Q: Drop down menus changed to numbers

huffdesign

macrumors newbie

 

Join Date: Sep 2003

 

I have items in my finder menus that have changed to numbers. Example: cut is ME1, Empty trash is A3. The issue seems to keep expanding to new menu items as well. My sidebar lists my hard drive as SDS, time machine as SD6, and places as SD8. My command click menu has numbers in place of items as well. I keep finding new things changing. What may be causing this problem?

iMac, Mac OS X (10.6.8)

Posted on Oct 5, 2011 7:08 AM

  • by X423424X,

    X423424X, Oct 6, 2011 7:46 PM in response to MadMacs0
    Level 6 (14,237 points)
    That has happened to at least three other people who went through this. Nobody seems to know why, but restarting a second time seems to solve it.

     

    Hmm, I can't conceive how that can happen.  But you've been tracking this problem closer than I have so I accept what you say.  It would be nice to know, however, how it could happen, if for no other reason than for our own enlightenment.  (fouled up cache perhaps?)

  • by MadMacs0,

    MadMacs0, Oct 6, 2011 8:14 PM in response to X423424X
    Level 5 (4,801 points)

    X423424X wrote:

     

    Hmm, I can't conceive how that can happen.  ...(fouled up cache perhaps?)

    That makes more sense than anything else I can think of. A login cache looking to load one of the components.

  • by fredbone,

    fredbone, Feb 20, 2012 4:35 AM in response to X423424X
    Level 1 (0 points)

    I had the exact same problem as the original poster; I only noticed it when Skype stopped working and I was poking around in Finder. Your solution fixed the Finder menu, and on reboot Skype worked again. Thanks.

  • by aceci,

    aceci, Mar 20, 2012 10:57 PM in response to X423424X
    Level 1 (0 points)

    I have the same problem now, but couldn't understand where to do the following:

     

    'A quick and easy way to remove them and not worry about seeing them is to just delete them using the following terminal command (cut/paste the following line):

     

    rm -rf ~/.MacOSX/environment.plist

    rm -rf ~/Library/Logs/swlog

     

    You shouldn't see any messages when doing these.'

     

    Could you help me? I've already scanned my computer with ClamXav, and no viruses were found. I don't know what else to do.

     

    thanks!

  • by X423424X,

    X423424X, Mar 20, 2012 11:28 PM in response to aceci
    Level 6 (14,237 points)

    I have the same problem now, but couldn't understand where to do the following:

     

    Open Terminal (in Utilities) and enter (copy/paste) those lines into the terminal (one at a time, hit return after entering the line).

  • by MadMacs0,

    MadMacs0, Mar 20, 2012 11:42 PM in response to aceci
    Level 5 (4,801 points)

    aceci wrote:

     

    I have the same problem now, but couldn't understand where to do the following:

     

    'A quick and easy way to remove them...

    That guidance was probably OK back in October, but it really doesn't do the job any more.

     

    First I need you to do this:

    Open the Terminal application (in /Applications/Utilities/), copy and paste the following command into a terminal window and press return.

     

             defaults read ~/.MacOSX/environment

     

    If the file doesn't exist, defaults returns

     

    Domain /Users/<username>/.MacOSX/environment does not exist

     

    If it does exist, it returns its contents.

     

    The malware entry will look something like this:

    {

        "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";

    }

    If you are infected, copy and paste the results here. Under no circumstances should you try to delete anything without further instruction, as doing so can easily prevent you from logging into your account.

  • by MadMacs0,

    MadMacs0, Mar 20, 2012 11:41 PM in response to X423424X
    Level 5 (4,801 points)

    X423424X wrote:

     

    Open Terminal (in Utilities) and enter (copy/paste) those lines into the terminal (one at a time, hit return after entering the line).

    I think we need to find out the name of the other file(s) first.

  • by X423424X,

    X423424X, Mar 20, 2012 11:58 PM in response to MadMacs0
    Level 6 (14,237 points)

    I was just replying to exactly what he was requesting.  He didn't even know about the terminal.

     

    But yes, I agree, we need a more exhaustive file list.  Actually I picture an ever-growing script where more and more ls's are added as more and more strains create pathname variants.  Probably a never-ending process.

     

    I haven't written my script as yet but here's a guide:

     

    defaults read ~/.MacOSX/environment

    ls -la ~/.MACOSX/environment.plist

    ls -la ~/Library/Application\ Support/*.so

    ls -la ~/Library/Logs/vmLog

    ls -la /Users/Shared/*.so

    ls -la /Users/Shared/.svcdmp

    ls -la /Applications/Safari.app/Contents/Resources/*COAA*

    ls -la /Applications/Safari.app/Contents/Resources/ | grep "^\."

     

    In an actual script I would just handle the results of each ls to report in a more user-friendly way.  For example, if you just run that collection of commands in the terminal and don't have any of that stuff, you've got to look at each line just to see the "No such file or directory" errors between each command.  A script that handles the errors and summarizes the results would be a lot more "elegant".  It's trivial to write.  I just haven't bothered as yet.

  • by aceci,

    aceci, Mar 21, 2012 12:09 AM in response to MadMacs0
    Level 1 (0 points)

    That is how it comes:

     

    Last login: Wed Mar 21 10:36:27 on console

    cecilia-rochas-MacBook-Pro:~ ceciliarocha$ defaults read ~/.MacOSX/environment

    {

        "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.WondershareWMVMovie.so";

    }

    cecilia-rochas-MacBook-Pro:~ ceciliarocha$

     

     

    What should I do now?

  • by MadMacs0,

    MadMacs0, Mar 21, 2012 12:33 AM in response to aceci
    Level 5 (4,801 points)

    aceci wrote:

     

        "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.WondershareWMVMovie.so";

     

    What should I do now?

    Select "Go to Folder" from the "Go" menu of the Finder (or type Command-Shift-G).

    In the window copy and paste the following: 

     

         ~/.MacOSX/ and hit return.

     

    Make note of the date the file "environment.plist" was created / modified then drag it to the trash.

     

    Open the Terminal app (found in /Applications/Utilities/)

    Copy and paste the following commands into a Terminal window after the "$ " prompt, followed by the return key: 

     

         rm -rf ~/"Library/Application Support/.WondershareWMVMovie.so"

     

         rm -rf ~/Library/Logs/vmlog

     

         rm -rf /Users/Shared/.WondershareWMVMovie.so

     

         rm -rf /Users/Shared/.svcdmp

     

    You will not receive confirmation of deletion, but you may be told that some of the files do not exist as not all have been found by all users.

     

    Holding down the option key, select "Empty Trash" from the Finder menu, then restart your computer. All the visible signs of the Trojan should be gone at this point.

     

    Again I want to emphasize that we do not know enough about this Trojan to be confident all the damage has been repaired. You are still advised to make certain you have a solid backup of your data and, using the original installation disks, install and update OS X and all your applications from a trusted source. Then restore your data files from backup. Or use TimeMachine to take you back to the date you were infected.

     

    And lastly, Intego has discovered that the Trojan attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other nefarious ways, and sends them back via Twitter. You should assume that happened and change the passwords for all such accounts that you have visited since being infected along with any other accounts that use the same password.

  • by aceci,

    aceci, Mar 21, 2012 2:47 AM in response to MadMacs0
    Level 1 (0 points)

    Thanks a lot, the skype is back, the finder is normal.

    And thanks for the patience and great explanation!

  • by MadMacs0,

    MadMacs0, Mar 23, 2012 1:11 AM in response to X423424X
    Level 5 (4,801 points)

    X423424X wrote:

     

    I haven't written my script as yet but here's a guide:

     

    defaults read ~/.MacOSX/environment

    ls -la ~/.MACOSX/environment.plist

    ls -la ~/Library/Application\ Support/*.so

    ls -la ~/Library/Logs/vmLog

    ls -la /Users/Shared/*.so

    ls -la /Users/Shared/.svcdmp

    ls -la /Applications/Safari.app/Contents/Resources/*COAA*

    ls -la /Applications/Safari.app/Contents/Resources/ | grep "^\."

    That matches most everything that I have scattered around in my notes. I can't get the last one to work in an AppleScript, which is what was holding me up.

     

    But then I found F-Secure's writeup on what they call Trojan-Downloader:OSX/Flashback.I, which has a detailed procedure to remove either of two installations, depending on whether you are a user with an admin password or not. It reveals a couple of files that nobody else has picked up yet.

     

    So add defaults read /Applications/Safari.app/Contents/Info LSEnvironment

     

    and change your first one to defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

  • by X423424X,

    X423424X, Mar 23, 2012 2:04 AM in response to MadMacs0
    Level 6 (14,237 points)

    Yes, I saw your reference to the "I" strain (fitting name at this point "eye strain") in another post.  Wonder what happened to "H"? 

  • by X423424X,

    X423424X, Mar 23, 2012 2:24 AM in response to MadMacs0
    Level 6 (14,237 points)

    (missed the forum edit time out again)

     

    Ok, here's the current updated list:

     

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    ls -la ~/.MACOSX/environment.plist

    ls -la ~/Library/Application\ Support/*.so

    ls -la ~/Library/Logs/vmLog

    ls -la /Users/Shared/*.so

    ls -la /Users/Shared/.svcdmp

    ls -la /Applications/Safari.app/Contents/Resources/*COAA*

    ls -la /Applications/Safari.app/Contents/Resources/ | grep "^\."
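
The summarizing script discussed in this thread, as an added example that is not part of the original posts: a read-only bash function that checks the listed locations and prints one summary instead of a run of `ls` errors. The name `flashback_scan`, its optional root and home arguments, and the text match on plist key names (used in place of `defaults read`) are assumptions; it also checks dot-prefixed `.so` names such as the one reported earlier in the thread, which a bare `*.so` glob does not match.

```bash
#!/bin/bash
# Read-only check for the Flashback indicators listed in this thread.
# flashback_scan [ROOT] [HOME_DIR]: hypothetical helper; both arguments are
# assumptions added so a mounted backup or a test tree can be scanned.
# Usage on the running system: flashback_scan
flashback_scan() {
    local root="${1:-}" home="${2:-$HOME}" hits=0 f
    local safari="$root/Applications/Safari.app/Contents"
    local env_plist="$home/.MacOSX/environment.plist"

    # Text match on the key names (stand-in for `defaults read`);
    # -a makes grep treat a binary plist as text.
    if grep -aq 'LSEnvironment' "$safari/Info.plist" 2>/dev/null; then
        echo "FOUND: LSEnvironment key in $safari/Info.plist"
        hits=$((hits + 1))
    fi
    if grep -aq 'DYLD_INSERT_LIBRARIES' "$env_plist" 2>/dev/null; then
        echo "FOUND: DYLD_INSERT_LIBRARIES key in $env_plist"
        hits=$((hits + 1))
    fi

    # Paths from the list. "*.so" skips dot-prefixed names, so ".*.so" is
    # checked too. An unmatched glob stays literal and fails the -e test.
    for f in "$home/Library/Application Support/"*.so \
             "$home/Library/Application Support/".*.so \
             "$home/Library/Logs/vmLog" \
             "$root/Users/Shared/"*.so "$root/Users/Shared/".*.so \
             "$root/Users/Shared/.svcdmp" \
             "$safari/Resources/"*COAA* "$safari/Resources/".[!.]*; do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            hits=$((hits + 1))
        fi
    done

    if [ "$hits" -eq 0 ]; then
        echo "No listed indicators found."
        return 0
    fi
    echo "$hits indicator(s) found; nothing was deleted."
    return 1
}
```
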

  • by X423424X,

    X423424X, Mar 23, 2012 3:09 AM in response to MadMacs0
    Level 6 (14,237 points)

    Just as an exercise I wrote a shell script (feel more comfortable with bash than applescript) to do what those F-Secure instructions describe.  Below is the untested script.  What is missing is the exact pathname extractions from those __ldpath__ greps.  I am not sure what the syntax of the line that results from those greps is, so I don't know how to parse it.

     

    #!/bin/bash

    # Flashback.I Removal
    # http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    # step 1, 2: read the injected library path, if any, from Safari's Info.plist
    safari_info_environment="$(defaults read "/Applications/Safari.app/Contents/Info" DYLD_INSERT_LIBRARIES)"

    # step 3
    if [ "$safari_info_environment" ]; then
        # step 4, 5: search that library file for its __ldpath__ string
        # (the match still begins with "__ldpath__"; the pathname itself is not extracted yet)
        ldpath="$(grep -a -o '__ldpath__[ -~]*' "$safari_info_environment")" ## extract pathname
        # step 6: remove the LSEnvironment entry and restore the plist permissions
        sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment 2> /dev/null
        sudo chmod 644 /Applications/Safari.app/Contents/Info.plist 2> /dev/null
        # step 7: delete the files found in steps 2 and 5
        rm -rf "$safari_info_environment"
        if [ "$ldpath" ]; then
            rm -rf "$ldpath"
        fi
    fi

    # step 8, 9: read the injected library path, if any, from the per-user environment
    macos_environment="$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES)"
    if [ "$macos_environment" ]; then
        # step 10, 11: same __ldpath__ search, plus removal of the environment entry
        ldpath="$(grep -a -o '__ldpath__[ -~]*' "$macos_environment")" ## extract pathname
        defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null
        launchctl unsetenv DYLD_INSERT_LIBRARIES 2> /dev/null
        # step 12: delete the files found in steps 9 and 11
        rm -rf "$macos_environment"
        if [ "$ldpath" ]; then
            rm -rf "$ldpath"
        fi
    else
        echo "Your system is clean."
    fi
