
How To Remove “MacAccess” Trojan

Due to infection reports and the prevalence of this threat, here are removal instructions for the “MacAccess” trojan.

The presence of the following files indicates that the installation of this tricky trojan succeeded.

Installed files:

/cron.inst
/i386
/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin

Please take note that the files /cron.inst and /i386 may not exist, since the trojan usually deletes them after it has successfully executed its code.

To fix the infection, delete whichever of these files are present.

This trojan also creates a cron (scheduled) job (/cron.inst) that executes a malicious Perl script named “AdobeFlash” found in “/Library/Internet Plug-Ins/”, so it is important that you check this part through Terminal. Execute “sudo crontab -l” to list the scheduled jobs, as shown below:

***Thanks for all the feedback! To all readers: use sudo so that a normal user can run the crontab commands as root***

The cron job runs every five minutes and triggers the backdoor, which contacts a remote IP address. It has been observed to check these remote IP addresses:

94.247.2.109
78.157.142.187


To remove it, execute “sudo crontab -r” and double-check by executing “sudo crontab -l”, as shown below:

(screenshot: remove)

Take note: you have to open Terminal to run “crontab”. Terminal is located at ~/Applications/Utilities, or you can simply search for it using Spotlight as shown below:

(screenshot: Terminal)

OSX/Jahlav, aka “MacAccess”, will attempt to connect to the IP addresses mentioned above (these may vary by variant) and may install another trojan, often DNSChanger. So it is best to check your DNS settings for dodgy entries such as IP addresses starting with 85.xx.xx.xx. To fix this, remove them and restore your legitimate DNS settings. Please check this instruction to help you fix malicious DNS entries.
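As an added example (not code from the article or from the trojan itself), the POSIX shell script below turns the three manual checks above into functions: the dropped files, a root crontab entry that runs something under “Internet Plug-Ins”, and 85.x.x.x resolvers. Each function takes its input as an argument so it can be exercised offline with constructed data; the “--live” switch runs the real “sudo crontab -l” and “scutil --dns”, where reading resolvers via “scutil --dns” is this script’s assumption, not the article’s instruction.

```shell
#!/bin/sh
# check_macaccess.sh: added example, not code from the article or from the
# threat itself. It scripts the article's three manual checks for the
# OSX/Jahlav "MacAccess" trojan:
#   1. are the dropped files present?
#   2. does root's crontab run anything under an "Internet Plug-Ins" folder?
#   3. does the resolver configuration list 85.x.x.x DNS servers?
# Each check is a function that takes its input as an argument, so it can be
# run offline against constructed data; "--live" runs the real commands
# (sudo crontab -l and scutil --dns; using scutil --dns is an assumption here).

# Dropped files named in the article, one per line (two paths contain a space).
IOC_FILES='/cron.inst
/i386
/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin'

# check_dropped_files ROOT: print each IOC file that exists below ROOT
# ("/" on the live system). Exit status 0 if at least one was found.
check_dropped_files() {
    root=${1%/}
    hits=$(printf '%s\n' "$IOC_FILES" | while IFS= read -r f; do
        if [ -e "$root$f" ]; then printf '%s\n' "$root$f"; fi
    done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# crontab_has_plugin_job CRONTAB_TEXT: exit 0 if a non-comment cron line runs
# something under an "Internet Plug-Ins" directory. The article's job runs
# /Library/Internet Plug-Ins/AdobeFlash every five minutes; root's crontab has
# no legitimate reason to execute a browser plug-in, so one match is enough.
crontab_has_plugin_job() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -qi 'Plug-Ins/'
}

# suspicious_dns_servers SCUTIL_OUTPUT: print each distinct nameserver from
# "scutil --dns" output (lines like "  nameserver[0] : 1.2.3.4") whose address
# starts with "85.", the range the article associates with DNSChanger.
# Exit status 0 if any were printed.
suspicious_dns_servers() {
    hits=$(printf '%s\n' "$1" |
        awk '$1 ~ /^nameserver\[[0-9]+\]$/ && $3 ~ /^85\./ { print $3 }' |
        sort -u)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# run_live_checks: run all three checks on this Mac; return 1 if anything hit.
run_live_checks() {
    status=0
    echo '== dropped files =='
    if check_dropped_files /; then status=1; else echo 'none found'; fi
    echo '== root crontab (sudo crontab -l) =='
    if crontab_has_plugin_job "$(sudo crontab -l 2>/dev/null)"; then
        echo 'root crontab runs a plug-in: review it, then remove it with "sudo crontab -r"'
        status=1
    else
        echo 'no plug-in job'
    fi
    echo '== DNS servers (scutil --dns) =='
    if suspicious_dns_servers "$(scutil --dns 2>/dev/null)"; then
        echo '85.x.x.x resolvers found: remove them and restore your ISP DNS settings'
        status=1
    else
        echo 'no 85.x.x.x resolvers'
    fi
    return $status
}

if [ "${1:-}" = '--live' ]; then
    run_live_checks
fi
```

Run it as “sh check_macaccess.sh --live” in Terminal; it only reports, and the removal steps (deleting the files, “sudo crontab -r”, restoring DNS) remain the manual ones described above.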

If this instruction works, then I’ll be excited to hear your story. I’m sure any info will also help other OS X users.

If not, please feel free to drop a message, ideally with additional information such as:

  • How did you get infected? (website?)
  • Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au; or just send me a link where I can download it.
  • Any unusual behavior found in your computer.

Updated 5/22/2009:

– Added information about Terminal as per request.

Updated 6/10/2009:

– Added link to How To Check Your DNS Settings

  1. D
    December 26, 2008 at 5:00 pm

    Re: the paths, \ is different from /. I think you want /.

  2. Methusela Cebrian Ferrer
    December 27, 2008 at 1:53 am

    Yes, right, that’s what I meant. I already fixed it, thanks a lot!

  3. mike
    December 27, 2008 at 11:14 am

    Works great. Thanks 🙂 I got infected from macjournal5_7014.dmg

  4. Methusela Cebrian Ferrer
    December 27, 2008 at 1:30 pm

    Good to hear Mike, stay safe! Don’t hesitate to send me an email if you find any dodgy site/s or application/installer.

  5. December 29, 2008 at 11:40 am

    worked fine with me, didn’t find the /cron.inst or /i386, as you suggested, but successfully deleted the lib files. Also, crontab -l did not show any scheduled jobs. So it seems to work fine with me. Thanks and HNY

  6. December 29, 2008 at 12:09 pm

    Good Post Man !
    Thanks for sharing. I suggest installing ClamXav, and then you won’t get stressed about this.

  7. freefall
    December 29, 2008 at 2:13 pm

    I got infected through this link: http://freedrivers.bee.pl/windows-driver-20002.html. It pretends to be a Mac OS firewire driver for my camcorder.

    I found the aforementioned files and removed them. But I didn’t find a crontab entry. Maybe the installation failed for me being on an AirPort link rather than on an ethernet connection?

  8. freefall
    December 29, 2008 at 5:10 pm

    Just for the record: ClamXav doesn’t recognize either the dmg or the pkg file as infected.

  9. freefall
    December 29, 2008 at 5:12 pm

    Somehow my very first comment got lost. I’ve been infected by the following download: http://freedrivers.bee.pl/windows-driver-20002.html

    It pretends to be a Mac OS firewire driver for my camcorder.

  10. December 30, 2008 at 2:05 am

    Thanks. I got infected from here: http://isocracks.com/isokeygen1/crack-converter-german.html, file mediaedit3_7014.dmg

  11. Russell
    December 31, 2008 at 9:32 am

    I was using VirusBarrier X5 demo when this happened to me and it stopped it as it was installing. Also having Little Snitch running allowed me to stop it from accessing through port 80. Very scary but glad to know I’m safe now.

  12. David Bishop
    January 1, 2009 at 9:34 pm

    Thanks for the info on removing this sneaky trojan horse. I got it by downloading and installing the Sony UP-D5500 driver installer from the following site:
    http://driversbaze.com/windows-driver-vista8.html

    The same trojan horse can also be downloaded from:

    http://freedrivers.bee.pl/windows-driver-printer16.html
    http://freedrivers.bee.pl/windows-driver-printer31.html
    http://freedrivers.bee.pl/windows-driver-printer16.html
    http://originaldrivers.com/windows-driver-printer29.html
    http://originaldrivers.com/windows-driver-vista1.html
    http://extradrivers.bee.pl/windows-driver-200022.html
    http://ez-drivers.com/drivers3/windows-driver-200031.html
    and probably other sites.
    I didn’t find any cron job but did find and deleted AdobeFlash and Mozillaplug.plugin

    Best regards,
    David

  13. Scott
    January 3, 2009 at 3:09 am

    Found this trojan on http://isocracks.com/serial2/crack-serial-converter.html

    Did not contain the /I386 or cron.inst files. It did create the adobe and mozillaplug. Both files removed. Checked, but no cron jobs found to be running. Fingers crossed that I got it removed.

  14. Jeff Dodge
    January 6, 2009 at 9:48 pm

    Removed mozillaplug.plugin and adobeflash. No longer have a DNS starting with 85 but I do now have 4 greyed-out DNS entries and a greyed-out Search field, but still have hsd1.sc.comcast.net

    I am getting redirected to yellowpage type database sites.

    Any ideas?

    Thank you

    • Methusela Cebrian Ferrer
      January 8, 2009 at 8:53 am

      Hi Jeff, you need to ask your ISP for a legitimate DNS server. I advise that you remove all those 4 entries in the DNS search entries. It is also possible to whois these DNS entries to see which DNS settings make sense. From the result I got here: http://whois.domaintools.com/comcast.net it seems the DNS is different.

  15. JSD
    January 7, 2009 at 4:06 am

    Thanks for this. I got the Adobe Flash and the Mozillaplugin and removed them. I’ve run it a couple of times to see if I have a crontab but Terminal says no. I will keep my eye out for it. My own fault. Thanks for the help. I got this off a crack site.

  16. Ricardo Ramirez
    January 14, 2009 at 4:40 am

    I deleted AdobeFlash and Mozillaplug.plugin, tried to execute “crontab -l”, but I kept getting “no crontab” as an answer in Terminal.
    And then in Terminal I typed “sudo crontab -r”, provided my admin password and typed “sudo crontab -l” to see the message “crontab: no crontab for root.”
    At last I rebooted my MacBook.

    The link: http://softandkeys.com/page42995.html.
    And I haven’t found any unusual behavior on my computer yet. Though when I access my DNS settings I still see a grey DNS SERVER and SERVE DOMAIN that look like this: 192.168.1.254 gateway.2wire.net

    is this Ok ? :S

    • Methusela Cebrian Ferrer
      January 17, 2009 at 2:06 am

      Yes this is safe, this should be your legitimate DNS server.

  17. Todddman
    January 15, 2009 at 3:27 am

    Found this on: http://softandkeys.com/page50244.html

    I took out the Adobe Flash and Mozillaplugs, no sign of the others, but the DNS is clean. Damn there’s some malicious aholes out there!

    • Methusela Cebrian Ferrer
      January 17, 2009 at 2:08 am

      True, this threat belongs to a serious (obviously, money driven) gang. Stay safe!

  18. January 15, 2009 at 9:47 am

    Damn! I know better! Got it looking for a Promise TX4650 SATA Controller driver.

    DONT FORGET TO LOGIN AS ROOT AND CHECK CRONTAB -L

    My main user crontab was empty, my root crontab had the 5 min command to Adobe…

  19. January 16, 2009 at 2:12 am

    It’s not over yet…a safari plugin just hijacked my page and sent me to a yellow pages site. There is more to this virus.

  20. Vince
    January 16, 2009 at 9:37 am

    I removed mozillaplug.plugin and adobeflash. Got it from http://softandkeys.com/page124769.html, but then I think I can’t see the page anymore

  21. January 18, 2009 at 3:56 pm

    Hi and thanks for this. I downloaded a file, which came as a .dmg from the internet. The .dmg opened into a file called install.pkg which installed a software called Macaccess. I couldn’t find anything in the Applications folder, which was strange. After a few hours, the MacBook screen started locking up for a few seconds and would unfreeze on its own. Suspecting it to be related to the Macaccess install, I found your post and did the above mentioned. The crontab was only visible after logging in as root. The DNS’s were there, but only for the current network in use. The DNS was also not editable, but they vanished after deleting the files you suggested and changing the network connection. The MacBook doesn’t lock up anymore, so I’m assuming everything’s ok. Thanks for these details, wouldn’t have known what to do without your post!

  22. Alexandre Santos
    January 19, 2009 at 4:05 am

    I removed the files mozillaplug.plugin and adobeflash, but still the DNS were 85.x.x.x. Then I disconnected from the web, and when I returned, the DNS numbers were ok. I couldn’t find any responses for the crontab -l command, I got “no crontab for alexandre”. Is that ok? How can I change dir? I got that from the site:
    http://loweimages.com/multimedia/520/ableton-live-703-keygen-crack-serial-patch.html

  23. codeblue
    January 19, 2009 at 5:08 am

    dam… got this as well, i knew it smelled fishy

    So I followed all the instructions, everything appears to be fine now. So annoyed about this, new mac, so clean and now it seems corrupted! I guess I could just reinstall.

    Anyways, just wondering if there is anything else to be done, anything I should be worried about etc…

    Also wondering if the internet plugins left such as ‘flashplayer.xpt’ are bad as well.

    As well I have been getting this message saying my drive is almost full and that I should make some space, when it is very empty (new machine). Is this related or is this something else?

    😦

    • Methusela Cebrian Ferrer
      January 20, 2009 at 5:46 am

      Hi Matthew, could you send me a copy of flashplayer.xpt as well as screenshot of that message saying drive is almost full ?

      I suspect that these unusual behaviors are all related to the trojan. Do you still remember where you downloaded this?

  24. January 19, 2009 at 12:12 pm

    Perhaps it’s good now. 3 days and no sign of it anymore. The yellowpages thing might have been a fluke, unknowingly clicked on an ad or something.

    I cracked open the dmg file and looked at the virus payload, the mozilla and adobe files seem to be the only plugin payloads. Follow the instructions above, and again, don’t forget to check the crontab for root user.

    C

  25. Andy
    January 20, 2009 at 9:58 am

    Had this last night after downloading what I thought was some software to let me capture old Hi8 footage via my MiniDV cam.

    Installed it and when I couldn’t find any app in Applications I searched on the web and found this.

    No cron or the cron.inst / i386 files but the plugins were there so deleted and also had the DNS entries so removed. Scary stuff, learnt my lesson now!

  26. Fab
    January 20, 2009 at 9:08 pm

    hxxp://xwarezzz.com/adobe/280/adobe-photoshop-cs4-110-keygen-crack-serial-patch.html

    (SERIAL Adobe Photoshop CS4 11.0
    hxxp://opera-extra.com/download/serial.Adobe.Photoshop.CS4.11.0c3098.exe)

  27. Andy
    January 21, 2009 at 3:34 pm

    Got the trojan when downloading a mouse driver (better: instead of the mouse driver). After downloading the file “install.pkg” a window opened and asked me to install MacAccess. Idiot as I am, I didn’t hesitate to confirm. When I didn’t find the app I installed, it was already too late. I did as you suggested and deleted the Library files. The others I didn’t find. When I checked the terminal for crontab, I had to use “sudo crontab -l” to find the cron job. So I deleted it. The only thing I recognized was that my AirPort connection of the MacBook stopped 4 times before I canceled the cron job. I had to reconnect and enter the network password. Thanks a lot for the great help you allocated with this thread – Andy

  28. January 21, 2009 at 8:18 pm

    you name it, softkillerz.com got “it”

    Quick search on what I was installing found me this post before I got infected 🙂

  29. Ricardo Ramirez
    January 23, 2009 at 1:06 am

    Methusela Cebrian Ferrer, I’ve been alert since I got this virus (Comment by Ricardo Ramirez — January 14, 2009 @ 4:40 am) and finally I’ve seen some unusual behavior on my MacBook: my Macintosh hard drive icon has changed name. The Macintosh hard drive icon appearing on my desktop has changed name to (ok ok). I’ve changed it back already to how it was.

    So should I be worried about this unusual behavior ? :S

    Thanks for your help a lot.

    Sincerely;

  30. Ricardo Ramirez
    January 23, 2009 at 1:08 am

    Btw, I just found out another detail (I don’t know if this helps) when I posted last time (Comment by Ricardo Ramirez — January 14, 2009 @ 4:40 am) that was the exact time I made that post.

    When I posted this one (Comment by Ricardo Ramirez — January 23, 2009 @ 1:06 am) It’s actually 7:01 pm :S

  31. John Burton
    January 23, 2009 at 2:47 pm

    Need to change the instructions – I found the cron job installed as root, not my user, I had to do a “sudo crontab -l” to see it and “sudo crontab -r” to remove it.

    Thanks for the info though!

    • Methusela Cebrian Ferrer
      January 23, 2009 at 11:19 pm

      Thanks John, I’ll update the instruction.

  32. January 23, 2009 at 4:33 pm

    got it here:

    http://serialcrackfinder.com/key5/converter-german-video.html

    i found and deleted the 2 internet plugins. i don’t really know how to use terminal and i’m wary of screwing everything up. when i typed crontab -l, it said that there was nothing found am i out of the woods?

    • Methusela Cebrian Ferrer
      January 23, 2009 at 11:21 pm

      Please type “sudo crontab -l” to see and “sudo crontab -r” to remove. Let me know if this works…

  33. January 23, 2009 at 4:40 pm

    ALSO – I have those 85… numbers grayed out in my DNS areas. Anything I should do with those?

    • Methusela Cebrian Ferrer
      January 23, 2009 at 11:24 pm

      You have to remove them, those are malicious DNS entries. Then replace them with a legitimate DNS; you could ask your internet provider.

  34. January 23, 2009 at 11:23 pm

    same as John Burton… had to sudo!

  35. Ricardo Ramirez
    January 24, 2009 at 4:13 am

    ?

  36. Methusela Cebrian Ferrer
    January 24, 2009 at 5:23 am

    Hi Ricardo, I just read over your comments and thanks for this! You mentioned that “Machintosh hard drive icon has changed name. Machintosh hard drive icon apeearing on my desktop has changed name to (ok ok)”; this is really worrying. As I mentioned, “MacAccess” has a backdoor capability, and I am afraid (probably) that your machine may have other malware installed. I recommend that you quickly check all running processes and network connections. I found some users are comfortable using Little Snitch; you may use this, or netstat and ps in Terminal will also help. Please let me know any progress you have.

  37. January 25, 2009 at 6:15 pm

    I was looking for information on a book that my wife is using for school, and I thought I had hit a site to allow a pdf download of the book. I know better!

  38. Ricardo Ramirez
    January 27, 2009 at 4:44 pm

    Hi Methusela, thanks for your reply. I’ll download Little Snitch, and I’ll check all running processes and network connections. Btw, how can I ps in Terminal? :S
    I’m kinda new in Mac OS X. Oh, and it just came to my mind.. the first time I tried to remove MacAccess Trojan I followed up your instructions only on my account. I share my MacBook with my gf, I never tried to remove the MacAccess Trojan on both accounts, just mine. So I was thinking, maybe I should try to remove it from my gf’s acc too? Could that help? :S And, would you recommend me any suggestions on how to protect me against this? Like while I get to download Little Snitch and solve this problem, are there any things I should know of? Like (don’t use hotmail, don’t use any passwords etc. etc.)? Thx a lot for your time.

    Sincerely;

    • Methusela Cebrian Ferrer
      January 29, 2009 at 11:22 am

      Hi Ricardo, to use “ps” open Terminal and type “ps man | less”; this will give you options on how to use it. However, you can use “ps aux”; this provides good information about all running processes. Another helpful command is “lsof -p”; this “lists open files” relating to a specified PID or process id. Since Macaccess installed and removed as root user, this should get removed regardless of account. You could double check any existence of the dropped file, e.g. “ls /Library/Internet Plug-Ins/AdobeFlash”. To protect yourself from threats, you should make sure to regularly backup your important files, avoid weak passwords (check your password through google and if the result is less than 10 then it’s good, if no result then it’s strong), avoid downloading from unsecured sources. If there’s anything dodgy or suspicious that could possibly be a threat, don’t hesitate to shoot me an email.

      Regards,
      ~ Meths

  39. brownstein
    January 28, 2009 at 2:19 pm

    sudo crontab -r worked for me. Thanks so much for posting this information. You’re a real lifesaver.

  40. January 28, 2009 at 4:22 pm

    IMPORTANT UPDATE,

    while removing these files and checking / disabling the network services will remove any spoof DNS entries, you are forgetting one simple step,

    in the folder /Library/Receipts you will find the packages for the items you have installed in the past, and oh guess which one is in there, MacAccess entitled installer.pkg with a date of 12/8/2008.

    Nuke this bitch too, secure delete the trash, then REBOOT!!!

    I would also scan for any folders with a create date of the date of your self infection and the timestamp of 12/8/2008 just to be safe.

    Hope that helps everyone

    • Methusela Cebrian Ferrer
      January 29, 2009 at 10:37 am

      I definitely agree on these findings!

      OS X users have to regularly purge unnecessary junk in /Library/Receipts, especially when there’s infection history.

  41. January 28, 2009 at 4:54 pm

    Hi! Thanks for your article!

    I downloaded the trojan from bluedrivers.orge.pl (http://bluedrivers.orge.pl/drvs3/driver-windows-printer12.html) while looking for a ricoh printer driver.. Things are working again now, but somehow it fucked up my tls secure wlan connection. 😦

    trip

  42. downfall
    January 28, 2009 at 9:32 pm

    http://loweimages.com/multimedia/823/boujou-401-keygen-crack-serial-patch.html
    the last link gets you the beloved dmg with the install package
    btw, when I saw the application was named mac access I immediately turned off my AirPort. The installer exited with error, not being able to finish. That was fishy so I googled it.
    tnx for the post.

    • Methusela Cebrian Ferrer
      January 29, 2009 at 10:38 am

      Thanks for this feedback! It’s good that you were able to interrupt the installation.

  43. wit
  44. wit
  45. January 29, 2009 at 7:43 pm

    Got it at

    http://reddrivers.osa.pl/driver12/driver-printer-windows.html

    look for a PPD for an Oki b6200n

    you will then get the file: okib6200ppd_7014.dmg

  46. Jeremy
    January 31, 2009 at 11:23 am

    thank you so much!!!! I already sent an email, but was just wondering – is it possible to download a trojan by clicking a link, which in fact downloads the trojan without any download activity being reported??

    btw, I’m using Safari

    • Methusela Cebrian Ferrer
      January 31, 2009 at 11:51 am

      Hi Jeremy, Thanks for dropping by. Regarding your question, supposedly the answer is NO. It should not download anything in background without user consent. However, I have incidents where I find my download folder full with files ex. , which indicates it has been downloaded N times. However, this trojan requires manual execution to get installed unless we are now looking on a new attack vector.

      Again back to your question, is it possible to download by clicking a link? YES, this is possible using an exploit, please refer to this post:
      https://ithreats.wordpress.com/2008/06/20/zero-day-os-x-ard-agent-root-escalation-vulnerability/

  47. michele
    January 31, 2009 at 10:07 pm

    The mac access trojan horse can be downloaded from:
    http://downloadkeyzz.com/crack3/serial-crack-video-free.html

  48. emptii
    February 1, 2009 at 8:22 am
  49. Liane
    February 5, 2009 at 4:32 pm

    Hmm…I knew something was fishy when I couldn’t find the file in my applications. Couldn’t find the /cron.inst and /i386 files – is there also a possibility that they are hidden? How would I check?
    Managed to delete both the /Library/Internet Plug-Ins/AdobeFlash and /Library/Internet Plug-Ins/Mozillaplug.plugin from the main library (they weren’t installed in my user library).
    Also saw the 85.x… DNS servers. Couldn’t delete them, but they were replaced when I renewed my DHCP lease. Also deleted the receipt.

    While the trojan was still on, I opened my system preferences (thinking that the “application” would be there like some plugins). Now the system prefs won’t open.
    Gonna reboot & see if it works. Will come back here & update. Hmm…while I was writing this the computer paused for about 5 seconds. And again. Scary.

  50. Liane
    February 5, 2009 at 4:51 pm

    Oh, yeah – also had to delete the crontab in terminal…
    Back now from the restart. Looks like none of the files I deleted are back. The weird DNS also did not return, and I can open System Prefs no problem. Changed my system password just in case…do you think that was necessary?

    Also, a bit confused about the ps & netstat commands. What should I be looking for? How do I know if something is legit or not?

    Thanks!

    • Methusela Cebrian Ferrer
      February 7, 2009 at 3:18 am

      Hi Liane, thanks for dropping by. Regarding your question on “ps & netstat commands, what should I be looking for?”, e.g. executing “ps -A” will give you a list of processes running in your system; as a user you have to get familiar, on a day to day basis, with what normal processes are running versus a strange one, such as the name of an application that you never remember installing. Another good command is “top” (to exit just type “q”); it also lists processes and displays which process consumes high %CPU. For netstat, e.g. executing “netstat -p TCP” will provide you information regarding your background TCP connections, specifically what IP address.

  51. Darren
    February 8, 2009 at 3:17 pm

    Hi, I think I got infected. But I’m on a PowerPC Mac. Does this thing only work on Intel Macs, or should PPC users be worried too?

    • Methusela Cebrian Ferrer
      February 9, 2009 at 11:02 am

      Yes, it works on both. The instruction should work as well.

  52. Amandeep Sapra
    February 12, 2009 at 6:21 am

    I just received and cleaned the virus. I got the virus from the installer at http://booksdownload4free.com/ebooks5/.

    I have the installer on my hard disk. I will keep it for 2-3 days. If you need the trojan installer for some testing, drop me an email.

  53. Manolita Faroles
    February 14, 2009 at 7:07 pm

    Hi Methusela;
    First of all, Thanks a lot for that useful tutorial.

    Package name: papers18macrapidsahre.dmg
    After executing the install, when I didn’t find the app in my drive, I suspected it and disconnected the computer from the internet.
    Anyway I think that the malware has been executed because I didn’t find the archives ” ” ” “, just the “adobeflash” and the “Mozillaplug.plugin”

    I think that I’ve successfully followed all the steps and I no longer have these archives, but I’ve noticed something strange: my drive capacity is now 1Gb less than before and I’m wondering if it could be related with that comment made by codeblue (n. 26), because I also have this ‘flashplayer.xpt’.
    Have you checked that?
    Thanks in advance for the answer and help

  54. Manolita Faroles
    February 14, 2009 at 8:08 pm

    Hi again,
    After rebooting for a second time, the missing Gb has come back!
    I don’t understand why, but it runs fine.
    thanks

    • Methusela Cebrian Ferrer
      February 17, 2009 at 11:35 am

      That’s good to know…. I was a bit worried before reading this update, I was thinking that you might be infected with something new. Anyway, feel free to drop by anytime!

  55. Jorge
    February 18, 2009 at 12:54 am

    I found it here:
    http://superdownloads.uol.com.br/busca/youmehub.s5.html
    (youmehub archive)

    I was suspicious of the installer and didn’t make the installation. After reading your article I made a search for the “adobeflash” file etc. and they were not present, but I also made a search for the “flashplayer.xpt” file and it is present, so THIS FILE IS OK or is not installed by the macaccess trojan.

  56. Jorge
    February 18, 2009 at 12:59 am

    Sorry, I found it here:

    http://3.madbe.net/

    • Methusela Cebrian Ferrer
      February 18, 2009 at 8:07 am

      Thanks Jorge.

      Btw, flashplayer.xpt is not malicious. Since you did not install it, I don’t see any reason to be worried about. Your system is safe, just be careful.

  57. Emma
    February 24, 2009 at 4:14 pm

    Alright alright, but do we have to wait for this kind of article to realize someone is spying on our hard disk? Trojans could be on our computers anytime, don’t you think guys? Any of us has done at least one not 100% secure installation! How do we check our computer for real! How are we sure no trojan named “Whatever” is inside our computer! Does anybody know or care about it?

  58. Keith
    March 1, 2009 at 12:15 am

    sorry about the previous comment, i was commenting on the comment feature of the site, not the suggestions laid out in the article.

  59. Keith
    March 1, 2009 at 12:26 am

    Downloaded it when looking for an ebook. Knew something was wrong when nothing showed up in the applications folder. Did some quick research and came across a story on macworld about deleting trojans. I ran the sudo crontab -l command in terminal and got the following response:
    Library/Internet Plug-Ins/plugins.settings:>/dev/null 2>&1
    I then ran sudo crontab -r and since then have been getting the response “crontab: no crontab for root” when I run sudo crontab -l.
    I turned my computer off for the night and the next time I logged in I could not connect to the internet. I used my wife’s computer to look for more information and came across this site. After reading the article, I deleted the mozilla and adobe plugins (could not find the i386 or cron files) and downloaded a trial of VirusBarrier and moved it over to my computer. After scanning my computer, VirusBarrier found the packages in the receipts folder. I deleted the entire “install.pkg” in the receipts folder. I have checked my settings in the system preferences and terminal (using scutil and the command “show State:/Network/Global/DNS”) and never found any foreign DNS servers. Despite all this (and multiple restarts) I am unable to connect to the internet. I can see my network in AirPort, but when I run diagnostics, it says the problem is in Network Settings. The settings are exactly the same as my wife’s computer, save for the fact that in the Advanced menu under the TCP/IP tab, my computer does not specify the router. Could this be the problem, or is the malware still affecting me somehow? I have since run VirusBarrier and it is not detecting any problems. Let me know if I need to clarify anything.

  60. david
    March 3, 2009 at 11:20 pm

    Thanks a lot. I have done according to your instructions but could not delete the DNS numbers, so I turned off AirPort and turned it on again a few times until the
    2 DNS numbers starting with 85… disappeared. Do I have to do anything else?
    I got it from this website http://moviesfreebay.com/avi1/download-camrip-free.html
    Do I have to reinstall anything like the files I have deleted?
    thanks a lot,
    david

    • Methusela Cebrian Ferrer
      March 4, 2009 at 12:04 am

      Hi David,

      It seems your machine is now clean from this threat. You don’t have to re-install anything since those files you deleted are all malicious dropped files. If there’s any dodgy or suspicious behavior just let me know.

  61. david
    March 4, 2009 at 12:02 am

    By the way the DNS numbers start with 80… and they are back again, but they might be the normal DNS numbers. Do I have to execute “sudo crontab -r”?
    Where do I start for doing this?
    thanks, david

  62. Melissa
    March 4, 2009 at 3:32 am

    I got the VIRAL FILE from: http://celebnudestars.net/index.php?q=Nip/Tuck%20Season_5%20Episode_21

    I deleted the internet plugins; I think there were two: one that said movie.file.plugin or something similar. When I ran the crontab commands in Terminal, it was saying no root found, but the 85. DNS numbers kept coming back when I would reestablish my AirPort internet connection. I tried emptying my trash, but it was saying that the files were in use and that I could continue or stop. I tried both ways and they remained in the trash. I finally downloaded the trial of VirusBarrier and started the scan. After it started scanning, I was then able to empty the plugin files from my trash. VirusBarrier just finished scanning and said NO VIRUS DETECTED. I am hoping that the files did not morph into something undetectable once they realized a virus program had been installed. I just checked my DNS and it has a gray 192.

    I’m fairly new to Mac and not very computer savvy when it comes to viruses…does it sound like my precious notebook is now SAFE?

  63. David Nobel
    March 7, 2009 at 11:08 am

    I picked up the Trojan here: http://icanmix.net/download/3046697a74673d3d5457bdad/keygen-plextools_professional_xl_3_13.exe

    This link now appears to be broken.

    After finding this site, I trashed the AdobeFlash and Mozillaplug.plugin files. That stopped this message from showing up in my Console log every minute:
    05/03/09 3:42:00 PM com.apple.launchd[1] (0x10c420.cron[1538]) Could not setup Mach task special port 9: (os/kern) no access

    I later deleted the cron and the install.pkg receipt.

    My Leopard firewall is set up to restrict access of all incoming connections, so I am hoping this will have protected me from the Trojan downloading any additional malicious files during the short time window (about 15 minutes) before I trashed the components.

    I am curious to know what the purpose of this Trojan is–hijack the Mac as a spam bot?

    Both my VirusBarrier trial and iAntivirus are now showing my disk to be clean. Fingers crossed! This is scary stuff.

    Thanks a million, Meths, for your hard work and diligence in maintaining this site. I would have been screwed without it!

  64. Jaime
    March 18, 2009 at 9:34 am

    Got the file at: http://mp3uploadzz.com/free3/megaupload-karaoke2.html, the file name was: Download Jaco Pastorius Last Flight Essence, instead of a rar file a DMG file was downloaded with the installer.
    Your instructions for removal are superb! It all worked exactly as the scenarios described: removed the files first, restarted and the DNS (with 85) disappeared, and finally ran Terminal to get rid of the crontab.
    Amazing help you are providing, and giving a little education to us Mac users, who occasionally forget that we are subject to these malware attacks.
    Thanks!

  65. Hillary
    March 20, 2009 at 3:06 am
  66. March 24, 2009 at 11:36 am

    Hey,

    I downloaded a file from piratebay. It stated that to play the file you had to go download a hdtvxvid player from here > http://www.hdtvxvid.org/other/index.php

    Like an idiot I did that and installed it and nothing happened. When there was no application in the application list, I found this site. Thanks a million, your instructions appear to have worked. Thanks

  67. abe
    March 25, 2009 at 1:43 pm

    I’m new to Mac, and I caught MacCinema while downloading a trial.
    How can I remove it?
    Thx

  68. Chris
    March 28, 2009 at 3:43 am

    I couldn’t find any of the files, but ran the sudo crontab -l thing and found something. I did the -r command and now can’t find anymore, yet my mac is still acting a bit weird.

    For example, my cursor is not calibrated in my web browser, I have to aim about an inch to the left of whatever I want to click. Performance is definitely slower. Some programs have disappeared from my Dock, and all my network connection settings have been restored to the defaults.

    I’m going to reinstall the OS tomorrow if I can find my disks.

  69. Rai
    March 31, 2009 at 2:07 am

    I was infected by flashcodec.dmg which was downloaded from here:
    http://celebnudestars.net/index.php?q=Chuck%20Season_2%20Episode_18

    which I was taken to from here
    http://online-tvshow-movies.blogspot.com/2009/03/watch-chuck-season-2-episode-18-chuck.html

    I thought it was fake before I downloaded it but installed anyway (stupid), but it took all of 5 seconds to confirm my suspicions and then google how to remove it (which got me here).

    Thanks!

  70. Bruno
    April 3, 2009 at 3:27 pm

    Hey! First of all, thanks for the instructions. I followed all of the instructions, it all looked fixed (no DNS’s, crontabs or whatsoever) and my macbook seems… to be getting worse.

    I got infected last night and it took me around 10 mins to fix it. Then, my hard drive started to make a strange noise, but after a reboot it disappeared. But this morning when I turned on the computer, it just made the starting sound and kind of “white screened”. It didn’t start at the first time, so I reset it and it looks ok for now.

    I am new to all this Mac thing since I have been using Windows forever, so I got fooled pretty easily. I am also afraid that this thing ain’t over…

    I’ve downloaded the iAntivirus just in case, but is it that effective? Which is the most powerful way to prevent my computer from malicious software and stuff?

    Best regards,

    Bruno

  71. Carl
    April 13, 2009 at 2:43 am

    Downloaded crap file from here: http://movie-megaupload.com- do not go there! Thank you for fix, much appreciated.

  72. April 14, 2009 at 4:18 am
  73. Alvin
    April 22, 2009 at 5:57 pm

    Thank you so much for the help you give in this site. I got infected by maccinema. I simply followed your instructions and I think I’m okay now.

    • Methusela Cebrian Ferrer
      April 23, 2009 at 12:19 am

      That’s good to know, thanks for dropping by!

  74. April 23, 2009 at 5:07 am

    Thanks dude!

    I’m not sure if it worked though….

    * */5 * * * “/Library/Internet Plug-Ins/AdobeFlash” vx 1>/dev/null 2>&1
    cody-howards-macbook-pro:~ Cody$ sudo crontab -r
    cody-howards-macbook-pro:~ Cody$ sudo crontab -l
    crontab: no crontab for root

  75. Hilary
    April 24, 2009 at 7:11 am

    I too got infected by MacCinema through: http://www.mixx.com/stories/4880292/watch_hells_kitchen_season_5_episode_12_online_free_s05e12 which led me to http://4-23-episodes.blogspot.com/2009/04/watch-hells-kitchen-season-5-episode-12.html

    There were also a bunch of different sites that led to the second one. I saw a bunch of familiar starting websites listed in the comments thus far like http://www.celebnudestars.net/(…) Mine all got linked to me in Google search. After the first download and following your instructions (both with mycomputer$ crontab -r & -l and mycomputer$ sudo crontab -r & -l) as well as removing the receipt and resetting my DHCP, I can’t seem to access any of the previous sites. I thought that might be an interesting tidbit to add on.
    Also, I had the “85.” DNS servers greyed out and untouchable (undeletable) until I renewed my dhcp lease.
    I wanted to thank you for putting this on the web but as a little thing… I didn’t know what you were talking about with the crontab stuff until I read about terminal in the comments. For those of us unfamiliar with Terminal you might want to mention that in the main body 🙂 Thank you so much.

  76. joy
    May 6, 2009 at 3:41 am

    Help! I know I installed the package, I’m new to Mac, I tried following the instructions above but I can’t find it anywhere… what should I do?

  77. Lily W
    May 15, 2009 at 7:56 pm

    WAW! I’ve never known about terminal before and forced myself to figure it out to get rid of this trojan thing.
    I was amazed after following ALL the steps provided. Greyed out DNS that showed malicious 85XX were gone and everything’s back to normal!
    Thanks!

    Learnt my lesson!

  78. jimmy
    May 28, 2009 at 2:49 am

    How do you delete i386? I was able to use sudo to remove the cron and deleted the other two files from Internet Plug-Ins, but could not find i386.

    • Methusela Cebrian Ferrer
      May 28, 2009 at 10:27 am

      The trojan deletes this file “i386” after installation. So, you don’t have to worry if it doesn’t exist anymore. I just added it in the instruction in case, for some reason the file wasn’t deleted.

  79. Sonjie
    May 28, 2009 at 3:33 pm

    So after having let this thing get installed I feel very silly indeed…

    I deleted the two items in Internet Plug-Ins and found no trace of i386 or cron.inst. I ran “crontab -l” and nothing came up. I even ran MacScan and a “DNSChanger Removal Tool” which both came up negative. I checked my DNS setting in Setting Preferences and there was nothing out of the ordinary there. So that all seemed good.

    But I was having trouble accessing a website still, so I went back into terminal and entered “cat /etc/resolv.conf” (on advice from someone else). I got back two nameserver 85.xx.xx.xxx. [Panic!] I rebooted Airport as someone had mentioned in the comments. Then I reran “cat /etc/resolv.conf” in terminal and now my nameserver is back to the normal 192.xxx.x.x

    But all that backstory to ask a simple question. Should I reset all my passwords??? I know I probably should never save them but I am guilty of doing that at times. I also logged on to email while I was “infected”. I’m not sure if it’s a silly question. Better to ask tho.

    I’d appreciate any reply!!! Thanks!

    • Methusela Cebrian Ferrer
      May 31, 2009 at 12:34 pm

      If you have been exposed/infected for a period of time, then it is best to reset all your passwords – just to be safe.

      Although it is recommended (regardless of infection) that passwords should be kept updated/changed periodically – every 30, 90 or 180 days. Changing passwords depends on your activity; there’s high risk involved especially when accessing through a shared or public computer.

      Thanks for this good question!

      • Sonjie
        May 31, 2009 at 4:14 pm

        Thanks! I was only exposed for an hour or so, but I reset all the important passwords to emails and bank accounts.

        But you’re absolutely right, I will start updating my passwords periodically.

  80. John
    May 31, 2009 at 9:33 pm

    Thanks, but I don’t know how to delete the DNS server because I go in Preferences to the part that is a list of DNS servers and I have these two: 85.255.112.95 and 85.255.112.207 I DON’T KNOW WHAT TO DO… PLEASE HELP!!!

  81. Eric
    June 2, 2009 at 12:02 am

    I stupidly also installed the program and got wary when there was no MacCinema application to be found. I’ve followed the advice on this post and another I found elsewhere, and deleted the two items in the Library/Internet Plug-Ins: AdobeFlash and Mozillaplug.plugin. I ran Terminal and typed “sudo crontab -l” and got “no crontab for root.” I then checked my DNS in both Terminal and in Preferences, and used the DNS Changer application that was recommended on another site, and it came back clean with nothing out of the ordinary. I downloaded the demo version of Secure Mac and nothing came up other than a few cookies. I also installed a recommended demo of Little Snitch, and I haven’t seen anything as far as what sites Firefox is going to as different from what I’ve been browsing to. As a relatively new OS X user, does it sound like I’m in the clear? Thanks in advance.

  82. Eric
    June 2, 2009 at 1:20 am

    Additional question. I don’t know if it’s related to this, since I think it’s showed since I first got this computer about a week ago, but where I have Devices, Shared, Places, Search For, etc there is under Shared a PC server called fachp-2628 that I can’t get info on or connect to. I DO have a PC laptop connected to the same Airport as my MacBook. Does that have something to do with it? I’m just slightly more paranoid about it after getting this trojan. Thanks

    • Eric
      June 2, 2009 at 1:30 am

      Sorry to keep replying to myself. I noticed that it’s only when I’m connected to the internet, either wirelessly with the Airport or directly with an ethernet cable from the Airport. So, is it just the airport? And, like I said, I’m being overly paranoid?

    • Eric
      June 2, 2009 at 1:54 am

      Really wish there were an edit feature :-). When I unplug from the Airport and just connect directly from the modem to the MacBook, the server doesn’t show up. So, I guess it has to do with that. Whew.

      • Methusela Cebrian Ferrer
        June 10, 2009 at 11:16 am

        Yes, I have been receiving this report for a while now, although I can’t re-create it. Type “df -i” in Terminal and see where it is mounted.

  83. June 2, 2009 at 5:37 pm

    Hello,

    I got infected from the site: http://prolinesoft.com/album-cover-finder-v652.html
    There’s big link where you can download the .dmg file.

    Stan The AntiTrojanDude

    • Methusela Cebrian Ferrer
      June 10, 2009 at 10:18 am

      Thanks, this is very helpful!

  84. June 6, 2009 at 6:33 am

    Thanks so much! Downloaded MacCinema from a random website. I was able to find the AdobeFlash threat in the Terminal by using your instructions.

    Saved me a headache–thanks!

  85. klipp
    June 7, 2009 at 8:05 pm

    Hey, I just followed all the helpful stuff to remove the four listed files, but I’m no tech by any means. How do I check this DNS stuff? I’m really worried…

    • Methusela Cebrian Ferrer
      June 10, 2009 at 8:51 am

      To check & modify your DNS settings, choose any of the following options:

      Option #1
      To Check: Open Terminal (Drive>Applications>Utilities) and type cat /etc/resolv.conf. You can also type “scutil --dns”. This will display the domain name and name servers.
      Option #2 Click the Apple icon in your upper left corner, then click “System Preferences”.
      Click “Network” then look for the DNS Server IP address. To modify, click on “DNS Server” and input the correct IP address, then click “Apply”.

      Or you can release and renew your IP address. You can simply do this in Terminal; type:

      sudo ifconfig en1 down
      sudo ifconfig en1 up

      Use option #1 to check whether your DNS has been corrected.

      There’s another way: unplug your internet and reconnect. This also works (“,)

      **Note: In most cases, en1 is the interface for Wireless and en0 for LAN. Just try en1 or en0 and see which works.
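      As an added example (not part of the post or any comment), the two checks from the reply above can be scripted: one function flags nameserver lines in resolv.conf text whose first octet is 85, the other flags crontab lines that run the AdobeFlash plug-in path named in the post. Both read text from stdin so they are exercised here on constructed input; the sample addresses are the two quoted by a commenter on this page, and the demo flag name is assumed.

```shell
#!/bin/sh
# Added example: scan resolv.conf and crontab text for the indicators
# the post describes (85.x.x.x nameservers, a cron job running AdobeFlash).
# On a real Mac you would feed in `cat /etc/resolv.conf` and `sudo crontab -l`.

# Print nameserver IPs from resolv.conf text whose first octet is 85.
rogue_nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^85\./ { print $2 }'
}

# Print crontab lines that invoke the AdobeFlash plug-in path from the post.
rogue_cron_entries() {
    awk 'index($0, "/Library/Internet Plug-Ins/AdobeFlash") { print }'
}

# Constructed sample input (not captured from a real machine).
SAMPLE_RESOLV='domain example.test
nameserver 85.255.112.95
nameserver 85.255.112.207
nameserver 192.168.1.1'

SAMPLE_CRON='* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1
0 3 * * * /usr/bin/true'

# Report any indicator found in the two texts; return 0 if found, 1 if clean.
check_indicators() {
    resolv_text=$1
    cron_text=$2
    found=0
    r=$(printf '%s\n' "$resolv_text" | rogue_nameservers)
    c=$(printf '%s\n' "$cron_text" | rogue_cron_entries)
    [ -n "$r" ] && { echo "rogue nameservers: $r"; found=1; }
    [ -n "$c" ] && { echo "rogue crontab line: $c"; found=1; }
    [ "$found" -eq 1 ]
}

# Assumed demo switch: run the checks against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    check_indicators "$SAMPLE_RESOLV" "$SAMPLE_CRON"
fi
```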

  86. ACarelessWanderer
    June 13, 2009 at 6:34 am

    I take comfort in seeing so many stupids ahead of me! Mine was called Flash.Player.HD.v10.0.dmg; maybe I’ll send it to you sometime. The arrogance that OS X doesn’t have trojans led to this! Anyways, there wasn’t ‘/i386’ and ‘/cron.inst’ but the others existed, which I removed along with the cron entry and corrected resolv.conf – back to normalcy (hopefully)

  87. Richard
    June 14, 2009 at 9:56 pm

    Searching for Blackberry help on the Rogers BIS interface. Got a Google hit at http://www.maha-mask.com which led to vizabelarus.com and megafucklist.com – masquerading as a movie.
    I have now turned off open safe files in Safari.
    Didn’t actually install, but it is a pain in the neck when something happens so quickly that you know something is wrong but can’t tell what happened without a lot of digging.
    Thanks for the removal information.

  88. Juliana
    June 30, 2009 at 10:42 pm

    AHH, I too got infected, I hope this works.

    Here is the website it came from http://ourtrustplace.com/
    It was listed as a MacCinema application.

  89. July 3, 2009 at 1:32 pm

    Thanks for writing this article.

    I got this trojan. I tried to follow your instructions; however, when I checked my DNS, it was still 85.xxx.xxx.xxx and couldn’t be removed or changed. Fortunately I tried restarting my MacBook, checked my DNS … voilà, the DNS settings were already back to the original.

  90. davids
    July 23, 2009 at 5:44 am

    Thanks, this worked wonderfully. I was able to remove the AdobeFlash and Mozilla plugin files, but the i386 and the cron.inst were not there… I was able to also remove the crontab schedule as mentioned, and use the Terminal to get rid of the 85.xxx IP addresses in the DNS area. I hope this fixes it!!! What a piece of crap, here is where I got mine:
    http://appzznews.com/tag/berrypopup by downloading either the crack or the keygen, same thing; this will go through the legit-looking Mac install of ‘MacCinema’ and load up the trojan horse… bastards! Thank you for putting the solution out there!!!

  91. Christine
    July 31, 2009 at 1:55 am

    Hi! I am extremely new to Mac and I’m not 100 percent sure that I did everything you suggested to fix my beloved computer correctly. I sent mozilla/adobe to my trash and then permanently deleted them. I opened Terminal (have no idea what this is) and typed in “sudo crontab -r” and “sudo crontab -l” and it just said no root for both of them. Is that what you are supposed to do? In addition I clicked Apple>System Preferences>Network and under DNS server I had two gray numbers that started with 85. I wasn’t sure how to fix this. In that box I simply wrote the IP address listed above. Is that also what I was supposed to do? I am going to unplug my internet and reboot now. Am I safe?! Please help me and thank you SO MUCH. This article was a life saver. 🙂

  92. Taylor
    August 16, 2009 at 9:32 am

    Hello! Thanks for the help. I think I got everything removed.. did the Terminal commands, deleted the files. I was trying to watch a movie online and was asked to download QuickTimeUpdate.dmg and then I really noticed something when during the installation Little Snitch authorized something and that made a red flag go up. Hopefully I got everything removed, thank you for your help!

  93. Eric
    August 28, 2009 at 1:45 pm

    I started the download as a MacCinema application after trying to look up some info on some current news. After trying to install, my computer said that the install was unsuccessful, which made me suspicious. I searched “maccinema” which led me here. I found and deleted the AdobeFlash and the Mozilla plugin, but I had to search around for the “Library” folder. I did not find it under the Applications folder but under the hard drive icon. I also ran the Terminal commands for crontab and then ran them under “sudo” and came back clean. I’ve never done anything in the Terminal before so this was a little weird, but I just followed your instructions. My DNS looks the same, so I rebooted and everything seems to be normal. Crossin’ my fingers! Thanks for the info.

  94. September 3, 2009 at 2:16 am

    I got it by downloading a trial of MATLAB – but not from their site. Silly me.
    I saw the installer was for a program called ‘MacCinema’ and a simple Google search led me here.
    This all gave me a good chuckle. They don’t make it easy to get infected!

  95. October 30, 2010 at 2:44 am

    Best you should change the webpage name How To Remove “MacAccess” Trojan iThreats to something better for the content you make. I loved the post nonetheless.
