The last I heard, rather, actually read on someone's posting here in the Apple Discussions, was that clamav virus definitions were sorely out of date for Mac DNS Changer trojan variants, only having the original RSPlugA definitions. That was a few months ago, and I have subsequently read somewhere else that Mark Allen, maker of the clamXav GUI front-end for clamav, was working, or attempting to work, with someone at clamav who actually cared, if he could find such an individual. But I don't know anything beyond that. For now, I, personally, only trust clamav to keep me from passing Windoze malware on to my Windoze-using friends.
I also read, I believe in the Apple Discussions, that the free DNS Changer Removal was not detecting the later variants of this DNS Changer trojan, but that the company that makes it had incorporated all the latest definitions in its macScan product (this latter presumption of mine is based on this thread). Seems like macupdate and versiontracker give iAntivirus good marks, too. macScan's, I think, are lower overall because a lot of people "dissed" them early on in that product's life, because "there (was) no malware for Macs." But that's changed now, and I think macupdate/versiontracker raters are giving much higher marks for macScan now, too. I believe both of these products are still "subscription-free" unlike their 800-lb-gorilla competition.
Evil Z06 wrote:
I tried the free versions of DNS Changer Removal Tool and MacScan and they found nothing....Maybe it's because it's the free version and maybe the pay version is better.
Nope. It means you don't have that particular trojan. Just because an Apple "tech" told you you do doesn't mean it's true. Maybe you have a variant. Maybe not. Describe what's going on. Maybe it's something else. These trojans usually show up on web sites of ill repute claiming to be a video codec or some such thing. A trojan, by definition, is installed by the user. It does not get on your machine all by itself. You have to be tricked into downloading it, launching it, entering your admin password, and installing it. Remember anything like that?
Message was edited by: lkrupp
When I try to go to one of my regular forums it redirects me to other various sites. This only happens on this one forum....not on any other site I go on. There is no problem with my regular site because when friends try it on their computers they get on.....also when on a forum it will just open another window with another various website.
To show what DNS servers you are using, issue the following command in the terminal.
/usr/sbin/scutil --dns | grep nameserver
Post the results of this command.
If you have the dns trojan, the other avg programs mentioned in this thread do not detect all of them.
The free version of iAntiVirus is more up to date.
Go to your Application Folder.
Then double click the Utilities folder.
Then scroll down to the Terminal application and double click that to open it.
You then will see a command line interface with your name by the cursor.
Copy and paste the following line:
/usr/sbin/scutil --dns | grep nameserver
To do this, click and drag your mouse pointer across the text, then once selected press command + C to copy it.
Then click on the terminal window and press command + V; this will paste the line of code into the terminal window. Now press enter.
The terminal will now list some numbers. Using the same procedure I outlined to copy text, copy the results and paste them into a reply in this thread.
The first IP 220.127.116.11 belongs to UkrTeleGroup Ltd. in the Ukraine.
It resolves to 18.104.22.168.static.ukrtelegroup.com.ua.
The second IP 22.214.171.124 belongs to the same company.
The 3rd IP 126.96.36.199 is bogus.
So it looks like you have a dnschanger.
So go to your network preferences, select Ethernet or AirPort, whichever you use, click on Advanced and go to DNS, then remove those entries.
Then restart your Mac and run that command again in the terminal. If those IPs show up then you still have the malware.
If none of the anti virus programs are detecting it then you may have a new piece of malware that is not in any of the av databases yet.
Please note that the only way you could have got this malware is by being socially engineered into installing it. This was either by using pirated software, or the usual trick is visiting a page with videos of an adult nature and being prompted to install a video codec.
The script is normally stored in /Library/Internet Plug-Ins and is named plugins.settings.
So if present manually delete it.
It usually creates a crontab file also. Crontab, although it can be used in Leopard, is not used by default.
So you need to do this in the terminal.
Open the terminal, then use the following commands:
cd /etc <press enter>
ls <press enter>
This will list all the files in /etc.
Do you see a file named 'crontab'?
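
The checks described in this thread (resolver addresses from scutil --dns, the plugins.settings file, and /etc/crontab) collected into one script, as an added example that is not part of any poster's reply. The allowlist address, the sample scutil output, the ROOT variable and the function names are constructed for illustration; set EXPECTED_DNS to the resolvers you actually configured.

```sh
#!/bin/sh
# Added example (not from the thread): triage for the DNS changer signs
# discussed above. Function names and sample values are constructed.

# Assumption: resolvers you configured yourself, space separated.
EXPECTED_DNS="${EXPECTED_DNS:-10.0.0.1}"

# Constructed sample in the format `scutil --dns` prints; used only when
# scutil is not available (i.e. when not run on a Mac).
SAMPLE='resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 10.0.0.1
resolver #2
  nameserver[0] : 10.0.0.1'

# Read `scutil --dns` output on stdin, print each nameserver once.
list_nameservers() {
    awk '/nameserver\[[0-9]+\]/ { print $NF }' | sort -u
}

# Print nameservers from stdin that are not in the allowlist given as $1.
unexpected_nameservers() {
    allow=" $1 "
    list_nameservers | while read -r ns; do
        case "$allow" in
            *" $ns "*) ;;                 # expected resolver
            *) echo "$ns" ;;              # not one you configured
        esac
    done
}

# Report the files named in the thread, looked up under root $1.
check_artifacts() {
    root="${1%/}"
    for f in "/Library/Internet Plug-Ins/plugins.settings" "/etc/crontab"; do
        if [ -e "$root$f" ]; then echo "present: $f"; fi
    done
}

if command -v scutil >/dev/null 2>&1; then
    scutil --dns
else
    printf '%s\n' "$SAMPLE"
fi | unexpected_nameservers "$EXPECTED_DNS"
check_artifacts "${ROOT:-/}"
```

Any address it prints is a resolver you did not list in EXPECTED_DNS; a "present:" line only says the file exists, so inspect it before deleting anything.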