Little worried about what I downloaded...

Discussion in 'macOS' started by i4k20c, Mar 14, 2009.

  i4k20c


    Sep 10, 2005
    I downloaded a .dmg from this website [] and it opened up the Apple installer, claimed the install was successful, program titled Mac Cinema, but I can't find it in the Applications folder, and don't see it when I search Spotlight.

    help! :(
  Jethryn Freyman

    Aug 9, 2007
    Haven't found that program by Google ("Mac Cinema".)

    I doubt it's something nasty, could be a failed install. Go to the terminal, maximise the window (green circle on the menu bar) and type "ps -ax" and then hit return (no quotation marks.)

    Post the output of that here and I'll take a look to see if there's anything suspicious running in the background.
  ElectricSheep


    Feb 18, 2004
    Wilmington, DE
    What you downloaded was a Trojan that contains (at the least) a DNS changer. You should run crontab -l in the Terminal and paste the output here.
  i4k20c thread starter


    Sep 10, 2005
    1 ?? 0:01.30 /sbin/launchd
    10 ?? 0:02.16 /usr/libexec/kextd
    11 ?? 0:01.45 /usr/sbin/notifyd
    12 ?? 0:01.48 /usr/sbin/syslogd
    14 ?? 0:04.74 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ -f /var/db/ntp.drift
    15 ?? 0:49.97 /usr/sbin/update
    18 ?? 0:01.24 /usr/sbin/securityd -i
    20 ?? 0:41.58 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds
    21 ?? 0:00.44 /usr/sbin/mDNSResponder -launchd
    22 ?? 0:03.10 /System/Library/CoreServices/ console
    23 ?? 0:00.02 /usr/sbin/KernelEventAgent
    25 ?? 0:00.02 /usr/libexec/hidd
    26 ?? 0:03.65 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/fseventsd
    28 ?? 0:00.04 /sbin/dynamic_pager -F /private/var/vm/swapfile
    30 ?? 0:01.86 /usr/sbin/diskarbitrationd
    31 ?? 0:12.50 /usr/sbin/DirectoryService
    33 ?? 1:19.14 /usr/sbin/configd
    36 ?? 0:00.04 autofsd
    38 ?? 0:01.39 /usr/libexec/ApplicationFirewall/socketfilterfw
    39 ?? 0:00.02 /Library/Application Support/iStat menus/iStatMenusProcessServer
    41 ?? 0:15.80 /usr/sbin/distnoted
    44 ?? 0:06.76 /System/Library/CoreServices/coreservicesd
    45 ?? 0:01.42 /usr/sbin/blued
    52 ?? 10:54.11 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer -daemon
    70 ?? 0:01.38 /sbin/launchd
    89 ?? 0:04.66 /System/Library/CoreServices/AirPort Base Station Base Station Agent -launchd
    93 ?? 0:11.21 /System/Library/CoreServices/
    94 ?? 0:02.65 /usr/sbin/UserEventAgent -l Aqua
    95 ?? 0:00.01 /usr/sbin/pboard
    96 ?? 2:12.93 /System/Library/CoreServices/ -psn_0_32776
    97 ?? 0:10.57 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/ATSServer
    98 ?? 7:47.37 /System/Library/CoreServices/ -psn_0_36873
    99 ?? 1:45.08 /System/Library/CoreServices/ -psn_0_40970
    100 ?? 0:01.76 /usr/sbin/coreaudiod
    109 ?? 0:00.26 /Applications/ -psn_0_61455
    110 ?? 0:04.29 /Users/koonalpatel/Library/Application Support/iStat menus/Helpers/iStat menus menus Helper -psn_0_65552
    111 ?? 0:10.14 /Users/koonalpatel/Library/PreferencePanes/Growl.prefPane/Contents/Resources/ -psn_0_69649
    112 ?? 0:16.69 /Library/Application Support/Logitech/ -psn_0_73746
    115 ?? 0:00.02 /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd
    120 ?? 5:39.16 /Applications/ -psn_0_86037
    124 ?? 70:28.90 /Applications/ -psn_0_94231
    133 ?? 0:12.60 /System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_0_110619
    512 ?? 0:52.23 /Applications/ -psn_0_233529
    610 ?? 1:55.14 /Applications/Microsoft Office 2008/Microsoft Word -psn_0_307275
    613 ?? 0:07.80 /Applications/Microsoft Office 2008/Office/Microsoft Database Database Daemon -psn_0_311372
    615 ?? 0:00.14 /Library/Application Support/Microsoft/MAU2.0/Microsoft AU AU D
    631 ?? 0:03.45 /System/Library/CoreServices/
    666 ?? 0:11.10 /Applications/ -psn_0_360536
    766 ?? 0:00.05 /usr/sbin/cron
    950 ?? 0:00.97 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker MDSImporterWorker
    1262 ?? 0:00.15 /System/Library/Frameworks/QuickLook.framework/Resources/
    1264 ?? 0:00.89 /Applications/Utilities/ -psn_0_479349
    1265 ttys000 0:00.16 login -pf koonalpatel
    1266 ttys000 0:00.03 -bash
    1278 ttys000 0:00.01 ps -ax
  neonblue2

    Aug 25, 2006
    Port Pirie, South Australia
    Just a question: why would you download something from an obviously fake website that doesn't mention anything about "MacCinema", only eBooks? Also, the fact that it alternates between two different websites whenever you access it should have tipped you off.
  i4k20c thread starter


    Sep 10, 2005
    crontab: illegal option -- I
    crontab: usage error: unrecognized option
    usage: crontab [-u user] file
    crontab [-u user] { -e | -l | -r }
  rosey

    Mar 14, 2009
    Actually, it is something nasty.

    Apparently a rebooted DNS changer trojan is out there, and they seem to have blanketed a number of 'watch online' generic sites (eg for Battlestar Galactica).

    I used this and it seems to have got rid of it:
  i4k20c thread starter


    Sep 10, 2005
    perfectly legit question, and the answer is stupidity.
  rosey

    Mar 14, 2009
    And, yes, you do feel like a total idiot afterwards...

    (if you've got it, you'll start getting unavoidable pop-ups, no matter what your pop-up settings, and random spammy web-pages)
  rosey

    Mar 14, 2009
    Just for the record, my updated Virus scan and Mac Scan both failed to pick it up. There was an alert about it two days ago on the Secure Mac site.
  i4k20c thread starter


    Sep 10, 2005
    Well, thanks to you! I ran the app and it said it was found, and I deleted it. Now my question is: is there any way to make sure, via the logs or anything, that it's gone completely?

    I'm usually the type of person that opens a program from the .dmg before installing it on my HDD just to be overly cautious, and of course I let a stupid thing like this slip.
  MistaBungle


    Apr 3, 2005
    I applaud you. Most people wouldn't admit this or make some excuse.
  Cromulent


    Oct 2, 2006
    The Land of Hope and Glory
    That was a small L not an i.
  i4k20c thread starter


    Sep 10, 2005
    crontab: no crontab for koonalpatel

    is this better?
  Loccy

    Jan 5, 2009
    This Mac Cinema bollocks also seems to be doing the rounds of sites that purport to be driver sites. I managed to come across it earlier in the week when looking for printer drivers. There's a whole raft of sites that come up on Google if (for example) you search for "CP1217 ppd" called where XXX is a random series of three characters. Click on one of the links and you'll get a .dmg that fires straight into the installer for "Mac Cinema". I cancelled straight out of it before it "installed" anything, but the .dmg will be titled vaguely like your original Google search, so it's eminently possible for someone less computer savvy to believe they're installing drivers.
  slothrob

    Jun 12, 2007
    I was having a couple minor but suspicious problems so I thought I'd check this out.
    I tried running this, but the .dmg won't mount. I haven't had problems mounting any other .dmg's.
  ElectricSheep


    Feb 18, 2004
    Wilmington, DE
    You said that you already ran the removal tool before checking your crontab. The crontab entry was this trojan's means of re-installing itself should you try to remove the fake plugin that it installs.

    You should be okay, but if you are still unsure, download the trial version of Little Snitch. Little Snitch would have caught the trojan's attempt to download its payload when you ran that installer package, and would have given you the chance to prevent its installation altogether.
  Consultant


    Jun 27, 2007
    Next time, to make sure an app is real, search on legit sites such as MacUpdate or VersionTracker.

    Virus scanners are not made to pick up a trojan that the USER INSTALLED. "It works by the user being convinced that this is a program that they would like to run on their computer." It's like giving away your key and your security alarm code and wondering why your security system didn't work.


    Since there are no viruses, anti-virus cannot determine what is a virus at this time.

    Giz Explains: Why OS X Shrugs Off Viruses Better Than Windows

    The Mac Malware Myth

    The Unavoidable Malware Myth

    Road to Mac OS X Snow Leopard: 64-bit security
  Veritas753

    Jun 1, 2009
    Me is stoopid, too

    I stupidly also installed the program and got wary when there was no MacCinema application to be found. I've followed the advice on this post and another I found elsewhere, and deleted the two items in the Library/Internet Plug Ins: AdobeFlash and Mozillaplug.plugin. I ran terminal and typed "sudo crontab -l" and got "no crontab for root." I then checked my DNS in both terminal and in preferences, and used the DNS Changer application that was recommended here and it came back clean with nothing out of the ordinary. I downloaded the demo version of Secure Mac and nothing came up other than a few cookies. I also installed the recommended demo of Little Snitch, and I haven't seen anything as far as what sites Firefox is going to as different from what I've been browsing to. As a relatively new OS X user, does it sound like I'm in the clear? Thanks in advance.
  Arne

    May 14, 2006
    you guys should also post the output of this command:

    cat /etc/hosts

    something might hide there, too...
  Veritas753

    Jun 1, 2009
    localhost broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost

    I'm connected through an Airport, if that makes any difference
  Shake 'n' Bake

    Mar 2, 2009
    That's network settings.

    IP Address

    Not sure what the others are though.
  Arne

    May 14, 2006
    looks fine.

    The /etc/hosts file can list a number of domain names and the corresponding IP addresses, so it would be bad if someone listed a number of banks there, for example, because then you would end up at a different server, not your bank's.
    But your file is OK; the lower parts are IPv6, by the way.
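The hand checks asked for across this thread (ElectricSheep's crontab -l, Veritas753's look in the Internet Plug-Ins folders and at the DNS settings, Arne's cat /etc/hosts) collected into one script. This is an added example, not code from the thread or from any removal tool it mentions. It assumes a stock Mac OS X 10.5-era /etc/hosts that maps only "localhost" and "broadcasthost", takes the two fake plug-in names from Veritas753's post, and the data in demo() is constructed here rather than taken from anyone's machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from any removal tool it mentions.
# Collects the checks the posters above were asked to run by hand after the
# "Mac Cinema" installer: crontab (the trojan's re-install hook), /etc/hosts
# (name-to-IP overrides), the Internet Plug-Ins folders (the two fake plug-ins
# Veritas753 found) and the DNS servers in use. Assumptions: a stock Mac OS X
# 10.5-era /etc/hosts maps only "localhost" and "broadcasthost"; the plug-in
# names are the ones reported in the thread; the data in demo() is constructed.

# Print hosts-file lines that map any name other than the stock ones.
suspicious_hosts() {            # $1: path to a hosts file
    awk '
        /^[[:space:]]*#/ { next }               # comment line
        NF == 0          { next }               # blank line
        { for (i = 2; i <= NF; i++)
              if ($i !~ /^(localhost|broadcasthost)$/) { print; next } }
    ' "$1"
}

# Reduce "crontab -l" output to its job lines (drop comments, blanks and
# VAR=value lines). A clean user crontab on 10.5 prints nothing at all.
crontab_jobs() {                # crontab text on stdin
    grep -Ev '^[[:space:]]*(#|[A-Za-z_][A-Za-z0-9_]*=)' | grep -v '^[[:space:]]*$' || true
}

# List entries in a plug-in folder whose names match the fakes from the thread.
fake_plugins() {                # $1: an Internet Plug-Ins directory
    [ -d "$1" ] || return 0
    ls -1 "$1" | grep -Ei '^(adobeflash|mozillaplug)(\.plugin)?$' || true
}

# Run every check against the live machine (macOS only). Returns 1 on findings.
audit_mac() {
    rc=0
    if [ -n "$(suspicious_hosts /etc/hosts)" ]; then
        echo "== /etc/hosts has non-stock entries:"; suspicious_hosts /etc/hosts; rc=1
    fi
    if [ -n "$(crontab -l 2>/dev/null | crontab_jobs)" ]; then
        echo "== crontab -l shows jobs (run 'sudo crontab -l' as well):"
        crontab -l 2>/dev/null | crontab_jobs; rc=1
    fi
    for d in "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"; do
        if [ -n "$(fake_plugins "$d")" ]; then
            echo "== fake plug-in(s) in $d:"; fake_plugins "$d"; rc=1
        fi
    done
    # Resolvers actually in use; compare with what your router or ISP hands out.
    if command -v scutil >/dev/null 2>&1; then
        echo "== DNS servers:"; scutil --dns | grep nameserver || true
    fi
    return $rc
}

# Constructed sample (not real data): a stock hosts file with one planted
# override of the kind Arne describes, and a crontab with one re-install job.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/hosts" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
192.0.2.10      online.example-bank.test
EOF
    echo "hosts overrides:"; suspicious_hosts "$tmp/hosts"
    echo "cron jobs:"
    printf '# planted by installer\n*/5 * * * * /Library/Internet\\ Plug-Ins/.helper\n' | crontab_jobs
    rm -rf "$tmp"
}

case "${1:-demo}" in
    demo)  demo ;;
    audit) audit_mac ;;
esac
```

Run it with no argument to see the constructed sample flagged, or with `audit` on the Mac in question; `sudo crontab -l` still has to be checked by hand, since the script only reads the invoking user's crontab.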

