KenB1

Q: Do I have unauthorized Keylogger malware on my Mac?

I was the victim of a phishing email link that I clicked on two days ago. I am concerned that the scam website I visited may have remotely placed a Keylogger program onto my personal Mac desktop.


I have run Intego, MacScan, and Malwarebytes for Mac to try to detect any Keylogger. However, I know from reading here that any Keylogger malware may elude such attempted detections.

 

I've followed Linc's Terminal instructions from a 2013 post below (though I had to restart my computer in between a couple of the steps). I'm hoping that Linc or someone knowledgeable in reading the results below can see if any Keylogger software is on my Mac. Any such software would be malware and unauthorized.

 

Note - the Admin account was used for Step 2 only (as the separate User account is the one that is possibly infected):


 

com.intego.kext.VirusBarrierKPI (10.6.22)

com.intego.kext.VirusBarrier.AppBarrierKPI (10.6.22)

com.intego.iokit.VBX6NKE (1)

com.intego.iokit.VirusBarrierX6Service (10.6.22)

 

 

Password:

com.intego.VirusBarrier.antivandal.hks

com.intego.VirusBarrier.scanner.memory

com.intego.VirusBarrierX6.realtime.daemon

com.malwarebytes.MBAMHelperTool

com.intego.VirusBarrierX6.scanner.daemon

com.intego.VirusBarrierX6.daemon

com.intego.task.manager.daemon

com.intego.netupdate.daemon

com.intego.commonservices.metrics.kschecker

com.intego.commonservices.icalserver

com.intego.commonservices.daemon

 

 

com.microsoft.entourage.database_daemon.30304

com.microsoft.autoupdate.fba.36112

com.microsoft.Word.11648

jp.co.canon.cijscannerregister.24320

com.hp.scanModule3.12000.3A7A67A0-3495-4484-8A7A-FB7B337D4635

com.intego.VirusBarrierX6.alert

com.intego.task.manager.notifier

com.intego.netupdate.agent

com.intego.commonservices.statusitem

com.google.keystone.user.agent

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae



/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext

hp_io_enabler_compound.kext

 

/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

Adobe AIR.framework

AudioMixEngine.framework

EDWOCommon.framework

EDWOInternet.framework

IntegoiCalFramework.framework

NetUpdateShared.framework

NyxAudioAnalysis.framework

PluginManager.framework

TSLicense.framework

iTunesLibrary.framework

 

/Library/Input Methods:

 

/Library/Intego:

.virusbarrier_info

IM_ObjectiveMetrics.framework

IMailSenderTool

IntegoStatusItem.bundle

IntegoiCalServer

MIME.plist

TaskManager

im_helper_tool

im_ks_tool

integod

netupdated.bundle

virusbarrier.bundle

 

/Library/Internet Plug-Ins:

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

CouponPrinter-FireFox_v2.plugin

CouponPrinter-Safari.webplugin

Default Browser.plugin

Disabled Plug-Ins

Flip4Mac WMV Plugin.plugin

JavaAppletPlugin.plugin

OfficeLiveBrowserPlugin.plugin

Quartz Composer.webplugin

Silverlight.plugin

iPhotoPhotocast.plugin

nsIQTScriptablePlugin.xpt

 

/Library/Keyboard Layouts:

 

/Library/LaunchAgents:

com.intego.VirusBarrierX6.alert.plist

com.intego.VirusBarrierX6.statusitem.plist

com.intego.commonservices.statusitem.plist

com.intego.netupdate.agent.plist

com.intego.task.manager.notifier.plist

 

/Library/LaunchDaemons:

com.intego.VirusBarrierX6.daemon.plist

com.intego.VirusBarrierX6.scanner.daemon.plist

com.intego.commonservices.daemon.plist

com.intego.commonservices.icalserver.plist

com.intego.commonservices.metrics.kschecker.plist

com.intego.netupdate.daemon.plist

com.intego.task.manager.daemon.plist

com.malwarebytes.MBAMHelperTool.plist

 

/Library/PreferencePanes:

Flip4Mac WMV.prefPane

NetUpdate.prefPane

 

/Library/PrivilegedHelperTools:

NetUpdateAgent.app

com.malwarebytes.MBAMHelperTool

 

/Library/QuickLook:

GBQLGenerator.qlgenerator

iBooksAuthor.qlgenerator

iWork.qlgenerator

 

/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component

Flip4Mac WMV Advanced.component

Flip4Mac WMV Export.component

Flip4Mac WMV Import.component

 

/Library/ScriptingAdditions:

 

/Library/Services:

VirusBarrier X6 Service.service

 

/Library/Spotlight:

GBSpotlightImporter.mdimporter

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter

 

/Library/StartupItems:

 

/etc/mach_init.d:

 

/etc/mach_init_per_login_session.d:

 

/etc/mach_init_per_user.d:

 

Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle

 

Library/Fonts:

 

Library/Frameworks:

EWSMac.framework

 

Library/Input Methods:

.localized

 

Library/Internet Plug-Ins:

.DS_Store

Picasa.plugin

 

Library/Keyboard Layouts:

 

Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.google.keystone.agent.plist

 

Library/PreferencePanes:

 

Library/Services:

.localized

 

 

TomTomMyDriveConnectHelper, MyDriveConnect

OS X Mavericks (10.9.5)

Posted on Dec 27, 2015 12:39 PM


  • Eric Root, Level 9 (73,966 points), Dec 28, 2015 4:25 PM, in response to KenB1 [marked Helpful]

    Nothing there looks abnormal to me. If you are concerned, you should erase and reformat your hard drive, then restore your computer from a backup made prior to when you visited the website. Change your passwords and other critical information also. You don't know what software might have been installed.

  • KenB1, Level 1 (0 points), Dec 28, 2015 4:29 PM, in response to Eric Root [marked Solved]

    Thanks for your response. I'm really trying to avoid the whole erasing/reformatting idea if possible.

    Unfortunately I did not have a backup at the time (it was accidentally erased just at the wrong time).

    So I'm hoping others on this board will concur with you that it doesn't look like there is any Keylogger software evident. I know there is no way to tell for sure though.

    Whoops, it says the problem is solved, but I'm still looking for more learned opinions. I just meant to say that Eric's answer was "helpful".

  • Eric Root, Level 9 (73,966 points), Dec 28, 2015 4:56 PM, in response to KenB1

    You are welcome.

  • MrHoffman, Level 6 (15,637 points), Dec 28, 2015 5:06 PM, in response to KenB1

    • If you had a keylogger or other malware, the only path that's likely to work with any certainty is to reinstall.
    • Change all your passwords locally, remotely, and on the mail servers, etc.
    • Once any add-on software has been authorized via administrative password, all of your data is potentially uploaded.
    • The usual approach is to roll in backups from prior to the breach, and preferably a backup that was disconnected during the breach.
    • AV tools are of comparatively low value beyond what Gatekeeper can do for you (App Store and Developer ID, and that's not a particularly great deal of assurance), and may well end up causing stability or security problems — some of those packages have themselves had large holes.   An increasing number of the threats in recent times are what you've experienced — phishing and bogus downloads.
    • Listings will tell you that something that's called itself (for instance) com.microsoft.Word.11648 is installed.  Not what that really is.  This is why listings don't really help.
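    A small script, added here and not from the thread or from Apple, that follows up the point above: instead of trusting a job's label, it reads each launchd plist and reports the executable the job actually runs, flagging executables outside the usual install locations. The two plists are constructed samples (the first reuses the Malwarebytes helper path from KenB1's listing, the second is hypothetical), and the TRUSTED_PREFIXES list is an assumed heuristic, not an Apple rule.

```python
"""Resolve launchd job labels to the executables they actually run.
Added example, not from the thread or Apple; plistlib is standard library."""
import plistlib
from pathlib import Path
from typing import Optional
# Assumed heuristic: normal installs live under these prefixes; an executable
# elsewhere (home folder, /tmp, hidden directory) deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")

def job_executable(plist_bytes: bytes) -> tuple:
    """Return (Label, executable): launchd runs Program, else ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program")
    if program is None:
        args = job.get("ProgramArguments") or []
        program = args[0] if args else None
    return job.get("Label", "<no Label>"), program

def is_suspicious(path: Optional[str]) -> bool:
    """Flag a missing path, a hidden path component, or an untrusted prefix."""
    if path is None:
        return True
    if any(part.startswith(".") for part in Path(path).parts):
        return True
    return not path.startswith(TRUSTED_PREFIXES)

def audit(plists: dict) -> dict:
    """Map plist filename -> (label, executable, suspicious?)."""
    report = {}
    for name, data in plists.items():
        label, exe = job_executable(data)
        report[name] = (label, exe, is_suspicious(exe))
    return report

# Constructed samples: the first mirrors the Malwarebytes helper path in KenB1's
# listing; the second is hypothetical, a tidy label hiding a binary in a dotdir.
SAMPLE_PLISTS = {
    "com.malwarebytes.MBAMHelperTool.plist": plistlib.dumps({
        "Label": "com.malwarebytes.MBAMHelperTool",
        "Program": "/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool",
    }),
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Users/ken/.cache/updater", "--quiet"],
    }),
}
if __name__ == "__main__":
    for name, (label, exe, flag) in audit(SAMPLE_PLISTS).items():
        print(f"{'CHECK' if flag else 'ok'}\t{label} -> {exe}")
```

    On a real Mac you would feed it the files from the /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents directories that appear in the listing, then verify any flagged binary further (for example with codesign) before drawing conclusions.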
  • KenB1, Level 1 (0 points), Dec 28, 2015 5:31 PM, in response to MrHoffman

    Thanks for your answer. I wanted to add an idea. Within 10 minutes of being phished, I checked my downloads file and found only downloads there I already knew were alright from before. In other words, the sparse downloads file showed no extra, unauthorized download at all. Should I take comfort in this fact in trying to determine if someone remotely installed Keylogger software onto my computer?

  • MrHoffman, Level 6 (15,637 points), Dec 28, 2015 5:52 PM, in response to KenB1

    It's comparatively unlikely that a web site itself breached your Mac, unless you had a vulnerable version of Oracle Java or Adobe Flash Player around and no plug-in blocker, and one of the attacks against those tools.   I also prefer to disable the automatic opening of "safe" downloads in Safari.

     

    Now if the phished passwords were shared with other systems and/or if any additional access was granted beyond the browser — if any code was executed locally, such as one of the web tools that allow screen sharing and local access into your Mac — then things change.   If this was an AppleID, for instance, change that password.   An Apple ID can also be used to log into systems remotely via Back To My Mac, too.

     

    The downloads folder?   Downloads can go elsewhere via Save As..., and downloads can get cleaned up.

     

    Want to be rather more certain?   Wipe.   Reinstall.  Don't re-load any executable code from any of the post-breach backups.   Change all your passwords.  Check your firewall.   Re-evaluate your backup strategy.

  • KenB1, Level 1 (0 points), Dec 28, 2015 6:31 PM, in response to MrHoffman

    There was no local access granted. I simply clicked the email link, then left the scam website. Though I probably made another mistake in leaving that site by clicking on the site's pop-up box "Leave Page" button. So, I didn't type in any passwords while on the site. Does that mean the AppleID (which I never typed in while on the site) may not need changing too? I'm not understanding how the AppleID may have been revealed in that process.

  • MrHoffman, Level 6 (15,637 points), Dec 28, 2015 6:58 PM, in response to KenB1

    No one here can know what happened with that link.

     

    No one here knows what your configuration is.

     

    No one here knows whether there is a down-revision tool around which can be and was remotely exploited to execute code on your system.

     

    We don't know.   (Don't bet on anti-malware tools being able to find anything here, either.)

     

    Best case?  Nothing happened, nothing further needed, everything is fine.

     

    Nasty case: reinstall from backups, or from distro, change passwords, etc.


    Really nasty case (if you're a target that's worth the effort, or if you're affiliated with somebody that is a target): entirely replace all of your hardware and software.

  • MrHoffman, Level 6 (15,637 points), Dec 29, 2015 10:20 AM, in response to KenB1

    BTW: check your firewall settings.   Make sure your firewall has your ISP's preferred router address set and not some other router elsewhere, and also make sure your firewall's DNS settings are using your ISP's DNS servers or (maybe) Google's DNS servers 8.8.8.8 and 8.8.4.4.   Some of these web sites attack the local firewall, and not your local computer.   While you're looking at all that, also make sure the firmware in your firewall is current, and the passwords are not the default values.

  • KenB1, Level 1 (0 points), Dec 29, 2015 10:33 AM, in response to MrHoffman

    Thanks for all your info. One quick question: If I decide to be drastic and buy a new desktop Mac to start fresh, how do I make sure to only transfer my data to the new machine and not also transfer any malware to the new Mac? Is there a procedure I should follow to be safe and make sure any Keylogger or malware doesn't attach itself to my data transfer?

  • MrHoffman, Level 6 (15,637 points), Dec 29, 2015 10:43 AM, in response to KenB1

    For most folks, rolling in backups is usually enough.

     

    Ask yourself how valuable of a target are you here, how well-funded are you, and how much are your likely attackers willing to expend here. 

     

    Because if you're enough of a target to warrant a "burn it all down and replace it" approach, then you won't be transferring anything over from the pyre.

     

    Also because if you're enough of a target to warrant anything more advanced than a roll-in-the-backups or a wipe-and-install approach and with new passwords all around, then you'll want to acquire help specific to your situation, too.

  • KenB1, Level 1 (0 points), Dec 29, 2015 11:05 AM, in response to MrHoffman

    Oh no, it's not that I'm such a great target. I was just thinking of all options. And my computer's a little older, so it occurred to me it might be just easier to buy a new one instead of wiping and installing. Once I thought of that, the data transfer question arose.

  • MrHoffman, Level 6 (15,637 points), Dec 29, 2015 11:15 AM, in response to KenB1

    Likely via https://support.apple.com/en-us/HT204350, and omitting any applications.  If you have applications in your local login directories, get new copies of those.  Password changes, et al.