Hi All,
I have appended the original thread below... I have a new question (assuming there is no way out and a fresh/clean install of OSX is the only way out).
I have taken a Time Machine backup (of the suspect hard disk), another backup using a utility called IBackup, and am also selecting particular folders (Document, Library, Music, Pictures, Zinio - digital magazines) and copying them over to a new disk.
Tonight I will reinstall (wipe and install) OSX. I want to ask everyone this:
When I am getting the data back through any one of the backups I have taken above, how can I make sure I don't get the damn spyware back?
I am wondering whether I would need to install all applications/programmes again manually, because simply restoring the Applications folder is the highest risk?
The spyware is called DutyWatch 1.3a and is briefly listed on the MacScan website under the Last tab at the top.
Thanks in advance.
Preetinder
-------original post starts here---------
Hi everyone, (Sorry this is longish)
A very peculiar problem and scary one.
I ran MacScan 2.6 2 days ago on my UMBP 17" and it picked up a keylogger, identified it as DutyWatch 1.3 and asked me to isolate the file, which I did. Stupidly enough I didn't check the location where it found it and am still regretting it. Anyway, it's one file only and it's a 4kb file which opens with TextEdit and has 10 or so funny characters in it. The file name begins with opr00... (the three dots are 3 random letters in the file's name).
I ran MacScan again and it didn't find anything new.
I have since then run IAntivirus and Intego InternetSecurity suite (Intego is always on my MBP) and they didn't find anything. Intego had a few oddities I will tell you about later. I did see Intego scan like 100+ of these Opr00... files in the scan, but I couldn't find the location where it was scanning, and when I search in Spotlight they don't show up.
I ran Avast and ClamXav and they couldn't finish the scans. Avast showed 10000+ errors like err13, no threats but errors, and then crashed.
ClamXav also crashed, but 60% into the scan it hadn't found anything.
I then ran Sophos for Mac and it found 3 files in the mail/spam box from a year ago which I knew were phishing links, and a couple of files (from a year ago) that were in my external drive as trojans (.exe files I think). I have never used the files and they've been scanned by Intego at least 10 times.
So finally, MacScan finds this one file, and none of the others find the same file even though it's still on the desktop in a MacScan folder for quarantined files!
Now the oddities :
When MacScan found the file, I quickly went to Intego Internet security/firewall to see what's happening, and saw at least 10 items that were allowed to access the internet but had no application names against them and were slightly greyed out as if embedded into the menu. I deleted them anyway (right click and disable), changed the firewall to strong and installed Little Snitch to be doubly sure. The no-name items accessing the web were oddity one.
Oddity two, in the Intego scan I saw 100+ opr00... files being scanned and I can't find them through Spotlight.
Oddity three, when I was using Camino and watching YouTube I could see the picture part of the webpage blinking/flashing every 2 secs like someone's taking a picture of the screen. It doesn't happen in Safari but in Camino.
Oddity four, my disk space should have got utilized if someone was recording a lot of what is happening on my MBP (the MacScan file was 19th July, so I presume the latest when the malware came onto my MBP would be 19th July) but that hasn't happened, give or take a few MB. I know the major files since I got the MBP and can kind of account for the space used so far.
Oddity five, Little Snitch hasn't found a funny outgoing connection so far.
Oddity six, when I checked the Intego firewall/internet security (as mentioned earlier) I found that my default settings for "protect against Trojans" had one clicked off. I am sure I never did that, and then when I changed default security to strong I found at least 3 of the "to be protected from Trojans" in the list didn't have a tick in front of them. So I manually ticked them/switched them on.
Lastly, there is no pirated software on the MBP, all legit or downloaded trials from the official product websites.
Yeah, and when I checked DutyWatch on Google, there is a company selling it as employee productivity tracking software, and my MBP is my home MBP. My company is all Windows only and they've given me a Windows laptop for work.
I have submitted the file and the screenshot of the MacScan identifying message to the MacScan guys to confirm if this is a false positive, but I am still too scared!
Could this be the new age!! Since there aren't many trojans, a malware bad guy could buy legit software and then sneakily distribute it and infect machines. And since these have legit signatures as programmes, the antivirus, antimalware and firewalls don't log and report these as threats?
And last question, if I format and re-install my OS, most of the programmes I can re-install from disks etc., but what about files and mails.... if I export them could I be inadvertently exporting the spyware also? ahh.....

Any of you who had the same/similar problem please advise
Or someone who knows what are opr00... files ? Anyone strong in OSX security can advise please.
I am too tempted to format and re-install my OSX.... but all the mails and files that I need to transfer, and the malware hiding somewhere and possibly able to get into the fresh installed OSX (piggybacking) because of the need to transfer mails and files, is scaring me to inaction....
Help.......
Preetinder