I think I have a keylogger on my iMac...

Hi,

I think someone has put a keylogger on my computer and I'm trying to locate it. They have told me two pieces of info, and the only way they would know is by somehow having access to my computer. Only I know the password. I'm not under 18 nor an employee. Please look through the list off my computer terminal which I got to see if there's any keylogger clues.


Do you see any spyware or keylogger?


Once I find out the spy software, how do I find out who put it on?


Perhaps there are other keyloggers or spyware, do you see any?

Can anybody tell me if there is any easy way to get it out?


I'm quite sure that someone has put a keylogger on my iMac. I followed the directions here: https://discussions.apple.com/thread/4243511 And I came up with the following. Do you see any keylogger info here? Please include any helpful info. Thank you so much for your assistance. I greatly appreciate it and I look forward to reading your response.

1.

com.parallels.kext.prl_hypervisor (5.0

com.parallels.kext.prl_hid_hook (5.0

com.parallels.kext.prl_usb_connect (5.0

com.parallels.kext.prl_netbridge (5.0

com.parallels.kext.prl_vnic (5.0


2.


com.parallels.vm.prl_naptd

com.parallels.desktop.launchdaemon

com.adobe.fpsaud


3.

com.parallels.desktop.client.launch

com.divx.update.agent

com.divx.dms.agent

com.google.keystone.user.agent

com.divx.agent.postinstall

com.valvesoftware.steamclean

com.valvesoftware.steam.ipctool


4.


/Library/Components:



/Library/Extensions:



/Library/Frameworks:

Adobe AIR.framework

DivX Toolkit.framework

HPPml.framework

HPServicesInterface.framework

MacFUSE.framework

NyxAudioAnalysis.framework

PluginManager.framework

Python.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

.DS_Store

DivX Plus Web Player.plugin

Flash Player.plugin

JavaPlugin2_NPAPI.plugin

JavaPluginCocoa.bundle

NP-PPC-Dir-Shockwave

OVSHelper.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

flashplayer.xpt

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.divx.dms.agent.plist

com.divx.update.agent.plist

com.parallels.desktop.launch.plist



/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.parallels.desktop.launchdaemon.plist



/Library/PreferencePanes:

Flash Player.prefPane

MacFUSE.prefPane



/Library/PrivilegedHelperTools:



/Library/QuickLook:

GBQLGenerator.qlgenerator

ParallelsQL.qlgenerator

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

DivX Decoder.component

DivX Encoder.component



/Library/Spotlight:

AppleWorks.mdimporter

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

ParallelsMD.mdimporter

iWork.mdimporter



/Library/StartupItems:

HP IO

HP Trap Monitor

ParallelsDesktopTransporter



/etc/mach_init.d:

dashboardadvisoryd.plist



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:

AdiumAddressBookAction_AIM.scpt

AdiumAddressBookAction_ICQ.scpt

AdiumAddressBookAction_Jabber.scpt

AdiumAddressBookAction_MSN.scpt

AdiumAddressBookAction_SMS.scpt

AdiumAddressBookAction_Yahoo.scpt

SkypeABDialer.bundle

SkypeABSMS.bundle



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Plug-Ins:



Library/Keyboard Layouts:



Library/LaunchAgents:

com.apple.CSConfigDotMacCert-dana_nushit@me.com-SharedServices.Agent.plist

com.divx.agent.postinstall.plist

com.google.keystone.agent.plist

com.valvesoftware.steamclean.plist



Library/PreferencePanes:

Growl.prefPane



Library/QuickTime:


5.


Steam, iTunesHelper, Parallels Desktop, BitTorrent

iMac

Posted on Jul 25, 2014 5:10 PM

12 replies

Jul 25, 2014 5:19 PM in response to ShadowZZer

After taking a look through your info, I'm not seeing anything that looks suspicious. How do you know you have a keylogger? Do you use the two pieces of info someone knows (I'm guessing a password) on other sites or computers? Is the password randomly generated, or are you using something personal (like a pet name or birthday)?


Please post the files you see in the following folders:


  • ~/Library/LaunchAgents
  • /Library/LaunchAgents

Jul 25, 2014 5:35 PM in response to JoshSTJ

The password is randomly generated. Nobody knows my password, if that's what you mean by this: "Do you use the two pieces of info someone knows (I'm guessing a password) on other sites or computers?" (because English isn't my native language), but I do use my passwords on multiple computers. I know (well, I think) I have a keylogger because I was stupid enough to enter a link someone sent me, then he told me a piece of information he couldn't know about me.

Anyways the files I see in the following folders are:


/Library/LaunchAgents:

com.apple.CSConfigDotMacCert-dana_nushit@me.com-SharedServices.Agent.plist

com.divx.agent.postinstall.plist

com.google.keystone.agent.plist

com.valvesoftware.steamclean.plist


(I THINK this is it) ~/Library/LaunchAgents:

com.divx.dms.agent.plist

com.divx.update.agent.plist

com.parallels.desktop.launch.plist


Thanks again for your help

Jul 25, 2014 6:02 PM in response to ShadowZZer

ShadowZZer wrote:


Anyways the files I see in the following folders are:


/Library/LaunchAgents:

com.apple.CSConfigDotMacCert-dana_nushit@me.com-SharedServices.Agent.plist

com.divx.agent.postinstall.plist

com.google.keystone.agent.plist

com.valvesoftware.steamclean.plist


(I THINK this is it) ~/Library/LaunchAgents:

com.divx.dms.agent.plist

com.divx.update.agent.plist

com.parallels.desktop.launch.plist


They all look like normal files too.

It's possible the contents have been edited to do malicious things, but you are looking for a needle in a haystack.


Personally, if you are sure you have a key logger installed, it is pointless trying to track it down. Key logging usually requires low level access (to gain access to protected password fields etc.), so many other malicious things could be installed onto the OS, like backdoors that are difficult to detect. You may clean up the Mac & get a new issue the next day.


To clean up

Install a new HD, clean install the OS, move your user data back over with great care (avoid apps, only copy files you need). Run ClamXAV over the data too to see if it has known malware. Systematically change all your old passwords to email & any web services you use.


You should seriously think about how this person got the information you think is private, many times it can be as simple as a common acquaintance or public info on sites like Facebook etc. Clicking a link doesn't instantly gain full access to your Mac unless you are very unlucky so it's possible you are just missing a better explanation. Is your user account an admin user?


P.S.

If you are certain this person has installed a key logger you should contact the Police & stop using the computer - the Mac is evidence & you could be jeopardising that by removing it.
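The reply above notes that a normal-looking file name says nothing about what the file has been edited to do. The following is an added example, not part of the original posts, that reads each launchd job in the folders discussed and reports the program it actually starts. `Label`, `Program`, `ProgramArguments`, `RunAtLoad` and `KeepAlive` are standard launchd keys; the path heuristics and the two sample jobs are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Folders asked about in the thread, plus the system-wide daemon folder.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
               "/Library/LaunchDaemons"]
# Assumption: heuristics chosen for this example, not an exhaustive list.
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "perl", "ruby", "osascript"}

def describe_job(plist_bytes):
    """Parse one launchd plist (XML or binary) and report what it runs."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    notes = []
    if not program:
        notes.append("no program specified")
    if program.startswith(UNUSUAL_PREFIXES):
        notes.append("runs from a temp or shared-writable location")
    if any(p.startswith(".") for p in Path(program).parts[1:]):
        notes.append("hidden path component")
    if Path(program).name in INTERPRETERS:
        notes.append("runs an interpreter; read the arguments")
    auto = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
    return {"label": job.get("Label"), "program": program, "args": args,
            "starts_automatically": auto, "notes": notes}

def scan(dirs=LAUNCH_DIRS):
    """Describe every *.plist in the given folders; unreadable files are noted."""
    reports = []
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                report = describe_job(path.read_bytes())
            except Exception as exc:  # damaged plist, permissions, wrong type
                report = {"label": None, "program": "", "args": [],
                          "starts_automatically": False,
                          "notes": [f"unreadable: {exc}"]}
            report["file"] = str(path)
            reports.append(report)
    return reports

# Constructed samples: same label, very different targets.
SAMPLE_OK = plistlib.dumps({"Label": "com.example.updater.agent",
    "ProgramArguments": ["/Library/Application Support/Example/updater"]})
SAMPLE_ODD = plistlib.dumps({"Label": "com.example.updater.agent",
    "ProgramArguments": ["/Users/Shared/.cache/helper"], "RunAtLoad": True})

if __name__ == "__main__":
    for r in scan():
        print(r["file"], "->", r["program"], r["args"][1:], r["notes"])
```

An empty `notes` list only means none of these few heuristics matched; the reported program path still has to be compared against software you knowingly installed.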

Jul 25, 2014 6:12 PM in response to ShadowZZer

Also agreed with Drew, those are all normal files.


When you entered the link someone sent you, did you enter in any of your information that the person later told you they knew? (IE: Did you get to a login screen, you entered your password, and then they told you they knew what your password is?)


If that's the case, I wouldn't say it's a keylogger. They just coded a script to gather the info you entered on that website.

Jul 25, 2014 6:36 PM in response to ShadowZZer

I don't have a link since it would be very specific to what apps you use.


The first step is to remove your boot disk & stop using it. Then you can boot into internet recovery mode & reinstall OS X onto the new disk. Assuming your Mac supports internet recovery.


It is similar steps that you would take to set up your Mac again, however because you cannot assume your accounts are safe you must reset the passwords on them too. Otherwise if iCloud (for example) can control your Mac (Back to My Mac) you could have the Mac modified again.

You also cannot trust your user data either so you would want to scan the disk with ClamXAV then move files back that you need. It is complex & risks reinstalling something that could compromise you again.

You also want to avoid using the original disk in read & write mode (https://github.com/aburgh/Disk-Arbitrator can help with that).


Using a non-admin account can help mitigate some attacks so use a standard account.


All of this is complex & time consuming (to do correctly) so you really want to be sure that you are not making a wild assumption otherwise it would be a waste of time & effort.

Jul 25, 2014 10:54 PM in response to ShadowZZer

ShadowZZer wrote:


Any chance you can give me a link how to clean up and do all that stuff?

There is no magic way to do this and all those "cleaner" apps that try to tell you they can will do you more harm than good.


Not sure exactly what you mean by clean up, but if you see leftovers from software you no longer use the only safe way to remove them is to visit the developer's site for instructions on how to remove them. They are the only ones that really know where they put everything and what it's called.
