfix/trace"
"/private/var/vm/app_profile"
"/private/var/vm/sleepimage"
"/private/var/vm/swapfile0"
"/private/var/vm/swapfile1"
"/private/var/vm/swapfile2"
"/private/var/vm/swapfile3"
"/System/Library/Filesystems/AppleShare/check_afp.app"
"/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp"
"/System/Library/PrivateFrameworks/MediaKit.framework"
"/System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Resources/MKDrivers.bundle/Contents/Resources/bootroot.loader"
"/System/Library/User Template"
"/Users/damienwoodson/Desktop/Dell Back-Up/Keep My Desktop/Security & Anti-Virus Protection/Ad-Aware SE Personal.exe"
"/Users/damienwoodson/Library/Caches/Java/cache/javapi/v1.0/jar/OP.jar-4b9c0e39-727cabdb.zip"
"/usr/bin/sudo"
"/usr/libexec/pt_chown"
"/usr/libexec/security_authtrampoline"
"/usr/libexec/security_privportserver"
"/usr/libexec/ssh-keysign"
"/usr/libexec/utmp_update"
"/usr/sbin/pppd"
"/usr/sbin/visudo"
"/usr/sbin/vpnd"
"/Volumes/ClamXav/.Trashes"
"/Volumes/ClamXav/ClamXav.app"
"/Volumes/ClamXav/ClamXav.app/Contents/Resources/clamavEngineInstaller104.pkg/Contents/Archive.pax.gz"

Does anything here look like a keylogger might be present?

Also, is there a way to get Little Snitch to show the history of all programs attempting to access the internet for a period of time?

Thanks!
Brandon

Question by:bdfallon
3 Comments

Accepted Solution

by:
CSecurity earned 500 total points
ID: 24843020
Check here to see your internet activity and block applications that access the internet:
http://www.macworld.com/article/50998/2006/05/osxfirewall.html

Read more on the internet about the OS X firewall.


Author Comment

by:bdfallon
ID: 24861360
Thanks.  My friend is going to try using this.

Anyone know how to spot a keylogger using anti-virus programs?
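The thread never answers the follow-up, so here is an added triage script (example code written for this page, not posted by anyone in the thread and not part of ClamXav, avast! or Little Snitch). Two observations about the scan output above motivate it: the list is dominated by root-only files (/private/etc/master.passwd, /private/var/db/shadow, the swapfiles, /usr/bin/sudo) plus the scanners' own bundles, which reads like a scanner's list of files it could not open when run as a normal user rather than a list of detections, and "Ad-Aware SE Personal.exe" is a Windows installer that does not execute on Mac OS X 10.4; and a keylogger installed by someone with physical access may be a commercial or custom tool for which neither scanner has a signature. Signature scanning therefore needs to be backed by looking at where a persistent keylogger must hook in on Tiger: launchd job plists, the loginwindow LoginHook/LogoutHook keys (scripts run as root at login), and loaded kernel extensions. The script assumes plists are in XML form (convert a binary one on a copy with `plutil -convert xml1 copy.plist`); the directory names in `triage` are the standard 10.4 locations, while every name under `write_sample_tree` (com.example.*, /Users/alice, the kext identifiers) is constructed for the offline demo. A "review" verdict means only that the path is not one a stock Tiger install uses for a launchd job.

```shell
#!/bin/sh
# Added example: read-only persistence triage for Mac OS X 10.4 (not the thread's
# or any vendor's code). Paths are passed in, so it also runs against a test tree.

# Print "key<TAB>value" for the first <string> after each <key> whose name matches
# the ERE in $1, in plist file $2. Assumes key and value sit on separate lines,
# which is how plutil and Property List Editor write XML plists.
plist_strings_after() {
    awk -v re="$1" '
        /<key>[^<]*<\/key>/ {
            k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k)
            want = (k ~ re); next
        }
        want && match($0, /<string>[^<]*<\/string>/) {
            print k "\t" substr($0, RSTART + 8, RLENGTH - 17); want = 0
        }' "$2"
}

# The binary a launchd job runs: Program, or the first ProgramArguments entry.
extract_program() {
    prog=$(plist_strings_after '^Program(Arguments)?$' "$1" | head -n 1 | cut -f2)
    printf '%s\n' "${prog:-?}"
}

# Coarse verdict on a program path; "review" means "look at it", not "malicious".
classify_program() {
    case "$1" in
        '?')                                        echo review ;;  # no Program key / binary plist
        */.*)                                       echo review ;;  # hidden directory in the path
        /tmp/*|/private/tmp/*|/var/tmp/*)           echo review ;;  # world-writable scratch space
        /Users/Shared/*|/Library/Caches/*)          echo review ;;
        /System/*|/usr/*|/bin/*|/sbin/*)            echo ok ;;
        /Applications/*|/Library/*)                 echo ok ;;
        *)                                          echo review ;;  # e.g. a binary under a user's home
    esac
}

# One line per launchd plist under the given directories: status, program, plist.
report_jobs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -name '*.plist' -type f 2>/dev/null | sort | while IFS= read -r f; do
            prog=$(extract_program "$f")
            printf '%s\t%s\t%s\n' "$(classify_program "$prog")" "$prog" "$f"
        done
    done
}

# Tiger runs LoginHook/LogoutHook scripts from com.apple.loginwindow.plist as root
# at every login; a launcher hidden there is outside the folders AV tools scan first.
login_hooks() {
    [ -f "$1" ] && plist_strings_after '^(LoginHook|LogoutHook)$' "$1"
    return 0
}

# Kext identifiers in CURRENT ($2) missing from BASELINE ($1), e.g. the output of
# `kextstat -l | awk '{print $6}'` now versus the same from a known-clean 10.4 box.
new_kexts() {
    grep -vxF -f "$1" "$2" || true
}

# ---- constructed sample data so the functions can be exercised offline --------
write_plist() {   # write_plist FILE KEY VALUE [array]
    mkdir -p "$(dirname "$1")"
    if [ "${4:-}" = array ]; then v="<array><string>$3</string></array>"; else v="<string>$3</string>"; fi
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' '<dict>' \
        '    <key>Label</key>' '    <string>sample</string>' "    <key>$2</key>" "    $v" \
        '</dict>' '</plist>' > "$1"
}
write_sample_tree() {   # every name here is made up for the demo
    write_plist "$1/Library/LaunchAgents/com.example.updater.plist" Program \
        /Applications/Example.app/Contents/MacOS/updater
    write_plist "$1/Users/alice/Library/LaunchAgents/com.example.helper.plist" ProgramArguments \
        /Users/alice/Library/.helper/kl array
    write_plist "$1/Library/Preferences/com.apple.loginwindow.plist" LoginHook /private/tmp/.hook.sh
    printf '%s\n' com.apple.driver.AppleHDA com.apple.iokit.IOUSBFamily > "$1/kext.baseline"
    printf '%s\n' com.apple.driver.AppleHDA com.example.keyfilter com.apple.iokit.IOUSBFamily > "$1/kext.now"
}

demo() {
    t=$(mktemp -d); write_sample_tree "$t"
    echo "== launchd jobs (status, program, plist)"
    report_jobs "$t/Library/LaunchAgents" "$t/Users/alice/Library/LaunchAgents"
    echo "== loginwindow hooks"; login_hooks "$t/Library/Preferences/com.apple.loginwindow.plist"
    echo "== kexts not in baseline"; new_kexts "$t/kext.baseline" "$t/kext.now"
    rm -rf "$t"
}

triage() {   # on the real laptop, as root so root-only dirs are readable
    report_jobs /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents" \
        /System/Library/LaunchAgents /System/Library/LaunchDaemons
    login_hooks /Library/Preferences/com.apple.loginwindow.plist
    kextstat -l 2>/dev/null | awk 'NR > 1 {print $6}'   # save this as a baseline on a clean machine
    lsof -i -P -n 2>/dev/null                            # processes holding network sockets right now
}

case "${1:-}" in
    demo)   demo ;;
    triage) triage ;;
    *)      echo "usage: sh $0 demo | triage" >&2 ;;
esac
```

`sh triage.sh demo` runs against the constructed tree and flags the hidden-directory agent, the LoginHook and the unknown kext; `sudo sh triage.sh triage` runs the same checks on the laptop. The `lsof` line answers the Little Snitch question only partially: it shows which processes hold sockets at that instant, not a history, so run it a few times while the machine is idle. Anything marked "review" is a lead to inspect by hand (`ls -la` on its directory, `strings` on the binary, the plist's `Label` and `RunAtLoad` keys), not a verdict.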