Malware? Something has my Mac in a knot!

However, along the way, it had asked for an administrator name and password.

What had asked for an administrator password? What did you authorize?

Please read this whole message before doing anything.

This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software – potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions – they’re easy to carry out and won’t change anything on your Mac.

These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.

Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.

Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, press the key combination shift-command-U. The application is in the folder that opens.

☞ If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Terminal in the page that opens.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” (without the quotes) and press return. You should then get a new line ending in a dollar sign.

Step 1

Copy or drag – do not type – the line below into the Terminal window, then press return:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.)

Step 2

Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.

Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Important: If you synchronize with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.

Step 5

osascript -e 'tell application "System Events" to get name of every login item'

Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer – no typing, except your password. Also remember to post the output.

You can then quit Terminal.

Would you provide your mother's maiden name, your birthdate, your SSN to an anonymous caller? I doubt it. Don't provide names and passwords just because a popup advertisement requests it.

I have a Time Capsule. Could I just restore from two days ago and not have to worry about any of the above actions?

That may be the easiest solution.

Change your passwords. All of them.

And, bam, a pop-up came up saying I was a Michigan winner. How the heck does this pop up know I am from Michigan????

Your IP address is not hidden. It's trivial to correlate it to an approximate geographic location.

Never install anything without knowing what it is, and never provide your name and password without knowing what you are doing. Nothing can prevent phishing attempts.

It is possible that it was, since it is normal to encounter that before shutting down when a user is connected.

My response was predicated on the following:

... along the way, it had asked for an administrator name and password. ...

1. I probably came across a similar malware issue
2. I probably gave my password to an enemy ....

Given your uncertainty my advice remains the same.

Did the dialog look similar to this? If you're absolutely sure that it did, you should be OK. Otherwise please respond to my last post.

If you boot Lion Recovery restoring from a TM backup will erase the target disk anyway, but if erasing it first will ease your mind then go ahead.

Makes me a little anxious as I haven't had to test my time machine/time capsule before now.

Only one way to find out!

It is a bit unsettling in that there is no way to determine in advance that your TM backup is going to work or not. However, I have done this many times with no problems. Time Machine is pretty reliable.