I think our Mac Pro (not MacBook Pro) might have a virus - help!

Question

Level 1

8 points

I think our Mac Pro (not MacBook Pro) might have a virus - help!

Mac Pro early 2008 (NOT a MacBook Pro -- this is a tower desktop not a laptop)
2x2.8 GHz Quadcore Intel Xeon

OSX 10.8.5
4 internal hard drives

4 external hard drives

Here are most of the details of the problem:
The Finder's behavior is very, very odd.
Cannot type text into Spotlight - the text entry box will not accept any entries.
Cannot type admin password into login or for other uses.

Cannot access drop-down menus in various windows.

When I click on the desktop using the cursor, I get a strange little floating Finder window that is attached to the cursor that includes the following: New Folder, Get Info, Change Desktop Background, Clean Up, Sort By, Show View Options.

I seem to be able to access drop-down menus from top menu bar... BUT, I'm not sure about this. They seem to be general finder drop-down selection menus that include: Open, New Folder, Get Info, Change Desktop Background, Clean Up, Sort By, Show View Options.
To access any parts of the Finder (files, applications, and other content), I have to use an "Open" menu choice that is available in a separate window that pops up next to the cursor. Applications will not open by just clicking on Icons. Files will not open by clicking on their Icons, etc.

I tried repairing permissions, that helped for a while, and made it possible to access email for a short while, but didn't solve the finder problem.
The Finder problem affects all system applications.
After trashing the Finder .plist, I was able to access iTunes briefly and play a song, but that access lasted only a few minutes and then the Finder problem returned.

When I inserted a thumb drive to backup my User Library, at first I was able to use the Finder to access the contents of the thumb drive in a normal fashion, but after about 5 minutes, that normal access was no longer available and the symptoms described above appeared on the thumb drive Finder window as well.

I tried putting com.apple.finder.plist in the trash, and logout, but then I was unable to login again because I was unable to type in my administrator password - the password text box. I performed a manual shutdown and found that my User account was available without login. Then, I was able to access iTunes briefly and play a song, but that access lasted only a few minutes and then the Finder problem returned.

Recently, I updated Java from a pop-up prompt on my desktop. Also, I recently updated Adobe Flashplayer from a pop-up prompt that appeared on my desktop. Both of these just popped up while I was working with photos, checking email, etc. I fear that one or both of these were fake prompts and have installed a virus or malware.

I backed up my data to external drives, but I do not know if whatever is affecting my startup disk has also affected my external backup drives.

Is there a virus in my system?

Posted on Jul 3, 2015 12:23 PM

Reply

Answer 1

abstruse Author

Level 1

8 points

Jul 3, 2015 1:12 PM in response to abstruse

PS. We also tried booting in Safe Mode, and then restarting, but that did not make any difference.

Reply

Answer 2

Jul 3, 2015 1:14 PM in response to abstruse

Please download and install EtreCheck from http://www.etresoft.com/etrecheck

Run it and post the report here.

Reply

Answer 3

abstruse Author

Level 1

8 points

Jul 3, 2015 1:19 PM in response to Allan Eckert

We cannot install applications on the affected computer because its Finder will not operate normally and the window that requests the administrator password will not accept any text in the password text box. We tried running the Activity Monitor app on the affected computer, but could see only "my processes. The drop down menu that controls what processes are visible in the app's window was inoperative. I am writing this response using a different computer. We have disconnected the affected computer from our Airport and have shut it down.

Reply

Answer 4

Jul 3, 2015 1:21 PM in response to abstruse

That behavior has nothing to do with a virus. Try starting up in safe mode (hold the shift key before the startup chime and release when you see the Apple logo), and then downloading EtreCheck as Allan suggested.

Reply

Answer 5

abstruse Author

Level 1

8 points

Jul 3, 2015 1:24 PM in response to stevejobsfan0123

I just took a look at the EtreCheck page and noticed that it does not require a password. We will try your suggestion ... safe mode and Etrecheck...

Reply

Answer 6

abstruse Author

Level 1

8 points

Jul 3, 2015 1:36 PM in response to stevejobsfan0123

We just booted in Safe mode following your instructions, and tried to use both Safari and Firefox to reach the EtreSoft website, but neither browser will allow anything to be typed into the Google search window or the url address text box of the browser...there is a blinking text thing, but typing text into these text boxes is not allowed. Same problem with the admin password text box, the Spotlight text box, or any other text input box - input is not possible.

Reply

Answer 7

abstruse Author

Level 1

8 points

Jul 3, 2015 1:41 PM in response to stevejobsfan0123

If we download Etrecheck to a different computer (the one we're using to communicate on this thread), and copy the app to a CD, can we install the app on the affected computer with the copy on a CD? We will try this...not sure if it will work...

