# How do I detect and REMOVE a potential Keylogger???



## cmae

*How do I detect and REMOVE a potential Keylogger??? Please help!*

I think someone may have installed a key logger on my computer and I want it gone!! 
How do I 1. Find out if there is one and 2. if there is, REMOVE it. 

I may need to be walked through this... Also, is there any free antispyware out there I can run to detect it?

THANKS!


----------



## sinclair_tm

What makes you think there is one? Keyloggers for Macs are far and few, and all must have the admin password to even install. So if there is one, it means it was installed by someone that has the admin password to your Mac, which would concern me more. But if you are worried, there is an app called Little Snitch that watches all traffic to and from your Mac on the network, and you can tell it what to allow. As for removing a keylogger, you'd have to know where it is installed, and where all the files that go with it are, and delete them. As for antivirus/spyware software for the Mac, there is some out there, but I can not recommend any as I don't use them, as I feel there is no need to, yet.


----------



## cmae

A "friend" has my password b/c he set up my new computer and transferred programs and such from his computer so I wouldn't have to reinstall them. I downloaded Little Snitch but am a bit confused as to how it works. From my understanding, when my "logs" are getting ready to be sent wherever (from the keylogger program), it'll ask me if it's ok to do so beforehand? I know that this person has had access to my email accounts b/c he has been able to read sensitive information transmitted through them. A friend recommended that I download and run http://www.iantivirus.com/ and I have done so with nothing coming up. I just want to be able to send emails and chats without being spied on. Any other suggestions?

Should I deny connections to any of the following? (copied and pasted from Little Snitch)
-
action: allow
process: any
destination: 169.254.0.0/16
port: any
protocol: any
help: This rule covers the "rendezvous" zeroconf address space which isn't routed over the Internet and only valid within your local network.

action: allow
process: any
destination: multicast-IPv6
port: any
protocol: any
help: This rule covers the IPv6 multicast addresses within the Link-Local Scope. The Link-Local Scope is limited to your local network and therefore this address space won't be routed over the Internet.

action: allow
process: any
destination: broadcast
port: any
protocol: any
help: Broadcasts are limited to your local network and won't be routed over the Internet. You may deny broadcasts for specific applications, but you shouldn't disallow broadcasts at all since several system services rely on broadcast communication.

action: allow
process: any
destination: local-net-IPv6
port: any
protocol: any
help: "local IPv6 network" represents IPv6 addresses within your home or company network.\n\nIt covers the entire IPv6 Link-Local Scope address space. The Link-Local Scope is limited to your local network and therefore this address space won't be routed over the Internet.

action: allow
process: any
destination: local-net-IPv4
port: any
protocol: any
help: This rule covers the ip range of your home or company network.\n\n"local network" covers all your local networks on all your active network cards (including airport and so on). It is computed from the network interface's current IP address and netmask (depending on the number of active network interfaces it can stand for more than one IP-range). And it is recomputed if you change your "Location".

action: allow
process: any
destination: multicast-IPv4
port: any
protocol: any
help: This rule covers the full multicast addresses IP range 224.0.0.0/4 or 224.0.0.0 - 239.255.255.255. These addresses can be used for efficient distribution of (e.g.) streaming data like internet radio, if your provider and the application you use support it.

action: allow
process: /Applications/Adium.app/Contents/MacOS/Adium
destination: any
port: 1863
protocol: 6
help: wants to connect to dp.msnmessenger.akadns.net on TCP port 1863 (msnp).

action: allow
process: /Applications/Adium.app/Contents/MacOS/Adium
destination: any
port: 443
protocol: 6
help: wants to connect to nexus.passport.com on TCP port 443 (https).

action: allow
process: /Applications/Adium.app/Contents/MacOS/Adium
destination: any
port: 5190
protocol: 6
help: wants to connect to login.oscar.aol.com on TCP port 5190 (aol).

action: allow
process: /Applications/Adium.app/Contents/MacOS/Adium
destination: any
port: 5222
protocol: 6
help: wants to connect to talk.google.com on TCP port 5222 (jabber-client).

action: allow
process: /usr/sbin/DirectoryService
destination: any
port: 53
protocol: any
help: Directory Services is a core part of the Mac OS X's Open Directory technology and may also be used for DNS lookups.

action: allow
process: /Applications/Firefox.app/Contents/MacOS/firefox-bin
destination: any
port: 443
protocol: 6
help: wants to connect to login.live.com on TCP port 443 (https).

action: allow
process: /Applications/Firefox.app/Contents/MacOS/firefox-bin
destination: any
port: 80
protocol: 6
help: wants to connect to pandora.com on TCP port 80 (http).

action: allow
process: /Applications/Front Row.app/Contents/MacOS/Front Row
destination: any
port: any
protocol: any

action: allow
process: /Applications/iChat.app/Contents/MacOS/iChat
destination: any
port: any
protocol: any

action: allow
process: /System/Library/Frameworks/InstantMessage.framework/iChatAgent.app/Contents/MacOS/iChatAgent
destination: any
port: any
protocol: any

action: allow
process: /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
destination: lcs.mac.com
port: 443
protocol: 6
help: wants to connect to lcs.mac.com on TCP port 443 (https).

action: allow
process: /Applications/Mail.app/Contents/MacOS/Mail
destination: any
port: 110
protocol: 6

action: allow
process: /Applications/Mail.app/Contents/MacOS/Mail
destination: any
port: 143
protocol: 6

action: allow
process: /Applications/Mail.app/Contents/MacOS/Mail
destination: any
port: 25
protocol: 6

action: allow
process: /Applications/Mail.app/Contents/MacOS/Mail
destination: any
port: 993
protocol: 6

action: allow
process: /Applications/Mail.app/Contents/MacOS/Mail
destination: any
port: 995
protocol: 6

action: allow
process: /usr/sbin/mDNSResponder
destination: any
port: any
protocol: 17
help: is necessary for local host name resolving.

action: allow
process: /Applications/Utilities/Network Utility.app/Contents/MacOS/Network Utility
destination: any
port: any
protocol: any

action: allow
process: /usr/bin/nmblookup
destination: any
port: 137
protocol: any
help: nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. Necessary for windows file sharing.

action: allow
process: /usr/sbin/ntpd
destination: any
port: 123
protocol: 17
help: ntpd is the network time daemon which synchronizes your clock with a network-time-server.

action: allow
process: /usr/sbin/ntpdate
destination: any
port: 123
protocol: 17
help: ntpdate immediately synchronizes your clock with a network-time-server.

action: allow
process: /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
destination: any
port: 80
protocol: 6
help: necessary if you like to have your bookmarked RSS Feeds up to date.

action: allow
process: /Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
destination: any
port: 554
protocol: 6
help: necessary to get real time streaming content.

action: allow
process: /Applications/Safari.app/Contents/MacOS/Safari
destination: any
port: 443
protocol: 6

action: allow
process: /Applications/Safari.app/Contents/MacOS/Safari
destination: any
port: 80
protocol: 6

action: allow
process: /Applications/System Preferences.app/Contents/MacOS/System Preferences
via: /usr/sbin/ntpdate
destination: any
port: 123
protocol: any
help: ntpdate immediately synchronizes your clock with a network-time-server.
-

Thank you again for helping me without making me feel patronized. Before posting here I read other forums that were unhelpful and pretty demeaning to someone who really just needs some help!!
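The rule export pasted in this post is plain "key: value" blocks separated by blank lines, so it can be triaged mechanically rather than read rule by rule. The script below is an added example written for this page; it is not from the poster or from Little Snitch. It parses an export in that format and reports two things a reviewer would want to see first: per-process allow rules with no destination or port restriction, and rules whose process binary lives outside the usual macOS locations. The export embedded in it is a constructed sample (a few rules modelled on the ones above plus one made-up odd path), and the list of "expected" path prefixes is an assumption for the demo.

```python
"""Triage a Little Snitch rule export (added example; constructed sample data).

Parses "key: value" blocks separated by blank lines or a lone "-" line,
then flags (a) rules that let a process reach any destination on any port
and (b) rules whose process path is outside the usual macOS binary locations.
"""
from typing import Dict, List

# Constructed sample export: three rules modelled on the forum post plus one
# made-up entry with an unusual path. Not real data from the poster's Mac.
SAMPLE_EXPORT = """\
action: allow
process: any
destination: 169.254.0.0/16
port: any
protocol: any
help: This rule covers the "rendezvous" zeroconf address space.

action: allow
process: /Applications/Adium.app/Contents/MacOS/Adium
destination: any
port: 5222
protocol: 6
help: wants to connect to talk.google.com on TCP port 5222 (jabber-client).

action: allow
process: /Applications/iChat.app/Contents/MacOS/iChat
destination: any
port: any
protocol: any

action: allow
process: /Library/Application Support/.hidden/updater
destination: any
port: any
protocol: any
"""

# Assumed locations where legitimately installed macOS binaries normally live.
# Anything elsewhere is not necessarily malicious, but deserves a second look.
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split the export into rules; each rule is a dict of its key/value lines."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # blank line or "-" delimiter ends a rule
            if current:
                rules.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        current[key.strip()] = value.strip()
    if current:
        rules.append(current)
    return rules


def wide_open_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Per-process allow rules with no destination and no port restriction."""
    return [r["process"] for r in rules
            if r.get("action") == "allow" and r.get("process") != "any"
            and r.get("destination") == "any" and r.get("port") == "any"]


def unusual_process_paths(rules: List[Dict[str, str]]) -> List[str]:
    """Processes whose executable sits outside EXPECTED_PREFIXES."""
    return sorted({r["process"] for r in rules
                   if r.get("process", "any") != "any"
                   and not r["process"].startswith(EXPECTED_PREFIXES)})


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_EXPORT)
    print(f"{len(parsed)} rules parsed")
    print("wide-open per-process rules:", wide_open_rules(parsed))
    print("unusual process paths:", unusual_process_paths(parsed))
```

Run against a real export, both lists are starting points, not verdicts: a wide-open rule for a known application (iChat in the sample) is normal, whereas a wide-open rule for a binary in a hidden directory is the kind of entry worth identifying before deciding whether to keep it.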


----------



## sinclair_tm

Well, everything listed there is normal for a Mac, so should be allowed. As for the email thing, how do you know they were read? Also, you do know that as email flies along the internet, it could be looked at by anyone with the right equipment/software. They don't need to ever touch your computer. That's why it is recommended never to send anything over email that you don't want seen. If you want to be sure that no one reads your stuff, then most email apps and chat apps have a secure message feature. I don't know how to use them, as it has never been a worry of mine. Look for something that talks about encrypting the message, or requiring a password to read.


----------



## planonoob

Macs are very good about keeping people away from installing this kind of software on your personal computer. The problem here seems to be that the person knew the password to begin with. If that is true then there are not very many things that you can do. Little Snitch, while a good app, will not be any help if the person is tech savvy and knows how to get through the security. It sounds to me like the person also has remote access to your Mac, which would easily be possible to set up if they have had physical contact with your computer and harder to do so if they have not. I'm sorry to tell you that if that is the case then anything that you have done on your computer is and can be monitored. I guess the question is: Who is using your system?! What kind of information do you have there? If you have any business information or anything that is highly confidential, do it on another computer!


----------



## cmae

It is an ex partner who keeps gaining access to private information (i.e. passwords and login names for email, portfolio and all other online accounts). Our computers were synced upon the arrival of my new one to avoid having to reinstall all programs. He put a keylogger on one of my other computers, also a MacBook Pro, and with the help of a techy friend I was able to remove it. It was called logkext and was free and downloadable from the internet. I am thinking it best to reformat the entire computer. How do I go about doing that? Thank you all for your help. This has been rough times!

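The keylogger named in the post above, logkext, is a kernel extension (the "kext" in its name), and on Mac OS X the `kextstat` command lists every loaded kernel extension with its bundle identifier and version. Checking that listing for anything not published by Apple is the first concrete detection step for that class of keylogger. The script below is an added example for this page, not from the poster or from the logkext project: it parses `kextstat` output and reports the non-Apple entries. The listing embedded in it is constructed for the demo, and the `com.example.keylogger.kext` bundle id is a placeholder, not logkext's real identifier.

```python
"""Report third-party kernel extensions from `kextstat` output (added example).

On a real Mac (OS X through 10.15) run `kextstat` and feed its output to
non_apple_kexts(). The listing below is constructed; the non-Apple bundle id
is a placeholder for the demo, not a real keylogger's identifier.
"""
import re
from typing import List, Tuple

# Constructed sample in kextstat's column layout:
# Index Refs Address Size Wired Name (Version) <Linked Against>
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   60 0xffffff7f80a00000 0x2000     0x2000     com.apple.kpi.bsd (12.0.0)
    2    5 0xffffff7f80a02000 0x3000     0x3000     com.apple.kpi.iokit (12.0.0)
   23    0 0xffffff7f80c10000 0x8000     0x8000     com.apple.driver.AppleHDA (2.3.1) <2 1>
   87    0 0xffffff7f81f00000 0x5000     0x5000     com.example.keylogger.kext (1.0) <2 1>
"""

# One data line: index, refs, three hex columns, bundle id, "(version)".
# The header line has no leading integer, so it never matches.
LINE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+"
    r"0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
)


def parse_kextstat(text: str) -> List[Tuple[int, str, str]]:
    """Return (index, bundle id, version) for each kext line, skipping the header."""
    kexts: List[Tuple[int, str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kexts.append((int(m["index"]), m["name"], m["version"]))
    return kexts


def non_apple_kexts(text: str) -> List[str]:
    """Bundle ids not under com.apple.; each one should have a known explanation."""
    return [name for _, name, _ in parse_kextstat(text)
            if not name.startswith("com.apple.")]


if __name__ == "__main__":
    for name in non_apple_kexts(SAMPLE_KEXTSTAT):
        print("third-party kext loaded:", name)
```

A non-Apple kext is not proof of a keylogger (virtualization software and some hardware drivers load kexts too), but each one should map to something the owner knowingly installed; one that does not is exactly what the poster's earlier cleanup would have turned up.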

----------



## sinclair_tm

Put in the OS X install/restore DVD that came with the Mac new and boot from it by holding down the c key when you start it up. Once it's loaded, you can tell it to reformat the drive before it installs the OS.


----------

