Virus Infected my Computer- PLEASE HELP

Hi marie and welcome to the forums!

Don't panic! 🙂

Very doubtful you have been infected by a virus that can affect the Mac OS - you would be the first to have this happen to. Much more likely that you have downloaded a Trojan. Read on:

From MacWorld, January 10, 2008:

SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

http://www.securemac.com/
The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X. Called DNSChanger Trojan and also known as OSX.RSPlug.A Trojan Horse the software attacks users attempting to play a fake video file.

Upon attempting to play the video, the victim receives the following message:
“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”
Upon running the installer, the user's DNS records are modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's DNS records stay modified on a minute-by-minute basis.

SecureMac's DNSChanger Removal Tool allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac. A white paper has recently been published on the subject by SubRosaSoft, available here:

http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174

The following may not apply to the Trojan you may or may not have accidentally installed, but it is still useful reading with some good tips:

From two posts by Tacit in Macfixit Forums, January 2008:

This does sound suspiciously like the Mac "**** codec" Trojan. The IP address 216.255.178.92 is owned by a customer of wvfiber.net, a Web site known to host other IP addresses responsible for malware written and distributed by Russian organized crime, and the IP address itself is a redirector to various pay-for-play **** sites also hosted by clients of wvfiber.net. At this point, I would say the odds are pretty good you are infected with the Mac version of the zlob Trojan.

This Trojan can not install if you do not enter a password. If you download it, an installer will run, show you a licensing agreement, and ask for your administrator password.

You can tell quickly if you are infected. Infected Macs will have a file called plugins.settings in the Internet Plugins folder inside the Library folder. Double click your hard drive icon. Inside you will see a folder called Library. Open it and find the folder called Internet Plugins. Open the Internet Plugins folder and see if you can find a file called plugins.settings; if you can, you are infected and if you can't you are not.

If you are infected:

1. Drag the plugins.settings file to the trash and empty the trash.

2. Open the Terminal. It is in your Applications folder, in a folder called Utilities.

3. In the Terminal window, type

sudo crontab -l

and hit return. (Note, the thing after the dash is the lowercase letter L, not the number 1.) You will be asked for an administrator password. Enter it.

4. If it says "crontab: no crontab for root" when you enter your password, you are no longer infected and you can stop here. If it says anything else besides "crontab: no crontab for root" then go on to the next step.

5. Type

sudo crontab -r

in the terminal and press Return. When you are asked for your password, enter it.

6. Restart your Mac. That should take care of it.

and:

The redirection in question is in fact going to spyshredderscanner.com, a URL owned by the Russian Business Network that was until recently hosted in the Ukraine and is now apparently living on an IP address assigned to a telecom company in Sweden and registered to a (most likely fake) address in Pennsylvania.

The redirection is happening by way of poisoned Flash banner ads served up by a Web advertising company called Tribal Fusion. Tribal Fusion is a legitimate Web ad company; they sell banner ads to a wide range of customers (including Microsoft and Toyota) and place those banner ads on Web sites owned by Webmasters who want to make money from their sites. A Web site owner signs a contract with Tribal Fusion; Tribal Fusion places banner ads on the site, collects money each time an ad is clicked, then shares that money with the site owner.

The site that is serving up the poisoned ads is lyricsfreak.com. This isn't a problem with them in specific, and it's likely that other Web sites displaying banner ads from Tribal Fusion are affected as well. As of a couple of days ago, the poisoned ad was coming up, as near as I can tell, about one time in each two hundred refreshes for that site.

This isn't the first time Russian organized crime has used poisoned banner ads to redirect traffic to virus droppers. The scam is pretty simple: First, people working on behalf of organized crime set up a fake company. Then, they buy banner ads for that fake company from reputable, legitimate Internet marketing companies. They craft Flash banners advertising the fake company. These banners contain Flash URL redirection code that will send the browser to a different page when the banner ad is served up. Often, the Flash banner ads look at the IP address or domain of the user's Web browser, so they do not redirect when they are being tested by Tribal Fusion or whoever the advertising company is.

The user does not need to click on the banner ad. The Flash ad redirects the user's browser as soon as the banner ad is displayed, without waiting for a click.

The poisoned banner ad directs the user's browser to a hostile server that attempts to download a virus onto the user's computer. These viruses aren't pranks; they're written specifically for profit, and virus writing has become one of the key sources of money for Eastern European organized crime in general. Most virus dropping Web sites will try a number of different exploits; I've seen virus droppers that will try as many as 20 or 25 different exploits to get the virus downloaded to the victim's computer. If the victim's computer is fully patched and secure, and none of the exploits work, the virus dropper falls back to a "Hail Mary" social engineering strategy; the two most common are to display a fake movie and provide a fake dialog box that says the movie can not be played unless the user downloads a new codec, and to display a fake virus alert and then tell the user that he is infected with a virus and he must download and run a program to get rid of it.

Marie, welcome to Apple Discussions.

If it's a virus, it would be a first for Macs since none have been reported. Antivirus software is not really necessary on a Mac, however if you receive many emails and forward them to PC users it may help them. I don't use any AV SW on my Macs. If you want to use one to detect a virus on emails, get the freeware antivirus application for Macs - ClamXav @ http://www.clamxav.com/ .

SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:
http://www.securemac.com/ This site also has a lot of info about Mac security.

Clear the cache on you browser to see if it makes a difference.

 Cheers, Tom

I can't help you with 'disinfecting' the windows machines, but I would recommend that you disconnect the Mac from your network until they are fixed, and concentrate on cleaning the Mac.

Next step is to do what Texas Man suggested.

Looks like an Archive & Install.

Which virus, a Mac or a PC virus, how did you remove it?
If you start a thread, get people assisting, offering help, suggestions, etc., and so forth, one would think that for the help of all users, you might be a bit more clear on the process of discovering the infection, and how you went about eradicating it, don't you think?

It might be of help, and you could help others.

My 2 cents.

guruuno,

The OP did not have a virus or trojan on her computer. The problem was with pc's on the same network. My theory is that one of the PC's was serving as a gateway, and it's DNS server was affected by a trojan. Hence the problem of the mac having the problem of being re-directed to the wrong websites.

Grant