Reply

Answer 8

abstruse Author

Level 1

8 points

Jul 3, 2015 1:51 PM in response to abstruse

We cannot transfer the app to the affected computer because the Finder will not allow us to open the CD tray!

We will now try to email the app to the affected computer and see what we can do through that route...

Reply

Answer 9

Jul 3, 2015 1:53 PM in response to abstruse

That should work as long the other computer is a Mac.

Copy the EtreCheck report to the CD and then send it from the Mac to post it here.

Reply

Answer 10

abstruse Author

Level 1

8 points

Jul 3, 2015 1:56 PM in response to Allan Eckert

We put the app on a CD, but could not transfer it to the affected computer because the Finder on that affected computer would not allow us to open the CD tray to insert the CD...We are now emailing the app to the affected computer and will see if we can access the app through email...I will report back. I hope we can run the app from the email message and then send the results back via email so that we can post those results here...not sure if any of this will be possible...we are trying...

Reply

Answer 11

abstruse Author

Level 1

8 points

Jul 3, 2015 2:12 PM in response to Allan Eckert

It was quite a challenge, and required a few workarounds...because of the Finder issues, but here is the EtreCheck report on the affected computer:

EtreCheck version: 2.2 (132)

Report generated 7/3/15 2:04 PM

Download EtreCheck from http://etresoft.com/etrecheck

Hardware Information: ℹ️

Mac Pro (Early 2008) (Technical Specifications)

Mac Pro - model: MacPro3,1

2 2.8 GHz Quad-Core Intel Xeon CPU: 8-core

16 GB RAM

DIMM Riser B/DIMM 1

1 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser B/DIMM 2

1 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser A/DIMM 1

1 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser A/DIMM 2

1 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser B/DIMM 3

4 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser B/DIMM 4

4 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser A/DIMM 3

2 GB DDR2 FB-DIMM 800 MHz ok

DIMM Riser A/DIMM 4

2 GB DDR2 FB-DIMM 800 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en2: 802.11 a/b/g/n

Video Information: ℹ️

ATI Radeon HD 2600 - VRAM: 256 MB

CG276 2560 x 1440

System Software: ℹ️

OS X 10.8.5 (12F2542) - Time since boot: 0:36:14

Disk Information: ℹ️

ST3320820AS_P disk0 : (320.07 GB)

disk0s1 (disk0s1) <not mounted> : 210 MB

Mr. Big (disk0s2) / : 319.21 GB (228.11 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

ST3000DM001-1CH166 disk3 : (3 TB)

disk3s1 (disk3s1) <not mounted> : 210 MB

Boot OS X (disk3s3) <not mounted> : 134 MB

Work3 (disk4) /Volumes/Work3 : 3.00 TB (785.42 GB free)

Core Storage: disk3s2 3.00 TB Online

WDC WD3003FZEX-00Z4SA0 disk1 : (3 TB)

disk1s1 (disk1s1) <not mounted> : 210 MB

Work2 (disk1s2) /Volumes/Work2 : 3.00 TB (1.15 TB free)

ST32000641AS disk2 : (2 TB)

disk2s1 (disk2s1) <not mounted> : 210 MB

Work 1 (disk2s2) /Volumes/Work 1 : 2.00 TB (169.30 GB free)

USB Information: ℹ️

EIZO EIZO USB HID Monitor

Apple, Inc. Keyboard Hub

Primax Electronics Apple Optical USB Mouse

Fitbit Inc. Fitbit Base Station

Apple, Inc Apple Keyboard

Apple Inc. Bluetooth USB Host Controller

Firewire Information: ℹ️

Lexar Pro CF Reader 400mbit - 400mbit max

Gatekeeper: ℹ️

Mac App Store and identified developers

Kernel Extensions: ℹ️

/Applications/Toast 10 Titanium/Toast Titanium.app

[not loaded] com.roxio.BluRaySupport (1.1.6) [Click for support]

/System/Library/Extensions

[not loaded] com.basICColor.driver.basICColorDISCUS (1.0.0 - SDK 10.4) [Click for support]

/Users/[redacted]/Library/Services/ToastIt.service/Contents/MacOS

[not loaded] com.roxio.TDIXController (2.0) [Click for support]

Startup Items: ℹ️

FxLicenseManager: Path: /Library/StartupItems/FxLicenseManager

ProTec6b: Path: /Library/StartupItems/ProTec6b

Startup items are obsolete in OS X Yosemite

Launch Agents: ℹ️

[not loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[loaded] com.google.keystone.agent.plist [Click for support]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]

Launch Daemons: ℹ️

[loaded] com.adobe.fpsaud.plist [Click for support]

[not loaded] com.adobe.SwitchBoard.plist [Click for support]

