Hi there, I'm having an issue. I am certain that there is a "keylogger" on my computer at the moment. My World of Warcraft password is being continually changed. Someone logged onto my account and stole all of my items. I changed my password, and they were on again today. I continue to find the password changed without my doing it.
What I'm trying to do now is figure out what the keylogger is, so that I can google it and find how to remove it.
I've installed a network monitor named Little Snitch. I'm watching it and these are the processes that have been using the internet thus far:
- ntpd (system clock synchronization)
- mDNSResponder (some network thing. Contacts my ISP, Charter, it looks like)
- Dropbox (? I used to use this.)
- Firefox (duh :])
- DirectoryService (don't understand what it does, seems legitimate)
- Dashboard Service (desktop apps?)
- Airport Base Station Agent (wireless music from upstairs, I think)
The only thing that seems like it could possibly be sending my "keys" would be Dropbox, right? Has anyone heard of a keylogger that uses Dropbox to send data? I admit I am not Mac savvy. :X Does anyone know if I can see just what is being sent/received via Dropbox? It just seems to be accessing the internet very frequently. Which makes sense, since it's for synching files, but it seems fishy (maybe I'm paranoid :X)
I'm going to attach here, as well, the results of entering the "ps -ef" command into Terminal. I'm not familiar with a large portion of these, and as such it's difficult for me to tell which seem legitimate.
Code:
Sh######:~ bunkerking1214$ ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.14 ?? 0:00.19 /sbin/launchd
0 10 1 0 0:01.08 ?? 0:04.17 /usr/libexec/kextd
0 11 1 0 0:00.51 ?? 0:01.09 /usr/sbin/DirectoryService
0 12 1 0 0:00.21 ?? 0:00.28 /usr/sbin/notifyd
0 13 1 0 0:00.08 ?? 0:00.17 /usr/sbin/syslogd
0 14 1 0 0:01.47 ?? 0:02.61 /usr/sbin/configd
1 15 1 0 0:00.25 ?? 0:00.55 /usr/sbin/distnoted
65 16 1 0 0:00.14 ?? 0:00.24 /usr/sbin/mDNSResponder -launchd
0 21 1 0 0:00.05 ?? 0:00.12 /usr/sbin/securityd -i
0 25 1 0 0:00.11 ?? 0:00.16 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
0 26 1 0 0:00.33 ?? 0:00.74 /usr/sbin/cupsd -l
0 27 1 0 0:00.10 ?? 0:00.46 /usr/sbin/httpd -D FOREGROUND
0 28 1 0 0:01.00 ?? 0:01.00 /usr/sbin/update
0 29 1 0 0:00.01 ?? 0:00.02 /sbin/SystemStarter
0 33 1 0 0:01.14 ?? 0:02.07 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds
501 34 1 0 0:01.04 ?? 0:02.19 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
0 35 1 0 0:00.00 ?? 0:00.00 /usr/sbin/KernelEventAgent
0 36 1 0 0:00.08 ?? 0:00.14 /usr/sbin/kdcmond -n -a
0 38 1 0 0:00.00 ?? 0:00.00 /usr/libexec/hidd
0 39 1 0 0:00.19 ?? 0:00.28 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Version
0 41 1 0 0:00.01 ?? 0:00.01 /sbin/dynamic_pager -F /private/var/vm/swapfile
0 44 1 0 0:00.07 ?? 0:00.15 /usr/sbin/diskarbitrationd
0 48 1 0 0:00.23 ?? 0:00.47 /usr/sbin/blued
0 49 1 0 0:00.01 ?? 0:00.01 autofsd
0 51 1 0 0:00.19 ?? 0:00.81 /usr/libexec/ApplicationFirewall/socketfilterfw
0 52 1 0 0:00.43 ?? 0:01.17 /Library/Little Snitch/lsd
0 57 1 0 0:00.85 ?? 0:01.58 /System/Library/CoreServices/coreservicesd
0 59 36 0 0:00.02 ?? 0:00.04 /usr/sbin/krb5kdc -n -r LKDC:SHA1.8F28A77D7B20653814284A845CF99C2E37C15D28
26 65 26 0 0:00.03 ?? 0:00.11 Canon_MP610_series 105 bunkerking1214 band pass.bmp 1 Resolution=600x600dpi AP_D_InputSlot= pserrorh
26 66 26 0 0:03.05 ?? 0:04.58 Canon_MP610_series 105 bunkerking1214 band pass.bmp 1 Resolution=600x600dpi AP_D_InputSlot= pserrorh
26 68 26 0 0:00.01 ?? 0:00.02 usb://Canon/MP610%20series?serial=101FA3 105 bunkerking1214 band pass.bmp 1 Resolution=600x600dpi AP
26 69 26 0 0:01.38 ?? 0:03.56 HP_Photosmart_C5200_series 135 bunkerking1214 Microsoft Word - Disc12-101Handout.doc 1 AP_D_InputSlo
26 70 26 0 0:00.02 ?? 0:00.02 usb://HP/Photosmart%20C5200%20series?serial=MY76EBD2S704XQ 135 bunkerking1214 Microsoft Word - Disc1
70 74 27 0 0:00.00 ?? 0:00.00 /usr/sbin/httpd -D FOREGROUND
88 108 1 0 0:24.54 ?? 0:59.11 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources
89 110 1 0 0:00.24 ?? 0:00.56 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/m
0 124 1 0 0:00.57 ?? 0:00.71 /Library/StartupItems/ParallelsTransporter/llipd
0 190 1 0 0:02.46 ?? 0:11.94 /Library/StartupItems/SymAutoProtect/SymAutoProtect nodaemon
0 264 1 0 0:00.07 ?? 0:00.13 /usr/sbin/nmbd -F
501 272 1 0 0:00.08 ?? 0:00.11 /sbin/launchd
0 284 1 0 0:00.29 ?? 0:00.38 /Library/StartupItems/Parallels/pvsnatd
501 307 1 0 0:00.23 ?? 0:00.63 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/m
501 318 272 0 0:01.40 ?? 0:09.27 /Library/Little Snitch/Little Snitch Network Monitor.app/Contents/MacOS/Little Snitch Network Monito
501 319 272 0 0:00.49 ?? 0:07.74 /Library/Little Snitch/Little Snitch UIAgent.app/Contents/MacOS/Little Snitch UIAgent
501 320 272 0 0:00.02 ?? 0:00.05 /Library/PrivilegedHelperTools/RazerDeathAdderDaemon.app/Contents/MacOS/RazerDeathAdderDaemon
501 321 272 0 0:00.03 ?? 0:00.08 /Library/Application Support/Tablet/PenTabletDriver.app/Contents/MacOS/PenTabletDriver
501 322 272 0 0:00.03 ?? 0:00.08 /System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agen
501 326 272 0 0:00.05 ?? 0:00.17 /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
501 327 272 0 0:00.12 ?? 0:00.18 /usr/sbin/UserEventAgent -l Aqua
501 328 272 0 0:00.00 ?? 0:00.01 /usr/sbin/pboard
501 329 272 0 0:00.90 ?? 0:01.68 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/ATSServer
501 330 272 0 0:00.41 ?? 0:01.05 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_57358
501 332 272 0 0:00.01 ?? 0:00.03 /Library/Application Support/Tablet/PenTabletDriver.app/Contents/Resources/TabletDriver.app/Contents
0 333 1 0 0:00.06 ?? 0:00.11 /usr/sbin/coreaudiod
501 334 272 0 0:01.06 ?? 0:01.98 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer -psn_0_77843
501 335 272 0 0:13.03 ?? 0:38.60 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_81940
501 350 272 0 0:00.24 ?? 0:01.54 /Library/Application Support/Norton Solutions Support/SymQuickMenu/SymQuickMenu.app/Contents/MacOS/S
0 351 272 0 0:00.03 ?? 0:00.27 /Library/Application Support/Norton Solutions Support/Norton AntiVirus/SAVDiskMountNotify.app/Conten
501 352 272 0 0:00.04 ?? 0:00.45 /Library/Application Support/Norton Solutions Support/Norton AntiVirus/ScanNotification.app/Contents
501 355 272 0 0:00.01 ?? 0:00.03 /Library/Application Support/Norton Solutions Support/Scheduler/SymSecondaryLaunch.app/Contents/MacO
501 360 272 0 0:00.03 ?? 0:00.06 /Applications/iTunes.app/Contents/Resources/iTunesHelper.app/Contents/MacOS/iTunesHelper -psn_0_1188
501 361 272 0 0:00.06 ?? 0:00.19 /Applications/Caffeine.app/Contents/MacOS/Caffeine -psn_0_122910
501 362 272 0 0:01.81 ?? 0:05.63 /Applications/Dropbox.app/Contents/MacOS/Dropbox -psn_0_127007
501 363 272 0 0:00.14 ?? 0:00.29 /Users/bunkerking1214/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/C
-2 368 1 0 0:00.01 ?? 0:00.01 /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd
501 458 272 0 0:16.37 ?? 1:13.12 /Applications/Firefox.app/Contents/MacOS/firefox-bin -psn_0_147492
501 470 330 0 0:00.26 ?? 0:01.32 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashboar
501 471 330 0 0:00.28 ?? 0:01.05 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashboar
501 508 272 0 0:00.15 ?? 0:00.82 /Applications/Little Snitch Configuration.app/Contents/MacOS/Little Snitch Configuration -psn_0_1638
501 524 272 0 0:00.08 ?? 0:00.32 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_188462
0 525 524 0 0:00.02 ttys000 0:00.02 login -pf bunkerking1214
501 526 525 0 0:00.01 ttys000 0:00.01 -bash
0 539 526 0 0:00.00 ttys000 0:00.00 ps -ef
If there's information in there that I shouldn't be sharing online, do tell me. >.> If you see anything fishy, please post!
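One way to narrow down a listing like the one above, added here as an example and not part of the original post: it splits `ps -ef` rows by where each binary lives, so the OS-shipped processes drop out and the smaller remainder can be checked by hand. The bucket names are this example's own, the sample rows are copied from the post's listing, and a bucket is a review order, not a verdict.

```python
# Added example: triage a macOS `ps -ef` listing by binary location.
# SAMPLE rows are copied from the listing in the post above.
SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.14 ?? 0:00.19 /sbin/launchd
65 16 1 0 0:00.14 ?? 0:00.24 /usr/sbin/mDNSResponder -launchd
0 49 1 0 0:00.01 ?? 0:00.01 autofsd
0 52 1 0 0:00.43 ?? 0:01.17 /Library/Little Snitch/lsd
0 124 1 0 0:00.57 ?? 0:00.71 /Library/StartupItems/ParallelsTransporter/llipd
501 362 272 0 0:01.81 ?? 0:05.63 /Applications/Dropbox.app/Contents/MacOS/Dropbox -psn_0_127007
501 363 272 0 0:00.14 ?? 0:00.29 /Users/bunkerking1214/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/C
501 526 525 0 0:00.01 ttys000 0:00.01 -bash
"""

# Directories that hold OS-shipped binaries on macOS (/usr/local is excluded).
OS_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/")
# StartupItems run as root at boot; /Users is writable without admin rights.
REVIEW_FIRST = ("/Library/StartupItems/", "/Users/")

def classify(cmd):
    """Return the review bucket for one CMD column value."""
    if not cmd.startswith("/"):
        return "no-path"          # ps shows only a name; location unknown
    if cmd.startswith("/usr/local/"):
        return "third-party"
    if cmd.startswith(OS_PREFIXES):
        return "os"
    if cmd.startswith(REVIEW_FIRST):
        return "review-first"
    return "third-party"

def triage(ps_text):
    """Group (pid, uid, cmd) tuples by bucket; non-process lines are skipped."""
    buckets = {"os": [], "third-party": [], "review-first": [], "no-path": []}
    for line in ps_text.splitlines():
        # Seven columns precede CMD; maxsplit keeps spaces inside the path.
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue              # header, shell prompt, or blank line
        buckets[classify(fields[7])].append((int(fields[1]), fields[0], fields[7]))
    return buckets

if __name__ == "__main__":
    for name, rows in triage(SAMPLE).items():
        print(f"{name}: {len(rows)}")
        if name != "os":
            for pid, uid, cmd in rows:
                print(f"  pid={pid} uid={uid} {cmd}")
```

Several CMD values in the post are cut off at the terminal width; `ps -efww` prints them in full, which matters when the distinguishing part of a path is at the end.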