
Perfect Key Logger on Macbook pro?

Hi,


I have reason to believe my boyfriend has downloaded a key logger onto my computer. I started noticing weird programs being downloaded that had to do with unarchiving files and unencrypting text and I looked into it and found an icon that said "PKL.app". So I googled it and perfect key logger came up. I tried to download it myself and when I did, it would download and never open. I know they are supposed to open the first time but then otherwise run in the background and only open with hot keys. I have tried a couple of variations with no luck. When I click the PKL.app icon (I saved it to my desktop after I found it) and press "open" nothing happens. If I press "get info" it says the date it was downloaded, last time it was opened, etc. Also, within the "get info" area on the app icon there is an option to click that says "hide extensions" which is clicked and I am unable to unclick it. He has open access to my computer and I haven't had any credit card theft or anything like that which leads me to believe it is someone that doesn't have a desire to do anything other than on my personal level. Can someone take a look at what the terminal showed and give me any insight? If nothing shows up does anyone know what this PKL app that I can't open is? Also I tried removing the app and it wouldn't let me. Here are my terminal results:


Last login: Thu Feb 12 20:41:34 on ttys000

(name deleted for privacy)-MacBook-Pro-2:~ (name deleted for privacy)$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

com.zeobit.kext.Firewall (2.3.4)

(name deleted for privacy)-MacBook-Pro-2:~ (name deleted for privacy)$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

com.zeobit.MacKeeper.AntiVirus

com.microsoft.office.licensing.helper

com.adobe.fpsaud

(name deleted for privacy)-MacBook-Pro-2:~ (name deleted for privacy)$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.zeobit.MacKeeper.Helper

com.spotify.webhelper

com.google.keystone.user.agent

com.BT.PKL

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

(name deleted for privacy)-MacBook-Pro-2:~ (name deleted for privacy)$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:



/Library/Extensions:

hp_io_enabler_compound.kext



/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt



/Library/Keyboard Layouts:



/Library/LaunchAgents:



/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.apple.remotepairtool.plist

com.microsoft.office.licensing.helper.plist

com.zeobit.MacKeeper.AntiVirus.plist



/Library/PreferencePanes:

Flash Player.prefPane



/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper



/Library/QuickLook:

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component



/Library/ScriptingAdditions:



/Library/Spotlight:

Microsoft Office.mdimporter

iWork.mdimporter



/Library/StartupItems:



/etc/mach_init.d:



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Plug-Ins:



Library/Keyboard Layouts:



Library/LaunchAgents:

com.BT.PKL.plist

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.45B48A27-9871-4335-99D8-FA1FA534FCE0.plist

com.apple.CSConfigDotMacCert-(email deleted for privacy)SharedServices.Agent.plist

com.google.keystone.agent.plist

com.spotify.webhelper.plist

com.zeobit.MacKeeper.Helper.plist



Library/PreferencePanes:

(name deleted for privacy)-MacBook-Pro-2:~ (name deleted for privacy)$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Dropbox, AdobeResourceSynchronizer, Google Drive

(name deleted for privacy)-MacBook-Pro-2:~ (name deleted for privacy)$

MacBook Pro with Retina display, iOS 8.1.3

Posted on Feb 12, 2015 9:16 PM
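
Added example, not part of the original post: the listing above shows com.BT.PKL.plist in the user's Library/LaunchAgents, and the natural next check is to read what each job in that folder launches and whether it starts automatically. This Python sketch does that with plistlib; the sample plist, its placeholder program path and the EXPECTED_PREFIXES allow-list are constructed assumptions, not values from the poster's machine.

```python
import plistlib
from pathlib import Path

# Label prefixes treated as expected (assumption; adjust for the machine at hand).
EXPECTED_PREFIXES = ("com.apple.",)

# Constructed sample job; the program path is a placeholder, not a real location.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.BT.PKL</string>
  <key>ProgramArguments</key>
  <array><string>/PLACEHOLDER/PKL.app/Contents/MacOS/PKL</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def summarize_agent(plist_bytes):
    """Return the launchd job fields that decide what runs and when."""
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    argv = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    return {
        "label": job.get("Label", ""),
        "command": list(argv),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),  # may be a dict of conditions
    }

def triage(agents_dir):
    """Summarize every plist in a LaunchAgents folder and mark jobs to review."""
    report = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            info = summarize_agent(path.read_bytes())
        except Exception as exc:  # unreadable or malformed plist: review by hand
            report.append({"file": path.name, "error": str(exc), "review": True})
            continue
        info["file"] = path.name
        # A label that differs from the file name deserves a second look.
        info["label_mismatch"] = info["label"] != path.stem
        # Review anything outside the allow-list that starts on its own.
        info["review"] = (not info["label"].startswith(EXPECTED_PREFIXES)
                          and (info["run_at_load"] or info["keep_alive"]))
        report.append(info)
    return report

if __name__ == "__main__":
    print(summarize_agent(SAMPLE))
    for row in triage(Path.home() / "Library/LaunchAgents"):
        print(row)
```

The "command" field is the file to examine or preserve; a "review" flag only means the job is third-party and self-starting, which is also true of the legitimate updaters in the listing.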


Feb 13, 2015 3:34 PM in response to luxelifemomma

Yes, a keylogger is installed. What you should do next depends on the circumstances.

If you're an adult, and the keylogger was installed on your personal computer without your permission, then the computer may be evidence of a crime or a civil wrong. Consider the legal implications before you do anything. Assume that everything you've done with the computer is known to the party who installed the keylogger.

If you just want to clean up the machine, see below.

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated. Don't reinstall "MacKeeper," which is a scam.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

Feb 13, 2015 9:41 PM in response to Linc Davis

Thank you for your help Linc. The "get info" on the program says it was downloaded about a year ago. Is that an accurate thing to trust? Also I have several programs that I got from friends and wouldn't be able to get again that are fairly expensive like Rosetta Stone and Microsoft office suite. If I completely restore my computer would it be possible to salvage those programs? And I'm sorry I'm not super tech savvy but you said I can't transfer files and folders? So basically will all my stuff no longer be possible to use on the computer? I'm talking things like pictures and basically school and work stuff like power points, word docs, etc. I really appreciate the help. I've pretty much known about the PKL for like 2 months now and haven't dealt with it because I don't really understand and I don't want to lose everything.

Feb 13, 2015 10:06 PM in response to luxelifemomma

"Is that an accurate thing to trust?"

No.

"I have several programs that I got from friends"

What you have is pirated software. You're not asking for a lecture in morality and I'm not going to give you one. Using pirated software, no matter where you get it, is the surest way to be infected with malware. There's also a risk of being sued for copyright infringement. I understand that the publisher of "Rosetta Stone" is quite aggressive in pursuing unlicensed end users. The program may be sending out information that could be used against you in court.


However, it's your computer and your life. If you prefer, you can contact the developer of the keylogger and ask for instructions to remove it. Whether those instructions will work, I have no way of knowing. Whether any other harmful software is present, I can't be sure.
