
DNS = 85.255.113.114?

Grayed-out, this and a second DNS server address appear in System Prefs > Network > Ethernet > DNS servers on a MacBook Pro running OS 10.5.8. Servers appear to be in Amsterdam, might be connected to Netflix? In any case, I cannot change/delete these as they seem to be reset every few minutes when the machine is online. They go away when offline.


Added OpenDNS servers hoping they'd replace these two, but they were only added below the grayed entries, then disappeared.

Suggestions anybody?


<Edited by Host>

Posted on Feb 29, 2012 10:56 AM

7 replies

Question marked as Best reply

Feb 29, 2012 5:13 PM in response to BDAqua

You're right, it's a nasty, persistent lil' bugger.

Thank you for putting me on the right track, BD.


Appears to be two critters onboard: "plugins.setting" and "Mozillaplug.plugins" - no sign of 3rd "sendreq" file. Nothing else running/pending that I can find. We'll see what MacScan does.


(MacScan no longer appears to be posted on Apple's site for some reason.)

Apple store-listed utility apps (all):

http://store.apple.com/us/browse/home/shop_mac/software/utilities?s=alpha


Thinking OS upgrade with new/current security would help (10.6+ at least), along with anti-virus app (for those who might download a trojan). Been a walk down memory lane reading about Mac malware past and present, haven't missed all that jive, but here we are.....


DNS IP addresses were edited out of my post, but there are a dozen of 'em listed by Symantec in a nice writeup about the RSPlug-A/Puper trojan (2007): http://www.symantec.com/security_response/writeup.jsp?docid=2007-110101-2320-99&tabid=2


Thanks again! Workin' on it.....

;-)

Mar 1, 2012 4:22 PM in response to BDAqua

Quick followup here.....

MacScan ran all afternoon but found nothing. :-(


Gray DNS Server entries keep coming back - as soon as ethernet or Airport is connected.

Meanwhile, Console's System log shows a new entry every minute, over and over:

"...Could not setup Mach task special port 9: (os/kern) no access"

"...Could not setup Mach task special port 9: (os/kern) no access"

"...Could not setup Mach task special port 9: (os/kern) no access"

"...Could not setup Mach task special port 9: (os/kern) no access"


Tried the suggested crontab commands, result was the same in all cases: "Command not found."


DNS server entries finally went away after deleting three known problem files:

/Library/Internet Plug-Ins/plugins.settings

/Library/Internet Plug-Ins/Mozillaplug.plugins

/Library/Internet Plug-Ins/QuickTime.xpt

(plus the "sendreq" file that apparently deletes itself)


However, those "...Could not setup Mach task special port 9: (os/kern) no access" error messages keep coming to System log each and every minute.

Next step will be an upgrade from OS 10.5.8 to the top of 10.6 Snow Leopard, which should eliminate those error messages and better secure DNS entries, yes?


More info on this annoying problem may be found here:

"Mach port 9 trouble" thread:

https://discussions.apple.com/thread/1593565?answerId=7543410022#7543410022&messageID=7543410#7543410?messageID=7543410


"Could not setup Mach task special port 9" thread:

https://discussions.apple.com/thread/2094558?tstart=0


MacWorld article about the OSX.RSPlug.A trojan:

http://www.macworld.com/article/60823/2007/10/trojanhorse.html
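The reply above lists three things a defender can check for on a machine with these symptoms: rogue DNS server entries in the 85.255.112/113 range, the three files under /Library/Internet Plug-Ins, and the repeating "Mach task special port 9" line in the system log. The script below is an added triage example, not code from this thread or from Apple. It takes the three file names and the 85.255.113.114 address from the posts; the two /24 blocks it matches against are an assumption inferred from the partially redacted "85.xxx.112.xxx" / "85.xxx.113.xxx" addresses, and the sample DNS output and log lines are constructed for the demonstration. Only the `live_dns_servers` helper touches the real machine (it calls `networksetup -getdnsservers`, which exists on macOS); everything else works on whatever text you pass in.

```python
"""Triage script for the RSPlug/Puper-style DNS hijack described in this thread.

Added example (not the poster's or Apple's code). Checks three indicators:
  1. DNS servers inside the suspect 85.255.112.0/24 and 85.255.113.0/24 blocks
  2. known bad files under /Library/Internet Plug-Ins
  3. repeating "Could not setup Mach task special port 9" log lines
"""
import ipaddress
import os
import subprocess

# ASSUMPTION: blocks inferred from the redacted "85.xxx.112.xxx"/"85.xxx.113.xxx"
# in the posts plus the unredacted 85.255.113.114 in the thread title.
SUSPECT_DNS_NETWORKS = [
    ipaddress.ip_network("85.255.112.0/24"),
    ipaddress.ip_network("85.255.113.0/24"),
]

# File names exactly as listed in the thread.
KNOWN_BAD_PLUGIN_FILES = ["plugins.settings", "Mozillaplug.plugins", "QuickTime.xpt"]

# Log fragment quoted in the thread.
MACH_PORT_ERROR = "Could not setup Mach task special port 9: (os/kern) no access"


def parse_dns_servers(output):
    """Return the IP addresses found in `networksetup -getdnsservers` style output.

    Any line that is not a bare IP address (for example a 'no servers set'
    message) is ignored rather than treated as a server.
    """
    servers = []
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue
        servers.append(line)
    return servers


def flag_dns_servers(servers):
    """Return the subset of addresses that fall inside a suspect block."""
    flagged = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        # IPv6 addresses never match an IPv4 network, so they pass through clean.
        if any(addr in net for net in SUSPECT_DNS_NETWORKS):
            flagged.append(server)
    return flagged


def find_bad_plugin_files(plugin_dir="/Library/Internet Plug-Ins"):
    """Return full paths of the known bad files that exist in plugin_dir."""
    return [
        os.path.join(plugin_dir, name)
        for name in KNOWN_BAD_PLUGIN_FILES
        if os.path.exists(os.path.join(plugin_dir, name))
    ]


def count_mach_port_errors(log_lines):
    """Count system-log lines carrying the Mach port 9 error from the thread."""
    return sum(1 for line in log_lines if MACH_PORT_ERROR in line)


def live_dns_servers(service="Ethernet"):
    """Query the running machine (macOS only); returns [] where networksetup is absent."""
    try:
        result = subprocess.run(
            ["networksetup", "-getdnsservers", service],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return []
    return parse_dns_servers(result.stdout)


def triage(dns_output, plugin_dir, log_lines):
    """Combine the three checks into one report dictionary."""
    servers = parse_dns_servers(dns_output)
    return {
        "dns_servers": servers,
        "suspect_dns_servers": flag_dns_servers(servers),
        "bad_plugin_files": find_bad_plugin_files(plugin_dir),
        "mach_port_errors": count_mach_port_errors(log_lines),
    }


# Constructed sample input: the thread's address plus an OpenDNS resolver the
# poster said they added, and a log excerpt with four error lines and one other.
SAMPLE_DNS_OUTPUT = "85.255.113.114\n208.67.222.222\n"
SAMPLE_LOG = [
    "Mar  1 16:01:02 notebook com.apple.launchd[1]: " + MACH_PORT_ERROR,
    "Mar  1 16:02:02 notebook com.apple.launchd[1]: " + MACH_PORT_ERROR,
    "Mar  1 16:03:02 notebook com.apple.launchd[1]: " + MACH_PORT_ERROR,
    "Mar  1 16:04:02 notebook com.apple.launchd[1]: " + MACH_PORT_ERROR,
    "Mar  1 16:04:30 notebook kernel[0]: unrelated message",
]

if __name__ == "__main__":
    report = triage(SAMPLE_DNS_OUTPUT, "/Library/Internet Plug-Ins", SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live machine you would feed `"\n".join(live_dns_servers())` (or the raw `networksetup` output) and the contents of /var/log/system.log into `triage`; any non-empty `suspect_dns_servers` or `bad_plugin_files` is the signal the poster was chasing, while a steadily climbing `mach_port_errors` count shows the log noise they saw continuing after the files were removed.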

Mar 1, 2012 6:21 PM in response to BDAqua

Four machines connected to router (+1 wireless), none of them have the "85.xxx.113.xxx" and "85.xxx.112.xxx" DNS server addresses except the one (infected, 10.5.8) notebook. All other machines have correct ATT server/network info. But, whathaheck, no harm in resetting router. (Have to do that periodically anyway, seems like.)


Those "85" servers only disappeared (on the one notebook) when I got rid of the 3rd and last Internet Plug-In file, QuickTime.xpt. No doubt about it, you were right, BD. That machine had the DNS trojan x3 going back to 2009 and possibly back to 2007 (along with a slew of other crud!).


BTW: I've had lil'Snitch onboard for years - amazing how much background traffic goes on these days. Probably enough to scare most folks, and not without reason. Might havta pull the ethernet plug when offline ;-)

As for security, yeah, hard to find suspects with so many places to hide now - especially with no help from Spotlight.


Thanks again for all your help over the years!
