Haven't found that program by Google ("Mac Cinema".)

I doubt it's something nasty, could be a failed install. Go to the terminal, maximise the window (green circle on the menu bar) and type "ps -ax" and then hit return (no quotation marks.)

Post the output of that here and I'll take a look to see if there's anything suspicious running in the background.
 
Haven't found that program by Google ("Mac Cinema".)

I doubt it's something nasty, could be a failed install. Go to the terminal, maximise the window (green circle on the menu bar) and type "ps -ax" and then hit return (no quotation marks.)

Post the output of that here and I'll take a look to see if there's anything suspicious running in the background.

PID TTY TIME CMD
1 ?? 0:01.30 /sbin/launchd
10 ?? 0:02.16 /usr/libexec/kextd
11 ?? 0:01.45 /usr/sbin/notifyd
12 ?? 0:01.48 /usr/sbin/syslogd
14 ?? 0:04.74 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
15 ?? 0:49.97 /usr/sbin/update
18 ?? 0:01.24 /usr/sbin/securityd -i
20 ?? 0:41.58 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds
21 ?? 0:00.44 /usr/sbin/mDNSResponder -launchd
22 ?? 0:03.10 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
23 ?? 0:00.02 /usr/sbin/KernelEventAgent
25 ?? 0:00.02 /usr/libexec/hidd
26 ?? 0:03.65 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/fseventsd
28 ?? 0:00.04 /sbin/dynamic_pager -F /private/var/vm/swapfile
30 ?? 0:01.86 /usr/sbin/diskarbitrationd
31 ?? 0:12.50 /usr/sbin/DirectoryService
33 ?? 1:19.14 /usr/sbin/configd
36 ?? 0:00.04 autofsd
38 ?? 0:01.39 /usr/libexec/ApplicationFirewall/socketfilterfw
39 ?? 0:00.02 /Library/Application Support/iStat menus/iStatMenusProcessServer
41 ?? 0:15.80 /usr/sbin/distnoted
44 ?? 0:06.76 /System/Library/CoreServices/coreservicesd
45 ?? 0:01.42 /usr/sbin/blued
52 ?? 10:54.11 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer -daemon
70 ?? 0:01.38 /sbin/launchd
89 ?? 0:04.66 /System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent -launchd
93 ?? 0:11.21 /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
94 ?? 0:02.65 /usr/sbin/UserEventAgent -l Aqua
95 ?? 0:00.01 /usr/sbin/pboard
96 ?? 2:12.93 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_32776
97 ?? 0:10.57 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/ATSServer
98 ?? 7:47.37 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer -psn_0_36873
99 ?? 1:45.08 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_40970
100 ?? 0:01.76 /usr/sbin/coreaudiod
109 ?? 0:00.26 /Applications/iTunes.app/Contents/Resources/iTunesHelper.app/Contents/MacOS/iTunesHelper -psn_0_61455
110 ?? 0:04.29 /Users/koonalpatel/Library/Application Support/iStat menus/Helpers/iStat menus Helper.app/Contents/MacOS/iStat menus Helper -psn_0_65552
111 ?? 0:10.14 /Users/koonalpatel/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents/MacOS/GrowlHelperApp -psn_0_69649
112 ?? 0:16.69 /Library/Application Support/Logitech/LCCDaemon.app/Contents/MacOS/LCCDaemon -psn_0_73746
115 ?? 0:00.02 /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd
120 ?? 5:39.16 /Applications/Adium.app/Contents/MacOS/Adium -psn_0_86037
124 ?? 70:28.90 /Applications/Safari.app/Contents/MacOS/Safari -psn_0_94231
133 ?? 0:12.60 /System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_0_110619
512 ?? 0:52.23 /Applications/Mail.app/Contents/MacOS/Mail -psn_0_233529
610 ?? 1:55.14 /Applications/Microsoft Office 2008/Microsoft Word.app/Contents/MacOS/Microsoft Word -psn_0_307275
613 ?? 0:07.80 /Applications/Microsoft Office 2008/Office/Microsoft Database Daemon.app/Contents/MacOS/Microsoft Database Daemon -psn_0_311372
615 ?? 0:00.14 /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU D
631 ?? 0:03.45 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/DashboardClient
666 ?? 0:11.10 /Applications/iCal.app/Contents/MacOS/iCal -psn_0_360536
766 ?? 0:00.05 /usr/sbin/cron
950 ?? 0:00.97 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker MDSImporterWorker com.apple.Spo
1262 ?? 0:00.15 /System/Library/Frameworks/QuickLook.framework/Resources/quicklookd.app/Contents/MacOS/quicklookd
1264 ?? 0:00.89 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_479349
1265 ttys000 0:00.16 login -pf koonalpatel
1266 ttys000 0:00.03 -bash
1278 ttys000 0:00.01 ps -ax
 
Just a question; why would you download something from an obviously fake website that doesn't mention anything about "MacCinema", only eBooks? Also the fact that it alternates between two different websites whenever you access it should have tipped you off.
 
What you downloaded was a Trojan that contains (at the least) a DNS changer. You should run crontab -l in the Terminal and paste the output here.

crontab: illegal option -- I
crontab: usage error: unrecognized option
usage: crontab [-u user] file
crontab [-u user] { -e | -l | -r }
 
Actually, it is something nasty.

Apparently a rebooted DNS changer trojan is out there, and they seem to have blanketed a number of 'watch online' generic sites (eg for Battlestar Galactica).

I used this and it seems to have got rid of it:

http://www.dnschanger.com/
 
Just a question; why would you download something from an obviously fake website that doesn't mention anything about "MacCinema", only eBooks? Also the fact that it alternates between two different websites whenever you access it should have tipped you off.

perfectly legit question, and the answer is stupidity.
 
And, yes, you do feel like a total idiot afterwards...

(if you've got it, you'll start getting unavoidable pop-ups, no matter what your pop-up settings, and random spammy web-pages)
 
Just for the record, my updated Virus scan and Mac Scan both failed to pick it up. There was an alert about it two days ago on the Secure Mac site.
 
Just for the record, my updated Virus scan and Mac Scan both failed to pick it up. There was an alert about it two days ago on the Secure Mac site.

well, thanks to you! I ran the app and it said it was found, and I deleted it.. now my question is.. is there any way to make sure via the logs or anything that it's gone completely? :confused:

I'm usually the type of person that opens a program from the .dmg before installing it on my hdd just to be overly cautious, and of course I let a stupid thing like this slip. :eek:
 
This Mac Cinema bollocks also seems to be doing the rounds of sites that purport to be driver sites. I managed to come across it earlier in the week when looking for printer drivers. There's a whole raft of sites that come up on Google if (for example) you search for "CP1217 ppd" called driverXXX.co.cc where XXX is a random series of three characters. Click on one of the links and you'll get a .dmg that fires straight into the installer for "Mac Cinema". I cancelled straight out of it before it "installed" anything, but the .dmg will be titled vaguely like your original Google search, so it's eminently possible for someone less computer savvy to believe they're installing drivers.
 
Actually, it is something nasty.

Apparently a rebooted DNS changer trojan is out there, and they seem to have blanketed a number of 'watch online' generic sites (eg for Battlestar Galactica).

I used this and it seems to have got rid of it:

http://www.dnschanger.com/

I was having a couple minor but suspicious problems so I thought I'd check this out.
I tried running this, but the .dmg won't mount. I haven't had problems mounting any other .dmg's.
 
crontab: no crontab for koonalpatel

is this better?

You said that you already ran the removal tool before checking your crontab. The crontab entry was this trojan's means of re-installing itself should you try to remove the fake plugin that it installs.

You should be okay, but if you are still unsure, download the trial version of Little Snitch. Little Snitch would have caught the trojan's attempt to download its payload when you ran that installer package, and would have given you the chance to prevent its installation altogether.
 
Next time, to make sure an app is real, search on legit sites such as macupdate or versiontracker.

Just for the record, my updated Virus scan and Mac Scan both failed to pick it up. There was an alert about it two days ago on the Secure Mac site.

Virus scans are not made to pick up trojans that the USER INSTALLED. "It works by the user being convinced that this is a program that they would like to run on their computer." It's like giving away your key and your security alarm code and wondering why your security system didn't work.

THERE ARE NO VIRUSES on OSX.

Since there are no viruses, anti-virus cannot determine what is a virus at this time.

Giz Explains: Why OS X Shrugs Off Viruses Better Than Windows
http://i.gizmodo.com/5101337/giz-explains-why-os-x-shrugs-off-viruses-better-than-windows

The Mac Malware Myth
http://www.roughlydrafted.com/2009/01/29/the-mac-malware-myth/

The Unavoidable Malware Myth
http://www.roughlydrafted.com/2008/...-apple-wont-inherit-microsofts-malware-crown/

Road to Mac OS X Snow Leopard: 64-bit security
http://www.appleinsider.com/articles/09/01/16/road_to_mac_os_x_snow_leopard_64_bit_security.html
 
Me is stoopid, too

I stupidly also installed the program and got wary when there was no MacCinema application to be found. I've followed the advice on this post and another I found elsewhere, and deleted the two items in the Library/Internet Plug Ins: AdobeFlash and Mozillaplug.plugin. I ran terminal and typed "sudo crontab -l" and got "no crontab for root." I then checked my DNS in both terminal and in preferences, and used the DNS Changer application that was recommended here and it came back clean with nothing out of the ordinary. I downloaded the demo version of Secure Mac and nothing came up other than a few cookies. I also installed the recommended demo of Little Snitch, and I haven't seen anything as far as what sites Firefox is going to as different from what I've been browsing to. As a relatively new OS X user, does it sound like I'm in the clear? Thanks in advance.
 
you guys should also post the output of this command:

cat /etc/hosts

something might hide there, too...
 
you guys should also post the output of this command:

cat /etc/hosts

something might hide there, too...

127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost


I'm connected through an Airport, if that makes any difference
 
looks fine.

the /etc/hosts file can list a number of domain names and the corresponding IP addresses. so it would be bad if someone listed a number of banks there for example, because then you would end up at a different server, not the one of your bank.
but your file is ok, the lower parts are IPv6 btw
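
The hosts-file check discussed in the posts above, as an added example that is not part of the original thread: a shell function (the name `audit_hosts` is made up here) that prints every name-to-address mapping other than the stock loopback and broadcast lines shown in the posted file. It assumes the four stock lines quoted in the thread are the expected baseline.

```shell
#!/bin/sh
# Added example: report hosts-file entries that are not the stock
# localhost/broadcasthost lines. Anything it prints deserves a look,
# because a hosts entry overrides DNS for that name.
# Usage: audit_hosts [file]    (defaults to /etc/hosts)
# Exit status: 0 if only stock entries were found, 1 otherwise.
audit_hosts() {
    hosts_file="${1:-/etc/hosts}"
    awk '
        { sub(/#.*/, "") }        # drop comments (fields are re-split)
        NF < 2 { next }           # skip blank and address-only lines
        {
            ip = $1
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # Stock entries, matching the file posted in the thread
                if (name == "localhost" &&
                    (ip == "127.0.0.1" || ip == "::1" ||
                     ip == "fe80::1" || ip ~ /^fe80::1%/))
                    continue
                if (name == "broadcasthost" && ip == "255.255.255.255")
                    continue
                # Everything else is a manual override of name resolution
                printf "%s -> %s (line %d)\n", name, ip, NR
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$hosts_file"
}
```

An empty result only says the hosts file is untouched; the DNS server settings and the crontab checked earlier in the thread are separate places to look.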
 