Previous 1 2 Next 18 Replies Latest reply: Mar 8, 2013 5:38 PM by ThatPellirojo Branched to a new discussion.
ThatPellirojo Level 1 (0 points)

I am afraid that I might have a keylogger, and I went to look at my activity monitor and everything is good except I have 2 different Safari Web Content processes running at the same time. Could this be a keylogger?

MacBook Pro, Mac OS X (10.7.3)
  • pennbank Level 4 (1,680 points)

    I doubt but you can never say never

    Just use the red button and quit the processes  and restart


    Antivirus is available


    You can use CLAM XAV free from App store


    or Sophos free for home use  (Which I use)  and run a scan ition.aspx



  • John Galt Level 8 (44,625 points)

    Keylogger programs are not viruses or malware and will not be detected as such.


    I know of three Mac keylogger apps:


    ABK a/k/a AOBO Keylogger installs in a hidden folder: /Library/.A_o_b_o/


    Its process will appear in Activity Monitor with the name A_o_b_o. The underscore characters are exactly that.


    In Safari's URL field, type file:///Library/.A_o_b_o/

    You should a grey screen with the result "No file exists at the address file:///Library/.A_o_b_o/"


    Refog Mac Keylogger installs in a hidden folder: /Library/.smoke/


    In Safari's URL field, type file:///Library/.smoke/

    You should see the result "No file exists at the address file:///Library/.smoke/"


    Spector Soft installs its keylogger app at /usr/local/sps/

    In Safari's URL field, type file:///usr/local/sps/

    You should see the result "No file exists at the address file:///usr/local/sps/"


    If any one of these actions results in Safari switching to a Finder window then it is installed.

    Other keylogger apps may exist. If you are still concerned please explain the reasons for your concern and I will suggest another test for you to conduct.

  • ThatPellirojo Level 1 (0 points)

    Well my son went on skype and some stranger friended him and sent him some files for him to recieve from skype. Well my son downloaded them on skype to see them and saw there were like 7 pictures of a naked girl and 2 files, well he clicked "open with preview" on the files and it said something like it has to download stuff from the internet and he then stopped that. He realized this was a scammer. The person then said that  the computer had been keylogged. So I got on the mac and went to finder to find the files and pictures and deleted them. Although he never got the files from the internet, I am still worried that it could be keylogged. The scammer sent a chat message saying it only works on pc's with windows 7,8, and vista. But I want to be 100% before I enter secure information about my bank accounts and such. I saw where most of them appeared on the activity monitor so I checked them out and nothing strange was on the activity monitor.Like I said earlier I dragged the pics and 2 files from finder to the trashcan and emptied it quickly. So I figure I am ok but like I sai, I want to be sure that it cant be compromised. Thanks for all the help. By the way, my son is in a TON of trouble and it wouldn't ever happen again. Thanks

  • John Galt Level 8 (44,625 points)

    The scams such as you describe are common. It is only the latest variation on a century's old confidence game. The way they work is to convince you to download and install a program that can be subsequently used to harvest data or for other malicious purpose. From what you describe that did not occur.


    The caution that you exercise - knowing what information you are providing, to whom, and for the purpose for providing it - is the best way to avoid trouble.


    Your son became justifiably concerned at the solicitation to download something unknown. No harm done, and he probably won't make that mistake again.


    By the way this is what my Activity Monitor showed, filtering for "web"


    Screen Shot 2013-03-07 at 6.36.05 PM.png


    If you see something similar it is not cause for concern.

  • ThatPellirojo Level 1 (0 points)

    That is exactly like what is on my activity. So based on what all I did would you say it is ok to look up things such as bank accounts etc..? I have checked most of the other processes in my activities and they check out. I am glad my son did stop and delete he files from "finder". We ended up deleting the files from finder and checking the activites. Is there anything else you would suggest us do? Once again I just want to be sure before I do anything. Thanks so much for your help!

  • John Galt Level 8 (44,625 points)
    Is there anything else you would suggest us do?



    Nothing other than what you have hopefully been doing already - use reasonably good passwords and change them once in a while, have a reliable backup strategy, keep your Mac up to date with software updates from Apple, don't supply your name and password merely because something or someone asks for them, don't click on links in unknown emails, and be on guard whenever you talk to strangers. Whether they are on the street or Skype chat makes no difference.


    More to read:


    OS X Mountain Lion: Keep your information safe


    Generally applicable to Lion or any OS for that matter.

