Little worried about what i downloaded...

Discussion in 'macOS' started by i4k20c, Mar 14, 2009.

  1. i4k20c macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
    #1
    I downloaded a .dmg from this website [http://alleebooks.com/allebook1/download-djvu-ebook.html] and it opened up the Apple installer, claimed the install was successful, program titled Mac Cinema, but I can't find it in the Applications folder, and don't see it when I search Spotlight.

    help! :(
     
  2. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #2
    Haven't found that program by Google ("Mac Cinema".)

    I doubt it's something nasty, could be a failed install. Go to the terminal, maximise the window (green circle on the menu bar) and type "ps -ax" and then hit return (no quotation marks.)

    Post the output of that here and I'll take a look to see if there's anything suspicious running in the background.
     
  3. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #3
    What you downloaded was a Trojan that contains (at the least) a DNS changer. You should run crontab -l in the Terminal and paste the output here.
     
  4. i4k20c thread starter macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
    #4
    PID TTY TIME CMD
    1 ?? 0:01.30 /sbin/launchd
    10 ?? 0:02.16 /usr/libexec/kextd
    11 ?? 0:01.45 /usr/sbin/notifyd
    12 ?? 0:01.48 /usr/sbin/syslogd
    14 ?? 0:04.74 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
    15 ?? 0:49.97 /usr/sbin/update
    18 ?? 0:01.24 /usr/sbin/securityd -i
    20 ?? 0:41.58 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds
    21 ?? 0:00.44 /usr/sbin/mDNSResponder -launchd
    22 ?? 0:03.10 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
    23 ?? 0:00.02 /usr/sbin/KernelEventAgent
    25 ?? 0:00.02 /usr/libexec/hidd
    26 ?? 0:03.65 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/fseventsd
    28 ?? 0:00.04 /sbin/dynamic_pager -F /private/var/vm/swapfile
    30 ?? 0:01.86 /usr/sbin/diskarbitrationd
    31 ?? 0:12.50 /usr/sbin/DirectoryService
    33 ?? 1:19.14 /usr/sbin/configd
    36 ?? 0:00.04 autofsd
    38 ?? 0:01.39 /usr/libexec/ApplicationFirewall/socketfilterfw
    39 ?? 0:00.02 /Library/Application Support/iStat menus/iStatMenusProcessServer
    41 ?? 0:15.80 /usr/sbin/distnoted
    44 ?? 0:06.76 /System/Library/CoreServices/coreservicesd
    45 ?? 0:01.42 /usr/sbin/blued
    52 ?? 10:54.11 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer -daemon
    70 ?? 0:01.38 /sbin/launchd
    89 ?? 0:04.66 /System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent -launchd
    93 ?? 0:11.21 /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
    94 ?? 0:02.65 /usr/sbin/UserEventAgent -l Aqua
    95 ?? 0:00.01 /usr/sbin/pboard
    96 ?? 2:12.93 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_32776
    97 ?? 0:10.57 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/ATSServer
    98 ?? 7:47.37 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer -psn_0_36873
    99 ?? 1:45.08 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_40970
    100 ?? 0:01.76 /usr/sbin/coreaudiod
    109 ?? 0:00.26 /Applications/iTunes.app/Contents/Resources/iTunesHelper.app/Contents/MacOS/iTunesHelper -psn_0_61455
    110 ?? 0:04.29 /Users/koonalpatel/Library/Application Support/iStat menus/Helpers/iStat menus Helper.app/Contents/MacOS/iStat menus Helper -psn_0_65552
    111 ?? 0:10.14 /Users/koonalpatel/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents/MacOS/GrowlHelperApp -psn_0_69649
    112 ?? 0:16.69 /Library/Application Support/Logitech/LCCDaemon.app/Contents/MacOS/LCCDaemon -psn_0_73746
    115 ?? 0:00.02 /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd
    120 ?? 5:39.16 /Applications/Adium.app/Contents/MacOS/Adium -psn_0_86037
    124 ?? 70:28.90 /Applications/Safari.app/Contents/MacOS/Safari -psn_0_94231
    133 ?? 0:12.60 /System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_0_110619
    512 ?? 0:52.23 /Applications/Mail.app/Contents/MacOS/Mail -psn_0_233529
    610 ?? 1:55.14 /Applications/Microsoft Office 2008/Microsoft Word.app/Contents/MacOS/Microsoft Word -psn_0_307275
    613 ?? 0:07.80 /Applications/Microsoft Office 2008/Office/Microsoft Database Daemon.app/Contents/MacOS/Microsoft Database Daemon -psn_0_311372
    615 ?? 0:00.14 /Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU D
    631 ?? 0:03.45 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/DashboardClient
    666 ?? 0:11.10 /Applications/iCal.app/Contents/MacOS/iCal -psn_0_360536
    766 ?? 0:00.05 /usr/sbin/cron
    950 ?? 0:00.97 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker MDSImporterWorker com.apple.Spo
    1262 ?? 0:00.15 /System/Library/Frameworks/QuickLook.framework/Resources/quicklookd.app/Contents/MacOS/quicklookd
    1264 ?? 0:00.89 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_479349
    1265 ttys000 0:00.16 login -pf koonalpatel
    1266 ttys000 0:00.03 -bash
    1278 ttys000 0:00.01 ps -ax
     
  5. neonblue2 macrumors 6502a

    Joined:
    Aug 25, 2006
    Location:
    Port Pirie, South Australia
    #5
    Just a question; why would you download something from an obviously fake website that doesn't mention anything about "MacCinema", only eBooks? Also the fact that it alternates between two different websites whenever you access it should have tipped you off.
     
  6. i4k20c thread starter macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
    #6
    crontab: illegal option -- I
    crontab: usage error: unrecognized option
    usage: crontab [-u user] file
    crontab [-u user] { -e | -l | -r }
     
  7. rosey macrumors newbie

    Joined:
    Mar 14, 2009
    #7
    Actually, it is something nasty.

    Apparently a rebooted DNS changer trojan is out there, and they seem to have blanketed a number of 'watch online' generic sites (eg for Battlestar Galactica).

    I used this and it seems to have got rid of it:

    http://www.dnschanger.com/
     
  8. i4k20c thread starter macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
    #8
    perfectly legit question, and the answer is stupidity.
     
  9. rosey macrumors newbie

    Joined:
    Mar 14, 2009
    #9
    And, yes, you do feel like a total idiot afterwards...

    (if you've got it, you'll start getting unavoidable pop-ups, no matter what your pop-up settings, and random spammy web-pages)
     
  10. rosey macrumors newbie

    Joined:
    Mar 14, 2009
    #10
    Just for the record, my updated Virus scan and Mac Scan both failed to pick it up. There was an alert about it two days ago on the Secure Mac site.
     
  11. i4k20c thread starter macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
    #11
    Well, thanks to you! I ran the app and it said it was found, and I deleted it.. now my question is.. is there any way to make sure via the logs or anything that it's gone completely? :confused:

    I'm usually the type of person that opens a program from the .dmg before installing it on my hdd just to be overly cautious, and of course I let a stupid thing like this slip. :eek:
     
  12. MistaBungle macrumors 6502a

    MistaBungle

    Joined:
    Apr 3, 2005
    #12
    I applaud you. Most people wouldn't admit this or make some excuse.
     
  13. Cromulent macrumors 603

    Cromulent

    Joined:
    Oct 2, 2006
    Location:
    The Land of Hope and Glory
    #13
    That was a small L, not an i.
     
  14. i4k20c thread starter macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
    #14
    crontab: no crontab for koonalpatel

    is this better?
     
  15. Loccy macrumors member

    Joined:
    Jan 5, 2009
    #15
    This Mac Cinema bollocks also seems to be doing the rounds of sites that purport to be driver sites. I managed to come across it earlier in the week when looking for printer drivers. There's a whole raft of sites that come up on Google if (for example) you search for "CP1217 ppd" called driverXXX.co.cc where XXX is a random series of three characters. Click on one of the links and you'll get a .dmg that fires straight into the installer for "Mac Cinema". I cancelled straight out of it before it "installed" anything, but the .dmg will be titled vaguely like your original Google search, so it's eminently possible for someone less computer savvy to believe they're installing drivers.
     
  16. slothrob macrumors 6502

    Joined:
    Jun 12, 2007
    #16
    I was having a couple minor but suspicious problems so I thought I'd check this out.
    I tried running this, but the .dmg won't mount. I haven't had problems mounting any other .dmg's.
     
  17. i4k20c thread starter macrumors 6502a

    i4k20c

    Joined:
    Sep 10, 2005
  18. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #18
    You said that you already ran the removal tool before checking your crontab. The crontab entry was this trojan's means of re-installing itself should you try to remove the fake plugin that it installs.

    You should be okay, but if you are still unsure download the trial version of Little Snitch. Little Snitch would have caught the trojan's attempt to download its payload when you ran that installer package, and would have given you the chance to prevent its installation altogether.
     
  19. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #20
    Next time, to make sure an app is real, search on legit sites such as macupdate or versiontracker.

    Virus scanners are not made to pick up trojans that the USER INSTALLED. "It works by the user being convinced that this is a program that they would like to run on their computer." It's like giving away your key and your security alarm code and wondering why your security system didn't work.

    THERE ARE NO VIRUSES on OSX.

    Since there are no viruses, anti-virus cannot determine what is a virus at this time.

    Giz Explains: Why OS X Shrugs Off Viruses Better Than Windows
    http://i.gizmodo.com/5101337/giz-explains-why-os-x-shrugs-off-viruses-better-than-windows

    The Mac Malware Myth
    http://www.roughlydrafted.com/2009/01/29/the-mac-malware-myth/

    The Unavoidable Malware Myth
    http://www.roughlydrafted.com/2008/...-apple-wont-inherit-microsofts-malware-crown/

    Road to Mac OS X Snow Leopard: 64-bit security
    http://www.appleinsider.com/articles/09/01/16/road_to_mac_os_x_snow_leopard_64_bit_security.html
     
  20. Veritas753 macrumors newbie

    Joined:
    Jun 1, 2009
    #21
    Me is stoopid, too

    I stupidly also installed the program and got wary when there was no MacCinema application to be found. I've followed the advice on this post and another I found elsewhere, and deleted the two items in the Library/Internet Plug Ins: AdobeFlash and Mozillaplug.plugin. I ran terminal and typed "sudo crontab -l" and got "no crontab for root." I then checked my DNS in both terminal and in preferences, and used the DNS Changer application that was recommended here and it came back clean with nothing out of the ordinary. I downloaded the demo version of Secure Mac and nothing came up other than a few cookies. I also installed the recommended demo of Little Snitch, and I haven't seen anything as far as what sites Firefox is going to as different from what I've been browsing to. As a relatively new OS X user, does it sound like I'm in the clear? Thanks in advance.
     
  21. Arne macrumors regular

    Joined:
    May 14, 2006
    Location:
    Germany
    #22
    You guys should also post the output of this command:

    cat /etc/hosts

    something might hide there, too...
     
  22. Veritas753 macrumors newbie

    Joined:
    Jun 1, 2009
    #23
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost


    I'm connected through an Airport, if that makes any difference
     
  23. Shake 'n' Bake macrumors 68020

    Shake 'n' Bake

    Joined:
    Mar 2, 2009
    Location:
    Albany
    #24
    That's network settings.

    IP Address
    Subnet

    Not sure what the others are though.
     
  24. Arne macrumors regular

    Joined:
    May 14, 2006
    Location:
    Germany
    #25
    Looks fine.

    The /etc/hosts file can list a number of domain names and the corresponding IP addresses. So it would be bad if someone listed a number of banks there, for example, because then you would end up at a different server, not your bank's.
    But your file is OK; the lower parts are IPv6, btw.
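    Added example, not posted by anyone in this thread: a POSIX shell script that automates the two checks the thread settles on, the crontab inspection from post #18 (the trojan's re-install hook) and the /etc/hosts review from post #25, against saved output or, with --live, the local Mac. The hosts and crontab text it runs on by default is constructed sample data; the scutil command and the /Library/Internet Plug-Ins path are macOS-specific.

```shell
#!/bin/sh
# Added triage script (not from the thread): audits the user crontab,
# which the trojan used to re-install itself, and /etc/hosts, where a
# hijacked name-to-IP mapping would live. Both checks read from a file so
# they also work on text pasted into a forum post; "--live" uses this Mac.
set -f   # no pathname expansion: cron schedules contain '*'

# Print /etc/hosts entries other than the stock macOS loopback/broadcast
# lines (the clean file shown in the thread). Comments are stripped.
suspicious_hosts() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}
        [ $# -ge 2 ] || continue
        case "$1 $2" in
            '127.0.0.1 localhost'|'255.255.255.255 broadcasthost'|\
            '::1 localhost'|'fe80::1%lo0 localhost') ;;
            *) printf '%s\n' "$*" ;;
        esac
    done < "$file"
}

# Print the command part of every job in saved `crontab -l` output. The
# clean result in the thread is "no crontab for <user>" (too few fields,
# so it is skipped); any command printed here deserves a close look.
cron_entries() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}
        case "$1" in
            @*) [ $# -ge 2 ] || continue; shift 1 ;;   # @reboot/@daily cmd
            *)  [ $# -ge 6 ] || continue; shift 5 ;;   # m h dom mon dow cmd
        esac
        printf '%s\n' "$*"
    done < "$file"
}

if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp); crontab -l 2>/dev/null > "$tmp"
    echo "== crontab jobs =="; cron_entries "$tmp"; rm -f "$tmp"
    echo "== non-default /etc/hosts entries =="; suspicious_hosts /etc/hosts
    echo "== resolvers (macOS) =="; scutil --dns 2>/dev/null | grep nameserver
    echo "== Internet Plug-Ins =="; ls -la '/Library/Internet Plug-Ins' 2>/dev/null
else
    tmp=$(mktemp)   # constructed sample: clean hosts file plus one bogus bank entry
    printf '127.0.0.1 localhost\n::1 localhost\n10.0.0.5 www.examplebank.test\n' > "$tmp"
    echo "== non-default /etc/hosts entries =="; suspicious_hosts "$tmp"
    printf '# constructed sample\n*/5 * * * * /Users/demo/.cache/update >/dev/null 2>&1\n' > "$tmp"
    echo "== crontab jobs =="; cron_entries "$tmp"; rm -f "$tmp"
fi
```

Run it with no arguments to see the constructed sample flagged, or `sh triage.sh --live` on the affected Mac; `sudo crontab -l` (root's crontab, as checked in post #21) is not covered and should be inspected separately.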
     