just ran ClamXav found KeyLogger

It's OK to be cautious and suspicious when browsing the web and receiving emails. Read the user tip that iDrisSeabirght linked to as it have excellent tips on keeping your Mac safe.

Also set Safari's General preference pane to not open downloads after they've been downloaded, i.e. don't check this box:

Also, make sure the System/Safety and Security/General preference pane has either App Store or App Store or Identified Developers selected:

You cant install a keylogger remotely on a mac, you need to facilitate it from an operator sitting at the keyboard so if you didn't do it who else has or known the password to admin account on that system?

InsecureSpike wrote:

otherwise other security apps would've detected it, before?

What other security apps have you installed? Mac's own built-in security is enough. Other security apps are unnecessary and not recommended. At best they will slow your system by using resources and at worst they will cripple it. ClamX is the most benign of the bunch but I'd only used ClamX to scan and not to be actively running in the background.

tats a good way to get your system to just struggle and likely to throw all kinds of false info. I wouldn't even do that on a PC and anyway not recommendedas many of these products will interfere with one another in Windows. MWB is the only one of the 3 you mention that will not interfere with OS X. The other two have historically caused serious problems so if you mac starts to tank, bsod, rainbow wheel, lock up or outright kernel panic the first place you should look is Sophos or Avira running.

Personally, I see running one AV software package as likely to cause problems but running two of them is almost certain to cause grief in the longer run. My suggestion is to uninstall both Sophos and Avira.

I haven't had AV software installed on my Mac since.... System 7? Maybe System 8. Then came the awful day I updated my system software and discovered, rather too late, that the Norton anti-virus I had installed crashed my machine almost immediately after start up. It took me the better part of a day to fix it. The risks of AV software are far greater than the risks of malware, at least in my estimation.

It's easy to get worried. I absolutely understand.

In the end, you need to do what makes you feel safe and comfortable. But, in about twenty years of using Macs, I've had precisely on virus (back in the 90's). Is there bad stuff out there? Sure. Should you take reasonable precautions? Absolutely. Should you let the worry take over? Try not to. 🙂

"ClamXav" may have identified something as a false positive, but if you obtained something from "Mac Update" it is quite likely to contain malware. Sites such as that one exist for the sole purpose of distributing targeted advertising, — mostly for garbage products that no Mac user should ever install — and are notorious for bundling malware with otherwise legitimate programs. It wouldn't be the first time "Mac Update" did that.

Quoting from that developer's website http://www.findingoptimism.com/,

"The Optimism apps were launched in 2007 and developed and supported for 7 years, however since then they have been in a hiatus and are now being discontinued. We hope that you'll be able to find another app to meet your needs."

What "MacUpdate" is doing with it any more is a question open to your imagination. If you require software that is not available from the Mac App Store, be sure to obtain it from a source specifically authorized by its developer.

The app is also identified as a keylogger by Dr. Web. Also, the agent installed by the app, which ClamXav is detecting, is detected as a keylogger by both Dr. Web and Ikarus.

Of course, Ikarus throws TONS of false positives on Mac files... I tend to assume that Ikarus is always wrong these days.

I'm not seeing any signs of keylogging activity. The agent doesn't appear to be writing to any suspicious files, and I wasn't able to locate some key phrases that I typed saved into any files anywhere. Of course, this isn't conclusive evidence, as it could be caching keystrokes and writing them infrequently.

However, I notice this app and the agent were written in REALbasic, and I believe there actually is a real keylogger that was written in REALbasic. Which makes me think this may be a false positive, picking up on some commonality between REALbasic apps. This wouldn't be the first time an AV app has detected legit REALbasic apps as something malicious because of this kind of thing.

I have been able to confirm that the last version of Optimism for Mac does install an applications that matches the signature for PUA.OSX.BobKeylogger.

InsecureSpike wrote:

oh cool, so you both think there's not much to worry about otherwise other security apps would've detected it, before?

First, it's important to note that this was labeled as a PUA (Potentially Unwanted Application), so it's simply a warning that it may be something you didn't expect when you installed it. It may be doing exactly what you want it to do, but in this case is using a known keylogger that could be used for nefarious purposes. In reading though the description of the app and observing the screenshot, I don't see why it would need to monitor key strokes, with or without recording them, but not communicate anything outside of your computer. So the developer could have included a freely available or license version of the Bob Keylogger to accomplish this for legitimate purposes.

Since the matching signature is a hash value, the odds are extremely high (way over 99%) that this is not a False Positive.

It appears that someone uploaded this file to VirusTotal earlier today where two other scanners identified it as a Keylogger:

Another submission from last year shows an additional detection from AVG.

Seeing as the developer has been out of business for a decade now and you have no indication of identity theft, you probably have nothing to worry about. You could double-check to see if the app is attempting to communicate outside of your Mac, but that would require the use of additional software and expertise to monitor your Internet communications.

MadMacs0 wrote:

Since the matching signature is a hash value, the odds are extremely high (way over 99%) that this is not a False Positive.

Just to clarify my statement here. The odds are that the file is the one identified as PUA.OSX.BobKeylogger is the intended file. As thomas_r. covered, it could still have been misidentified as malicious by one or more of the other scanners and picked up by ClamXav based on their assessment.

I'd definitely recommend deleting the app. I can't find any behavioral indication that it's actually a keylogger, but it's definitely ancient! It's got old PowerPC code in it, which is the equivalent of seeing a dodo on the streets of New York.