Q: Finding and removing malware, key-loggers, spyware

mark00thomas wrote:

 

After looking at my output in the above link someone suggested that  com.BT.kext.bpkkext was a suspect and that Blazing tools Perfect Keylogger was the software.

That seems to be the case. Keylogging software can employ any number of system modifications to accomplish their tasks.

In the case of "Blazing Tools Perfect Keylogger" that appears to be installed, if their uninstaller did not eradicate it, one solution guaranteed to be reliable would be to completely erase your boot volume and rebuild your system. Short of that extreme though, I recommend you exhaustively search for its components in each of the following locations in addition to the above paths (some may be repeated):

/Library

/Library/Application Support

/Library/Bundles

/Library/Caches

/Library/Extensions

/Library/Frameworks

/Library/Preferences

/System/Library/Extensions

/System/Library/LaunchAgents

/System/Library/LaunchDaemons

~/Library

~/Library/Application Support

~/Library/Caches

~/Library/LaunchAgents

~/Library/Preferences

~/Library/Preferences/ByHost

To easily navigate to each location triple-click the line that contains the path to select it, and then right click (or control-click) to bring up a contextual menu. Select Services > Reveal. A Finder window will open with the folder selected. Open the selected folder, scrutinize it for anything that may be related to Blazing Tools (com.BT.kext.bpkkext, com.BT.BPK, and PKard are three examples), and drag the suspicious file to the Desktop, or directly to the Trash. You will need to authenticate.

Recursively apply this procedure to ensure that a running process that remains does not re-create one of the keylogger's required components. I have no reason to believe that will occur but it is possible.

Back up your system prior to performing the above.

I heard once that if you back up your infected computer to a drive and computer you now connect that drive to can get infected

It's not quite as simple as you describe. Backing up your Mac does not migrate files from the backup to the source. However, an active keylogger or similar app could conceivably install itself on a mounted bootable volume. It would not be active on that volume unless you were to boot from it though.

You will find no general purpose tutorial for the above because every keylogging app will have different ways of functioning and will have different places to hide their files. Keyloggers have legitimate purposes and won't generally be characterized as malware, but like anything else installed on a Mac it is incumbent upon its user to know how to uninstall it. Not all programs have uninstallers, and those that do may or may not eradicate all its components. It is even possible that Blazing Tools' uninstaller did in fact render it inert, but I would not trust that to be the case given that at least two of its components remain present on your Mac.

Yes, a keylogger is installed.

Another to add to Linc's possibilities.

Have you installed illegal software from torrent, or other sharing sites. This is the number one way crooks are attacking Mac users. They stuff all kinds of extra packages into commercial software installers you don't know about. Once you enter your admin password to allow the software you expect to install, it also now has permission to install the extras. It doesn't have to ask you again for those.

Dear mark00thomas

Whew..... It looks like there is a lot of effort/work applied on your endeavor already just in Posting by themselves.  Repeat please, Whew.

I pondered this same concern and hope my solution may be of some avenue for you to explore.

My Solution:

I went to the Apple Apps , (icon on your dock in OS X 10.8.4) and purchased the 'Bitdefender Virus Scanner' Version 2.21, then found it to be very effective to eliminate my concerns somewhat similar to yours. 

Summary:

That's it.  __________Simple on my end> hopefully for you too<..

Then let's have one of the following: coffee/tea/soda/cup of water break to get ones' (second wind & keeping our) systems sparkling clean. lol  

Authored Statements:  ysureican.____

ysureican wrote:

 

... I went to the Apple Apps , (icon on your dock in OS X 10.8.4) and purchased the 'Bitdefender Virus Scanner' ...

Keyloggers are not viruses, Bitdefender is utterly useless, and the OP's concerns are not at all similar to yours.

A keylogger is not malware either. It is a tool with legitimate uses, but it can nevertheless be used by someone with malicious intent.

There is no commercial product that will keep your Mac "sparking clean". Bitdefender and similar junk will at best convey a misplaced sense of security, and at worst will cause your Mac to run poorly.

Little Snitch can be very useful, but it can also cause needless concern. OS X has many processes that require outgoing connections and there are many legitimate Apple apps that require them to work. If you use LS to block them your Mac may not work as expected and then you have other problems. Use it as you wish, but like everything else you have to be familiar with its operation and limitations for it to be an effective tool.

How did you guys know that com.BT.kext was not suposed to be there?

Many years of using many Macs, resulting in a general familiarity with what is supposed to be present and how they are designed to work. Anything extraneous becomes as obvious as an intruder in your own home, deserving of the appropriate scrutiny.

Knowing what is installed and its intended use is a fundamental principle for using any computer. Unfortunately someone with malicious intent with physical access to your Mac - a future former spouse in your case - has unfettered ability to install anything for purposes limited only to the imagination. This is not limited to software since it is entirely conceivable that hardware modifications can record keystrokes, passwords, etc. for future retrieval.

It's also quite likely that installing something downloaded from a torrent site contained malicious software. Given these uncertainties, I once again strongly favor erasing your Mac completely and rebuilding it from that known state. However, if you have reason to believe someone modified your Mac you may wish to preserve the evidence and pursue legal remedies. This lies well outside the scope any help I am able to provide.

