
DNS Changer Trojan

11724 Views 27 Replies Latest reply: Oct 18, 2009 10:53 AM by osihara RSS
Evil Z06
Jul 1, 2009 12:39 PM
Hello guys I have a slight problem.....My Macbook has a DNS Changer Trojan Virus.....This is what Apple tech told me.......What anti-virus programs are you using to get rid of this? The Apple tech told me the last time he heard of this was 8 months ago...Thanks
Macbook, Mac OS X (10.5.7)
  • Kappy Level 10 Level 10 (221,015 points)
    Jul 1, 2009 12:42 PM (in response to Evil Z06)
    Google the name. I believe there is a utility out there that removes it. The only free anti-virus program that may remove it would be ClamXAV - VersionTracker or MacUpdate.
    Mac Pro 2.66 Ghz; MBP Unibody; MBP C2D 2.33 Ghz; MBP 2.16 Ghz, Mac OS X (10.5.7), iMac C2D 17"; MB 2.0 Ghz; 80GB iPod Video; iPod Touch; iPod Nano 2GB
  • varjak paw Level 10 Level 10 (167,155 points)
    Jul 1, 2009 12:54 PM (in response to Evil Z06)
    iMac 2.8 Core 2 Duo 24" 4GB ATI 2600, Mac OS X (10.5.7), PowerMac G5 2.0GHz DP, Dell w/ Windows Vista Unlimited SP2, several others VM
  • j.v. Level 5 Level 5 (4,150 points)
    Jul 1, 2009 5:06 PM (in response to Evil Z06)
    the last I heard, rather, actually read on someone's posting here in the Apple Discussions, was that clamav virus definitions were sorely out of date for Mac DNS Changer trojan variants, only having the original RSPlugA definitions. That was a few months ago, and I have subsequently read somewhere else that Mark Allen, maker of the clamXav GUI front-end for clamav, was working, or attempting to work, with someone at clamav who actually cared, if he could find such an individual. But I don't know anything beyond that. For now, I, personally, only trust clamav to keep me from passing Windoze malware on to my Windoze-using friends.

    I also read, I believe in the Apple Discussions, that the free DNS Changer Removal was not detecting the later variants of this DNS Changer trojan, but that the company who makes it, had incorporated all the latest definitions in its macScan product (this latter presumption of mine is based on this thread). Seems like macupdate and versiontracker give iAntivirus good marks, too. macScan's, I think, are lower overall because a lot of people "dissed" them early on in that product's life, because "there (was) no malware for Macs." But that's changed now, and I think macupdate/versiontracker raters are giving much higher marks for macScan now, too. I believe both of these products are still "subscription-free" unlike their 800-lb-gorilla competition.
    2008 Mac Pro, 2001 Quicksilver, Mac OS X (10.5.7)
  • lkrupp Level 4 Level 4 (3,085 points)
    Jul 1, 2009 6:08 PM (in response to Evil Z06)
    Evil Z06 wrote:
    I tried the free versions of DNS Changer Removal Tool and MacScan and they found nothing....Maybe it's because it's the free version and maybe the pay version is better.


    Nope. It means you don't have that particular trojan. Just because an Apple "tech" told you you do doesn't mean it's true. Maybe you have a variant. Maybe not. Describe what's going on. Maybe it's something else. These trojans usually show up on web sites of ill repute claiming to be a video codec or some such thing. A trojan, by definition, is installed by the user. It does not get on your machine all by itself. You have to be tricked into downloading it, launching it, entering your admin password, and installing it. Remember anything like that?

    Message was edited by: lkrupp
    Aluminum 24" iMac (2.8Ghz Intel Penryn), Mac OS X (10.5.7), Apple TV 2.3.1 / Sharp Aquos 46" HDTV
  • Tim Haigh Level 7 Level 7 (24,190 points)
    Jul 2, 2009 1:46 AM (in response to Evil Z06)
    To show what DNS servers you are using, issue the following command in the Terminal.

    /usr/sbin/scutil --dns | grep nameserver

    Post the results of this command.

    If you have the DNS trojan, the other AV programs mentioned in this thread do not detect all of them.

    The free version of iAntiVirus is more up to date.
    Mac Mini 2009 2ghz, Leopard Server 10.5.6 ; MacBookPro 2.2ghz, Mac OS X (10.5.7), Be Pro 24megabit ADSL2+
  • Tim Haigh Level 7 Level 7 (24,190 points)
    Jul 2, 2009 2:14 PM (in response to Evil Z06)
    Do the command I posted in my previous post in your terminal app and post the results. This will give us the chance to check your dns servers.
    Mac Mini 2009 2ghz, Leopard Server 10.5.6 ; MacBookPro 2.2ghz, Mac OS X (10.5.7), Be Pro 24megabit ADSL2+
  • Tim Haigh Level 7 Level 7 (24,190 points)
    Jul 2, 2009 2:33 PM (in response to Evil Z06)
    Go to your Applications folder.

    Then double click the Utilities folder.

    Then scroll down to the Terminal application and double click that to open it.

    You then will see a command line interface with your name by the cursor.

    Copy and paste the following line:


    /usr/sbin/scutil --dns | grep nameserver


    To do this, click and drag your mouse pointer across the text, then once it is selected press Command + C to copy it.

    Then click on the Terminal window and press Command + V; this will paste the line of code into the Terminal window. Now press Enter.

    The terminal will now list some numbers, using the same procedure I outlined to copy text, copy the results and paste them into a reply in this thread.
    Mac Mini 2009 2ghz, Leopard Server 10.5.6 ; MacBookPro 2.2ghz, Mac OS X (10.5.7), Be Pro 24megabit ADSL2+
  • Tim Haigh Level 7 Level 7 (24,190 points)
    Jul 2, 2009 4:25 PM (in response to Evil Z06)
    The first IP 85.255.112.196 belongs to UkrTeleGroup Ltd. in the Ukraine.

    It resolves to 5.255.112.196.static.ukrtelegroup.com.ua.

    The second IP 85.255.112.89 belongs to the same company.

    The 3rd IP 1.2.3.4 is bogus.

    So it looks like you have a dnschanger.


    So go to your Network preferences, select Ethernet or AirPort (whichever you use), click on Advanced and go to DNS, then remove those entries.

    Click Apply,

    then restart your Mac and run that command again in the Terminal; if those IPs show up then you still have the malware.

    If none of the anti-virus programs are detecting it then you may have a new piece of malware that is not in any of the AV databases yet.

    Please note that the only way you could have got this malware is by being socially engineered into installing it; this was either by using pirated software, or the usual trick is visiting a page with videos of an adult nature and being prompted to install a video codec.

    The script is normally stored in /Library/Internet Plug-Ins and is named plugins.settings.

    So if present, manually delete it.

    It usually creates a crontab file also. Crontab, although it can be used in Leopard, is not used by default.

    So you need to do this in the Terminal.

    Open the Terminal, then use the following commands:

    cd /etc <press enter>

    ls <press enter>

    This will list all the files in /etc.

    Do you see a file named 'crontab'?
    Mac Mini 2009 2ghz, Leopard Server 10.5.6 ; MacBookPro 2.2ghz, Mac OS X (10.5.7), Be Pro 24megabit ADSL2+
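    The checks Tim Haigh walks through above (reading the resolvers from scutil --dns, then looking for the plugins.settings and crontab artefacts) can be collected into one small triage script. The following is an added example, not a tool from this thread or from any of the products named in it. It only reports; it changes nothing. The expected-resolver list (192.168.1.1, a typical home router) is an assumption to edit for your own network, and the embedded sample output is constructed from the three IPs posted in the thread so the script runs offline.

```bash
#!/bin/sh
# Added example (not from the thread): read-only triage helper for the
# DNS Changer indicators discussed above.
# On a Mac, feed it live data with:
#   /usr/sbin/scutil --dns | grep nameserver | check_nameservers
#   check_artifacts        # checks the two default paths named in the thread

# Constructed sample of "scutil --dns | grep nameserver" output, built from
# the IPs posted in the thread (two UkrTeleGroup addresses plus the bogus
# 1.2.3.4). Not captured from a real machine.
SAMPLE_NAMESERVERS='  nameserver[0] : 85.255.112.196
  nameserver[1] : 85.255.112.89
  nameserver[2] : 1.2.3.4'

# Resolvers you expect to see on your network. ASSUMPTION: a home router at
# 192.168.1.1; replace with your ISP's or router's addresses.
EXPECTED_RESOLVERS='192.168.1.1'

# Reads scutil output on stdin and prints one line per nameserver that is
# not in EXPECTED_RESOLVERS. Prints nothing when every resolver is expected.
check_nameservers() {
    # scutil prints lines like "  nameserver[0] : 1.2.3.4"; the IP is the
    # last whitespace-separated field.
    for ip in $(awk '/nameserver/ { print $NF }'); do
        unexpected=1
        for ok in $EXPECTED_RESOLVERS; do
            [ "$ip" = "$ok" ] && unexpected=0
        done
        if [ "$unexpected" -eq 1 ]; then
            echo "UNEXPECTED resolver: $ip"
        fi
    done
    return 0
}

# Prints one line per artefact path that exists. The two paths default to
# the locations named in the thread but can be overridden (argument 1 is
# the plug-in script, argument 2 the crontab) so the check can be pointed
# at a test directory.
check_artifacts() {
    plugin="${1:-/Library/Internet Plug-Ins/plugins.settings}"
    cron="${2:-/etc/crontab}"
    for f in "$plugin" "$cron"; do
        if [ -e "$f" ]; then
            echo "PRESENT: $f"
        fi
    done
    return 0
}

# Demonstration on the constructed sample: prints the three unexpected
# resolvers from the thread.
printf '%s\n' "$SAMPLE_NAMESERVERS" | check_nameservers
```

    A resolver outside your expected list is a lead, not a verdict: Tim Haigh's follow-up (remove the entries, reboot, re-run the scutil command) is the confirmation step, and a file present at either artefact path should be examined before it is deleted. Note that the crontab check only tells you the file exists, which on a stock Leopard install it normally does not; it does not tell you what the file schedules.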