HT201184: Solutions for connecting to the Internet, setting up a small network, and troubleshooting
Learn about Solutions for connecting to the Internet, setting up a small network, and troubleshooting

Q: My computer is infected with the DNS changer virus. I installed the Macscan DNS Changer Removal Tool but after restarting the virus is still there!
-
Feb 22, 2012 6:05 AM in response to Bruno Decoster by WZZZ
Contact MacScan?
http://macscan.securemac.com/help/
Try running ClamXav. The DNS changer (trojan, not a virus) is included in its definitions.
-
Feb 22, 2012 8:32 AM in response to Bruno Decoster by ds store
Contact both MacScan and ClamXav, you might have a new version of the trojan and they would like to get a source copy.
Don't install anything from unreliable sites or if they tell you you need an update, treat that as suspicious.
Go to these sites directly with your own bookmarks, not via a web page link.
Flash
http://get.adobe.com/flashplayer/
Perian
VLC
And perhaps Silverlight and Flip4Mac if needed. Disable Java in all your browsers, only turn on if needed.
-
Feb 22, 2012 9:20 PM in response to Bruno Decoster by HACKINT0SH
My computer is infected with the DNS changer Virus.
That would be quite impossible, as no such virus exists (at least for OS X).
-
Feb 22, 2012 9:44 PM in response to HACKINT0SH by fane_j
HACKINT0SH wrote:
no such virus exists (at least for OS X).
"[…] the term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the ability to replicate themselves. Malware includes computer viruses, computer worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious or unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different."
-
Feb 22, 2012 9:47 PM in response to Bruno Decoster by fane_j
Bruno Decoster wrote:
the virus is still there.
How do you know?
-
Feb 22, 2012 11:35 PM in response to Bruno Decoster by MadMacs0
Bruno Decoster wrote:
My computer is infected with the DNS changer Virus.
Did you verify that at http://dns-ok.us/? At the bottom of that page you will find FBI instructions on how to change your DNS settings. Also take a look in /Library/Internet Plug-Ins/ and make sure that the MacScan removal tool got rid of the file "plugins.settings".
EDIT: Also look in that same directory (folder) for "QuickTime.xpt" which is another component of the Trojan. There may also be a crontab to run the Trojan periodically, but we can clean that up later. If those two files are gone it won't work (unless it's something new, which is highly doubtful since the developers are all sitting in jail right now).
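The manual checks from the post above, gathered into one shell script as an added example (not part of the thread and not any removal tool's own code). The directory and the two file names are the ones the post gives; the function names are made up for illustration, and /etc/resolv.conf is assumed to reflect the DNS servers in use.

```shell
#!/bin/sh
# Added example, not from the thread. Directory and file names are the ones
# given in the post; function names and output wording are made up here.

PLUGIN_DIR="/Library/Internet Plug-Ins"

# Print the path of each Trojan component still present in directory $1.
find_dnschanger_files() {
    for name in plugins.settings QuickTime.xpt; do
        if [ -e "$1/$name" ]; then
            printf '%s\n' "$1/$name"
        fi
    done
}

# Print the resolver addresses from a resolv.conf-format file ($1).
# Assumption: this file mirrors the DNS servers the system is using.
list_nameservers() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Read a crontab on stdin and print only its active (non-comment) lines.
crontab_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true
}

report() {
    hits=$(find_dnschanger_files "$PLUGIN_DIR")
    if [ -n "$hits" ]; then
        echo "Still present:"
        echo "$hits"
    else
        echo "Neither file found in $PLUGIN_DIR"
    fi
    echo "DNS servers currently configured:"
    list_nameservers /etc/resolv.conf
    echo "Active crontab lines for this user (review by hand):"
    { crontab -l 2>/dev/null || true; } | crontab_entries
}

report
```

The crontab listing covers only the account that runs the script; the DNS addresses it prints still have to be compared by hand with what the router or ISP is supposed to supply.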
-
Feb 22, 2012 11:50 PM in response to MadMacs0 by fane_j
MadMacs0 wrote:
Did you verify that at http://dns-ok.us/?
I notice that the German site (sponsored by Federal authorities) contains a warning absent from the US site:
"Note: For this test to be carried out correctly, no proxy servers may be enabled in your web browser's settings. These are frequently used on company computers. If in doubt, you should therefore contact your IT support, who can tell you whether this test can be used in your environment."
Does the US site use a different script, which works even when proxies are used?
-
Feb 23, 2012 12:15 AM in response to fane_j by MadMacs0
"Hinweis: Für die korrekte Durchführung dieses Tests dürfen keine Proxy-Server in den Einstellungen Ihres Webbrowsers aktiviert sein. Diese werden häufig bei Firmenrechnern verwendet. Sie sollten daher im Zweifel Ihren IT-Support kontaktieren, der Ihnen mitteilen kann, ob dieser Test in ihrer Umgebung genutzt werden kann."
Google Translate:
Note: For proper implementation of this test may not be a proxy server enabled in your browser settings. These are often used in corporate machines. You should contact your IT support in doubt, you can tell whether this test can be used in their environment.
and
fane_j wrote:
Does the US site use a different script, which works even when proxies are used?
No idea.