
How can I detect and remove keystroke logger software?

I suspect that my soon to be ex-husband has surreptitiously installed keystroke logger software (or other "spyware") onto my MacMini. Is there a way to detect it and remove it? Any recommendations for protection software? Or, is it better to wipe the machine clean and reinstall software and files? I cannot afford a new computer right now, so buying a new one is not an option.

Mac mini, Mac OS X (10.6.8), Machine is 1.66 GHz Intel Core Duo

Posted on Sep 1, 2014 12:31 PM

Question marked as Top-ranking reply

Posted on Sep 1, 2014 3:18 PM

If you know or suspect that a hostile intruder has either had physical access to it, or has been able to log in remotely, then there are some steps you should take to make sure that the computer is safe to use.

First, depending on the circumstances, computer tampering may be a crime, a civil wrong, or both. If there's any chance that the matter will be the subject of legal action, then you should do nothing at all without consulting a lawyer or the police. The computer would be the principal evidence in such a case, and you don't want to contaminate that evidence.

Running any kind of "anti-virus" software is pointless. If I broke into a system and wanted to leave a back door, I could do it in a way that would be undetectable by those means—and I don't pretend to any special skill as a hacker. You have to assume that any intruder can do the same. Commercial keylogging software—which has legitimate as well as illegitimate uses—won't be recognized as malware, because it's not malware.

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

12 replies

Sep 4, 2014 7:16 AM in response to MacMiniFan7

My suggestion:

Stop using the MacMini right away, in case he's trying to get your passwords etc.

Then, by agreement with your attorney, take the MacMini to her/his office and in her/his presence, make a complete clone of it to an external hard drive. Get the attorney to label the external drive with the date and time etc. and leave the HD with the attorney.

Then take the MacMini home, wipe it, and re-install everything and get on with your life.

Alternatively ask your attorney to come to your home, and go through the same process.

As and when necessary, a computer expert acceptable to both parties can examine the hard drive to see if your suspicions are correct.

If your husband is still in the house or has access to the MacMini, leave the whole MacMini with your attorney, get a new Mac, create a new account, and move on.

Sep 4, 2014 1:57 PM in response to Chris CA

Chris CA wrote:

    Csound1 wrote:

        If he has then it's an illegal act,

    (not lawyer but) only if there is a separation agreement or restraining order that he cannot have access to the house/contents.

    If the computer is jointly owned, nothing illegal about installing software on your own device.

    But yes, contact your lawyer.

Maybe, but all I see is a costly argument between lawyers as to whether he has the right to do that, even if the surveillance software predates the separation.
