malware/Trojan/google hack?! HELP

OP (joined Oct 10, 2008)
Right, first post here, so here goes!

On our network we have Macs and PCs, all of which were having a problem when following links from Google... So I have now hard reset our router and am in the process of reintroducing each computer to the network after vigorous virus checks... My MacBook was first to go back on the network and the problem remains... VirusBarrier has picked up nothing...

Please help, as our network cannot be fully reinstated until I have figured out the cause of this problem and how to solve it.

Kind regards.

rman (Retired Staff, joined Dec 24, 2002, Los Angeles, California)
For someone to help you, you need to give out a little more information on the nature of the problem.

Because you state that this problem exists on both OS X and Windows, it may not be what you are suggesting.

(unnamed member, joined Oct 22, 2007, London)
Are you talking about DNS redirects, i.e. links going to the wrong sites?

If so, check your router's DNS servers; the problem may be there.

OP
Thanks, Rman. I'll try and give a little more detail.

Firstly, this is a problem that our computers only suffer from when using our network. Friends' and public Wi-Fi spots are fine and uninfected.

Although the problem was present on PCs and Macs on the network, it is now only worrying me on the Macs, as all PCs on the network have had a fresh installation + security update and are awaiting the problem being resolved on our Macs before being reintroduced to the network.

The issue on the Macs is now this: when following a link on Google, instead of taking me to the requested site, I see the address bar at the top of Firefox scan through various sites and eventually end up at a random page.

This random page usually includes my original Google search term but bears no relevance to the requested page (e.g. a band's MySpace page).

I have done some online research into this and have found various pages: -

The first seems to come to the conclusion that the problem we are having is a trojan named - OSX.RSPlug.A.
How to Remove the OSX.RSPlug.A Trojan Horse from your Mac | eHow.com
However the solution detailed on the page does not solve the problem.

-Virus Barrier has found no problems.
-There is no file entitled 'plugin.settings' in the Internet Plug-Ins folder
-I have opened Terminal and followed the instructions from the page: -

Type in "sudo crontab -l" (the letter L, and minus the quotes), hit Return, and enter your administrator password when asked. If it returns with anything other than "crontab: no crontab for root", you are most likely infected.

And my mac does return with "crontab: no crontab for root"

This makes it seem as if I am not suffering from the problem but the redirects on google, ONLY WHEN USING OUR NETWORK, still continue?

The second page I have found on this subject/problem is this: -
Macworld | First Look: Trojan Horse warning: What you need to know

This page again talks of the same solution, by deleting plugin.settings file (which is not present on my macbook) and then checking by doing the same terminal check which my macbook passed.

However, this page does advise you to check in System Preferences/Network/Advanced and then view the DNS tab. Here, the page says you should have no grey DNS servers listed. I have three?!

Is there a way to check where each one of them is being received from?

Why would I have three?

How do I remove any of them as they all have greyed out minus buttons?

Many thanks to anyone that can help with this.

OP
Are you talking about DNS redirects, i.e. links going to the wrong sites?

If so, check your router's DNS servers; the problem may be there.

How would I go about doing this? What would I be looking for when viewing the router settings?

Many thanks.

(unnamed member, joined Oct 22, 2007, London)
Contact your ISP and ask them for the addresses of the DNS servers they use

If your router's DNS settings are in any way different, then it may be that the router has been hijacked, and no amount of cleaning up any Mac or PC is going to cure the problem.

The OSX.RSPlug.A Trojan got a lot of press, but users had to take active steps to install it, and grant it admin privileges (in the false belief they could then see a saucy video), so in reality it didn't ever infect many machines

dtravis7 (Retired Staff, joined Jan 4, 2005, Modesto, Ca.)
Can you take a screenshot of the Network panel on the DNS tab and post it? If you do not know how to take a screenshot in OS X, let us know. I have 2 grayed out entries, but they are the default DNS servers that come from my ISP and are in the router. The 2 entries that I can edit are OpenDNS servers that I added.

I have no issues at all with any DNS redirects here. If I can see what the IP of the grayed out servers are I could do a trace and see what they are.
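The two replies above ask for the same two things: the addresses of the greyed-out resolvers the Mac is actually using, and a comparison of those addresses against the list the ISP (or OpenDNS) is supposed to be handing out. The following is an added example, not code from the thread or from any of the posters: a small POSIX shell script that pulls the nameserver addresses out of `scutil --dns` output (the real OS X / macOS command) and prints any that are not on an allowlist you supply. The sample `scutil` text and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed for the example (RFC 5737 documentation ranges); the allowlist contents are an assumption you would replace with your ISP's or OpenDNS's published servers.

```shell
#!/bin/sh
# Added example (not from the thread): flag DNS resolvers this Mac is using
# that are not on an expected list. Addresses are RFC 5737 documentation
# ranges, constructed for the example.

# Constructed text in the shape `scutil --dns` prints on OS X / macOS.
# The real command prints one 'nameserver[n] : <ip>' line per server.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.53
  nameserver[2] : 203.0.113.10
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000'

# Read scutil-style text on stdin; print each distinct nameserver address.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' | sort -u
}

# Read scutil-style text on stdin; print every resolver NOT in the
# space-separated allowlist $1. Returns 1 if anything was flagged.
find_rogue_resolvers() {
    allow=" $1 "
    rc=0
    for ns in $(extract_nameservers); do
        case "$allow" in
            *" $ns "*) ;;              # expected ISP / OpenDNS server
            *) echo "$ns"; rc=1 ;;     # unexpected resolver: investigate
        esac
    done
    return $rc
}

# Live check on a Mac: ISP_DNS is the assumed list from your provider,
# e.g. check_this_mac "192.0.2.53 198.51.100.53"
check_this_mac() {
    scutil --dns | find_rogue_resolvers "$1"
}

# Demo on the constructed sample: the ISP is assumed to run only the first
# two servers, so the third address is reported.
demo() {
    printf '%s\n' "$SAMPLE_SCUTIL" | find_rogue_resolvers "192.0.2.53 198.51.100.53"
}
```

Run `demo` to see the unexpected address printed, or `check_this_mac "<your ISP's servers>"` on the affected Mac. The greyed-out entries in the Network pane's DNS tab are the ones the Mac received from the router over DHCP, which is why the minus buttons are disabled on the Mac; if this check flags them, the place to look and fix is the router's own DNS setting, not the Mac.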

OP
Hi dtravis7,

Since your post I have traced the DNS Servers and the results are this...

DNS servers 1 & 2 trace info comes back as this: -

Network name : UKRTELEGROUP
Infos : UkrTeleGroup Ltd.
Country : Ukraine (UA)

DNS Server No.3 comes back as this: -

Network name : UK-CABLEINET-20000211
Infos : Cable Internet Ltd
Infos : PROVIDER Local Registry
Country : United Kingdom (GB)

Now, as I am in the UK, it currently seems odd to have two of the three DNS servers pointing to Ukraine?!

dtravis7 (Retired Staff, joined Jan 4, 2005, Modesto, Ca.)
Can you check your router and view the DNS there? See if the Ukraine servers show up in the router's DNS info.

OP
Hi dtravis7,

Thanks for your continued help -

I have checked in the router settings and ONLY the Ukraine DNS servers show in my router?!

(unnamed member, joined Oct 22, 2007, London)
I take it you are not in the Ukraine

I would strongly suspect those Ukrainian DNS servers to be the root of the problem.

Try to delete them at the router and replace them with the ones your ISP uses or the OpenDNS servers:

https://www.opendns.com/smb/start/router/