The item you posted appears to be an empty cache file, perhaps from Safari.

Searching by name for something that might want to be hidden could well fall short, since the developers could have named the files most anything, rather than helpfully 'com.keylog.something'.  I'd still suggest erase/install & selectively import, unless you've very good reason to think that Blazing tools was the start & finish of any efforts to see what you do... & even then, I'd want confirmation from BT about what was installed.

The pkard references are likely this, not BTPK.  I don't recognise wceprv.framework

Is there a tutorial or something that we can use to monitor these kinds of things?

There's been a lot of information posted on this topic (and a bit of misinformation as well), but I haven't seen what I would say was a complete answer to this question. The bottom line is that there is no set of techniques or software that you can use to detect any and all keyloggers. If someone untrusted has had physical access to the machine in question, you cannot know what may have been done, and you will never be able to be sure that you have found everything. In such a case, your only choice that will ensure your security is to erase the hard drive and reinstall the system from scratch. See:

How to reinstall Mac OS X from scratch

Since you seem to be in the middle of a domestic dispute and suspect that your wife, who would have had access, might have installed something, this would be an appropriate action to take.

I do hate to throw fuel on a fire...but if this is your "personal" computer (eg, each of you has a seperate computer with only your personal accounts on it) and your spouse has for all intents and purposes installed malware on it...you may also want to consult your attorney.  Especially if you think that whatever she has been doing on your computer may come up later during a divorce.

Sad, but better to be safe than sorry...

I'm quite sure that someone has put a keylogger on my macbook pro. I followed the directions here: https://discussions.apple.com/thread/4243511 And I came up with the following. Does anyone see any keylogger info here? Please include any helpful info, like links to identify the culprit. Thanks

https://discussions.apple.com/message/2644034?searchText=keylogger#2644034

--------------------

Lelies-MacBook-Pro:~ healthyinspiration

Password:

Sorry, try again.

Password:

1. com.wdc.WDSmartWareServer
2. com.wdc.WDDMservice
3. com.microsoft.office.licensing.helper
4. com.mcafee.virusscan.fmpd
5. com.mcafee.ssm.ScanManager
6. com.mcafee.virusscan.ssm.ScanFactory
7. com.mcafee.ssm.Eupdate
8. com.google.keystone.daemon
9. com.adobe.fpsaud

Lelies-MacBook-Pro:~ healthyinspiration$

Lelies-MacBook-Pro:~ healthyinspiration$

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null/Library/Components:

/Library/Extensions:

/Library/Frameworks:

1. AEProfiling.framework
2. AERegistration.framework
3. AVEngine.framework
4. AudioMixEngine.framework
5. NyxAudioAnalysis.framework
6. PluginManager.framework
7. ScanBooster.framework

• VirusScanPreferences.framework

1. iTunesLibrary.framework

/Library/Input Methods:

/Library/Internet Plug-Ins:

1. AdobeAAMDetect.plugin

Flash Player.plugin

1. JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

1. SharePointBrowserPlugin.plugin
2. SharePointWebKitPlugin.webplugin
3. flashplayer.xpt
4. googletalkbrowserplugin.plugin

npgtpo3dautoplugin.plugin

1. nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin

/Library/Keyboard Layouts:

/Library/LaunchAgents:

1. com.adobe.AAM.Updater-1.0.plist
2. com.adobe.CS4ServiceManager.plist
3. com.google.keystone.agent.plist
4. com.mcafee.menulet.plist
5. com.mcafee.reporter.plist

/Library/LaunchDaemons:

1. com.adobe.fpsaud.plist
2. com.apple.remotepairtool.plist
3. com.google.keystone.daemon.plist
4. com.mcafee.ssm.Eupdate.plist
5. com.mcafee.ssm.ScanFactory.plist
6. com.mcafee.ssm.ScanManager.plist
7. com.mcafee.virusscan.fmpd.plist
8. com.microsoft.office.licensing.helper.plist
9. com.wdc.WDDMservice.plist
10. com.wdc.WDSmartWareServer.plist

/Library/PreferencePanes:

Flash Player.prefPane

/Library/PrivilegedHelperTools:

1. com.microsoft.office.licensing.helper

/Library/QuickLook:

1. iWork.qlgenerator

/Library/QuickTime:

1. AppleIntermediateCodec.component

AppleMPEG2Codec.component

/Library/ScriptingAdditions:

Adobe Unit Types.osax

/Library/Spotlight:

Microsoft Office.mdimporter

1. iWork.mdimporter

/Library/StartupItems:

cma

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:

Library/Address Book Plug-Ins:

Library/Fonts:

Library/Input Methods:

.localized

Library/Internet Plug-Ins:

Google Earth Web Plug-in.plugin

1. Picasa.plugin

Library/Keyboard Layouts:

Library/LaunchAgents:

1. com.apple.CSConfigDotMacCert-healthyinspiration@me.com-SharedServices.Agent.plist

Library/PreferencePanes:

Lelies-MacBook-Pro:~ healthyinspiration$

Lelies-MacBook-Pro:~ healthyinspiration$

Lelies-MacBook-Pro:~ healthyinspiration$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, HP Scheduler

Lelies-MacBook-Pro:~ healthyinspiration$

Lelies-MacBook-Pro:~ healthyinspiration$