"com.apple.fonts" popup

A Safe Mode boot deletes system caches that might help ...

To start up in safe mode:

1. Start or restart your Mac, then immediately press and hold the Shift key. The Apple logo appears on your display. If you don't see the Apple logo, learn what to do.
2. Release the Shift key when you see the login window. If your startup disk is encrypted with FileVault.

To leave safe mode, restart your Mac without pressing any keys during startup.

Use safe mode to isolate issues with your Mac - Apple Support

Kevin Kliesch wrote:

Forgot to mention that I tried that per the request of the Apple senior rep. Did not experience the problem in safe mode, but then after rebooting back into my main account, the problem was back again.

That indicates that it's some 3rd party software that's causing the problem. Download and run Etrecheck. Copy and paste the results into your reply. Etrecheck is a diagnostic tool that was developed by one of the most respected users here in the ASC and recommended by Apple Support to provide a snapshot of the system and help identify the more obvious culprits that can adversely affect a Mac's performance.

I have the same problem since I installed Mojave. It's sad that Apple didn't answered nor said they are investigating this problem yet. It appears each time I launch an App. If I close the App and relaunch it, it happens again.

Happening here as well. Called Apple support and spoke to a Senior Advisor who witnessed the problem through taking control of my screen. He then escalated the problem to engineering. Sent them my Capture Data info and am waiting to hear back. Interesting to note that the problem doesn't happen if I create a new test Admin account and login to that.

Forgot to mention that I tried that per the request of the Apple senior rep. Did not experience the problem in safe mode, but then after rebooting back into my main account, the problem was back again.

That was a great suggestion. I created a test Admin account, logged into that, searched for "com.apple.fonts" and deleted it then logged back into my main account and the problem was gone. Hope it doesn't cause any other problems in the system, although I remember the Senior Advisor asking me to delete the file anyway, so it should be all good.

I'm in the middle of helping a friend with this issue, and I think I have arrived at a disturbing conclusion: I think it's a covert key logger. If you look inside the com.apple.fonts.app bundle, the info.plist file contains this URL: http://www.widestep.com/fdbck/emailstore/submit.php?application=EliteKeyloggerMa c

First, in Terminal, run:

sudo rm /Library/LaunchAgents/com.apple.fonts.plist

Then, if the com.apple.fonts.plist process is still running, kill it in Activity Monitor or terminal.

And of course, run an anti-malware tool, and assume you've been compromised and change passwords.

Inside the com.apple.fonts application bundle, there's a log file indicating regular screenshots and web history parsing — but in my friend's case, only in 2014. I don't know whether it succeeded in uploading anything. There's also a large binary file of unknown contents.

I found the same thing - looks like a keylogger. Sophos picked it up and removed it for me.

As for the large file inside (binary.dat), it had a MIME type of image/jpeg so i renamed to jpg and found it was a screenshot...from 2014.

I cannot see any queries being made to the domain in question when looking at DNS and firewall logs, so not sure on whether it was active or not.

Hello Antonio Tejada.

Keep away from Sophos,or Intego! Its not good for a mac?

Use AV Programs for Windows,or if you use Bootcamp?

Run a test with Disk Utility,on your mac,ones in a week! Its better,and do not harm!

Regards Claus.

Hello jaitg,

It was very nice,of Sophos,to find a "Keylogger",when you ask for it?

I have been,on this Computer/mac issue for over 20 years,and i have never or ever find a "Keylogger"?

But Sophos can ?

Im impresst!

Regards Claus.

Its a shame that Apple keeps putting out new OS systems and then has the rest of the world solve problems like this. It makes me wish Jobs was still here to make this the quality product that it use to be. Same issue here loaded Majave and now the constant pop up that interupts all my work all the time. Where are the Apple software engineers>

Dude. The security messages are doing exactly what they’re supposed to be doing: stopping a security threat. You have malware on your system. Did you even read the solution on here? It tells you how to get rid of it.

Apple’s engineering didn’t fail, it’s literally the exact contrary: they built us a much more secure system, and it’s exposing (and indeed, stopping) malicious software!

Oh DUDE you are so wrong. This site has nothing to do with Apple software engineers. Its a community of "user" offering solution that many times create worse problems. The solutions offered above describe the issue but the solutions are all questioned by other "users". So no way am I trying an amateur fix that will cause more problems. So dude. Go back into your hackers closet and let real professionals fix this for people. And its Dr. Dude to you. Maybe I'll see you in one of my classes. 🙂