
Almost positive I've got a keylogger...

I'm almost positive I've got a hacker, but I really don't know what to do about it. Hopefully someone here will be able to help me. My ex-girlfriend's psychotic ex-boyfriend's hobby is hacking me. He doesn't live near me, so he's never been near my router or anything. However, the reason I know he's hacked me in some way is that he's been on my Facebook and Myspace before, blocked me out of an email address, and has been known to send her my conversations with other people on AIM and MSN Messenger just to be annoying. I know this is illegal and everything, but he lives over 1000 miles away and I really would rather just get rid of anything that's on my computer and protect myself in the future.

Unfortunately, I really don't know much about this stuff. I know that viruses and keyloggers are rare and everything, but that just has to be it. I've changed MSN accounts multiple times and I've changed my Facebook password and email multiple times. I tried RootKit Hunter, but the only warnings it comes up with are things that people on other boards have addressed and shown to be a mistake in the program. So... what can I do to find this and get rid of it?

I'm using a 2006 MacBook with Snow Leopard.

MacBook, Mac OS X (10.6.4)

Posted on Jun 20, 2010 12:19 AM


Jun 20, 2010 5:35 AM in response to Wormbog

Ordinarily, I laugh at MacScan because most of the "malware" on its list are viruses from over a decade ago that can't infect a modern Mac or legitimate software that can be misused. However, in a case where someone may have installed a keylogger on your machine, its over-sensitivity can be useful.

Has this guy ever had physical access to your Mac? If so, he could easily have installed a keylogger. If he hasn't, then it becomes much more difficult, and the key (if there actually is a keylogger) would be to find out how it was installed.

First thing to check is System Preferences -> Sharing. Make sure everything there is turned off. This will ensure he's not getting access using one of those methods. Next, get yourself a copy of Little Snitch (http://www.obdev.at/products/littlesnitch) to monitor all outgoing network traffic. If something tries to make an outgoing network connection from your machine, and you don't know what it is, deny it and then go find out what it is. (You're going to learn a lot about underlying system processes that make periodic outgoing connections that you hadn't previously been aware of...)

Of course, a keylogger is not required to hack into accounts on Facebook, MySpace, etc. Some people choose poor passwords that anyone could guess by perusing the information posted on social networking sites. If you have done this, that could be how he got access to all these accounts, especially if you used the same password on all these accounts. Of course, it goes without saying that you should change the password on all your online accounts immediately. Be sure to pick a good password... something with numbers and varying capitalization and that is not easy to guess. One possibility would be to pick a favorite line from a poem or song, then use the first letter of each word as the password. Maybe pick a long word that nobody would guess and then replace the letters with the numbers that have that letter on a telephone keypad. Mix in numbers, like "w1o2r3d4". And, of course, don't bother to do any of this until after you've scanned for keyloggers and installed Little Snitch.

Jun 20, 2010 6:45 AM in response to thomas_r.

Ordinarily, I laugh at MacScan because most of the "malware" on its list are viruses from over a decade ago that can't infect a modern Mac or legitimate software that can be misused.


Those are the old OS9 viruses? That's ridiculous!

Good to hear, Thomas. I already had my doubts and I've never had the patience to let it run, since it takes forever. It did, however, once find a bunch of tracking cookies -- not in the usual places -- on an inherited iMac G5. It scans the cookies right away, so that's not painful.

I guess, as you say, it might turn up a keylogger.

Message was edited by: WZZZ

Jun 20, 2010 6:52 AM in response to WZZZ

I already had my doubts and I've never had the patience to let it run, since it takes forever. It did, however, once find a bunch of tracking cookies


Ahh, I'd forgotten about the "tracking cookies" thing. Another of my gripes about MacScan. Such a scary name, but what are they really? They provide the way for shopping carts or remembered logins to work. So, if you let MacScan do anything with those dangerous "tracking cookies," you won't actually be any more secure, but you might briefly lose some functionality (until you go back to those sites and get the cookies back).

The only real concern with cookies is with ad banners tracking the sites you're visiting, and even then it's a bit of a tinfoil-hat concern. Just make sure that in Safari -> Preferences -> Security, you only allow cookies from sites you visit.

Jun 20, 2010 7:30 AM in response to Wormbog

Okay, I'll try ClamXav and the MacScan Demo today. I actually downloaded ClamXav and Little Snitch last night, as well as iAntiVirus. I also downloaded a proxy for Firefox.

And to answer your questions, yes. I originally used some rather weak passwords and oftentimes I used the same or a similar password for multiple things. However, as soon as I became aware that he had access to my stuff, I changed all of my passwords to much more complicated ones, including letters, numbers, and symbols. Like I said, I also switched email accounts for Myspace, Facebook etc. In the beginning, I think it was that he guessed those right because the passwords really weren't difficult. But I just don't think it's possible that he could guess some of the ones I've used more recently...

Random Geeza, so if none of this works I should just back everything up and reinstall my system? I guess I'll have to re-add Snow Leopard again after that since my Mac is an 06... Oh, one last question. Could he be snooping my MSN and AIM conversations because the outgoing messages are not encrypted? I was searching for encryption software for those programs on Mac but haven't been able to find anything...

Oh, and for the person who asked, he's never physically had access to my Mac. He lives over 1000 miles away and has never been near me.

I appreciate all the help.

Message was edited by: Wormbog

Jun 20, 2010 8:06 AM in response to Wormbog

But I just don't think it's possible that he could guess some of the ones I've used more recently...


He could have added his e-mail address to one of your accounts so that he's notified of changes, or might know the answer to some of your security questions. Facebook allows you to link to other accounts, so perhaps he's linked your Facebook account to one of his accounts. There's also a setting on Facebook to notify you if your account is accessed from a computer you've never used. You need to explore all the security settings on your various accounts and use any tools at your disposal to eliminate any possible holes.

Random Geeza, so if none of this works I should just back everything up and reinstall my system?


That's a bit extreme. For now, just stick with Little Snitch to be sure that no outgoing connections are made that you haven't approved. I'm still not convinced that there's a keylogger at work here.

Could he be snooping my MSN and AIM conversations because the outgoing messages are not encrypted?


Not from 1000 miles away, unless he happens to have administrative access to a network node that all your traffic is passing through, which seems extremely unlikely. If he's sitting next to you while you're chatting over an unencrypted wireless connection, he could be snooping on your conversation, but unless he's gone Hollywood psycho and has travelled 1000 miles to stalk you, that doesn't seem likely.

Oh, and for the person who asked, he's never physically had access to my Mac. He lives over 1000 miles away and has never been near me.


That makes it very difficult for him to install any kind of malware on your machine. You'd have to have some kind of remote access set up already with extremely weak security and he'd have to know exactly how to find your machine over the internet. You'd almost have to purposefully give him access. It's far more likely that he's using every hacker trick in the book to access your accounts online.

Jun 20, 2010 8:31 AM in response to Wormbog

Keychain and KeePassX can generate some really good passwords and still make them easy to use. Firefox NoScript includes secure cookie management and https.

Tracking cookies are 3rd party marketing, like doubleclick and adservers use. And are used and track across-sites. You'll find Kaspersky, Norton and probably others will spot and remove them, or you can have CCleaner on Windows remove all cookies (with exceptions) every time you log into your account. I would assume and hope there is an OS X variant in one of those "cache cleaners" you see, but there is no need to keep cookies. FWIW, and something that IE8, Firefox,

Man-in-the-middle is possible and due to the way http works, even https, or how determined someone is. And if there are kits out there.

Social networking... up until recently Facebook was __ in their security and privacy. And flaws abound.

Browser-based router DNS rebinding attack
http://news.techworld.com/security/11911/browser-hack-renders-routers-insecure/

Ever used torrent? Your IP address was made public, you probably saw an increase in DDoS, and your router should/could email a log of activity or immediate alerts.

Skype exploit, Skype-themed malicious spam campaigns detected
http://www.zdnet.com/blog/security/malware-watch-skype-exploit-skype-themed-malicious-spam-campaigns-detected/6716

http://www.zdnet.com/blog/security/facebooks-new-developer-verification-wont-stop-rogue-apps/6598

Free Mac OS X screensavers bundled with spyware
http://www.zdnet.com/blog/security/malware-watch-free-mac-os-x-screensavers-bundled-with-spyware/6560

Apple keyboard with specialized (malware) firmware turns it into keylogger
http://www.zdnet.com/blog/hardware/apple-keyboard-vulnerable-to-hack-attack/5088

Facebook malware
http://www.zdnet.com/search?q=facebook+malware

your router/modem (esp newer models) can help block ports and services (like IM)
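Both the "what are tracking cookies really" reply above and this post come down to the same distinction: a cookie is first-party when its site matches the site in the address bar, and third-party (doubleclick and the other ad servers) when it does not, which is exactly what Safari's "only allow cookies from sites you visit" setting enforces. The classifier below is an added example, not code from the thread or from any browser; it approximates the Public Suffix List with a small hard-coded set of two-label suffixes, and the hosts and Set-Cookie headers are constructed sample data.

```python
# Added example: first-party vs third-party cookie classification, modelling
# the "only allow cookies from sites you visit" policy discussed above.
# Assumption: the Public Suffix List is approximated by MULTI_LABEL_SUFFIXES.
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption, not complete).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host: str) -> str:
    """Return the 'site' a host belongs to, e.g. ads.doubleclick.net -> doubleclick.net."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def cookie_domain(set_cookie: str, response_host: str) -> str:
    """Domain attribute of a Set-Cookie header, else the response host (host-only cookie)."""
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() == "domain" and value:
            return value.lower().lstrip(".")
    return response_host.lower()

def classify(page_url: str, response_host: str, set_cookie: str) -> str:
    """'first-party' if the cookie's site equals the address-bar site, else 'third-party'."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    cookie_site = registrable_domain(cookie_domain(set_cookie, response_host))
    return "first-party" if cookie_site == page_site else "third-party"

def filter_cookies(page_url, responses, block_third_party=True):
    """Apply the policy to (response_host, Set-Cookie) pairs; return accepted cookie names."""
    accepted = []
    for host, header in responses:
        if classify(page_url, host, header) == "first-party" or not block_third_party:
            accepted.append(header.split("=", 1)[0].strip())
    return accepted

# Constructed sample: a news page loading its own CDN plus two ad/tracking hosts.
SAMPLE = [
    ("www.example.co.uk", "session=abc123; Path=/; Secure; HttpOnly"),
    ("static.example.co.uk", "prefs=dark; Domain=.example.co.uk; Path=/"),
    ("ad.doubleclick.net", "id=7f3a9c; Domain=.doubleclick.net; Path=/"),
    ("track.adserver.example", "uid=42; Path=/"),
]

if __name__ == "__main__":
    print(filter_cookies("https://www.example.co.uk/news", SAMPLE))  # → ['session', 'prefs']
```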

Jun 20, 2010 9:36 AM in response to thomas_r.

I don't want to get this discussion too sidetracked, but I empty all cookies -- including any tracking cookies I may have picked up, at the end of a browsing session. I use Firefox with NoScript, and that also minimizes the chances of picking up some junk from allowing a script to load. I agree, many tracking cookies, in general, may not be the end of the world, but I feel the less any of these ad and data trackers, including Google -- who already knows too much -- know about me, the better. I do feel it's a significant privacy concern. And some of them are very intrusive. If it's not a concern for you, then each to his own.

I also make sure to not allow any Local Shared Objects from any Flash sites to load ("Shared" is a nice euphemism.) I have never once noticed any loss of Flash functionality with all the Macromedia Folders locked and empty.

I have never once found anything bothersome, whatsoever, as a result of removing all cookies. I have all my important passwords stored and I can log back in to those sites in a matter of seconds. I have never noticed any real loss of functionality by removing any cookies, including tracking cookies.

Jun 20, 2010 9:34 AM in response to Wormbog

If this person has not had physical access to your machine you can be almost 100% sure he didn't install anything on your machine. The most logical explanation is that he is able to guess your passwords.

You probably DO NOT have a key logger installed. It takes a really skilled and intelligent hacker to access either a PC or Mac remotely. It's almost impossible without previous physical access or by tricking the user to install the malware. There are NO viruses or malware for the Mac that can install themselves without tricking the user into doing so. NONE.

Jun 20, 2010 9:49 AM in response to Wormbog

Okay, well I've had Little Snitch going since last night. The only problem is that I don't understand half of what this stuff is. I'm also a bit sick of clicking 'Allow' 50 times per website. I know I could Permanently allow, but like I said, I don't know what a huge chunk of this stuff is so I'm a bit paranoid to give something permanent access. I've also run ClamXav, found and deleted a few possible Trojans (though they have nothing to do with this). I'm currently running a MacScan. So far it has found 7 tracking cookies. I suppose I should go ahead and delete those at the end of the scan? Also, I generally delete most of my browsing cookies anyway.

I know that him making good guesses makes the most sense, but I just don't think he could guess some of the passwords I've been using. And as for security questions, I generally make the answer something that makes no sense for the question, so it would literally be impossible to just guess. I'm going through email accounts I've used and looking for linked accounts, but I haven't found anything yet...

Jun 20, 2010 10:18 AM in response to Wormbog

Little Snitch sets default "allow" rules for native Mac processes. Open LS Rules and you will see those have a little padlock on them. There's often a little square at the right of each which you can click to get information about what is being allowed and why, and you can disallow any that aren't relevant, e.g. if you don't have Mobile Me.

In the MenuBar, if you hover the mouse over the LS alert icon -- two parallel sets of short bars -- you can see what is being, or has been allowed and from what. For example, if I click on Firefox, I can see what connections have been made there. If I don't understand anything, I just google its URL to find out what it is.

Generally, you can always deny first and then if you find something isn't working (once you've checked to see if it's safe), you can just go back into the rules, double click on that rule -- it will show a small clock and a semi-circle half in red to show that it is temporary until quit -- and reverse it from the dialog box that appears.

You can google the process the alert is coming from + "Little Snitch" (+ the Port) and see what others have reported.

Message was edited by: WZZZ
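The workflow WZZZ describes (built-in allow rules for native processes, user rules that are permanent or only "until quit", and deny-first for anything you cannot identify) is easier to reason about as a small policy engine. The code below is an added example that models that workflow; it is not Little Snitch's code, and the process paths and hostnames are constructed.

```python
# Added example: outbound-connection policy in the style described above.
# Not Little Snitch's implementation; rule data below is constructed.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    process: str                 # full path of the connecting process
    host: Optional[str]          # None matches any destination host
    port: Optional[int]          # None matches any port
    action: str                  # "allow" or "deny"
    until_quit: bool = False     # temporary rule, dropped when the process exits
    builtin: bool = False        # the "padlocked" default rules for native processes

@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # User rules go ahead of built-in ones so they can override a default allow.
        idx = next((i for i, r in enumerate(self.rules) if r.builtin), len(self.rules))
        self.rules.insert(idx, rule)

    def decide(self, process: str, host: str, port: int) -> str:
        """First matching rule wins; no match means 'ask' (deny first, look it up, then decide)."""
        for r in self.rules:
            if r.process == process and r.host in (None, host) and r.port in (None, port):
                return r.action
        return "ask"

    def process_quit(self, process: str) -> None:
        """Drop the 'until quit' rules of a process that has exited; the next attempt asks again."""
        self.rules = [r for r in self.rules if not (r.until_quit and r.process == process)]

FIREFOX = "/Applications/Firefox.app/Contents/MacOS/firefox"   # constructed path

def build_sample_policy() -> Policy:
    p = Policy()
    # Built-in default: the system time daemon may talk NTP to any host.
    p.rules.append(Rule("/usr/libexec/ntpd", None, 123, "allow", builtin=True))
    # Permanent user rule for a destination that was checked and found legitimate.
    p.add(Rule(FIREFOX, "www.mozilla.org", 443, "allow"))
    # Unknown destination: denied for this session only, to be revisited after looking it up.
    p.add(Rule(FIREFOX, "stats.tracker.example", 80, "deny", until_quit=True))
    return p
```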

