Have I got some malware when my Mac screen shows lines from Unix script on login, instead of going to the password dialogue box?

Very helpful note from, MrHoffman! I plan to follow the procedure you outlined, over the next few days, and come back with a copy of the diagnostic report if it seems to have additional pointers you can use. Thanks again.

Thanks MrHoffman. I've spent much of the past two days securing my business files, and associated software properly (including cold-storage stuff that will allow me to get back to work after a major attack); as well as keeping really sensitive business stuff off my internal drive.

Here is a follow-up report.

I am beginning the process of trying to track down which of the three programs installed last week has caused the sudden spontaneous (uninvited) appearance (on Thursday last) of what seems like Unix script on my screen during startup of Mac OS High Sierra (and Mojave also, I have just discovered following installing it in a separate partition, and migrating all software to run under it). In the mean time, I share with you some snippets of information connected with this odd development.

The opening lines of the visible login script are:

"waiting for DSMOS

Darwin/BSD (localhost) (console) login: SDXC

108211 controller: data ... "

The script suddenly appears on the screen after the progress bar of the Mac OS startup process has gone about 60% of the way to its end.

On opening the Terminal window I see that processing of Unix code began at the moment of login and there is this odd line: " -bash: /Users/lestone2/.profile: No such file or directory".

So I am asking myself, what is this file X that is missing, whose code caused the file to be sought, and how did we get that code (the search for missing file X) to execute automatically on login?

In the log (in Library) there is an "ims.log", and a folder named "CoreTelephonyTraceScratch". Inside this folder are two more "ims...log" files, and a "CSI.scratch" folder containing a file named "..x000...csi.txt". Lines in these files suggest to me (a dummy at this stuff, of course) that some kind of tracking is being set up (is someone setting up migrating info. from my computer over to their's, since the word "tracking" is used at least twice on one of these files), and one line includes explicit naming of my iCloud account email address.

I suppose this is all legitimate stuff linked to my free access to this wonderful OS built by Apple staff and supporting developers; but can you tell me very briefly what this is meant to achieve?

Thanks in advance.

PS. If you want to know which program is causing the uninvited piece of "verbose login script" to pop up on my screen let me know. I'll slowly figure out which one is the culprit over the coming days, as I pursue this search as a low-priority project, via OS installations in special test partitions (volumes on external drives).

Sorry I missed your question about "Etrecheck report", which is new to me. I just did a search to learn about it, and it seems I have to download some 3rd party software. I will do all of this over the next few hours and report again. Cheers!

A *big* thanks, MrHofman, for teaching me about EtreCheck, whose report I just scanned fairly carefully. Yes, indeed, the Intego Virus Barrier was recently updated, and am also targeting Teamviewer, Flash Player, the Paragon software, the MySQL app installed here, as well as MAMP Pro, all of which have been changed or installed in the last 10 days and do low-level operations.

I forgot to tell you that in my weekend tests, I did a clean install of High Sierra to a wiped partition and no migration of stuff from my old setup before shutting down and starting again. There was no appearance of the problem I have reported when I did the start-up. That result left me confident that I could take my time and find the bad-behaving code and then decide what to do once I found it; since I am fully protected against a major crash, and no testing is done with my main work system other than the use of the motherboard while a test i underway. (All loaded software and data for the tests are coming from external drives.)

Your note is very helpful, MrHoffman. I will follow the procedures you describe.

Hello again MrHoffman! I have just sent two email messages to "discussions ...", and one has the EtreCheck report. Thanks in advance for your attention.

Thanks MrHoffman. These are my two top priorities for removal in the next few hours.