[running] com.fitbit.galileod.plist [Click for support]

[loaded] com.google.keystone.daemon.plist [Click for support]

[loaded] com.microsoft.office.licensing.helper.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]

[loaded] com.oracle.java.JavaUpdateHelper.plist [Click for support]

User Launch Agents: ℹ️

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[failed] com.amazon.cloud-player.plist [Click for support] [Click for details]

[running] com.amazon.music.plist [Click for support]

User Login Items: ℹ️

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Application (/Applications/Dropbox.app)

YouSendIt Desktop App UNKNOWN (missing value)

ColorNavigator 6 Application (/Applications/ColorNavigator 6.app)

Fitbit Connect Menubar Helper Application (/Applications/Fitbit Connect.app/Contents/MacOS/Fitbit Connect Menubar Helper.app)

Internet Plug-ins: ℹ️

JavaAppletPlugin: Version: Java 8 Update 45 Check version

FlashPlayer-10.6: Version: 18.0.0.194 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.1

AdobePDFViewerNPAPI: Version: 10.1.5 [Click for support]

Flash Player: Version: 18.0.0.194 - SDK 10.6 [Click for support]

SharePointBrowserPlugin: Version: 14.5.2 - SDK 10.6 [Click for support]

AmazonMP3DownloaderPlugin101750: Version: Unknown

Silverlight: Version: 5.1.30317.0 - SDK 10.6 [Click for support]

iPhotoPhotocast: Version: 7.0 - SDK 10.8

3rd Party Preference Panes: ℹ️

Flash Player [Click for support]

Java [Click for support]

Time Machine: ℹ️

Time Machine not configured!

Top Processes by CPU: ℹ️

1% WindowServer

1% fontd

0% ColorNavigator 6

0% Fitbit Connect Menubar Helper

0% imagent

Top Processes by Memory: ℹ️

197 MB Mail

131 MB mds

82 MB Dropbox

66 MB Finder

66 MB WindowServer

Virtual Memory Information: ℹ️

13.00 GB Free RAM

2.69 GB Used RAM

0 B Swap Used

Diagnostics Information: ℹ️

Jul 1, 2015, 08:16:00 PM /Library/Logs/DiagnosticReports/App Store_2015-07-01-201600_[redacted].hang

Jul 3, 2015, 01:26:40 PM Self test - passed

Reply

Answer 12

Jul 3, 2015 3:05 PM in response to abstruse

protec6b is a copy protection mechanism that checks in with a web site. At a minimum, I would set it aside until things are working better.

the 2600 display card is a certifiable antique. It could be the entire source of the problems.

Reply

Answer 13

Linc Davis

Level 10

209,547 points

Jul 3, 2015 3:35 PM in response to abstruse

You don't have a virus, and the "etrecheck" stuff is irrelevant.

Please read this whole message before doing anything.

This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

The purpose of this test is to determine whether the problem is localized to your user account. Enable guest logins* and log in as Guest. Don't use the Safari-only “Guest User” login created by “Find My Mac.”

While logged in as Guest, you won’t have access to any of your documents or settings. Applications will behave as if you were running them for the first time. Don’t be alarmed by this behavior; it’s normal. If you need any passwords or other personal data in order to complete the test, memorize, print, or write them down before you begin.

Test while logged in as Guest. Same problem?

After testing, log out of the guest account and, in your own account, disable it if you wish. Any files you created in the guest account will be deleted automatically when you log out of it.

*Note: If you’ve activated “Find My Mac” or FileVault in OS X 10.7 or later, then you can’t enable the Guest account. The "Guest User" login created by "Find My Mac" is not the same. Create a new account in which to test, and delete it, including its home folder, after testing.

Reply

Answer 14

abstruse Author

Level 1

8 points

Jul 3, 2015 5:30 PM in response to Linc Davis

Linc -- We logged out of our User account and logged in as Guest. While logged in as Guest, the Finder behaved normally for a minute or two, and then the same abnormal behavior experienced in the User account resumed. One of the tests we performed as Guest was to open a Finder window and click on various applications, which we were able to do without the strange floating menu attached to the cursor. We were also able to adjust the columns in the Finder window. And, we were able to double click on iTunes application without the strange menu of options appearing next to the cursor. Then, suddenly, the strange Finder behavior resumed and as Guest we could not adjust Finder columns, we could not type search terms into Spotlight, and the strange menu attached to the cursor reappeared for every action.

Reply

Answer 15

Linc Davis

Level 10

209,547 points

Jul 3, 2015 5:37 PM in response to abstruse

Let's take the simplest part first. The floating menu is due to right-clicking instead of left-clicking. If you're sure that you're providing the correct input, then the input device (mouse, trackpad, or trackball) isn't working. Disconnect it and try another one, if possible.

Reply