Keylogger Elimination

Hi,

Obviously a full wipe-reinstall will fix any software key logger, but what makes you think you have one? What are the symptons? If there is one and it can be identified, it should be removable. Since a simple system reinstall does not remove/replace applications, I suspect it would be of little use to you at this point.

Good luck

If such a keylogger was installed by an Admin of the computer and you have a standard/managed user account, there's not a lot you can do (other than tell the Admin that you think there's a keylogger and ask them to remove it...).

If you are the Admin of the computer, it shouldn't be hard to find.

WARNING: Do NOT remove anything from any of these places whose purpose or nature you are unsure of. If you're not sure of what something is, post back here and ask first.

First look in your Login Items:

 > System Preferences... Users & Groups | Login Items

If you find nothing there, look in

Hard disk > System > Library > StartupItems

Hard disk > System >Library > LaunchAgents

Hard disk > System >Library > LaunchDaemons

Hard disk > Library > LaunchAgents

Hard disk > Library > LaunchDaemons

Finally, click Finder in the Dock, choose 'Go' from the menu bar and hold down the 'option' key. Click on the 'Library' entry and look in

~/Library/LaunchAgents

Hmm, the activity monitor could be of use to check all processes for something that you are not familiar with.

Yes, that will work if you know the name of the keylogger process.

However, I just downloaded one of the popular keyloggers to test out my instructions and found that it was sneakier than I thought...

It does show up in Activity monitor, but it didn't show up in any of the places I mentioned earlier. In fact it was hiding as a hidden directory in ~/Library/.<keyloggerName>

In this case, to find, and remove it, the first thing you need to do is enter Terminal and paste this command:

defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder

Then go click Finder in the Dock, choose 'Go' from the menu bar and hold down the 'option' key. Click on the 'Library' and look for a hidden directory (greyed out and prepended with a dot .

Inside that hidden directory you should find something with a .app file extension. If so, that's your keylogger.

Also run EasyFind on the keylogger name (which you can get from the name of the app in the hidden directory) and see if it finds anything else elsewhere.

Secure empty trash, then restart. Go look back in the same place to ensure the keylogger has not magically recreated itself.

When you're sure all is done, don't forget to undo the hidden files command in Terminal with this:

defaults write com.apple.finder AppleShowAllFiles FALSE; killall Finder

What is the 'created' date on that .rdb file, please?

I don't know what those are, but I'd leave them alone for now (a couple of guesses from a quick google search: do you have either picasa or something called ArchiCad on your system?).

What you're looking for is an .app.

BTW, you haven't yet indicated WHY you think there's a keylogger on your system (...no use trying to hunt something down that doesn't exist).

Also, restart your system and don't start up any of your usual software (including mail or safari). Have a look and see what's running in Activity monitor. Post a screenshot here.

ABK is a keylogger. Delete it.

Use EasyFind to see if there's another version of it elswhere in your system.

In EasyFind, from the options down the left, choose the following:

'Files and Folder'

'Phrase'

'Ignore case'

'Package contents'

'Include invisible files and folders'

Yep, that's it alright. 🙂

Delete the entire folder. Also use 'secure empty trash' just to be on the safe side.

It seems to me that at this point, I would suggest that YOU and your EX use seperate accounts. Mac OS X is pretty secure in that it's unix based and mirrored off FreeBSD from the old days.

Don't let them use your account, and if you have to step away from the computer, make sure you LOCK IT (or log out).... also change your password(s) of course as well, etc.

this was helpful- it made my finder work again.

How do I find EasyFind? I don't see it in the applications folder