Need Virus? Help
Fresh-Faced Recruit
Join Date: May 2004
For the second time, since the first Mac concept virus was announced, a strange thing has happened to my Mac running OS 10.28.
Occasionally I have to download a piece of seldom used software, which I will use and then discard.
The software in question: Microsoft Media Player 9.0 (6.1mb).
Twice I have downloaded the free version, from the link on Apple's website, to the download page on Microsoft's website.
After I view the files I delete the program, or attempt to.
This is when the trouble starts, I get a message: cannot be deleted because wmp.htm is in use.
This is the app file. Everything else I was able to track down and delete except this app which will not go away.
After messing with it, the app became property of the root, and my computer started acting strange.
My trash changed from 2 stages, to one stage, and if my computer is sitting idle, the cable modem blinks occasionally, and the computer takes unusually long to boot.
Other than that it has no effect, as long as I don't play with it.
At one point I had a blue screen and a beachball, and nothing else, and had to unplug it.
I used the install disc to load a new system, and began playing again, I put the app in an empty folder and the folder became property of the root, and eventually I loaded a third system, and am still playing with it.
It produced a dmg copy of itself, also encased in a root owned folder, which I managed to get rid of, and the folder that it enclosed itself in. (I'm turning into a geek)
Now it appears as the Apple menu bar app icon, and if I try to change permissions, after I close the info window, it reverts.
Last time I had to back up my files and erase my HD.
So..........., how's your day going, any suggestions?
(Last edited by Trucker B; May 20, 2004 at 10:46 AM.)
Senior User
Join Date: Jun 2000
Location: Nebraska
Weird. I've never heard of MS Media Player 9 doing that on a Mac. I would put in your OS CD and do a low level format, also called write all zeros, and then reinstall Mac OS X.
I tried the link to MS Media Player 9 on http://www.macupdate.com and it doesn't work. I just tried all the links on the MS Media Player 9 page from Microsoft and none of them work.
I know there was a flaw in the MS Media Player 9 series for Windows that could allow a hacker to gain control of a PC; maybe the same flaw is in the Mac version. Who knows with Microsoft. But most likely that's not the case. But the fact that all the links, even the links on the official page, are down must mean they found something wrong and are working on a fix, or their web site got hacked again.
[Riding a circus elephant]
Peter: Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change. - Family Guy
Fresh-Faced Recruit
Join Date: May 2004
Thanks for the comeback.
I'm going to keep playing with it, and eventually, I think I'm going to have to erase my HD again.
I can gain access to everything no problem, even all my root properties, but not this thing. Bizarre!
If I drag it anywhere, it makes a duplicate.
It's a real pain, but a good learning experience. It's amazing how much you forget, if you have not had to do something for a while.
I sure miss my old 233 iMac with OS 9, at times like this.
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Originally posted by Trucker B:
Thanks for the comeback.
I'm going to keep playing with it, and eventually, I think I'm going to have to erase my HD again.
I can gain access to everything no problem, even all my root properties, but not this thing. Bizarre!
If I drag it anywhere, it makes a duplicate.
It's a real pain, but a good learning experience. It's amazing how much you forget, if you have not had to do something for a while.
I sure miss my old 233 iMac with OS 9, at times like this.

The thing is, I think I'm not really sure what you're talking about when you refer to a number of things here:
1. What do you mean that the file wmp.htm is an application? This would normally be a html file. I just did a search for a file called wmp.htm on my disk and couldn't find one. Or are you referring to the whole application itself?
2. This whole application is called Windows Media Player. The player is available from Microsoft's site: Right here or here.
3. When you say delete, I assume you mean you drag the application to the trash and then try to empty the trash, at which point it gives you the message that that file is in use? You could delete the application from the terminal in that you could use the rm -rf command on the WHOLE application instead of individual files. I won't explain that here because I have a feeling that you're not sure of what you are doing and you could cause some serious damage with rm -rf. When you get that message, you could simply reboot and the file should no longer be in use after you restart.
4. I'm not sure at all what you mean when you say "messing with it and then it becomes the property of the root". Did you do a get info on the application and try to change the owner there? Or did you do a chown in the terminal?
5. Here you totally confuse me: Your trash "changes from 2 stages to one stage". What on earth does that mean? Do you mean two folders or does the warning go away?
6. You put the app in a folder and the folder became root. Do you mean you put the WMP application in a folder and the folder suddenly became owned by root? Are you sure you aren't logged into your system as root by chance?
7. When you say it produced a .dmg copy of itself, do you mean it did this without any help from you, or after you double clicked it?
It is certainly possible that that application is a trojan, masquerading as "Microsoft Media Player", which, as I said, doesn't exist (its official name is Windows Media player), unless you're just calling it that. There is a known trojan masquerading as the Office 2004 beta, that someone put onto P2P filesharing networks recently (it even had the Microsoft icon). It is possible that someone made a version of the trojan with the WMP icon. Download the version from one of the links above, it should download a file called "WindowsMediaInstaller.hqx" or "WindowsMediaInstaller.bin" and try that (and they do work btw). See if it behaves the same way. But before you do that, do a reformat and a clean install (without your version of the player btw!) to make sure you have no viruses or trojans. If after the reinstall and the real versions of WMP from the links above still behave that way then the problem lies somewhere else. If it however behaves normally then the version you downloaded was a trojan. If that's the case please report it here and on Apple's site (link where you got it from, filename, size etc) so that others can be warned.
weird wabbit
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
There are .htm files in the application bundle, for each language provided (English, French, German, Japanese, Spanish, and Swedish). These files are here:
Windows Media Player.app/Contents/Resources/[language].lproj/HelpPages/HTM/
However, there does not appear to be a wmp.htm in the bundle.
In any case, I don't think a reformat is necessary. Just delete the files and forget about it.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
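Added example, not written by any poster in this thread: a small audit that looks inside an application bundle (a directory) for help pages such as the ones at the path quoted above, and reports each file's owner and whether the Finder "locked" flag is set. The sample bundle is constructed for the demonstration, and placing a file named wmphelp.htm in that directory is an assumption.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_bundle(bundle, suffix=".htm"):
    """Return one record per file in the bundle whose name ends with `suffix`."""
    bundle = Path(bundle)
    records = []
    for path in sorted(bundle.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if not path.name.lower().endswith(suffix.lower()):
            continue
        st = path.lstat()
        # The language is the enclosing "<language>.lproj" directory, if any.
        lang = next((p.name[:-len(".lproj")] for p in path.parents
                     if p.name.endswith(".lproj")), None)
        records.append({
            "path": str(path.relative_to(bundle)),
            "language": lang,
            "owner_uid": st.st_uid,
            "root_owned": st.st_uid == 0,
            # st_flags exists on macOS/BSD only; UF_IMMUTABLE is the padlock flag.
            "locked": bool(getattr(st, "st_flags", 0) & stat.UF_IMMUTABLE),
            "mode": stat.filemode(st.st_mode),
        })
    return records


def make_sample_bundle(root):
    """Constructed sample laid out like the path quoted in the post above."""
    app = Path(root) / "Windows Media Player.app"
    for lang in ("English", "French"):
        htm = app / "Contents" / "Resources" / f"{lang}.lproj" / "HelpPages" / "HTM"
        htm.mkdir(parents=True)
        (htm / "wmphelp.htm").write_text("<html>constructed sample</html>")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in audit_bundle(make_sample_bundle(tmp)):
            print(rec)
```

Run against a real bundle path, a record with `root_owned` or `locked` set to true explains a Finder refusal to move or delete the item.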
Senior User
Join Date: Jun 2000
Location: Nebraska
I just tried the links on the official MS page for Windows Media Player 9 for OS X and they are working now. Might have been my ISP not working yesterday or something but you can get it directly from MS now.
[Riding a circus elephant]
Peter: Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change. - Family Guy
Fresh-Faced Recruit
Join Date: May 2004
I'll try to be more clear, trying to explain this.
Regarding your questions:
1. When I first began attempting to delete this file (wmv 9, application, 6mb), I would get a message window which read to the effect, the file could not be deleted because wmphelp.htm was being used.
I could not find it either.
2. These are the exact steps I took.
page:
http://www.apple.com/downloads/macos...formacosx.html
link from page:
http://wsidecar.apple.com/cgi-bin/np...aInstaller.bin
which forwarded me to this address:
http://download.microsoft.com/downlo...aInstaller.bin
3. Your assumption regarding the trash is correct, and yes I am just learning to use the terminal.
4&6. I dragged the file from my apps folder to the desktop, where I could get easy access, created a folder, and placed the app in the folder.
By accident, while selecting a group of folders, this folder went with them as I placed onto my HD folder.
When I attempted to drag the folder back to the desktop, it remained on the HD, and the folder, and its contents, became property of the route, and the folder had the red dot with the locked sign. I had not attempted the terminal, as I was a little scared, but willing.
5. At one point, between the time I downloaded it, and the time I deleted it, my trash went from the usual two stages of, move to trash (drag and drop or key command), delete trash, get pop-up warning, delete trash? / yes, to a single stage of, move to trash, get pop-up warning, delete trash? / yes, and the warning window had changed appearance.
7. Yes, I double clicked it a number of times, before and after it wound up on the HD.
As I said, this is my second time since the first one, and I have an idea of what to expect and what I can get away with.
I don't remember what I did to get the dmg.
7. I believe you are right, that this may be a trojan, and right again, it's Windows Media Player.
I don't use p2p, but I surf wildly, and have everything as secure as I can get it.
None of my software is set to auto execute.
Since I began my ordeal, I have backed up my files and took the opportunity to act like a teenager on steroids.
Since my machine was infected, I downloaded a couple p2p apps and went looking for some hard to find music, games and video, put what I wanted on a disc, then erased my HD and installed a new system.
My back-ups shall remain on disc, until I can get my buddy to scan them for me.
I will report it, and thanks for being concerned.
To everyone else, WATCH OUT, they're gunning for us!
Fresh-Faced Recruit
Join Date: May 2004
Once the application had become property of the root, when attempting to open it, the message had changed from "wmphelp.htm in use", to the "you do not have permission, property of root" message.
I tried everything I am capable of, which is somewhere between slightly better than average and not quite a geek, trying to get rid of this thing.
"You live, You learn."
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Originally posted by Trucker B:
....
To everyone else, WATCH OUT, they're gunning for us!

Mmmm, you don't seem to have much computer knowledge to be honest. The file wmphelp.htm (you called it wmp.htm originally, make up your mind) does exist! It's within the WMP application itself. On Mac OSX applications are actually folders and contain lots of folders within them. If you did download the application from the links you gave then it is NOT a trojan, but something is fuŠked with your system.
Solution 1.
Throw your Mac out, or better yet send it to me.
Solution 2.
1. Back up your data. This means NOT your applications, got that? This means your data from your user folder such as Documents, Music etc. (Not the Library folder within your user folder!) Only Documents, Music, Pictures, Movies and Sites.
2. Boot from the fuŠking CD that came with your Mac (or 10.3 Panther if you bought it later). Reformat the WHOLE disk. There's a big SHINY button there called ERASE. Do it.
3. Reinstall.
4. Learn how to use MacOSX.
Sorry if this is all quite rude, but your explanations mainly indicate that you have almost no idea of what you're doing, and misreporting stuff like wmphelp.htm as wmp.htm and root as route etc only serve to make everything more confused.
P.S. Look in the Finder Preferences, in the advanced tab, there's an option to "Show warning before emptying the trash". This is your "2 stage" to "1 stage" trash.
weird wabbit
Fresh-Faced Recruit
Join Date: May 2004
Originally posted by theolein:
Actually, from what I read from you, I believe I have more knowledge about macs, than you apparently do.
Are you a troll?