Key logger on my Mac - Help with re-install

Discussion in 'Mac Apps and Mac App Store' started by PreetinderBajwa, Aug 9, 2009.

?

What's the solution ?

Poll closed Aug 23, 2009.
  1. There're credible antimalware to solve this? Buy n run them ,no need 2 format etc?

    0 vote(s)
    0.0%
  2. U can never be sure, format & re-intall. Files & mails can be exported & bought back no problem !

    100.0%
  3. Format & re-install not sure abt malware hidding in mails & files & coming back to fresh install

    0 vote(s)
    0.0%
  4. This is the new age of Mac malware !

    0 vote(s)
    0.0%
  1. PreetinderBajwa macrumors regular

    Joined:
    May 30, 2009
    Location:
    HK
    #1
    Hi All,

    I have appended the original thread below... I have new question (assuming no way out and a fresh/clean install of OSX is the only way out)

    I have taken a time machine backup (of the suspect hard disk), another backup using an utility called IBackup and am also selecting particular folders (Document, Library, Music, Pictures, Zinio - digital magazines) and copying them over to a new disk.

    Tonight I will reinstal (wipe and intall) OSX. I want to ask everyone this :
    When I am getting the data back either through any one of the backups I have taken above, how can I make sure I don't get the damn spyware back ?
    I am wondring that I would need to install all applications/programme again manually because just simply restoring the applications folder is the highest risk ?

    The spyware is called DutyWatch 1.3a and is briefly listed on MacScan website under the Last tab at the top.

    Thanks in advance.

    Preetinder

    -------original post starts here---------

    Hi everyone, (Sorry this is longish)

    A very peculiar problem and scary one.

    I ran MacScan 2.6 - 2 days ago on my UMBP 17" and it picked up a keylogger and identified it as DutyWatch 1.3 and asked me to isolate the file :eek:, which I did. Stupidly enough I didn't check the location where it found it and am still regretting it. Anyway its one file only and its a 4kb file which opens with TextEdit and has funny 10 or so charcters in it. File name begins with opr00... (three dots are random 3 alphabets in files name)

    I ran MacScan again and it didn't find anything new. :) I have since then ran : IAntivirus and Intego InternetSecurity suite (Intego is always on my MBP)- and they didn't find anything. Intego had a few oddities I will tell you later. I did see intego scan like a 100+ of these Opr00... files in the scan but I couldn't find the location where it was scanning and when i search in spotlight they don't show up :eek:

    I ran Avast and ClamXav and they couldn't finish the scans , Avast showed 10000+ errors like err13, no threats but errors and then crashed.:mad: ClamXav also crashed but but 60% into the scan hadn't found anything. :mad:

    I then ran Sophos for Mac and it found 3 files in mail/spam box from a year ago which I knew were phishing links and a couple of files (from an year ago) that were in my external drive as trojans (.exe files I think) I have never used the files ever and they've been scanned by Intego atleast 10 times. :eek:

    So finaly, Macscan finds this one file, none of the other find the same file even though its still on desktop in a MacScan folder for quaratined files ! :eek:

    Now the oddities : :confused:

    When MacScan found the file, I quickly went to Intego Internet secutity/firewall to see whats happening, and saw atleast 10 items that were allowed to access internet but had no application names against them and were slightly greyed out as if embedded into the menu. I deleted them anyway (right click and disable). Changed the Firewall to strong and installed Little snitch to be doubly sure. the no name accessig web was oddity one. :eek:

    Oddity two, in Intego scan I saw 100+ opr00... files being scanned and I can't find them through spotlight. :eek:

    Oddity three, when I was using camino and watching you tube i could see the picture part of the webpage blinking/flashing every 2 secs like someone's taking a picture of the screen. It doesn't happen in Safari but in Camino. :eek:

    Oddity four, my disk space should have got utilized if someone was recording a lot of what is happenng on my MBP (the Macscan file was 19th July, so I presume the latest when the malware came onto my MBP would be 19th July) but that hasn't happened give or take a few MB I know the major files since I got the MBP and the can kind of account for the space used so far. :confused:

    Oddity five, little snitch hasn't found a funny outgoing connection so far.

