
DNS Changer Trojan

Hello guys, I have a slight problem. My MacBook has a DNS Changer Trojan virus. This is what the Apple tech told me. What anti-virus programs are you using to get rid of this? The Apple tech told me the last time he heard of this was 8 months ago. Thanks

MacBook, Mac OS X (10.5.7)

Posted on Jul 1, 2009 12:39 PM

27 replies

Jul 1, 2009 5:06 PM in response to Evil Z06

The last I heard, or rather actually read on someone's posting here in the Apple Discussions, was that the ClamAV virus definitions were sorely out of date for Mac DNS Changer trojan variants, only having the original RSPlug.A definitions. That was a few months ago, and I have subsequently read somewhere else that Mark Allen, maker of the ClamXav GUI front-end for ClamAV, was working, or attempting to work, with someone at ClamAV who actually cared, if he could find such an individual. But I don't know anything beyond that. For now, I personally only trust ClamAV to keep me from passing Windoze malware on to my Windoze-using friends.

I also read, I believe in the Apple Discussions, that the free DNS Changer Removal Tool was not detecting the later variants of this DNS Changer trojan, but that the company that makes it had incorporated all the latest definitions in its MacScan product (this latter presumption of mine is based on this thread). Seems like MacUpdate and VersionTracker give iAntiVirus good marks, too. MacScan's, I think, are lower overall because a lot of people "dissed" it early on in that product's life, because "there (was) no malware for Macs." But that's changed now, and I think MacUpdate/VersionTracker raters are giving much higher marks for MacScan now, too. I believe both of these products are still "subscription-free", unlike their 800-lb-gorilla competition.

Jul 1, 2009 6:08 PM in response to Evil Z06

Evil Z06 wrote:
I tried the free versions of DNS Changer Removal Tool and MacScan and they found nothing. Maybe it's because it's the free version and maybe the pay version is better.

Nope. It means you don't have that particular trojan. Just because an Apple "tech" told you you do doesn't mean it's true. Maybe you have a variant. Maybe not. Describe what's going on. Maybe it's something else. These trojans usually show up on web sites of ill repute, claiming to be a video codec or some such thing. A trojan, by definition, is installed by the user. It does not get on your machine all by itself. You have to be tricked into downloading it, launching it, entering your admin password, and installing it. Remember anything like that?


Jul 1, 2009 6:12 PM in response to lkrupp

When I try to go to one of my regular forums it redirects me to various other sites. This only happens on this one forum, not on any other site I go on. There is no problem with my regular site, because when friends try it on their computers they get on. Also, when on a forum it will just open another window with some other random website.

Jul 2, 2009 2:33 PM in response to Evil Z06

Go to your Applications folder.

Then double-click the Utilities folder.

Then scroll down to the Terminal application and double-click that to open it.

You will then see a command-line interface with your name by the cursor.

Copy and paste the following line:


/usr/sbin/scutil --dns | grep nameserver


To do this, click and drag your mouse pointer across the text, then once it is selected press Command + C to copy it.

Then click on the Terminal window and press Command + V; this will paste the line into the Terminal window. Now press Enter.

The Terminal will now list some numbers. Using the same procedure I outlined for copying text, copy the results and paste them into a reply in this thread.

Jul 2, 2009 4:25 PM in response to Evil Z06

The first IP, 85.255.112.196, belongs to UkrTeleGroup Ltd. in Ukraine.

It resolves to 5.255.112.196.static.ukrtelegroup.com.ua.

The second IP, 85.255.112.89, belongs to the same company.

The 3rd IP, 1.2.3.4, is bogus.

So it looks like you have a DNSChanger.


So go to your Network preferences, select Ethernet or AirPort (whichever you use), click on Advanced, go to DNS, and then remove those entries.

Click Apply,

then restart your Mac and run that command again in the Terminal. If those IPs show up, then you still have the malware.

If none of the anti-virus programs are detecting it, then you may have a new piece of malware that is not in any of the AV databases yet.

Please note that the only way you could have got this malware is by being socially engineered into installing it. This was either by using pirated software, or the usual trick is visiting a page with videos of an adult nature and being prompted to install a video codec.

The script is normally stored in /Library/Internet Plug-Ins and is named plugins.settings.

So if present, manually delete it.

It usually creates a crontab file also. Crontab, although it can be used in Leopard, is not used by default.

So you need to do this in the Terminal.

Open the Terminal, then use the following commands:

cd /etc <press enter>

ls <press enter>

This will list all the files in /etc.

Do you see a file named 'crontab'?
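The two replies above (run scutil --dns, compare the resolvers with the UkrTeleGroup addresses and 1.2.3.4, then look for plugins.settings and a crontab) can be turned into one repeatable check. The script below is an added example and is not from the thread, from Apple, or from any of the removal tools mentioned. It assumes the 10.5-era scutil --dns line format ("  nameserver[0] : 85.255.112.196"), and its indicator list contains only the three IPs quoted in the thread, so a clean result means only that those particular resolvers are gone, not that the machine is free of a newer variant. The sample scutil output is constructed so the script can be run anywhere; the live commands for a real Mac are in the comment at the end.

```bash
#!/bin/sh
# Added example, not from the thread. Repeatable version of the manual checks
# in the replies above: resolver list from scutil --dns, the IPs quoted in the
# thread, and the two on-disk artefacts named (plugins.settings, /etc/crontab).
# Assumption: "scutil --dns" prints lines like "  nameserver[0] : 85.255.112.196".

# Resolver IPs the reply identifies as the trojan's (list taken from the thread).
BAD_RESOLVERS="85.255.112.196 85.255.112.89 1.2.3.4"

# Constructed scutil --dns output for the infected case described in the thread.
SAMPLE_INFECTED='DNS configuration

resolver #1
  nameserver[0] : 85.255.112.196
  nameserver[1] : 85.255.112.89
  nameserver[2] : 1.2.3.4

resolver #2
  domain   : local
  options  : mdns'

# Constructed output for a clean machine pointing at its AirPort base station.
SAMPLE_CLEAN='DNS configuration

resolver #1
  nameserver[0] : 10.0.1.1'

# Read scutil --dns text on stdin and print each distinct nameserver IP once.
extract_nameservers() {
    grep 'nameserver' | sed 's/.*: *//' | sort -u
}

# Read one IP per line on stdin; print "BAD ip" for a thread indicator and
# "ok  ip" otherwise. Returns 1 if any indicator was seen, 0 if none.
classify_resolvers() {
    status=0
    while read -r ip; do
        [ -n "$ip" ] || continue
        case " $BAD_RESOLVERS " in
            *" $ip "*) echo "BAD $ip"; status=1 ;;
            *)         echo "ok  $ip" ;;
        esac
    done
    return $status
}

# Report the on-disk artefacts the reply names. $1 is an optional root prefix
# so the check can be exercised on a scratch directory; default is the live disk.
# /etc/crontab is not present by default on 10.5, so finding it is worth a look.
check_artifacts() {
    root=${1:-}
    found=0
    for f in "$root/Library/Internet Plug-Ins/plugins.settings" "$root/etc/crontab"; do
        if [ -e "$f" ]; then
            echo "FOUND $f"
            found=1
        else
            echo "absent $f"
        fi
    done
    return $found
}

# Demonstration on the constructed samples (needs no scutil, runs anywhere).
echo "== constructed infected sample =="
printf '%s\n' "$SAMPLE_INFECTED" | extract_nameservers | classify_resolvers \
    || echo "resolver indicators present: remove them in Network preferences, reboot, re-run"
echo "== constructed clean sample =="
printf '%s\n' "$SAMPLE_CLEAN" | extract_nameservers | classify_resolvers

# On a real Mac, run the live checks instead of the samples:
#   /usr/sbin/scutil --dns | extract_nameservers | classify_resolvers
#   check_artifacts
```

Re-run the resolver check after the reboot the reply asks for: if the same addresses come back after you removed them in Network preferences, something on the machine is re-applying them and the plugins.settings and crontab checks are the next place to look.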
