How do I remove DNS Changer from osx 10.4.11 Several Attempts so far documented. (screenshots attached)

Navigate to /Library/Internet Plug-Ins/ and look for either plugins.settings or AdobeFlash. If you find either drag them to the desktop.

Now check for a root level cron job. Open the Terminal app (found in /Applications/Utilities/), copy and paste:

sudo crontab -l

and hit return. Enter your admin password (you will not see any typing) and hit return.

If you see this output, it means you’ve got the malware:

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

or

* * * * * "/Library/Internet Plug-Ins/AdobeFlash">/dev/null 2>&1

If you see anything else, stop and come back here before proceeding

To remove this part, go back to the Terminal app, copy and paste:

sudo crontab -r

and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l (that's an ell not a one); you should see the message “crontab: no crontab for root.”

Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply.

Reboot your Mac.

If you struck out on all those things, the problem could be with your router.

WrjLewis wrote:

Do you think that the virus is disabling all these antivirus scans and dns removal tool scans from working?

No (DNSChanger is a Trojan, not a virus, by the way), your obsolete OS is preventing it. All the vendors you mentioned are former Windows A-V providers who are new to the Mac market, so it's not surprising that they didn't release a version for your Mac.

ClamXav v2.2.1 might help confirm the presence of the malware (12 variants), but I know that it won't remove all of it.

Sophos Anti-Virus for Mac Home Edition says it's compatible and has been around for awhile. They have a blog article here http://nakedsecurity.sophos.com/2011/11/10/. Looks like it detects OSX/RSPlug-A, -B, -Gen and -F installers but may not remove the Trojan itself.

The government site at http://www.dcwg.org/ has some useful information.

MadMacs0 - what a useful gentleman you are (assuming you are a man, with most humble apologies if you are not).

My Internet Plug-ins folder is empty, but following the sudo crontab advice I nonetheless had this come up:

* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1

This is neither the Adobe nor the Plug-ins one.

And I still apparently have a DNS Changer issue. Any advice for me to follow would be most gratefully received...

wjrcbrown wrote:

MadMacs0 - what a useful gentleman you are (assuming you are a man, with most humble apologies if you are not).

I am, in fact, a man.

My Internet Plug-ins folder is empty, but following the sudo crontab advice I nonetheless had this come up:

* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1

This is neither the Adobe nor the Plug-ins one.

And I still apparently have a DNS Changer issue. Any advice for me to follow would be most gratefully received...

I responded to your other thread. It sounds like you were looking in the wrong Internet Plug-ins folder. The one you want can be found by starting at the root level of your hard drive instead of your home folder.

The file you need to get rid of is "QuickTime.xpt".