
Potential keylogger infection

Hi,


I need some help to find out whether there's a keylogger installed on my machine.

Is there a way to detect if such software is installed on my machine? Or should I suspect a keylogger has been installed in the EFI partition?


I've installed ClamXav and Little Snitch (among others) to scan and control the network connections my machine makes. Also installed HotSpot Shield thinking it might help secure my internet connection and changed the password for my Mac ID.


I went through this post, "I believe that I have a keylogger or some sort of spyware installed on my mac, please help!", and I was wondering whether I could get an insight from the experts posting regularly here. I also checked with the official Apple reseller to find out whether there are Mac repair shops that could help me out on this but didn't get any recommendation.


I'm using a MacBook Pro (Retina, 15-inch, Mid 2014) and a MacBook 13-inch unibody.


Here's what I got after typing in Terminal the commands suggested in the post I've mentioned:



====================================

Last login: Wed Jan 28 09:01:15 on ttys000
usernames-MacBook-Pro:~ username$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
at.obdev.nke.LittleSnitch (4234)
com.intego.netbarrier.kext.monitor (180)
com.intego.netbarrier.kext.process (180)
com.intego.netbarrier.kext.network (180)
com.intego.Family-Protector.extension (2591)
com.anchorfree.tun (1.1.1)
usernames-MacBook-Pro:~ username$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
Password:
com.intego.Family-Protector.daemon
com.intego.WashingMachine.service
com.bitdefender.AuthHelperTool
org.whatpulse.ChmodBPF
com.bitdefender.CoreIssues
com.intego.virusbarrier.daemon.emlparser
com.intego.commonservices.icalserver
at.obdev.littlesnitchd
com.intego.PersonalBackup.daemon
com.intego.netbarrier.daemon
com.intego.commonservices.daemon.taskmanager
com.bitdefender.UpdDaemon
com.bitdefender.Daemon
com.intego.commonservices.metrics.kschecker
com.prosofteng.DriveGenius.locum
com.intego.netupdate.daemon
com.adobe.SwitchBoard
com.intego.netbarrier.daemon.logger
com.bitdefender.upgrade
com.adobe.fpsaud
com.intego.virusbarrier.daemon
com.intego.netbarrier.daemon.monitor
com.intego.virusbarrier.daemon.logger
com.teamviewer.Helper
com.intego.virusbarrier.daemon.scanner
com.intego.commonservices.daemon.integod
com.anchorfree.ajaxserver
usernames-MacBook-Pro:~ username$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
com.intego.commonservices.taskmanager
com.intego.virusbarrier.alert
uk.co.markallan.clamxav.330892
com.intego.netupdate.agent
com.irradiatedsoftware.SizeUp.259040
com.intego.app.netbarrier.monitor.285736
com.intego.Family-Protector.agent
at.obdev.LittleSnitchUIAgent
com.intego.netbarrier.alert
com.anchorfree.Hotspot_Shield.275796
com.intego.commonservices.uninstaller
com.adobe.AAM.Scheduler-1.0
jp.co.canon.ScanGearMF.appl.Canon-MF-Scan-Agent
com.intego.personalbackup.agent
com.evernote.EvernoteHelper.214168
com.intego.commonservices.integomenu
com.citrixonline.GoToMeeting.G2MUpdate
com.adobe.ARM.df0ab5bbe6f698196fcc21e3c1e66dcb758bd911f4d637272d9d8109
com.spotify.webhelper
com.bitdefender.antivirusformac
com.google.keystone.user.agent
com.google.Chrome.96592
com.intego.WashingMachine.ui.helper
com.vmware.fusionStartMenu.75292
usernames-MacBook-Pro:~ username$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
iTunesHelper, VMware Fusion Start Menu, SizeUp, EvernoteHelper, Hotspot Shield, NetBarrier Monitor
usernames-MacBook-Pro:~ username$

===============================


Any hint is highly appreciated (kinda desperate right now).


Thanks in advance!

MacBook 13 unibody, Mac OS X (10.6.7)

Posted on Feb 10, 2015 9:24 AM

15 replies
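As an added example (not from the thread or from any of its participants), the script below applies the same exclusion pattern as the `launchctl list` command in the post above, but offline against a constructed listing in the three-column format `launchctl list` prints, and then does the step the commands leave to the reader: reducing each surviving label to its reverse-DNS vendor prefix and comparing it against a list of software the user knows they installed. The sample rows, the `KNOWN` list and the `vendor_of` heuristic are assumptions made for illustration. The point it makes, which the replies below also make, is that the awk pattern only strips Apple's own jobs; every remaining label still has to be accounted for by something you knowingly installed, and labels with a numeric suffix (`.330892`) are per-session instances of the same agent, not separate programs.

```sh
#!/bin/sh
# Added example, not code from the thread. Runs on POSIX sh with awk/sed/grep.

# Constructed sample in the same column layout as `launchctl list`:
# PID  Status  Label   (a "-" PID means the job is loaded but not running)
SAMPLE='PID     Status  Label
-       0       com.apple.mdworker.shared
412     0       com.google.keystone.user.agent
-       0       com.intego.netupdate.agent
587     0       uk.co.markallan.clamxav.330892
-       0       0x10a7b0.anonymous.bash
601     0       at.obdev.LittleSnitchUIAgent
-       0       com.example.unknownhelper.plist'

# Vendor prefixes of software the user knows they installed (assumption for
# the example; a real list is built from the apps actually on the Mac).
KNOWN='com.google
com.intego
uk.co.markallan
at.obdev'

# Same exclusion the thread's command applies: drop the header line, Apple's
# own jobs and the 0x... anonymous entries, then print the Label column.
non_apple_labels() {
    sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
}

# Heuristic: a label's vendor is its first two reverse-DNS components, except
# for ccTLD-style prefixes (uk.co.vendor, jp.co.vendor) where it is three.
vendor_of() {
    printf '%s\n' "$1" | awk -F. '{
        if (length($1) == 2 && ($2 == "co" || $2 == "com" || $2 == "org"))
            print $1 "." $2 "." $3
        else
            print $1 "." $2
    }'
}

# Read a listing on stdin and print each non-Apple label whose vendor prefix
# is not in KNOWN; these are the entries that still need explaining.
flag_unknown() {
    non_apple_labels | while IFS= read -r label; do
        v=$(vendor_of "$label")
        if ! printf '%s\n' "$KNOWN" | grep -qx "$v"; then
            printf '%s (vendor %s)\n' "$label" "$v"
        fi
    done
}

# Stand-alone run against the constructed sample. On a real Mac the input
# would be `launchctl list` (and `sudo launchctl list`) instead of $SAMPLE.
printf '%s\n' "$SAMPLE" | flag_unknown
```

Running it prints only `com.example.unknownhelper.plist (vendor com.example)`; the Google, Intego, ClamXav and Little Snitch entries are recognised as belonging to installed software and dropped. An unknown entry is a lead to investigate (look up the matching plist under `/Library/LaunchAgents`, `/Library/LaunchDaemons` or `~/Library/LaunchAgents` and see which program it starts), not proof of anything by itself.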

Feb 10, 2015 12:41 PM in response to sebastianfH

(kinda desperate right now).


You should probably explain the reason for your desperation.


You can perform any number of software tests on your Mac and never reach a conclusive result, because it is not possible to conclusively determine the absence of a keylogger while using a system that has been altered by a keylogger. It is only possible to conclusively verify the presence of certain well-known keyloggers or like software. If you suspect a keylogger has been installed, the only definitive way to allay that suspicion is to erase the Mac completely and reinstall its operating system and other content from legitimate sources. Then, the absence of any hardware modifications capable of performing the function of a keylogger must also be conclusively determined. That task would be difficult and time-consuming even for someone with the hardware and knowledge necessary to make such a conclusive determination. It would be easier and cheaper to simply replace the hardware, once again ensuring its replacement comes directly from a legitimate source.


Integrated circuits can be duplicated to resemble their physical appearance and markings with 100% accuracy. This is a very common problem with electronic components, though the primary reason for that is to sell counterfeit copies of intellectual property owned by others, not to replace genuine components with those designed to steal your own personal information.


That's the reason you should explain the reason for your concern. There are many more easily accomplished and far less technologically challenging ways of eavesdropping on you.


All those "anti-virus" and "security" products that appear to reside on your Mac are completely worthless, and provide no defense against any keylogger that may be present. I suggest you get rid of them and let your Mac work as it is designed to work.

Feb 10, 2015 1:31 PM in response to sebastianfH

sebastianfH wrote:


I need some help to find out whether there's a keylogger installed on my machine.


Why do you suspect there may be a keylogger installed?


Unless someone malicious has had physical access to your computer, or has been given remote access, it's very unlikely that you have a keylogger. As John indicates, if someone has had this kind of access, there's really no way to conclusively determine whether your system is clean. No anti-virus software can help you do that.


However, since this is unlikely, it's important that we understand what your concern is, and what symptoms you are seeing, so that we can help with your problem.

Feb 11, 2015 2:21 AM in response to Linc Davis

Is there a way to contact you guys privately?


Thing is I've reinstalled my OS several times in the last 3 months and it seems like some information is still leaking.

At first I thought my me.com account was compromised so I changed my password and my security questions for quite a number of times (2-step authentication is not available in my country) and also changed the rescue e-mail address to a gmail account that has the 2-step authentication on.


Is it possible that there's a keylogger installed in the EFI partition? How can I check whether this scenario is plausible?

Is there a way to check what's living in that EFI partition?


What info should I give to help you guys better understand my situation (although I don't feel comfortable presenting the situation in detail on a public forum)?


Thank you!

Feb 11, 2015 2:35 AM in response to thomas_r.

I cannot cross out the physical access scenario. But I guess the plausibility of this also implies having an extremely Apple-savvy guy in the picture. Which I cannot exclude either.


Also, I'm not sure if presenting my situation to my local authorities dealing with cyber-stuff would be of any help. Which makes me believe I'm on my own. And I'm not a Mac-savvy guy.

Feb 11, 2015 4:24 AM in response to sebastianfH

sebastianfH wrote:


Thing is I've reinstalled my OS several times in the last 3 months and it seems like some information is still leaking.


What makes you think that information is "leaking?" I see people with these concerns all the time, and in the vast majority of cases, there are many other explanations, and no need to conjure up a theoretical and very unlikely hacking scenario.


Is it possible that there's a keylogger installed in the EFI partition? How can I check whether this scenario is plausible?

Is there a way to check what's living in that EFI partition?


There is only one way that this would be currently known to be possible, and that's through physical access to the machine. There are currently no known pieces of malware capable of doing this, only a proof-of-concept that is not malicious. So, in order for this to have happened, you would need to have been targeted by someone who is capable of both creating the payload that would infect the firmware and creating the specialized hardware to deliver that payload.


If you are running Mac OS X 10.10.2, this is no longer possible, as the firmware vulnerability that allowed this has been closed. If you are using 10.6, as your profile indicates, you also wouldn't be vulnerable, as to my knowledge no machine capable of running 10.6 has a Thunderbolt port.


Unfortunately, there is really no way that you could detect changes to the firmware without some serious hacking work of your own, probably involving using specialized hardware to download the firmware directly from the boot ROM.


For more information, see:


How serious is Thunderstrike?


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)


What info should I give to help you guys better understand my situation (although I don't feel comfortable presenting the situation in detail on a public forum)?


We need details about exactly what you're seeing that leads you to believe that malware is involved. If you are not comfortable posting that information, just anonymize it as much as possible.

Feb 11, 2015 9:23 AM in response to Linc Davis

Thank you Linc Davis for your answer.


So I should rest assured there's no keylogger installed on my OS.


Is there a way to delete the EFI partition and to reinstall the Boot ROM?

Here are my Mac's specs:

Boot ROM Version:

MBP112.0138.B14

SMC Version:

2.19f12


I've searched the Apple site for this type of firmware, but couldn't come across anything specific. I would like to rule out this scenario as well. Or, can this also be inferred from the log I posted?


Many thanks!

Feb 4, 2016 11:21 PM in response to Linc Davis

Hi Linc Davis


As I can see, you know how to detect if a computer is a keylogger victim, am I right?

Is there a way to know if a computer that I'm using has this "problem"?


I've performed the steps provided in this post: "I believe that I have a keylogger or some sort of spyware installed on my mac, please help!", and now I got a lot of results. In the line "/Library/LaunchAgents:" I've found these ones:

/Library/LaunchAgents:
com.google.keystone.agent.plist
com.rim.BBAlbumArtCacher.plist
com.rim.BBLaunchAgent.plist

Do I need to paste the whole bunch of info so you can help me with this issue?


Thanks in advance!

Feb 5, 2016 9:06 AM in response to darboscalante

darboscalante wrote:


Hi Linc Davis


As I can see, you know how to detect if a computer is a keylogger victim, am I right?

Is there a way to know if a computer that I'm using has this "problem"?


I've performed the steps provided in this post: "I believe that I have a keylogger or some sort of spyware installed on my mac, please help!", and now I got a lot of results. In the line "/Library/LaunchAgents:" I've found these ones:

/Library/LaunchAgents:
com.google.keystone.agent.plist
com.rim.BBAlbumArtCacher.plist
com.rim.BBLaunchAgent.plist

Do I need to paste the whole bunch of info so you can help me with this issue?


Thanks in advance!

I'd strongly suggest you create a new topic & start explaining what your actual issues are (like the info Linc Davis's first comment here asks for).


Those look like normal launch agents (background tasks) from known Mac software developers. I suspect you have ancient RIM software (for Blackberry devices) that could be removed if not needed, but that requires you to find the correct steps to remove it. It is often left over from older OS versions; it is just what happens in a migration.


Hunting for 'keyloggers' & other malicious software is not something you should do unless you have a lot of experience or are known to be a target of government agencies; frankly, many users assume that something is evil when it is just a part of the OS or third party software.


If you want help here, start by explaining your issues, don't give us the latest conclusion you have decided to latch on to - you could be wrong, which wastes our time & yours.

Feb 5, 2016 11:02 AM in response to Drew Reece

Hi Drew, thanks for your quick response.


Here is my new thread, just as you wanted to see it: "Does this Mac is a Keylogger target?"


I'm not the owner of the device. As far as I know, the owner —someone who uses his computer to navigate in Netflix and write some letters in Word— is in the middle of legal issues where a lot of money is involved. That, and the lack of important information located in several of his email threads (from a hotmail account), are parts of this recipe.


As he told me, he has created a new email account recently, with a totally different password, and the same problem has come again. Then I heard for the first time about keyloggers. I never figured out that this kind of software exists for Macs, so I'm not a devoted mysteries creator or someone who thinks that a big occult power is behind me or other people. This desperate owner asked me for an opinion, that's all.


I just did my research and tried to get a result based on the knowledge expressed in this PUBLIC forum; I'm not trying to play a techie/savvy role. As I noticed in a lot of forum posts, the community does not like to respond to a problem twice. That's why I posted the result I thought could work for this issue, sorry if it was a waste of time for you. If you can help, thanks in advance; if not, I hope Linc Davis can, as this plea was originally posted for him.


On the other hand, thanks for clarifying the RIM stuff for me.

Feb 5, 2016 11:51 AM in response to darboscalante

darboscalante wrote:


I just did my research and tried to get a result based on the knowledge expressed in this PUBLIC forum; I'm not trying to play a techie/savvy role. As I noticed in a lot of forum posts, the community does not like to respond to a problem twice. That's why I posted the result I thought could work for this issue, sorry if it was a waste of time for you. If you can help, thanks in advance; if not, I hope Linc Davis can, as this plea was originally posted for him.

I'm attempting to help 🙂…



This thread is solved, which means some users will simply ignore it, post a link here to a new thread if you or the owner creates one so interested parties can follow along. You can click Linc's name & view the history to see if he is currently active, it seems to me that he leaves old threads after offering advice on topics like this. When you have your own thread you can also award points, which encourages some users (who want the worthless tokens). Duplicates can be merged, but it is mostly when a user asks the same question over & over in new threads that patience runs out.


This topic is over a year old so the commands may have changed & are possibly irrelevant to the OS on your friend's Mac. The other 'keylogger / spyware thread' you linked is from 2012 - all newer OSes work differently to 10.6.8.


If you want a guess at how a person could be 'compromised' on a computer you should focus on asking about that - key loggers are only one possible option, another is a compromised network connection or other malware on the machine (or on other machines on the network). Running old software can also expose other security issues… many potential ways exist & these vary by OS version too.

Another option is that the friend chose terrible quality passwords & it was attacked by a bot that simply is out to get any accounts (or the password reset email account is already compromised). Some services have flaws that get hacked all the time. Use second factor/ 2 step authentication to limit the potential of this.


If the owner is in legal disputes they should contemplate making a full backup for investigators & start over with a clean install; it is the only way to be sure that an OS is not affected by anything malicious installed. Forensics professionals may be able to find a compromise, but that will be expensive, since law enforcement generally have better things to do than diagnose computer bugs or issues that can simply be a user misunderstanding how something operates.


Sorry these topics are a can of worms, giving us piecemeal info that is second hand makes it a long & arduous task to achieve anything. Too much speculation, too little info.



With that said I'll leave you to Linc Davis & the others here, good luck with it.