  • Linc Davis Level 10 (184,525 points)

    Well my son went on skype and some stranger friended him and sent him some files for him to recieve from skype.


    That's a matter for the police. Your son was the intended victim of a crime.

  • ThatPellirojo Level 1 (0 points)

    Well I reckon I worded that wrongly. He knew that the scammer was going to be sending nude photos and thats why he went on with it.

  • Linc Davis Level 10 (184,525 points)

    I'm not going to give you parenting advice, but if the "scammer" was someone your son doesn't know, in your place I'd be on the phone to the police or the FBI. This is a classic MO for sexual predators.

  • MadMacs0 Level 5 (4,700 points)

    John Galt wrote:


    I know of three Mac keylogger apps:


    Other keylogger apps may exist.

    MacScan has a reasonably complete list here. It's about the only thing MacScan is good for.

  • ThatPellirojo Level 1 (0 points)

    I have looked at Security programs and found ClamXav and saw how it's free and found an article with the top 10 mac anti-virus programs... 7lK...thats the link to the article and here is the link to ClamXav.. What are your opinions on this?

  • MadMacs0 Level 5 (4,700 points)

    ThatPellirojo wrote:


    I have looked at Security programs and found ClamXav and saw how it's free and found an article with the top 10 mac anti-virus programs... 7lK

    I'm not in the habit of recommending A-V software for reasons that will be clear later. There are plenty of others who do that here routinely. I'll start by pointing out that the article is old (last updated in May 2011). Since then PCTools no longer supports iAntiVirus and the name is being used by Norton for a scaled back version of their software. Most of the ones listed were brand new at the time from formerly PC software vendors that thought they saw a chance for a new Mac market. A few of them still haven't shown that they fully understand OS X. Some have not provided sufficient resources. Some don't even provided updates to their databases. Note that the article doesn't really compare them. Most all of these have not been effective at identifying any of the Zero-day exploitations until several days after they were found in-the-wild. You can find a few other sites that will tell you they have done comparative testing, but most accept advertisement and / or payments from the vendors.


    One comparison that does exist today is provided by Thomas Reed, a frequent contributor in the ACS forum and a colleague of mine Mac anti-virus testing, part 2.


    Although I personally have four A-V programs installed, none of them are currently in use, except for testing. Many of us feel that a fully up-to-date OS X 10.6.8 and above provide adequate protection against all currently known malware that can impact OS X. If I frequented shady web sites, left Java turned on in my browsers, ignored warnings and entered my admin password indiscriminately, or exchanged files with Windows users, I might feel differently.


    Full disclosure: I do uncompensated tech support on the ClamXav Forum.

  • thomas_r. Level 7 (30,640 points)

    I see that you've already gotten some very good advice here. In particular, I want to stress the importance of what Linc has said. What happened was a very serious crime, and needs to be reported. For all you know, the creep on the other end of the line was trying to get a webcam hack installed, not a keylogger, in hopes that he could spy on your son. Call the police, please!


    Now, as to the software that was sent... Most likely, it really was a Windows-only exploit. However, we really don't know how deep a conversation your son had with this man, and it's entirely possible that it was actually a Mac backdoor that was sent. We also don't know what the message was about something needing to be downloaded... I don't see any reason for that message, as a malicious app or installer would be able to download stuff without asking, once it got its foot in the door (so to speak). Worst of all, it sounds like you have deleted the files, so those of us who could help you figure out what they might have been cannot do that.


    Ultimately, your response to this is your decision. I have an extremely good relationship with my teenagers, and yet if the same thing happened here, I would not make any assumptions. I would consider the worst-case scenario - that some stranger might have gotten something installed that will let them spy on my child - and would respond to that.


    In that case, there's only one reliable way to handle that worst-case scenario. Completely erase the hard drive. Then, if you have one, restore to a backup from before this incident happened. If you don't have one, reinstall the system and all applications from scratch, and copy personal documents only (no settings files, and no using Setup Assistant or Migration Assistant for the import) from a backup.

  • ThatPellirojo Level 1 (0 points)

    Well What the files were that he sent was a couple pictures of a naked girl and there was a file, well he looked at the pictures in preview but when he saw the file and clicked "open in preview" it asked to download something from the internet, and this is when my son knew what was going on. So he then went to finder and deleted the pics of the girl and the file. I then went on here and looked up way to find out how to get rid of the keylogger and I saw many different people who looked at the activity monitor and I didn't find any strange processes running. However I am still just wary of there still being something on my mac. How would I erase the hard drive? Will it take a while to do this?

Previous 1 2 Next