Do I have unauthorized Keylogger malware on my Mac?

I was the victim of a phishing email link that I clicked on two days ago. I am concerned that the scam website I visited may have remotely placed a Keylogger program onto my personal Mac desktop.

I have run Intego, MacScan, and Malwarebytes for Mac to try to detect any Keylogger. However, I know from reading here that any Keylogger malware may elude such attempted detections.


I've followed Linc's Terminal instructions from a 2013 post below (though I had to restart my computer in between a couple of the steps). I'm hoping that Linc or someone knowledgeable in reading the results below can see if any Keylogger software is on my Mac. Any such software would be malware and unauthorized.


Note - the Admin account was used for Step 2 only (as the separate User account is the one that is possibly infected):


com.intego.kext.VirusBarrierKPI (10.6.22)
com.intego.kext.VirusBarrier.AppBarrierKPI (10.6.22)
com.intego.iokit.VBX6NKE (1)
com.intego.iokit.VirusBarrierX6Service (10.6.22)

Password:
com.intego.VirusBarrier.antivandal.hks
com.intego.VirusBarrier.scanner.memory
com.intego.VirusBarrierX6.realtime.daemon
com.malwarebytes.MBAMHelperTool
com.intego.VirusBarrierX6.scanner.daemon
com.intego.VirusBarrierX6.daemon
com.intego.task.manager.daemon
com.intego.netupdate.daemon
com.intego.commonservices.metrics.kschecker
com.intego.commonservices.icalserver
com.intego.commonservices.daemon

com.microsoft.entourage.database_daemon.30304
com.microsoft.autoupdate.fba.36112
com.microsoft.Word.11648
jp.co.canon.cijscannerregister.24320
com.hp.scanModule3.12000.3A7A67A0-3495-4484-8A7A-FB7B337D4635
com.intego.VirusBarrierX6.alert
com.intego.task.manager.notifier
com.intego.netupdate.agent
com.intego.commonservices.statusitem
com.google.keystone.user.agent
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

/Library/Extensions:
ATTOCelerityFC8.kext
ATTOExpressSASHBA2.kext
ATTOExpressSASRAID2.kext
ArcMSR.kext
CalDigitHDProDrv.kext
HighPointIOP.kext
HighPointRR.kext
PromiseSTEX.kext
SoftRAID.kext
hp_io_enabler_compound.kext

/Library/Frameworks:
AEProfiling.framework
AERegistration.framework
Adobe AIR.framework
AudioMixEngine.framework
EDWOCommon.framework
EDWOInternet.framework
IntegoiCalFramework.framework
NetUpdateShared.framework
NyxAudioAnalysis.framework
PluginManager.framework
TSLicense.framework
iTunesLibrary.framework

/Library/Input Methods:

/Library/Intego:
.virusbarrier_info
IM_ObjectiveMetrics.framework
IMailSenderTool
IntegoStatusItem.bundle
IntegoiCalServer
MIME.plist
TaskManager
im_helper_tool
im_ks_tool
integod
netupdated.bundle
virusbarrier.bundle

/Library/Internet Plug-Ins:
AdobePDFViewer.plugin
AdobePDFViewerNPAPI.plugin
CouponPrinter-FireFox_v2.plugin
CouponPrinter-Safari.webplugin
Default Browser.plugin
Disabled Plug-Ins
Flip4Mac WMV Plugin.plugin
JavaAppletPlugin.plugin
OfficeLiveBrowserPlugin.plugin
Quartz Composer.webplugin
Silverlight.plugin
iPhotoPhotocast.plugin
nsIQTScriptablePlugin.xpt

/Library/Keyboard Layouts:

/Library/LaunchAgents:
com.intego.VirusBarrierX6.alert.plist
com.intego.VirusBarrierX6.statusitem.plist
com.intego.commonservices.statusitem.plist
com.intego.netupdate.agent.plist
com.intego.task.manager.notifier.plist

/Library/LaunchDaemons:
com.intego.VirusBarrierX6.daemon.plist
com.intego.VirusBarrierX6.scanner.daemon.plist
com.intego.commonservices.daemon.plist
com.intego.commonservices.icalserver.plist
com.intego.commonservices.metrics.kschecker.plist
com.intego.netupdate.daemon.plist
com.intego.task.manager.daemon.plist
com.malwarebytes.MBAMHelperTool.plist

/Library/PreferencePanes:
Flip4Mac WMV.prefPane
NetUpdate.prefPane

/Library/PrivilegedHelperTools:
NetUpdateAgent.app
com.malwarebytes.MBAMHelperTool

/Library/QuickLook:
GBQLGenerator.qlgenerator
iBooksAuthor.qlgenerator
iWork.qlgenerator

/Library/QuickTime:
AppleIntermediateCodec.component
AppleMPEG2Codec.component
Flip4Mac WMV Advanced.component
Flip4Mac WMV Export.component
Flip4Mac WMV Import.component

/Library/ScriptingAdditions:

/Library/Services:
VirusBarrier X6 Service.service

/Library/Spotlight:
GBSpotlightImporter.mdimporter
Microsoft Office.mdimporter
iBooksAuthor.mdimporter
iWork.mdimporter

/Library/StartupItems:

/etc/mach_init.d:

/etc/mach_init_per_login_session.d:

/etc/mach_init_per_user.d:

Library/Address Book Plug-Ins:
SkypeABDialer.bundle
SkypeABSMS.bundle

Library/Fonts:

Library/Frameworks:
EWSMac.framework

Library/Input Methods:
.localized

Library/Internet Plug-Ins:
.DS_Store
Picasa.plugin

Library/Keyboard Layouts:

Library/LaunchAgents:
com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
com.google.keystone.agent.plist

Library/PreferencePanes:

Library/Services:
.localized

TomTomMyDriveConnectHelper, MyDriveConnect

OS X Mavericks (10.9.5)

Posted on Dec 27, 2015 12:39 PM

13 replies

Dec 28, 2015 4:29 PM in response to Eric Root

Thanks for your response. I'm really trying to avoid the whole erasing/reformatting idea if possible.

Unfortunately I did not have a backup at the time (it was accidentally erased just at the wrong time).

So hoping others on this board will concur with you that it doesn't look like there is any Keylogger software evident. I know there is no way to tell for sure though.


Whoops, it says the problem is solved, but I'm still looking for more learned opinions. I just meant to say that Eric's answer was "helpful".

Dec 28, 2015 5:06 PM in response to KenB1

  • If you had a keylogger or other malware, the only path that's likely to work with any certainty is to reinstall.
  • Change all your passwords locally, remotely, and on the mail servers, etc.
  • Once any add-on software has been authorized via administrative password, all of your data is potentially uploaded.
  • The usual approach is to roll in backups from prior to the breach, and preferably a backup that was disconnected during the breach.
  • AV tools are of comparatively low value beyond what Gatekeeper can do for you (App Store and Developer ID, and that's not a particularly great deal of assurance), and may well end up causing stability or security problems — some of those packages have themselves had large holes. An increasing number of the threats in recent times are what you've experienced — phishing and bogus downloads.
  • Listings will tell you that something that's called itself (for instance) com.microsoft.Word.11648 is installed. Not what that really is. This is why listings don't really help.
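
The last bullet is the practical point: a launchd listing shows labels, and a label is whatever the plist author typed. The check that actually tells you something is to open each plist, find the binary it runs, and ask codesign who signed that binary. The script below is an added example for this thread, not code from the original post or from Apple or Intego. It assumes the standard launchd plist keys (Label, Program, ProgramArguments) and the codesign tool on macOS; the two sample plists are constructed stand-ins for files on disk, and the com.apple.softwareupdate.helper job in them is a hypothetical impostor used to show what a flagged entry looks like, not a real finding from the poster's listing.

```python
"""Audit launchd jobs by the binary they actually run, not by their label.

Added example, not from the original thread. Assumptions: standard launchd
plist keys (Label, Program, ProgramArguments); codesign exists on macOS; the
SAMPLE_PLISTS below are constructed, and the com.apple.* one is hypothetical.
"""
import os
import plistlib
import subprocess
import sys

# Directories launchd consults for third-party and per-user jobs (what Linc's listing walks).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                os.path.expanduser("~/Library/LaunchAgents")]
# Any local user can write here; a daemon launched from here is a red flag.
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# A job that launches an interpreter keeps its real payload in a script argument.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash", "zsh", "osascript"}

SAMPLE_PLISTS = {  # constructed sample data, not read from the poster's machine
    "/Library/LaunchAgents/com.google.keystone.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
</dict></plist>""",
    "/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python</string>
    <string>/Users/Shared/.cache/agent.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


def job_program(plist_bytes):
    """Return (label, program, argv) for one plist; Program wins over argv[0]."""
    d = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    argv = [str(a) for a in d.get("ProgramArguments", [])]
    program = d.get("Program") or (argv[0] if argv else None)
    return d.get("Label", ""), program, argv


def suspicion_reasons(plist_path, label, program, argv, check_disk=True):
    """Heuristics about what the job runs, ignoring what it calls itself."""
    if program is None:
        return ["no Program or ProgramArguments"]
    reasons = []
    # Apple's own jobs live under /System/Library; an Apple-style label elsewhere is impersonation.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
        reasons.append("Apple-style label outside /System/Library")
    for path in [program] + argv[1:]:
        if path.startswith(WRITABLE_DIRS):
            reasons.append("runs from world-writable location: " + path)
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("hidden path component: " + path)
    if os.path.basename(program) in INTERPRETERS:
        reasons.append("interpreter job, payload is a script: " + " ".join(argv[1:]))
    if check_disk and not os.path.exists(program):
        reasons.append("program missing on disk")
    return reasons


def codesign_info(program):
    """Who signed the binary, per codesign (macOS only; codesign reports on stderr)."""
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", program],
                          capture_output=True, text=True)
    return proc.stderr.strip() or proc.stdout.strip()


def audit(plists, check_disk=True):
    """Map plist path -> {label, program, reasons, codesign} for every job given."""
    report = {}
    for path, data in plists.items():
        label, program, argv = job_program(data)
        report[path] = {
            "label": label, "program": program,
            "reasons": suspicion_reasons(path, label, program, argv, check_disk),
            "codesign": codesign_info(program) if (program and check_disk) else None,
        }
    return report


def plists_on_disk():
    """Read every .plist under LAUNCHD_DIRS (needs macOS; empty elsewhere)."""
    found = {}
    for d in LAUNCHD_DIRS:
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            if name.endswith(".plist"):
                with open(os.path.join(d, name), "rb") as f:
                    found[os.path.join(d, name)] = f.read()
    return found


if __name__ == "__main__":
    on_mac = sys.platform == "darwin"
    for path, info in audit(plists_on_disk() if on_mac else SAMPLE_PLISTS, on_mac).items():
        print("!!" if info["reasons"] else "ok", info["label"], "->", info["program"])
        for r in info["reasons"]:
            print("      ", r)
        if info["codesign"]:
            print("      ", info["codesign"].replace("\n", "\n       "))
```

On a Mac, run it as the user whose account is suspect and read the codesign lines: a signed vendor binary prints an Authority= chain ending in Apple Root CA, while an unsigned one prints "code object is not signed at all". The heuristics only raise a hand; a job that passes them is still only as trustworthy as its signer, and a signed job can still be unwanted.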

Dec 28, 2015 5:31 PM in response to MrHoffman

Thanks for your answer. I wanted to add an idea. Within 10 minutes of being phished, I checked my downloads file and found only downloads there I already knew were alright from before. In other words, the sparse downloads file showed no extra, unauthorized download at all. Should I take comfort in this fact in trying to determine if someone remotely installed Keylogger software onto my computer?

Dec 28, 2015 5:52 PM in response to KenB1

It's comparatively unlikely that a web site itself breached your Mac, unless you had a vulnerable version of Oracle Java or Adobe Flash Player around and no plug-in blocker, and one of the attacks against those tools. I also prefer to disable the automatic opening of "safe" downloads in Safari.


Now if the phished passwords were shared with other systems and/or if any additional access was granted beyond the browser — if any code was executed locally, such as one of the web tools that allow screen sharing and local access into your Mac — then things change. If this was an AppleID, for instance, change that password. An Apple ID can also be used to log into systems remotely via Back To My Mac, too.


The downloads folder? Downloads can go elsewhere via Save As..., and downloads can get cleaned up.


Want to be rather more certain? Wipe. Reinstall. Don't re-load any executable code from any of the post-breach backups. Change all your passwords. Check your firewall. Re-evaluate your backup strategy.
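
The point about the Downloads folder has a concrete check behind it: LaunchServices keeps its own record of quarantined downloads in a SQLite database in the user's Library, and that record outlives a file that was saved elsewhere or deleted. The script below is an added example, not code from the original thread. It assumes the com.apple.LaunchServices.QuarantineEventsV2 database and its LSQuarantineEvent table as shipped since OS X 10.7, with timestamps counted in seconds from 2001-01-01 UTC; CLICK_TIME is a hypothetical value for the phishing click, and the sample rows are constructed, not from the poster's machine.

```python
"""List downloads LaunchServices recorded after a given moment, even if the
files were later moved out of ~/Downloads or deleted.

Added example, not from the original thread. Assumptions: the QuarantineEventsV2
SQLite database and LSQuarantineEvent table (OS X 10.7+); Cocoa epoch timestamps;
CLICK_TIME is hypothetical and the sample rows are constructed.
"""
import datetime as dt
import os
import sqlite3

QUARANTINE_DB = os.path.expanduser(
    "~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
COCOA_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)
# Hypothetical moment of the phishing click ("two days" before the Dec 27, 2015 post).
CLICK_TIME = dt.datetime(2015, 12, 25, 12, 0, tzinfo=dt.timezone.utc)


def to_cocoa(t):
    """Seconds since 2001-01-01 UTC, the unit LSQuarantineTimeStamp uses."""
    return (t - COCOA_EPOCH).total_seconds()


def from_cocoa(seconds):
    return COCOA_EPOCH + dt.timedelta(seconds=seconds)


def downloads_since(conn, since):
    """Every quarantine event at or after `since`, oldest first."""
    rows = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineTimeStamp >= ? "
        "ORDER BY LSQuarantineTimeStamp", (to_cocoa(since),)).fetchall()
    return [{"time": from_cocoa(ts), "agent": agent, "url": url, "origin": origin}
            for ts, agent, url, origin in rows]


def build_sample_db():
    """In-memory database with the table's key columns and two constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentBundleIdentifier TEXT,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    rows = [  # constructed sample events; domains are reserved example names
        ("E1", dt.datetime(2015, 12, 20, 9, 30, tzinfo=dt.timezone.utc),
         "com.apple.Safari", "Safari",
         "https://www.example.com/report.pdf", "https://www.example.com/"),
        ("E2", dt.datetime(2015, 12, 25, 12, 41, tzinfo=dt.timezone.utc),
         "com.apple.Safari", "Safari",
         "http://login-verify.example/update.dmg", "http://login-verify.example/"),
    ]
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?)",
                     [(i, to_cocoa(t), b, a, u, o) for i, t, b, a, u, o in rows])
    conn.commit()
    return conn


if __name__ == "__main__":
    if os.path.exists(QUARANTINE_DB):
        # Open read-only so the check itself does not touch the evidence.
        conn = sqlite3.connect("file:" + QUARANTINE_DB + "?mode=ro", uri=True)
    else:
        conn = build_sample_db()
    for e in downloads_since(conn, CLICK_TIME):
        print(e["time"].isoformat(), e["agent"], e["url"], "from", e["origin"])
```

Run it in the suspect user account and set CLICK_TIME to the real time of the click. The record is per user and only covers files that went through a quarantine-aware application (Safari, Mail, Messages and the like); something fetched by curl or dropped by an exploit never appears in it, so an empty result is evidence of absence only for ordinary browser downloads, which is the same limit MrHoffman puts on the Downloads folder.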

Dec 28, 2015 6:31 PM in response to MrHoffman

There was no local access granted. I simply clicked the email link, then left the scam website. Though I probably made another mistake in leaving that site by clicking on the site's pop up box "Leave Page" button. So, I didn't type in any passwords while on the site. Does that mean the AppleID (which I never typed in while on the site) may not need changing too? I'm not understanding how the AppleID may have been revealed in that process.

Dec 28, 2015 6:58 PM in response to KenB1

No one here can know what happened with that link.


No one here knows what your configuration is.


No one here knows whether there is a down-revision tool around which can be and was remotely exploited to execute code on your system.


We don't know. (Don't bet on anti-malware tools being able to find anything here, either.)


Best case? Nothing happened, nothing further needed, everything is fine.


Nasty case: reinstall from backups, or from distro, change passwords, etc.

Really nasty case (if you're a target that's worth the effort, or if you're affiliated with somebody that is a target): entirely replace all of your hardware and software.

Dec 29, 2015 10:20 AM in response to KenB1

BTW: check your firewall settings. Make sure your firewall has your ISP's preferred router address set and not some other router elsewhere, and also make sure your firewall's DNS settings are using your ISP or (maybe) to Google DNS servers 8.8.8.8 and 8.8.4.4. Some of these web sites attack the local firewall, and not your local computer. While you're looking at all that, also make sure the firmware in your firewall is current, and the passwords are not the default values.
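
From the Mac's side, the part of this check you can script is what resolvers and default gateway the machine is actually using: a router whose DNS has been changed hands the rogue resolvers down to the Mac over DHCP, and they show up as unexpected public addresses. The script below is an added example, not code from the original thread. It assumes the line formats of `scutil --dns` ("nameserver[0] : a.b.c.d") and `route -n get default` ("gateway: a.b.c.d"); the allowlist is the pair of Google resolvers named in the post plus whatever you add for your ISP, and the sample outputs are constructed, with 198.51.100.7 (a documentation address) standing in for a hijacked resolver.

```python
"""Compare the Mac's resolvers and default gateway with what you expect.

Added example, not from the original thread. Assumptions: scutil --dns and
route -n get default output formats; ALLOWED_RESOLVERS is yours to extend;
SAMPLE_* are constructed, with 198.51.100.7 playing the rogue resolver.
"""
import ipaddress
import re
import subprocess
import sys

# Public resolvers you chose on purpose (the thread names Google's); add your ISP's.
ALLOWED_RESOLVERS = ["8.8.8.8", "8.8.4.4"]
# Addresses that can only be your own LAN, loopback or link-local: never "rogue".
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")
GATEWAY_RE = re.compile(r"^\s*gateway:\s*(\S+)", re.MULTILINE)

SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 198.51.100.7
  if_index : 4 (en0)
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
"""
SAMPLE_ROUTE = """   route to: default
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: en0
"""


def parse_nameservers(scutil_output):
    return sorted(set(NAMESERVER_RE.findall(scutil_output)))


def parse_gateway(route_output):
    m = GATEWAY_RE.search(route_output)
    return m.group(1) if m else None


def is_lan(address):
    """True for RFC 1918, loopback and link-local addresses; False for anything else."""
    try:
        ip = ipaddress.ip_address(str(address).split("%")[0])  # drop IPv6 scope id
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)


def rogue_resolvers(nameservers, allowed=ALLOWED_RESOLVERS):
    """Resolvers that are neither on your LAN nor explicitly allowed."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    rogue = []
    for ns in nameservers:
        if is_lan(ns):
            continue
        try:
            ip = ipaddress.ip_address(ns.split("%")[0])
        except ValueError:
            rogue.append(ns)  # not even an IP: worth a look
            continue
        if not any(ip in net for net in allowed_nets):
            rogue.append(ns)
    return rogue


def check(scutil_output, route_output, allowed=ALLOWED_RESOLVERS):
    ns = parse_nameservers(scutil_output)
    gw = parse_gateway(route_output)
    return {"nameservers": ns, "gateway": gw,
            "rogue": rogue_resolvers(ns, allowed), "gateway_local": is_lan(gw)}


if __name__ == "__main__":
    if sys.platform == "darwin":
        scutil = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
        route = subprocess.run(["route", "-n", "get", "default"], capture_output=True, text=True).stdout
    else:
        scutil, route = SAMPLE_SCUTIL, SAMPLE_ROUTE
    result = check(scutil, route)
    print("resolvers:", ", ".join(result["nameservers"]) or "none")
    print("gateway:", result["gateway"], "(local)" if result["gateway_local"] else "(NOT local)")
    print("rogue resolvers:", ", ".join(result["rogue"]) or "none")
```

If the Mac only lists the router itself as its resolver, this check cannot see past it: the router forwards queries to whatever upstream DNS it was given, and that setting, along with the firmware version and the admin password the post mentions, has to be read from the router's own admin page.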

Dec 29, 2015 10:33 AM in response to MrHoffman

Thanks for all your info. One quick question: If I decide to be drastic and buy a new desktop Mac to start fresh, how do I make sure to only transfer my data to the new machine and not also transfer any malware to the new Mac? Is there a procedure I should follow to be safe and make sure any Keylogger or malware doesn't attach itself to my data transfer?

Dec 29, 2015 10:43 AM in response to KenB1

For most folks, rolling in backups is usually enough.


Ask yourself how valuable of a target are you here, how well-funded are you, and how much are your likely attackers willing to expend here.


Because if you're enough of a target to warrant a "burn it all down and replace it" approach, then you won't be transferring anything over from the pyre.


Also because if you're enough of a target to warrant anything more advanced than a roll-in-the-backups or a wipe-and-install approach and with new passwords all around, then you'll want to acquire help specific to your situation, too.
