Possible Keylogger - Not sure how to identify process in Activity Monitor

Status
Not open for further replies.
Joined
Jan 20, 2012
Messages
5
Reaction score
0
Points
1
Hi,

I received an email that seemed legitimate, and clicked the link (two days ago). The link didn't 'work'. I was talking to one of my friends, who is much more fluent with computers than I am, and he said that chances are I downloaded a keylogger onto my computer.

I've been researching the processes on my Activity Monitor, but there are a lot of them, and I'm wondering if there is an easier way.

Particularly, because I have the date and time that I received the email/clicked on the link, I was wondering if these data can help me at all in identifying a bogey process. Can they? Also, is there anything else that I can do? I downloaded a free trial of McAfee and am scanning the computer currently, but I'm not entirely sure what else to do.

Konstiin
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Run Activity Monitor; go to File » Save and save a text file of everything that is running; then copy/paste the contents into a reply here. We can then look over what's running.
 
OP
K
Joined
Jan 20, 2012
Messages
5
Reaction score
0
Points
1
Run Activity Monitor; go to File » Save and save a text file of everything that is running; then copy/paste the contents into a reply here. We can then look over what's running.

N**S is the user name. Only one user on the computer. These are all of the processes.
---------------------------------

Active Memory: 1.60 GB
Free Memory: 734.3 MB
Wired Memory: 955.9 MB
Used Memory: 3.28 GB
Inactive Memory: 762.1 MB
Total VM: 136.83 GB
Number of processes: 70

PID Process Name User CPU Real Mem Virtual Mem
0 kernel_task root 25.3 303.9 MB 3.01 GB
1 launchd root 0.0 764 KB 2.34 GB
10 kextd root 0.0 9.8 MB 2.34 GB
11 DirectoryService root 0.0 4.3 MB 2.34 GB
12 notifyd root 0.0 484 KB 2.33 GB
13 diskarbitrationd root 0.0 1.2 MB 2.33 GB
14 configd root 0.0 2.4 MB 2.36 GB
15 syslogd root 0.0 540 KB 2.34 GB
16 blued root 0.0 2.1 MB 2.35 GB
19 mDNSResponder _mdnsrespo 0.1 2.3 MB 2.35 GB
20 distnoted daemon 0.0 1,004 KB 2.33 GB
24 securityd root 0.0 2.2 MB 2.35 GB
25 coreservicesd root 0.0 8.5 MB 2.39 GB
28 ntpd root 0.0 704 KB 2.32 GB
29 krb5kdc root 0.0 844 KB 2.33 GB
32 usbmuxd _usbmuxd 0.0 732 KB 2.35 GB
37 mds root 0.0 24.3 MB 2.54 GB
38 loginwindow n**s 0.0 7.0 MB 2.67 GB
39 KernelEventAgent root 0.0 512 KB 2.33 GB
41 hidd root 0.0 924 KB 2.33 GB
42 fseventsd root 0.0 1.6 MB 2.34 GB
44 dynamic_pager root 0.0 332 KB 2.32 GB
50 autofsd root 0.0 500 KB 2.33 GB
72 WindowServer _windowser 4.8 64.5 MB 2.76 GB
79 cvmsServ root 0.0 412 KB 2.33 GB
91 launchd n**s 0.0 756 KB 2.34 GB
95 Dock n**s 0.0 15.4 MB 2.69 GB
96 SystemUIServer n**s 0.0 11.7 MB 2.66 GB
97 Finder n**s 0.0 32.3 MB 2.81 GB
99 coreaudiod _coreaudio 0.0 2.4 MB 2.34 GB
101 pboard n**s 0.0 312 KB 2.32 GB
102 fontd n**s 0.0 6.0 MB 2.38 GB
114 UserEventAgent n**s 0.0 2.6 MB 2.35 GB
121 AirPort Base Station Agen n**s 0.0 2.1 MB 2.62 GB
195 AppleSpell.service n**s 0.0 4.7 MB 2.35 GB
3921 iTunes Helper n**s 0.0 1.1 MB 2.60 GB
4224 DashboardClient n**s 0.1 42.5 MB 3.75 GB
4225 DashboardClient n**s 0.0 3.6 MB 934.6 MB
4227 WebKitPluginAgent n**s 0.0 288 KB 2.34 GB
69109 Google Chrome n**s 0.6 199.7 MB 1.34 GB
69115 Google Chrome Worker n**s 0.0 50.8 MB 1.03 GB
69116 Google Chrome Worker n**s 0.0 21.8 MB 997.3 MB
69281 Google Chrome Helper n**s 0.0 25.2 MB 958.7 MB
69870 Shockwave Flash (Chrome P n**s 2.8 54.1 MB 1.00 GB
69871 mdworker n**s 0.0 18.1 MB 2.37 GB
69880 Activity Monitor n**s 14.9 32.9 MB 2.78 GB
69882 activitymonitord root 0.9 1.5 MB 2.33 GB
69903 Google Chrome Renderer n**s 0.1 80.5 MB 1.06 GB
69925 diskimages-helper n**s 0.0 12.7 MB 2.36 GB
69933 hdiejectd root 0.0 1.6 MB 2.33 GB
69936 mdworker _spotlight 0.0 9.8 MB 2.36 GB
70072 SystemStarter root 0.0 984 KB 2.33 GB
70723 fmpd root 1.2 3.1 MB 599.7 MB
70790 cron root 0.0 900 KB 2.32 GB
70863 VShieldScanManager root 1.5 3.3 MB 603.9 MB
70901 cma root 0.0 12.2 MB 628.8 MB
70908 VShieldUpdate root 0.0 50.3 MB 637.9 MB
70959 Menulet n**s 0.1 5.1 MB 892.3 MB
70962 McAfee Reporter n**s 0.0 5.1 MB 896.2 MB
70969 VShieldScanner root 0.0 109.6 MB 697.0 MB
70970 VShieldScanner root 0.0 109.5 MB 697.0 MB
70971 VShieldScanner root 0.0 100.7 MB 694.6 MB
71006 McAfee Security n**s 6.4 10.9 MB 958.9 MB
71055 VShieldService root 6.8 8.1 MB 613.4 MB
71062 Google Chrome Renderer n**s 0.1 92.9 MB 1.08 GB
71069 imklaunchagent n**s 0.0 1.9 MB 2.35 GB
71070 Keyboard Viewer n**s 0.6 34.2 MB 2.72 GB
71078 Google Chrome Renderer n**s 0.0 67.8 MB 1.07 GB
71104 VShieldScanner n**s 57.7 86.3 MB 681.0 MB
71167 Google Chrome Renderer n**s 0.4 107.6 MB 1.08 GB
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3
Hi and welcome to the forum Konstiin.

So just from hitting a link in an email and it not working, your friend has said the chances are you downloaded a keylogger onto your computer??? How did he come up with that??

Sorry but it sounds as if your friend is scaring you for no good reason.
Can you give us a reason or an indication that a keylogger would be on your machine??

Cheers
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Offhand, it all looks kosher to me. Honestly…. the likelihood that you accidentally acquired malware is very very very low. Like Tattooed suggested, your friend pulled that out of his ***. There are exploits out there that do use phony web pages like that, but the later versions of OS X actually do have anti-malware features that it silently updates.

One other thought… were you prompted for your user name and password when you clicked on that link? If not, then there is absolutely no chance you acquired malware. Installing anything like that requires your explicit permission.


EDIT: and go ahead and get rid of McAfee. It's a drain on your system and otherwise just not necessary.

EDIT 2: WOW! I had no idea Chrome had so many processes going at once. That's crazy!
 
OP
K
Joined
Jan 20, 2012
Messages
5
Reaction score
0
Points
1
Hi and welcome to the forum Konstiin.

So just from hitting a link in an email and it not working, your friend has said the chances are you downloaded a keylogger onto your computer??? How did he come up with that??

Sorry but it sounds as if your friend is scaring you for no good reason.
Can you give us a reason or an indication that a keylogger would be on your machine??

Cheers

Yes:
1) I am 100% sure that the email was from someone posing to be someone that they weren't. I.e., it looked like it was from [video game company] but after more careful inspection it is proved to not be from [video game company].
2) These emails have recently been reported as an issue within the community of [video game].

--The thing that I am not 100% sure of is that there was anything downloaded. The email that was sent was certainly designed to get me to click the link, which linked to some 404 page or something. I passed it off as nothing because somewhere in the email it said that this might be resulting from a bug in the system. When I was talking to my friend later, he told me that this was a common way of getting me to inadvertently download something on to my computer.

So basically, I know that the email was fake, and that it was an email that has been used to trick others. However, I don't know if the email (and the link on which I clicked) did actually download something such as a keylogger onto my computer.

And thanks for the welcome :)
 
OP
K
Joined
Jan 20, 2012
Messages
5
Reaction score
0
Points
1
Offhand, it all looks kosher to me. Honestly…. the likelihood that you accidentally acquired malware is very very very low. Like Tattooed suggested, your friend pulled that out of his ***. There are exploits out there that do use phony web pages like that, but the later versions of OS X actually do have anti-malware features that it silently updates.

One other thought… were you prompted for your user name and password when you clicked on that link? If not, then there is absolutely no chance you acquired malware. Installing anything like that requires your explicit permission.


EDIT: and go ahead and get rid of McAfee. It's a drain on your system and otherwise just not necessary.

Thanks! It did not prompt me for anything like my username or password. The only time that I have been prompted for my username and password in the last week or so is the McAfee installer.

I'll get rid of McAfee. Thanks for the help guys!
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3
Yes:
1) I am 100% sure that the email was from someone posing to be someone that they weren't. I.e., it looked like it was from [video game company] but after more careful inspection it is proved to not be from [video game company].
2) These emails have recently been reported as an issue within the community of [video game].

--The thing that I am not 100% sure of is that there was anything downloaded. The email that was sent was certainly designed to get me to click the link, which linked to some 404 page or something. I passed it off as nothing because somewhere in the email it said that this might be resulting from a bug in the system. When I was talking to my friend later, he told me that this was a common way of getting me to inadvertently download something on to my computer.

So basically, I know that the email was fake, and that it was an email that has been used to trick others. However, I don't know if the email (and the link on which I clicked) did actually download something such as a keylogger onto my computer.

And thanks for the welcome :)

One other thought… were you prompted for your user name and password when you clicked on that link? If not, then there is absolutely no chance you acquired malware. Installing anything like that requires your explicit permission.

As lifeisabeach has posted, unless you put in an admin password then there is no chance whatsoever that you have anything malicious going on with your machine.
Why the big secret on what video game company we are talking about?? It would be nice to know as I would like to go and do some research on this so-called fake email and what it does. Forgive me for saying and I mean nothing from it but you sound super paranoid about all this.

I doubt very much unless you put in an admin password that you have a keylogger

Cheers
 
OP
K
Joined
Jan 20, 2012
Messages
5
Reaction score
0
Points
1
It's Jagex, the game is Runescape.

There are constantly fake emails reported. I left it out because I thought that it would just distract more from the answer that I was looking for.
 
C

chas_m

Guest
So just from hitting a link in an email and it not working, your friend has said the chances are you downloaded a keylogger onto your computer??? How did he come up with that??

In the Windows world, this is ENTIRELY plausible and possible.

But it's NOT possible in the Mac world, so I agree with the rest of you ... nothing amiss.
 
Joined
Jul 10, 2012
Messages
1
Reaction score
0
Points
1
Why so many httpd servers?

PID COMMAND %CPU TIME #TH #WQ #POR #MREG RPRVT RSHRD RSIZE VPRVT VSIZE PGRP PPID
336 qmgr 0.0 00:00.00 1 0 22 27 400K 324K 1484K 17M 2378M 334 334
335 pickup 0.0 00:00.00 1 0 22 27 396K 324K 1448K 17M 2378M 334 334
334 master 0.0 00:00.01 1 0 22 37 480K 324K 1492K 19M 2379M 334 1
328- Google Chrom 0.3 00:11.33 5 1 94 406 106M+ 52M 159M+ 162M 1180M 199 199
317 ocspd 0.0 00:00.01 2 0 41 36 668K 304K 1392K 45M 2406M 317 1
305- Google Chrom 0.0 00:01.99 5 1 93 267 36M 40M 64M 102M 1084M 199 199
296 AppleSpell 0.0 00:00.13 2 1 34 59 3380K 8324K 5124K 47M 2428M 296 130
266- Google Chrom 0.0 00:27.01 5 1 94 319 64M 43M 102M 119M 1120M 199 199
262 VDCAssistant 0.0 00:00.04 4 1 90 77 1144K 5984K 4400K 43M 2676M 262 130
260- Skype 0.4 00:11.70 26 2 387 441 76M 37M 137M 178M 1108M 260 130
253- Google Chrom 0.0 00:03.57 5 1 94- 234- 34M- 32M 61M- 108M- 1076M- 199 199
236- Google Chrom 0.0 00:00.97 5 1 93 199 12M 30M 28M 81M 1050M 199 199
222- Google Chrom 1.3 00:30.07 22 1 278 3291 50M 102M 118M 95M 1274M 199 199
214- Google Chrom 0.0 00:03.38 5 1 94 230 31M 31M 51M 99M 1067M 199 199
210- Google Chrom 0.0 00:06.29 5 1 94 343 61M 33M 84M 126M 1105M 199 199
205- Google Chrom 0.0 00:08.56 4 1 117 607 39M 125M 165M 79M 1250M 199 199
204- Google Chrom 0.0 00:00.42 5 1 87 153 8776K 28M 22M 77M 753M 199 199
199- Google Chrom 0.5 01:29.66 25 1 251 437 56M 108M 114M 237M 1393M 199 130
198 top 4.4 01:00.10 1/1 0 42 33 1952K 244K 2532K 17M 2378M 198 195
195 bash 0.0 00:00.01 1 0 17 24 400K 856K 1064K 17M 2378M 195 194
194 login 0.0 00:00.03 1 0 22 53 540K 244K 1648K 19M 2379M 194 192
192 Terminal 7.6 00:20.65 5 1 110 111 5036K 9844K 14M 53M 2721M 192 130
191 mdworker 0.0 00:02.11 3 1 50 82 10M 7900K 18M 59M 2437M 191 1
190 mdworker 0.0 00:00.45 3 1 52 75 7680K 8736K 13M 55M 2434M 190 1
168 LxkNetworkSe 0.0 00:00.02 5 1 42 56 760K 244K 2476K 42M 2403M 168 130
167- Lexmark Butt 0.0 00:00.05 3 1 71 73 1040K 1096K 2512K 51M 636M 167 130
162 1PasswordAge 0.0 00:00.50 2 1 97 99 5432K 6796K 11M 53M 2704M 162 130
158 AirPort Base 0.0 00:00.06 4 1 82 86 1864K 8284K 6112K 49M 2448M 158 130
151 UserEventAge 0.0 00:00.50 3 1 183 122 3700K 6020K 7348K 61M 2438M 151 130
147 quicklookd 0.0 00:00.40 6 2 82 78 6112K 5924K 6744K 563M 2939M 147 130
142 fontd 0.0 00:00.57 3 1 99 105 3440K 4416K 4508K 51M 2457M 142 130
141 pboard 0.0 00:00.00 1 0 22 37 376K 248K 860K 19M 2379M 141 130
136 Finder 0.0 00:01.56 5 1 165 388 6072K 18M 20M 38M 2728M 136 130
135 SystemUIServ 0.0 00:01.10 3 1 237 247 24M 11M 31M 69M 2732M 135 130
134 Dock 0.0 00:00.83 3 1 116 246 2504K 19M 13M 30M 2711M 134 130
130 launchd 0.0 00:00.10 2 0 210 62 624K 476K 1072K 56M 2417M 130 1
127 coreaudiod 0.0 00:00.10 3 1 159 84 1304K 1200K 2284K 51M 2413M 127 1
117 cvmsServ 0.0 00:00.00 1 0 47 32 376K 248K 844K 22M 2383M 117 1
113 httpd 0.0 00:00.00 1 0 8 280 100K 6768K 524K 100K 2391M 50 90
112 httpd 0.0 00:00.00 1 0 8 280 104K 6768K 524K 104K 2391M 50 90
111 httpd 0.0 00:00.00 1 0 8 280 104K 6768K 524K 104K 2391M 50 90
110 httpd 0.0 00:00.00 1 0 8 280 104K 6768K 524K 104K 2391M 50 90
109 httpd 0.0 00:00.00 1 0 8 280 112K 6768K 524K 112K 2391M 50 90
96 fontd 0.0 00:00.24 2 1 79 96 2484K 4300K 3436K 50M 2456M 96 1
95 WindowServer 2.4 00:48.78 4 1 263 1485 11M 95M 75M 65M 3153M 95 1
93 coreservices 0.0 00:01.14 4 1 282 186 3532K 8800K 11M 28M 2426M 93 1
90 httpd 0.0 00:00.29 1 0 22 280 48K 6768K 5076K 48K 2391M 50 50
81 java 0.3 00:57.95 71/1 1 632 563 247M 9560K 297M 651M 4057M 49 49
59 taskgated 0.0 00:00.02 1 0 40 30 588K 244K 1160K 44M 2405M 59 1
52- SierraTDI 0.0 00:00.04 3 1 32 54 380K 4084K 1436K 13M 603M 52 1
51- SierraSWoCMo 0.0 00:00.06 2 1 59 69 512K 6804K 2208K 41M 634M 51 1
50 bash 0.0 00:00.00 1 0 14 24 168K 852K 712K 9656K 2378M 50 1
49 bash 0.0 00:00.00 1 0 14 24 180K 852K 728K 9656K 2378M 49 1
46 autofsd 0.0 00:00.01 2 1 29 40 512K 244K 1008K 37M 2397M 46 1
40 dynamic_page 0.0 00:00.01 1 0 20 25 296K 240K 796K 9656K 2378M 40 1
38 fseventsd 0.0 00:00.37 16 1 111 77 1368K 244K 1876K 54M 2415M 38 1
37 hidd 1.4 00:14.14 4 2 70 55 952K 264K 1764K 26M 2395M 37 1
35 KernelEventA 0.0 00:00.01 3 1 31 43 560K 244K 1052K 31M 2392M 35 1
34 loginwindow 0.0 00:00.59 2 1 237 120 2468K 9624K 8708K 46M 2699M 34 1
33 mDNSResponde 0.0 00:00.34 3 1 64 62 1252K 280K 2188K 60M 2421M 33 1
32 mds 0.0 00:04.06 3 2 93 915 133M 8392K 109M 448M 2863M 32 1
29 securityd 0.0 00:00.18 2 0 128 43 2024K 4176K 3240K 45M 2420M 29 1
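
The PGRP and PPID columns of this capture already show how the httpd processes relate to each other. As an added example (not part of the original post), the Python below parses a subset of the rows posted above and groups the httpd entries by parent: five of them share parent PID 90, and PID 90 was started from the bash process with PID 50, which is the shape of one server instance with forked workers rather than six separate servers. The function names are hypothetical, and the reading of the result is an inference from these rows only.

```python
# Rows copied from the `top` output in the post above (subset, header kept).
TOP_ROWS = """\
PID COMMAND %CPU TIME #TH #WQ #POR #MREG RPRVT RSHRD RSIZE VPRVT VSIZE PGRP PPID
199- Google Chrom 0.5 01:29.66 25 1 251 437 56M 108M 114M 237M 1393M 199 130
130 launchd 0.0 00:00.10 2 0 210 62 624K 476K 1072K 56M 2417M 130 1
113 httpd 0.0 00:00.00 1 0 8 280 100K 6768K 524K 100K 2391M 50 90
112 httpd 0.0 00:00.00 1 0 8 280 104K 6768K 524K 104K 2391M 50 90
111 httpd 0.0 00:00.00 1 0 8 280 104K 6768K 524K 104K 2391M 50 90
110 httpd 0.0 00:00.00 1 0 8 280 104K 6768K 524K 104K 2391M 50 90
109 httpd 0.0 00:00.00 1 0 8 280 112K 6768K 524K 112K 2391M 50 90
90 httpd 0.0 00:00.29 1 0 22 280 48K 6768K 5076K 48K 2391M 50 50
81 java 0.3 00:57.95 71/1 1 632 563 247M 9560K 297M 651M 4057M 49 49
50 bash 0.0 00:00.00 1 0 14 24 168K 852K 712K 9656K 2378M 50 1
49 bash 0.0 00:00.00 1 0 14 24 180K 852K 728K 9656K 2378M 49 1
"""
TAIL = 13  # fixed columns after COMMAND: %CPU ... PGRP PPID

def parse_top(text):
    """Return {pid: (command, ppid)} for each data row."""
    procs = {}
    for line in text.splitlines()[1:]:        # skip the header row
        tok = line.split()
        if len(tok) < TAIL + 2:
            continue                          # blank or truncated row
        pid = int(tok[0].rstrip("-+*"))       # some PIDs carry a marker
        # COMMAND may contain spaces, so count fixed columns from the right.
        procs[pid] = (" ".join(tok[1:-TAIL]), int(tok[-1]))
    return procs

def ancestry(procs, pid):
    """Follow PPID links upward until the parent is not in the capture."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # seen guards against loops
        seen.add(pid)
        chain.append((pid, procs[pid][0]))
        pid = procs[pid][1]
    return chain

def group_by_parent(procs, name):
    """Map parent PID -> PIDs of the processes whose command is `name`."""
    groups = {}
    for pid, (cmd, ppid) in procs.items():
        if cmd == name:
            groups.setdefault(ppid, []).append(pid)
    return groups

if __name__ == "__main__":
    procs = parse_top(TOP_ROWS)
    print(group_by_parent(procs, "httpd"))
    print(ancestry(procs, 113), ancestry(procs, 81))
```

The same walk places java (PID 81) under the other bash process (PID 49); PID 1 is not among the rows, so each chain stops at the shell.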
 