finder corrupt? - Strange characters in menu

You lost nothing. Put back the files you moved, log out, and log back in.

I never said he lost anything, only that he could "break" stuff. Yes you can always put the stuff back. I was only trying to point out that it's a lot easier just to work with a copy so you don't have to put all the stuff back.

Can I take the .plist that is related to keychain in preferences and move it back?

If you can get it back in with the same permissions owner and group I don't see why not.

Any more ideas? Anything in the hidden files? I really appreciate all your help.

Whatever happened to replacing the entire ~/Library/Preferences directory? While there is stuff "above that" in ~/Library as implied by Davis earlier you got to start somewhere.

The fact that you say only your specific account has the problem and no others tells me the finder is fine. But if insist on playing around with system components I'll reiterate again, have a backup.

The finder must be where that article you reference says it is,

/System/Library/CoreServices/Finder.app

All you have to do in terminal is the following to confirm that:

ls -ld /System/Library/CoreServices/Finder.app

The command to copy it from some other volume would be,

sudo cp -rp /Volumes/volumename/System/Library/CoreServices/Finder.app /System/Library/CoreServices/

where volumename is the name of the source volume. Sudo will cause a prompt for your admin password.

Although you seem to have ruled it out, you should check that you're not infected with the "Flashback" trojan by download and running the malware detector ClamXav. See the following thread:

Finder shows strange letter and number...: Apple Support Communities

mudpize wrote:

I'm running the scan. It's going to take a long time.

I don't believe that ClamXav will be able to find it as it only looks for the installer which destroys itself when finished with the installation. There is also evidence that the installer signatures are being changed by the bad guys periodically.

The only way I know of to be sure whether you have been infected or not is to look for those five files that Linc pointed out. If you only have the first one in the hidden folder, then that's OK, but the other four are unique to this Trojan.

If you have been infected, you need to remove all five files during the same session. If you don't you might not be able to log back into your account.

But I can already tell you I am seeing things like Trojan-234 & BC. Heuristic.Trojan being reported in some instances. UGH!

If the infection names don't contain the letters "OSX" then chances are good that they are not Mac OS X malware. The Heuristic one might possibly be since it bases it's judgement on a best guess rather than a specific signature, but there are often false alarms with the heuristic ones.

mudpize wrote:

I've located all 5 of those files that you have referenced on the other thread.

.MacOSX/environment.plist is a hidden file but I turned on Tinker Tool to locate. Shall I remove the whole folder there or just the file there?

Just the file. The folder is normally present in every user account and sometimes contains a good environmental.plist, but the installer completely replaces whatever is there with the one you have.

Edit: Instead of trashing the files, can you temporarily move them all to a folder somewhere like your desktop. I may need to ask you to upload them to a couple of AV Sample databases so we can get the AV community working on coming up with signatures for them.