1) Assuming that the server is also malware free, and that you aren't subject to a Man in the Middle (MitM) attack, only the client and the server can monitor the connection. It's easy to see how the session can be monitored if client or server is compromised. MitM is the real attack vector against this.
With MitM, the attacker presents the client with a certificate that purports to be the server's. The attacker effectively proxies the client's requests. This does require that the client either accept a certificate warning, the attacker has attacked a certificate authority and has fraudulently issued a legitimate SSL cert to his or herself, or that the attacker has control over DNS from the client to bypass the security checks a browser does on an SSL certificate.
2) If one monitors the handshake, and knows (or can cryptographically attack) the private key used to establish the session key for the connection, one can decrypt the SSL session. Wireshark, for example, is able to do this out of the box.
3) Successfully attacking the CA is going to get you a valid certificate for a domain of your choice. Comodo was attacked a year or so ago, and issued some bad certs for Google. This is not required to successfully attack a connection, though.
As mentioned, one can man in the middle. There have been protocol vulnerabilities in SSL1 and SSL2 that allow cryptographic attacks. The current iteration of TLS is good, as far as we know, but it is an area of crypto research. Additionally, the SSL handshake negotiates the algorithm used for encryption. Multiple weak encryption algorithms are enabled by default (there's actually a null cipher suite that does no encryption!), and if used can compromise the confidentiality of your connection.
