DNS Servers change automatically - DNSChanger virus?

My DNS servers change automatically away from the router's setup to a server in the ranges affected by the DNSChanger virus.


I make reference to thread https://discussions.apple.com/thread/3975653?start=0&tstart=0.


I have tried the following:

  • Virus scan by ClamXav - no viruses
  • Flush the DNS Cache as per suggestion in above thread
  • Have run the DNSChanger Removal Tool - no infection indicated
  • Renew DHCP Lease - changes back to router address, but then changes back to infected range within a minute AUTOMATICALLY


I have checked addresses on all routers / AirPorts in my network and they seem stable with addresses outside the infected ranges.


The only thing that seems to work is to load the open DNS servers as per the above thread, but I am concerned that using them is using a "crowded space" and would prefer the automatic allocation to be working without the computer defaulting back to the infected range. Please refer to the screen dumps below.


First the "clear" range:

User uploaded file


and then the ranges that the computer changes back to within a minute from Renewing the DHCP Lease:


User uploaded file


Any suggestions to what can be the problem and/or solutions?


Thanks in advance

Eyvind

MacBook Pro, Mac OS X (10.7.4)

Posted on Jun 21, 2012 12:03 PM

24 replies

Jun 21, 2012 12:57 PM in response to Eyvindj

Those IPs don't appear on any blacklists yet; they are located in the Ukraine.


http://whatismyipaddress.com/blacklist-check




check here:


http://www.dns-ok.us/


http://www.dcwg.org/detect/checking-osx-for-infections/



Updates: 23.11.104.143


https://support.apple.com/kb/HT1222




You should remove the malware by backing up your files and reinstalling your system.


After all it keeps changing the DNS servers on you so it will have to go.


Step by Step to fix your Mac



192.168.1.254 is the default router IP BTW, are you sure those IPs are not your ISP's?


You live in the Ukraine?

Jun 21, 2012 1:34 PM in response to ds store

Thx ds store!


On this link I checked the IP range my computer is defaulting to: http://www.dcwg.org/detect/checking-osx-for-infections/ (bottom of the page) and it would appear that it falls right into the infected range between 85.255.112.0 and 85.255.127.255


No, I live in South Africa. I have verified from the router setting that 192.168.1.254 is the default IP of the router, which is not changing.


I have also tried an independent 3G modem / WIFI router connecting completely outside my home network. Same story.


I am backing up to a TimeCapsule. After reinstalling the system, can I restore from here without reintroducing the problem, you think?
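As an added example (not part of the thread or the DCWG page), here is a small POSIX shell check that does what Eyvind did by hand against the DCWG list: it takes a list of resolver addresses and prints any that fall inside the 85.255.112.0 to 85.255.127.255 range mentioned above. The sample resolver list is constructed; on a Mac the live list could be pulled with `scutil --dns`.

```shell
#!/bin/sh
# Added example, not from the thread: flag resolver addresses that fall in the
# DNSChanger range quoted from the DCWG page, 85.255.112.0 - 85.255.127.255.

# Convert a dotted-quad IPv4 address to a 32-bit integer using plain POSIX arithmetic.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return 0 (true) if the address in $1 lies inside the rogue range, else 1.
in_dnschanger_range() {
    ip=$(ip_to_int "$1")
    lo=$(ip_to_int 85.255.112.0)
    hi=$(ip_to_int 85.255.127.255)
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# Print every address in a newline-separated list that is in the rogue range.
flag_rogue_resolvers() {
    printf '%s\n' "$1" | while read -r addr; do
        [ -n "$addr" ] || continue
        if in_dnschanger_range "$addr"; then
            echo "$addr"
        fi
    done
}

# Constructed sample: the router address from the thread, one address in the
# rogue range, and an OpenDNS resolver.
SAMPLE_RESOLVERS="192.168.1.254
85.255.112.10
208.67.222.222"

# On a Mac the live list would come from:  scutil --dns | awk '/nameserver/ {print $3}'
flag_rogue_resolvers "$SAMPLE_RESOLVERS"
```

Run it once after "Renew DHCP Lease" and again a minute later; if the rogue address shows up only the second time, something on the machine is rewriting the resolver list, which is exactly the symptom described above.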

Jun 22, 2012 1:32 AM in response to Eyvindj

I have no answers for you except to confirm what you already know, that there is some rogue DNSChanger at work here. The only thing I can think of is that it's your router that's somehow been infected, not your Mac. I assume that would be your Time Capsule which I would not think could be infected. You didn't say specifically that you checked your router's DNS settings, so you need to do that.


Although the DCWG site has mentioned router infection since day one, they never really came out with any instructions on how to clean the router or exactly how it is infected. Is it infected over the internet or by an infected computer? I really think there's something we don't fully understand about this. July 9 may be a fun day.

Jun 22, 2012 4:45 AM in response to Eyvindj

If I'm understanding you correctly, you are seeing this problem both on your home network and on a completely separate and unrelated 3G cellular network. Is that right? If so, either there's a massively widespread problem in your area, or the problem is the computer. Neither of those seem likely, but the former is obviously the less likely possibility.


Try running the DNSChanger Removal Tool found here:


http://www.dnschanger.com/


(Don't spend money on anything there, though.)


If that still doesn't find anything, look for anything suspicious in the following folders:


/Library/LaunchDaemons

/Library/LaunchAgents

~/Library/LaunchAgents


(Note that ~/Library is in your user folder, but that folder is invisible in Lion... hold down the option key while choosing Library from the Finder's Go menu to go straight to that folder.)


What is suspicious, you ask? Anything not related to some third-party software that you know you have installed. If you see something suspicious, move it to the desktop and then restart your computer, then check to see if the problem is continuing. If it doesn't fix the problem, you probably ought to put it back.

Jun 25, 2012 6:13 AM in response to thomas_r.

Thanks to everyone!!!


Your input is much appreciated. General comments: I discovered the problem in an unrelated (to my home, that is) work environment. There I can connect both with Ethernet and WIFI, and both connections started off with a router DNS and within a minute changed to the funny 85.xxx addresses. Same story at home, where I have both TC and a separate router (two networks) on WIFI. TC has its DNS and the Billion others, and they seem stable. Plus I have tested on 3G.


The symptoms are: if I don't put anything into the DNS Servers block, then DNS starts with the router's DNS and within about a minute swaps to the rogue 85.xxx address. If I "force" the open DNS Server numbers in as per the above thread, they remain there.


From the above I deduce that it must be my computer that is infected with something ClamXav does not (yet) have a remedy for. Apart from knowing something is wrong, I think I will wait for the next system update and regularly check via ClamXav. Maybe something comes out of the wash later on.


Anyway, thanks for all good suggestions. I will try to look into the libraries.

Eyvind

Jun 25, 2012 2:33 PM in response to Eyvindj

Eyvindj wrote:


I will try to look into the libraries.

In addition to the ones mentioned, the original DNSChanger installed a file in ~/Library/Internet Plug-Ins/ "plugins.settings" so I suggest you check there for anything you don't recognize as a browser plugin.


Another thought... if you are running Windows it could be that version of the Trojan.

Jul 3, 2012 3:15 PM in response to MadMacs0

Thanks to: Thomas A Reed and MadMacs0!


You sent me on the right path. Here is what resolved the situation. I removed ALL plugins from the folder ~/Library/Internet Plug-Ins/ including finding the "plugins.settings" one, although this one in isolation did in fact not resolve the problem. Now the DNS Servers are steady and only indicate the main DNS from the router. So removing them all solved the problem - initially. This would also indicate that the problem lies in this folder, so thanks for pointing this out.


Then I am going to slowly move SOME of the plugins back, those that I know the origin of, and then see WHICH one gives the problem. I will also dare to only go slowly about this and possibly only download new plugins as I am requested to do so from my frequent and trusted websites.


And no, I was not running Windows, so I don't think that was the source.


Below is a screenshot of all the plugins I have removed, so if anyone recognises any "baddies" here, then please post a comment for others to gain benefit from this.


Again, my sincere thanks to all who got involved. I am putting my 5 pennies worth in here, just in case anybody else later on runs into this problem.


User uploaded file

Jul 3, 2012 3:50 PM in response to Eyvindj

Eyvindj wrote:


I removed ALL plugins from the folder ~/Library/Internet Plug-Ins/ including finding the "plugins.settings" one, although this one in isolation did in fact not resolve the problem.

DNS settings are cached, so unless you flushed the cache after removing plugins.settings it may have stuck with it for a bit.


There is no legitimate "plugins.settings" and since it's an executable, that was clearly one of the problems.


I only have the first Flip4Mac WMV plugin.plugin and seem to recall that there used to be two, but the second one you have may no longer be necessary.


I'm guessing that OfficeLive is OK, though I don't use it. Same with Loki.


I am pretty certain that I used to have a Mozilla but no longer do.


Even though this Mozilla site is provided for Firefox, it will work with any browser to help sort out what's current http://www.mozilla.org/en-US/plugincheck/.

Jul 4, 2012 12:12 AM in response to Eyvindj

In anticipation of seeing a few more cases like yours when they pull the plug on the rogue servers next week, I found all current guidance for DNSChanger removal focused on the aforementioned DNSChanger Removal Tool 2.0 from MacScan. I really had to dig deeply to find the Macworld article from 2008 giving manual instructions for removal.


So first of all, even though you've already said it, can you confirm that you ran this tool and it did not give you any indication that you were infected? I tried it out here and it found each of the two Internet Plug-Ins that I am aware of ("AdobeFlash" and "plugins.settings").


Next you should remove the trigger mechanism that is used to launch plugins.settings every minute to reset the DNS settings in case you changed them. It isn't really doing anything now except wasting time and filling up your system and console logs each minute since you removed the executable.


Launch the Terminal app (found in /Applications/Utilities/), copy and paste the following after the "$ " prompt:

sudo crontab -l

and hit return.

Enter the admin password when asked (you will not see any typing) and hit return.

Terminal will then display any cron tasks for root. You should see this output:


* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1


Back to Terminal, copy and paste:

sudo crontab -r

and hit return.

Enter the admin password again if asked (you will not see any typing) and hit return.

This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message “crontab: no crontab for root.”


Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply.


Reboot your Mac.
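The procedure above boils down to one check: is there a root cron job that runs every minute and points into /Library/Internet Plug-Ins? As an added example (not MadMacs0's instructions or anything from the Macworld article), this POSIX shell snippet applies that check to crontab text so the filename does not matter, which covers the "QuickTime.xpt" case as well as "plugins.settings". The sample crontab is constructed; on a Mac you would feed it the output of `sudo crontab -l`.

```shell
#!/bin/sh
# Added example, not from the thread: scan root's crontab for the every-minute
# job DNSChanger used to re-run its plugin binary. The crontab is passed in as
# text so the same function can be run against a constructed sample.

# Print every non-comment line whose five schedule fields are all "*" (every minute)
# and whose command references the Internet Plug-Ins folder, whatever the filename.
suspicious_cron_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" &&
            /Internet Plug-Ins/ { print }
    '
}

# Number of suspicious entries, as a plain integer (0 when the crontab is clean).
count_suspicious() {
    suspicious_cron_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample: a comment, one benign nightly job, and the entry quoted in
# the thread. A default Mac has no root crontab at all, so any entry deserves a look.
SAMPLE_CRONTAB='# root crontab
0 3 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'

# Live use on a Mac:  suspicious_cron_entries "$(sudo crontab -l 2>/dev/null)"
suspicious_cron_entries "$SAMPLE_CRONTAB"
```

Running this before touching the Plug-Ins folder tells you which file the cron job launches, so that file can be set aside for the AV vendors (as MadMacs0 asks later in the thread) rather than deleted blind, and the DNS settings can be re-entered after the job itself has been removed with `sudo crontab -r`.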

Jul 5, 2012 1:02 AM in response to MadMacs0

Once again thanks MadMacs0, and with the same level of gratitude as what you put into the latest expansion on the problem. Will somebody at Apple please "Get that man a Bells". http://www.youtube.com/watch?v=lwO3GQVAcwM


Just to confirm, yes I did run the DNSChanger Removal Tool 2.0 from MacScan and in fact it did not highlight the "plugins.settings".


On running the crontab procedure as indicated, my prompt returned:

* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1


To me that suggests that the problem lies with the "QuickTime.xpt" plugin, which was in my library originally. This would be in support of the fact that I did not have the "AdobeFlash" plugin.


Is it fair to suggest that people with the DNSChanger problem in fact should run the crontab process first to see which plugin is called and THEN remove that particular plugin from the library?


As an alternative people could be looking for files with the extension "xpt" to look for suspicious plugins, as I presume the names could be any masked name to give credibility for the virus?


Anyway, I am now stable and I am very grateful for the advice offered here.

Jul 5, 2012 2:30 AM in response to Eyvindj

Eyvindj wrote:


On running the crontab procedure as indicated my prompt was returned:

* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1


To me that suggests that the problem lies with the "QuickTime.xpt" plugin, which was in my library originally.

Well that's a little embarrassing. In checking my Internet Plug-Ins folder again I see that the file I have by that name is something I placed there several years ago along with one labeled plugins.settings, which are zero length and locked to prevent the installer from ever placing files with those names there. So at some point in time I did know that was one of the names used. I double checked inside the Removal Tool and it definitely doesn't look for that one.

Is it fair to suggest that people with the DNSChanger problem in fact should run the crontab process first to see which plugin is called and THEN remove that particular plugin from the library?

It took me a couple of hours to write the instructions I gave you after considerable searching around for the Macworld article written when the first RSPlug Trojan came out. I grabbed pieces of the article in the order they were in and rewrote some that I thought were confusing, etc. A couple of hours after adding the reply I thought of the same thing and have already revised my "cheat sheet" to start with that one. It's similar to a technique used to figure out what filename Flashback had picked out to install a few months back.


If you still have those two files "plugins.settings" and "QuickTime.xpt" it would really be helpful to a colleague of mine if you could send them to him for testing and we can get them to a couple of sample repositories so more of the A-V vendors have them. It would be even better if you had the installers, but I'm guessing those are long gone. If so, contact Thomas Reed on his web site and he'll give you instructions on how to send them. I'll give him a heads up when I finish here.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
