menu bar mystery
December 16, 2011 12:22 PM

What does this Eye of Horus in my Mac menu bar do?

My sister found this on her menu bar. It's the one that looks like the Eye of Horus symbol. We think her boyfriend put that on because he does stuff like that. Anyway, we can't even turn it off because it won't allow it until you put in a password, which we don't know.
Thanks for your help and time.
posted by alteredcarbon to Technology (25 answers total) 12 users marked this as a favorite
Looks like the Refog keylogger.
posted by grouse at 12:26 PM on December 16, 2011 [2 favorites]

Looks like it has a stealth capability but maybe her boyfriend forgot to turn it on.
The program can run in stealth mode so spouses and children will have no idea their activities are being monitored.
posted by grouse at 12:27 PM on December 16, 2011

I don't recognize it right off, but you might be able to find out by going to System Preferences, selecting "Accounts", and clicking on the "Login Items" tab. That should give you a list of things that start up automatically with the account (if she has admin privileges.) She might also be able to turn it off there.
posted by Johnny Assay at 12:27 PM on December 16, 2011

jesus, call the bank to cancel credit cards, use another computer to change all the passwords and per zomg DTMFA ASAP.
posted by chasles at 12:33 PM on December 16, 2011 [11 favorites]

And shut down that computer's Wifi, until a full scan has been completed.
posted by IAmBroom at 12:35 PM on December 16, 2011

Also if you live in the same house you may want to do a very very careful sweep of your computer as well. Jesus Christ. Get this fucker away from you and your family as fast as humanly possible.
posted by WidgetAlley at 12:36 PM on December 16, 2011 [2 favorites]

Best answer: I just found a place where you can download some freeware that will let you uninstall Refog Keylogger -- and it's got the same eye-of-horus symbol on the site, which suggests that yeah, this is the problem.

So here's the freeware I found that should uninstall it.
posted by EmpressCallipygos at 12:37 PM on December 16, 2011

Best answer: If you're confused with what's making people freak out: "Keylogger" means software that spies on every single thing you type, at all times. Email, passwords, you name it, he's got it. So basically he's spying on her in a way that would be unacceptable even if he told her about it in advance; if he installed it and didn't tell her, that automatically marks him as 100% totally untrustworthy and should be dumped, avoided, and all passwords to everything changed (on a different computer) IMMEDIATELY. Do not pass go, do not collect $200, just DTMFA ASAP.
posted by Tomorrowful at 12:39 PM on December 16, 2011 [9 favorites]

Oh my crimmus.

I need a mac for testing anti-malware and dealing with things like this. Yeah, from what I'm seeing, it's what grouse says. See if you can find something in the applications folder for Refog that you can uninstall. All I've found so far is Windows instructions for removal that might be adaptable-ish.

On preview, EmpressCallipygos gets it.
posted by deezil at 12:39 PM on December 16, 2011

(Note: the link above is actually for the program MacScan, an anti-spyware program for Macs. But it claims to be able to detect the Refog program as one of those spyware programs -- and the same symbol on that page appearing there caught my eye.)
posted by EmpressCallipygos at 12:39 PM on December 16, 2011

IF her BF did this have her dump him as soon as possible. Is your sister's account an admin of the machine? If not, does she know the admin password?
posted by majortom1981 at 12:41 PM on December 16, 2011

You don't have admin access to the system? Dropping to command line running as superuser should allow you to find and kill ANYTHING on the system. But safest bet is to back up all data then do a wipe and clean reinstall.
posted by caution live frogs at 12:45 PM on December 16, 2011 [1 favorite]

Dropping to command line running as superuser should allow you to find and kill ANYTHING on the system.

Yeah, but there are all sorts of tricks that can be done to start up a killed process again, or to make a process non-obvious. It would take even an expert administrator some considerable time and effort to assure herself that a piece of rogue software was completely stripped from a system. I wouldn't recommend trying to figure this out yourself unless you really know what you're doing.

I probably wouldn't trust MacScan either. This is kind of a reinstall the OS situation.
posted by mr_roboto at 12:50 PM on December 16, 2011 [2 favorites]
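
One concrete way a killed process comes straight back on a Mac is a launchd job with KeepAlive set, which is the kind of trick mr_roboto is describing. The following is an added example, not code from the thread or from Refog: it parses launchd job plists (a constructed sample with a placeholder label and program path is embedded) and reports which jobs start at login and which launchd will relaunch after a kill; on a real Mac it reads the standard LaunchAgents and LaunchDaemons directories.

```python
import plistlib
from pathlib import Path

# Constructed sample launchd job (placeholder label and path, not from the
# thread or any real product). RunAtLoad starts it at login; KeepAlive tells
# launchd to relaunch the program every time the process exits.
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.monitor</string>
    <key>ProgramArguments</key>
    <array><string>/Library/Application Support/Example/monitor</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Standard launchd job directories on macOS: per-user agents, system agents, daemons.
LAUNCHD_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")


def summarize_launchd_job(data: bytes) -> dict:
    """Pull out the fields that decide whether a killed job comes back."""
    job = plistlib.loads(data)
    program = job.get("Program")
    if program is None:  # most jobs use ProgramArguments instead of Program
        args = job.get("ProgramArguments") or []
        program = args[0] if args else None
    # KeepAlive is a bool or a dict of conditions; any non-empty form restarts the job.
    return {
        "label": job.get("Label"),
        "program": program,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "restarts_on_exit": bool(job.get("KeepAlive", False)),
    }


def find_restarting_jobs(jobs: dict) -> list:
    """Given {path: plist bytes}, return the paths launchd would relaunch on exit."""
    return [p for p, data in jobs.items() if summarize_launchd_job(data)["restarts_on_exit"]]


def load_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict:
    """Read every .plist from the standard job directories that exist on this host."""
    found = {}
    for d in dirs:
        base = Path(d).expanduser()
        if base.is_dir():
            for f in base.glob("*.plist"):
                found[str(f)] = f.read_bytes()
    return found
```

Run `find_restarting_jobs(load_launchd_dirs() or {"sample": SAMPLE_AGENT_PLIST})` to list the jobs that would survive a plain kill; anything unfamiliar there is a reason to prefer the wipe-and-reinstall advice over hunting processes by hand.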

Response by poster: Thank you for all your answers. Love the very quick response! As I write this I'm talking to her and showing her all these scary, eye opening, thoughtful explanations. Thanks again.
posted by alteredcarbon at 12:59 PM on December 16, 2011

If you're not totally confident with the technical side of this, I found a number of small stores and individuals providing Mac support in your area, googling things like " apple support." Telling a competent tech "My now-ex boyfriend put a keylogger on this thing, I need a total reinstall" should put you right in a hurry.
posted by Tomorrowful at 1:10 PM on December 16, 2011

Somebody's getting coal in their stocking for Christmas and deservedly so. The BF needs to explain himself and have a really, really, really good reason for installing a Keylogger on the computer. Like solving cancer good reason.

Very creepy but at least he's a bad snoop and didn't turn on the stealth setting.
posted by fenriq at 1:16 PM on December 16, 2011

From the Quick Start pdf downloaded from their website:

How to Uninstall
To Uninstall Refog and a Monitoring Tool run Refog Viewer as described in «How to Launch». Then click «Monitoring > Uninstall...» menu (This menu can also be accessed by using Refog icon in application toolbar). A confirmation dialog will appear.
If you wish to completely erase collected information and screen shots then check «Delete Logs and Screen Shots» option. This action is permanent and cannot be undone.
Click «Remove» button in a dialog sheet that appears. You will be prompted for a password to continue.
Your Mac will no longer be monitored. If you did not choose to erase collected information, then you can download and reinstall Refog later to view that information.
posted by blob at 1:16 PM on December 16, 2011

You have no idea what other crap someone might have installed. Nuke the site from orbit. It's the only way to be sure. The "uninstall" solutions supplied above are likely insufficient.

Disconnect the machine from any network, wired or wireless. Wipe it and reinstall from known clean media. File a police report, get all of your financial account numbers changed, change all your passwords.
posted by grouse at 1:23 PM on December 16, 2011 [5 favorites]

Before you string the guy up, keep in mind that it's only speculation that the BF put this on there in the first place. The machine could have been compromised in any of a number of other ways. (But the BF is an obvious suspect, I agree.)
posted by hattifattener at 1:32 PM on December 16, 2011

I agree with hattifattener. It looks to me like the best thing would be to take it to a Mac specialist and see if they can at least give things like the date of installation, and other analysis of what's been logged. Although obviously everything that might have been typed into it is now suspect.

If she does choose to challenge him and he admits it, then she should absolutely get him to show her what's been logged.
posted by ambrosen at 2:02 PM on December 16, 2011

I'd start collecting information for a potential lawsuit here, especially if financial data has been compromised. Hopefully it won't come to that, but it can't hurt to be careful. Start writing down when you noticed it, what you did, and try to figure out date of installation.

Then wipe the motherfucker.
posted by Michael Pemulis at 6:47 PM on December 16, 2011

Here's how to image the hard drive for later forensics purposes. Make sure to write down everything you do in a logbook in case it goes to the police or court. Document a signature for the disk image somewhere semi-public where it gets a timestamp that you can't alter. Later, if you want to check the keylogs and screenshots, you can mount the disk image and view it without altering the hard drive (talk to your local command line guru).

Nthing reinstall the OS. The guy must have needed the admin password to get the keylogger on, which means the machine could have all sorts of crap running on it.
posted by benzenedream at 1:48 AM on December 17, 2011 [1 favorite]
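
The "signature plus logbook" step benzenedream describes is a chain-of-custody record: hash the image once, write the hash, time and action down, and re-check the hash before every later look at it. This is an added example, not code from the thread; it assumes the image already exists as a file (the `demo()` function builds a small constructed stand-in, not real evidence) and uses a JSON-lines logbook as one reasonable format.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly very large) image file without reading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_entry(image_path: str, log_path: str, action: str, operator: str) -> dict:
    """Append one JSON line (UTC time, operator, action, size, SHA-256) to the logbook."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "action": action,
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash the image before each later examination and compare with the logged value."""
    return sha256_file(image_path) == expected_sha256


def demo() -> dict:
    """Run the workflow on a constructed stand-in for a disk image (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dmg")
        log = os.path.join(tmp, "custody.jsonl")
        with open(image, "wb") as f:
            f.write(b"constructed sample image bytes\n" * 1000)
        entry = record_custody_entry(image, log, "imaged", "operator-placeholder")
        intact = verify_image(image, entry["sha256"])
        with open(image, "ab") as f:  # simulate the image being touched afterwards
            f.write(b"\x00")
        with open(log, encoding="utf-8") as f:
            log_entries = len(f.read().splitlines())
        return {"sha256": entry["sha256"], "intact": intact, "log_entries": log_entries,
                "intact_after_change": verify_image(image, entry["sha256"])}
```

Publishing the printed SHA-256 somewhere timestamped that you cannot edit later (the "semi-public" place in the post) is what lets a third party confirm the image was not altered after that time.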

If you can, before you wipe the machine make a complete backup. I can think of no innocent reason why a keylogger has been installed, investigation might reveal who it was phoning home to.
posted by epo at 4:36 AM on December 17, 2011

N'thing the wipe and reinstall sentiment. These things are like cockroaches: if you've seen one (especially if out in the open like this) you have to assume there will be others.
posted by epo at 4:48 AM on December 17, 2011

It would cost a little, but it might be most straightforward to simply remove the hard drive, put it on a shelf for later forensic investigation, and install from install disks onto a newly-purchased hard drive. Ask someone how to mount the old drive readonly if you need to get some files off of it.
posted by hattifattener at 11:56 AM on December 17, 2011 [2 favorites]