    Oddity six, when i checked the Intego firewal/internet security (as mentioned earlier) I found that my default settings fo "protect against Trojans had one clicked off, I am sure I never did that and then when I changed default securiy to strong I found at least 3 of the "to be protected from Trojans in the list didn't have a tickin front of it". So I manually ticked them/switched them on.

    Lastly, there are no pirated software on the MBP all legit or downloaded trials from the official product websites. :eek:

    Yeah, and when I checked the DutyWatch on google :cool:, there is a company selling it as an employee productivity tracking software, and my MBP is my home MBP. My company is all windows only and they've given me a windows laptop for work.

    I have submitted the file and the screen shot of MacScan identifying message to MacScan guys to confirm if this is a false positive but I am still too scared ! :eek:

    Could this be the new age !! since there aren't many trojans, malware bad guy could buy legit software and then sneakily distribute and infect machines. And since these have legit signtures as programmes, the antivirus, antimalware and firewalls don't log and report these are threats ?

    And last question, if I format and re-instal my OS :(:mad: most of the programmes I can re-install from Disks etc but what about files and mails.... if I export them could I be inadvertently exporting the spyware also ? ahh.....:eek: :mad:

    Any of you who had the same/similar problem please advise :eek:
    Or someone who knows what are opr00... files ? Anyone strong in OSX security can advise please.


    I am too tempted to format and re-install my OSX.... but all the mails and files that i need to transfer and the malware hidding somewhere and possibly able to get ino the fresh installed OSX because (piggy backing) of need to transfer mails and files is scaring me to inaction....

    Help.......


    Preetinder
     
  2. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #2
    your computer does seem to be working oddly. Your post is intermingled with tons of emoticons that makes reading it, irritating.

    While its possible that you had malware, I'd have to say its unlikely especially given the fact that littlesnitch isn't reporting anything and there's really no news on others reports of such in the media or here.

    While keyloggers do exist for the mac, you'd have to allow it to be installed which leads me to the next question. Have you installed any shareware/freeware software lately?

    just because you saw opr... files being created doesn't mean something nefarious is occurring. This could be the result of some application creating it for their own purposes.

    For peace of mind, if you still think you have issues, then by all means the only option is to reformat and reinstall the OS (be sure you have a recent backup) but keep in mind what ever you did to allow it be installed in the first place cannot be repeated, that is be careful after you reformat/install OSX because you'll quickly find yourself in the same boat after all that work if you blindly install all apps and stuff back onto your computer.

    As I implied, there's no way for a keylogger to be installed on your computer w/o your knowledge. Unlike windows that can install activex in the background w/o any warning or interaction. That's not possible with OSX, you would need to be part of the install process by running something or granting permission.
     
  3. PreetinderBajwa thread starter macrumors regular

    Joined:
    May 30, 2009
    Location:
    HK
    #3
    Thanks,

    Thats what is perplexing me ! I have freeware/trial software but it is actually from the website of the company, like aperture, onyx etc . I am always very careful of downloading stuff for website other than the company which manufactures it.

    The re-install, format is going to be soooo painful !! specially with millions of updates that have to be re-downloaded and the most scary part... parallels. Now I wonder sometimes if its worth buying upgrade software online/digital edition because i have to install the first version from disk and then give new codes for the upgrade...eeks so tedious.

    I have sent the suspect file to MacScan guys, they asked me to send it. Lets see what they say.

    Will keep you posted.

    cheers
     
  4. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    Just because a scan finds a file, doesn't mean it's a harmful file or one that effects Macs. Virus software does find false positives at times (finding malicious files that are not actually malicious).

    Spotlight is set to only look in your home directory, that is why it didn't find those files. You would need to use the Find feature from a Finder window and set it up so it searches system files as well.

    I don't see anything in your post that would make me think you have malicious software installed. Your company may have something installed doing some monitoring though, potentially. The opr files could be created by a program. Many programs create weird looking files. Your oddities simply don't look that odd to myself. That's not to say there's nothing wrong with your machine, but it's less likely to be a malicious application than an other issue.
     

Share This Page