
General discussion

Mac Virus?

Apr 23, 2007 6:27AM PDT

Yesterday something took over the desktop of my eMac. The desktop is framed by a transparent gray frame that pulsates in and out. If you open a window, the window begins to jump on and off the desktop, taunting you. At one point a small cartoon of a mushroom cloud came on the screen and made a sound and dissipated. Then a picture of someone's face came up. I think this is a very serious problem. Although I have no idea how to address this, why isn't anyone talking about it? Am I the first person on Earth to see this thing? Help!

Yep, sounds like you are the only one
Apr 23, 2007 10:12AM PDT

to be seeing this problem.
Of course, it would help if we knew what version of the OS you are running,
what you were doing just prior to the problem,
If you had installed anything recently,
Peer to Peer downloads, Limewire, etc.?

I can make a small cartoon of a mushroom cloud appear, make a sound and dissipate. The system does that when you drag an icon off the dock and onto the desktop.

Have you run Disk Utilities yet?

What happens if you create another account and log into that? Same thing?

P

more info
Apr 23, 2007 11:54AM PDT

I'm using 10.4.9.

I got worried that someone might be in my machine from the Internet so I unplugged the Inet connection and the problem disappeared. I'm running Norton right now.

Just for info, the problem basically takes over at start-up, so there is no way to log in to anything. Windows bouncing around create havoc and nothing can be launched. Thanks for your reply. Do you think Disk Utilities should also be run after Norton is finished?

even more
Apr 23, 2007 11:57AM PDT

I had just downloaded music from iTunes when the problem started. iTunes started dancing around and I thought the computer was just malfunctioning. When I restarted, the problem continued.

Thanks for your input mrmacfixit.

Strange,
Apr 23, 2007 9:55PM PDT

With the internet disconnected, reboot the machine and let us know if the problem still exists.

P

no
Apr 23, 2007 10:44PM PDT

With the Internet disconnected, the machine appears to be fine. I started scanning everything last night, which took hours, but no virus as far as Norton was concerned. Is there any way for someone to come in through the Inet and hijack my machine like that?

Possible but unlikely
Apr 24, 2007 2:46AM PDT

Make sure your Firewall is turned on.

System prefs, File sharing.

Once done, reconnect the internet and see what happens.

P

thanks much
Apr 24, 2007 2:54AM PDT

appreciate it.

I'd reply....
Apr 27, 2007 9:17AM PDT

... But it would probably be blocked.

(NT) you could try
Apr 27, 2007 11:10PM PDT
Hmm.
Aug 11, 2007 8:12AM PDT

It looks like someone is playing a prank on him over ssh. The picture of someone's face is the "preview" image viewer app which got remotely launched over ssh, the frame and bouncy windows is the "show desktop" function being toggled on and off repeatedly and the smoke is launchers being tossed out of the Dock.

Mighty Mouse
Apr 27, 2007 10:18AM PDT

Do you have a Mighty Mouse? I had a problem with my new iMac in which windows jumped all around and were just about impossible to work with. It turned out that the side buttons on my Mighty Mouse were hyper-sensitive and were engaging Expose whenever my fingers came near them. I solved the problem by turning off the side buttons on my Mighty Mouse.

Seriously strange symptoms...
Apr 27, 2007 11:07AM PDT

Sure you're not for example, clicking on Widgets and getting the dark gray screen...clicking on a widget and getting the pulsing widget launch...mistakenly dragging an icon off the dock and seeing the smoke puff...? You said if you disconnect yourself from the net it's OK. Have you reconnected to the net and it started again? Are all your dock icons still there?

How new is this Mac and how experienced a user are you? Oh, and did you recognize the person in the picture?

Unless one of your friends has a copy of Timbuktu (a remote computer management software program), installed it on your Mac and is playing a trick on you, it's almost beyond possibility that your computer could be "messed with" remotely by a stranger, especially if it's in your own home. It's just too hard to do...not to mention pointless.

Sounds like a keyboard problem.
Apr 27, 2007 11:11AM PDT

Try using a different keyboard/mouse if you have one available. Turn off the computer, replace the keyboard/mouse, Turn on the computer as you would any day (with internet connected).

If you don't know, the little transparent gray frame is a feature that hides the windows if they're open (hides them by jumping on/off the screen) in order to see the desktop. This feature, if I'm correct, is accessible via the F9 key (Don't quite remember, I don't own a Mac, I own a PC, but I've had some experience with Macs at school).

The small cartoon mushroom cloud is, as the other member mentioned, when an icon is dragged off the dock.

Where the picture of the face comes from, I don't know... but I'm willing to bet it's just a problem with your keyboard/mouse.

Good luck with that, call Apple support if the hardware doesn't seem to be the problem.

is your password a simple word?
Apr 27, 2007 1:58PM PDT

Here's the thing to remember - if your password is a single word and you have SSH turned on, someone may have kept trying random words until they found your password. Check to see if you have SSH (Remote Login) turned on by going to the Apple menu, System Preferences, Sharing, and see if Remote Login is checked (or Apple Remote Desktop). If you do, uncheck it. If your password is a simple word that can be found in the dictionary, change it, and pick something that is a combination of some upper/lower-case letters and numbers.

There aren't any viruses in the wild for Macs, but if you've left the door open by having a simple password and remote login turned on, people can come in. I've seen a small Mac-based company have this happen. Simple fix - don't use dictionary-word passwords. Also, might as well turn on the firewall (also in System Prefs -> Sharing).

One more thing, in the Finder, go to your Applications folder, open the Utilities folder, launch Activity Monitor, choose All Processes in the popup menu, then click in the list of programs it shows, choose Select All from the Edit menu, then Copy. Paste that into a message here - maybe there will be something obvious in the list that would show if someone has managed to login to your machine.

Either way, it's not a virus, but it could be a malicious person if your password was easy to guess and you had remote login turned on.
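
Added example, not part of the original thread: one way to check for the password guessing over Remote Login described in the post above is to look in the SSH daemon's log for a run of failed password attempts from one address followed by a successful login from that same address. The log lines, host name, user names, addresses and the threshold below are constructed for illustration, and the message format assumed is the usual OpenSSH `sshd` syslog wording.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH sshd syslog wording
# (illustrative only; not taken from the poster's machine).
SAMPLE_LOG = """\
Apr 22 03:10:01 emac sshd[411]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Apr 22 03:10:03 emac sshd[413]: Failed password for alice from 203.0.113.7 port 50130 ssh2
Apr 22 03:10:05 emac sshd[415]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2
Apr 22 03:10:09 emac sshd[419]: Accepted password for alice from 203.0.113.7 port 50160 ssh2
Apr 22 09:15:44 emac sshd[502]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Apr 22 09:15:50 emac sshd[502]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Per source address: failure count, users logged in, failures before first login."""
    stats = defaultdict(
        lambda: {"failed": 0, "accepted_users": [], "failed_before_accept": 0}
    )
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not a password-authentication event
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failed"] += 1
        else:
            # Record how many failures preceded the first successful login.
            if not s["accepted_users"]:
                s["failed_before_accept"] = s["failed"]
            s["accepted_users"].append(m["user"])
    return dict(stats)

def suspicious_sources(log_text, threshold=3):
    """Addresses with >= threshold failed attempts before a successful password login."""
    return sorted(
        ip for ip, s in summarize(log_text).items()
        if s["accepted_users"] and s["failed_before_accept"] >= threshold
    )

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
    print("guessing followed by login:", suspicious_sources(SAMPLE_LOG))
```

A single mistyped password followed by a login (the second address in the sample) stays below the threshold, while the address with three failures and then a success is reported.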

Thanks everyone
Apr 28, 2007 3:18AM PDT

I used Norton after I disconnected from the net, updated security software, turned on firewall and will follow the other suggestions you all have given. All seems to be well.

Thanks all!

Keep this in mind
Apr 30, 2007 7:59AM PDT

I would avoid using Norton's from now on. They've stopped support for the Mac a couple of years ago. Use either TechTool Pro 4 or DiskWarrior 4 for disk maintenance. And if you have to, use either McAfee Virex or Intego VirusBarrier X. Always leave the firewall on in the Network System Preferences, it's in place for a reason. This shouldn't cause any issues for you when downloading from Limewire or any other P2P client. You can always allow specific IP addresses in the settings, but only if you know they are safe.

You may have downloaded a file with a Trojan. Trojans aren't necessarily a virus, but can disrupt the normal functions of your system. And it can be set up that it will only be activated when it notices a live internet connection. Probably connecting to an IP address to get its instructions. Have you noticed internet activity on your modem, when your system was acting up, while connected to the net?

Try checking your start up menu, under Accounts, and uncheck anything that seems suspicious. Anything checked off is a startup item, and will launch on startup.

Although everything is running fine now (probably due to you putting your firewall up again), the suspect files are still in your system. The antivirus warez above should be able to eliminate any Trojan files, and virus if they are in your system. Just as long as the virus definitions are up to date. I run McAfee about every three months, as part of my system maintenance.

Just like cars and people, you need to do check ups every so often so that it's healthy. Remember, just because it's a Mac, it doesn't mean it's invulnerable to attacks. Being a Mac gives you peace of mind that the chances of you being hit by viruses is extremely unlikely compared to a PC. But not impossible. Especially with the new Intel chips and cross platform capabilities of the new Mac. A little preventive measure on Mac goes a long, long way.

Activity Monitor
Apr 28, 2007 3:32AM PDT

Here's the list, "swarren" is me. Check out line 196, who do you think "nobody" is?


231 Safari swarren 2.20 6 42.49 MB 168.95 MB PowerPC
228 pmTool root 2.20 1 3.32 MB 36.47 MB PowerPC
227 Activity Monitor swarren 13.70 2 19.73 MB 108.88 MB PowerPC
220 SecurityAgent securityagent 0.00 2 5.51 MB 89.89 MB PowerPC
199 pipedaemon swarren 0.00 1 216.00 KB 26.64 MB PowerPC
196 mdimport nobody 0.00 3 2.20 MB 38.76 MB PowerPC
195 TADaemonHelper swarren 1.40 3 1.80 MB 69.52 MB PowerPC
194 mdimport swarren 0.00 4 3.13 MB 46.93 MB PowerPC
193 TADaemon root 0.10 4 1.44 MB 30.32 MB PowerPC
192 cupsd root 0.00 2 1.37 MB 27.84 MB PowerPC
187 NortonMissedTask root 0.00 1 684.00 KB 26.69 MB PowerPC
185 TADaemonStub root 0.00 2 988.00 KB 27.73 MB PowerPC
178 mds root 0.00 7 3.43 MB 41.98 MB PowerPC
174 UniversalAccessApp swarren 2.50 1 3.46 MB 98.63 MB PowerPC
156 SymSecondaryLaunch swarren 0.00 1 1.57 MB 82.95 MB PowerPC
155 ScanNotification swarren 0.00 1 1.66 MB 83.06 MB PowerPC
154 HP Communications swarren 2.60 7 3.51 MB 89.81 MB PowerPC
153 iTunes Helper swarren 0.00 1 1.63 MB 82.86 MB PowerPC
152 CFD swarren 3.10 9 5.07 MB 91.67 MB PowerPC
144 Finder swarren 0.00 3 10.54 MB 121.68 MB PowerPC
143 crashreporterd root 0.00 1 204.00 KB 26.61 MB PowerPC
140 SystemUIServer swarren 0.30 2 6.02 MB 107.38 MB PowerPC
137 Dock swarren 0.00 2 2.93 MB 76.76 MB PowerPC
130 automount root 0.00 3 1.04 MB 28.73 MB PowerPC
124 automount root 0.00 3 1.09 MB 29.02 MB PowerPC
121 rpc.lockd root 0.00 1 196.00 KB 26.67 MB PowerPC
117 pbs swarren 0.00 2 1.86 MB 54.07 MB PowerPC
109 nfsiod root 0.00 5 184.00 KB 28.62 MB PowerPC
95 ntpd root 0.00 1 372.00 KB 26.86 MB PowerPC
80 lookupd root 0.00 3 1.26 MB 29.04 MB PowerPC
71 loginwindow swarren 0.00 3 3.94 MB 96.48 MB PowerPC
70 ATSServer swarren 0.00 2 3.29 MB 49.44 MB PowerPC
69 coreservicesd root 0.00 3 9.76 MB 40.68 MB PowerPC
65 WindowServer windowserver 5.50 2 11.90 MB 102.50 MB PowerPC
55 update root 0.00 1 220.00 KB 26.61 MB PowerPC
52 distnoted root 0.00 1 784.00 KB 27.02 MB PowerPC
51 DirectoryService root 0.00 3 2.07 MB 29.51 MB PowerPC
50 securityd root 0.00 2 1.52 MB 28.63 MB PowerPC
48 notifyd root 0.00 2 464.00 KB 27.21 MB PowerPC
47 memberd root 0.00 3 600.00 KB 27.66 MB PowerPC
45 diskarbitrationd root 0.00 1 1.03 MB 27.13 MB PowerPC
44 coreaudiod root 0.00 1 988.00 KB 28.04 MB PowerPC
43 configd root 0.00 3 1.73 MB 29.23 MB PowerPC
42 xinetd root 0.00 1 588.00 KB 26.74 MB PowerPC
41 cron root 0.00 1 500.00 KB 26.89 MB PowerPC
40 syslogd root 0.00 1 404.00 KB 26.64 MB PowerPC
39 netinfod root 0.00 1 564.00 KB 26.95 MB PowerPC
38 mDNSResponder root 0.00 4 1.05 MB 28.41 MB PowerPC
37 KernelEventAgent root 0.00 2 596.00 KB 27.19 MB PowerPC
32 kextd root 0.00 2 1,004.00 KB 27.55 MB PowerPC
28 dynamic_pager root 0.00 1 164.00 KB 26.63 MB PowerPC
1 launchd root 0.00 3 460.00 KB 27.68 MB PowerPC
0 kernel_task root 1.90 37 39.75 MB 626.95 MB PowerPC

Line 196
Apr 28, 2007 8:33AM PDT

is Spotlight doing its indexing thing.

P

Spotlight
Apr 30, 2007 11:07PM PDT

Is this a question for me? Sorry, but I don't know what spotlight does.

Not a question, a statement
May 1, 2007 3:42AM PDT

Spotlight is that search tool which lives in the top right hand corner of the screen.
It indexes the files on your HD and enables you to find things really quickly. It will even search inside documents to find parts of a sentence, if that is all you can remember of the document.

The entry in the log is a record of Spotlight indexing things.

Take a look at Spotlight, you will be surprised just how fast it is.

P

Odd
Aug 16, 2007 7:34AM PDT

I know that cookies from different sites can slow your browser down, but something like this?

I wonder if someone did hack your Mac. You'd think that most sharing preferences would be turned off. But who knows? When I went on vacation, my friend and I hopped on the free, community network and both other residents and our iTunes libraries could be seen under iTunes. But that was because I accidentally left iTunes sharing on.

You said that you downloaded files from the iTMS right when it happened, so maybe iTunes sharing is on and someone else on your network is pulling a prank on you. Most likely, someone has traced your computer and planted something.

Come on people! If someone logged in under YOUR account, you can't login again, unless you set it up like that. That means that whenever this person downloaded something from iTunes, someone also hacked into the Mac while the person was still logged in. That's a hack, not a second login.

The only other explanation is that the Mac has multiple accounts, and one has been remotely logged into that has admin access, or enough access to wreak havoc with the system files. I assumed that the person only had one in my above words, but this could be possible too.

Post about your accounts on your Mac or how many people have admin access to it. If there are more admin accounts on the Mac, then a remote login would allow complete control over the system.

Hope you post back so that we can help more if needed. Hope you fix it.
-BeatleMegaFan