Malware / Trojan or something on Mac

Hi,

I have made an earlier post but have been researching and investigating since and have come up with the following.

If I were to go to system pref then network then airport or ethernet then advanced then DNS, I will see within DNS servers, the following addresess
85.255.115.67
85.255.112.122

I am with Telstra NSW (my cable provider) and they are the incorrect server addressess.

When you google these addressess numbers they come up as being involved in malware.

within advanced the site addressess are greyed out and while the + sign is not greyed out the minus (-) sign is greyed out.

I initially called apple care and was advised that these addressess are coming from the internet router. so i called Telstra and after disconnecting airport & ethernet and reconnecting the incorrect site addressess disappeared however reappeared after about 20 seconds. Having been advised by apple that the addresses were coming from the router I then disconnected the airport and connected an ethernet cable from my mac laptop to the router. NO probs the correct telstra addresses were assigned in DNS/network advanced. Same with airport. Hence the addresses are not coming from the router and there is something on my problem computer.

I then got back onto apple who were unable to remove the problem addresses. they got me to add other addressess on two occasions however after adding them and clicking off them about 20 seconds later they simply disappeared. Shocking the apple care guy (and me). The apple care chap suggested i run macscan which i did and it found nothing. He hinted that if it found nothing then i might have to do a reload which i dont want to do.

I am aware that either myself or someone else using my computer has downloaded something and clicked on something installing whatever it is.

I have downloaded dns changer and a scan found nothing.

I have downloaded trend smart surfing and was unable to update (i keep getting a message you are not connected to the internet). I eventually got online chat with trend and they indicated i had a poison dns router or something. I was advised to reset the router which i turned if off and on and the problem continues.

I have downloaded ClamXv and it has found nothing.

to my understanding what i have is not a virus but some sort of dns changing malware.

CAN ANYONE SUGGEST WHAT TO DO

Thanks in advance for any advice.

cheers

What kind of router do you have? Post the make and model.

If you had some kind of malware that changed your DNS settings, it would not matter if you were wireless or on ethernet. DNS is used in both scenarios.

What I suggest you do is access your router's firmware setup menu. Normally you do that from your web browser. Look in your router manual to learn how.

After entering the router setup menu, look for the DNS section and addresses. See what it says there and post back.

By the way, you can't reset a router by turning it off and then on again. Your router probably has a small reset hole either in the back or bottom that can be accessed by using a straightened paper clip. Hold the clip in the hole and push. Keep it depressed for about 10 seconds. That will reset the router back to factory default.

Let us know.

Regards.

Motorola Surfboard SB5101

Here is the link for it on pdf. it mentions to reset the unit by pressing the reset button on the rear panel. there is no reset button the rear panel or any pin holes for paperclicks to reset. I will turn it off for 40 minutes.

I didnt receive a router manuel (or any documentation the chap just came in, plugged it on and left). in the link pdf above it doesnt give instructions for configuring dns or tcp/IP it just keep detailing, "Follow the instructions in your Macintosh or UNIX user manual " which i dont have.

Telstra who is broadband supplier have a mac assistance but they are useless - (Indians or something) and cant get you off the phone quick enough. Having said that when my laptop is plugged into the router there are no problems with bodgy addresses. if it was the router that was the problem wouldnt the laptop be similarly affected?

i have bootcamp / vista .

Thanks for the input.

Maxy

Ahh the joys of Bigpong eh!

If you are not locked into a contract look at Internode. Specifically Mac friendly ISP. Go to Whirlpool at the link, and under support at the foot of the page download the user guide and good luck.

Keep us posted?

http://bc.whirlpool.net.au/bc/hardware/?action=h_view&model_id=179

Hi Harry,

Telstra - it took 49 minutes to have a 5 min call in which nothing resulted. Life is so cheap.

actually, the link i posted is the same document as you kindly pointed me in the direction of. when you download the user/guide manuel it tells you to look in the mac unix guide.

I unfortinately have a contract with telstra - the mac specific isp is interesting though, i will do some research re that.

cheers

The first address quoted is the URL of a group/company entitled ukrtelegroup in Odessa, in the Ukraine. Wonder if Bigpong have any connection with them?

For starters go into your browser preferences and delete all caches, and if you have Onyx try that. Also a little utility called Applejack may help. Download that, print and read the instructions, install, and start in single user mode by holding down Command (Apple logo key and the letter S until you get into single user mode. When white print stops, suggests entered applejack AUTO which will clean boot caches etc.

Then try unplugging the router and leaving overnight, and try another set up. Has Telstra actually supplied you with what the DNS URL should be? There should be two which you can enter under System Preferences manually, the first being primary and of course the second, secondary, and a greyed out address which is the machine address.

For us the number should read 192.231.xxx.x/xx.

Keep us posted on your progress?

Harry,
dns numbers are detailed in Google, "Bigpond DNS", NSW
have already deleted caches, reset cashes and deleted the cache folder in the library, then restarted which creates a fresh cashe in library.
downloaded and clicked on everything in onyx - no help
applejack next.
have unplugged unit for one hour - no difference but will try overnight unplugged tonight.
the router does not have a number in the dns box just the two dodgy ukraine files.
cannot deleted as the minus sign is greyed out as are the two dodgy ukraine files.
cannot add dns site numbers, or can for 20 seconds then the computer deletes them.

i dont want to deleted everything and start over. i figure this mess up will be solved in the coming months and added to one of the several dns solvers and when this occurs...yippee.

cheers

I think it's time to buy a router and get rid of the one which you were given by your ISP. If I can't adjust a router for DNS, I won't use it. However, you would need to check with your ISP first. Some do not want or will authorize a different router for use.

Regards.

DNS-Changer malware

There is a known bit of malware called DNS-Changer than can affect the Mac:

Mac Attack: Porn video lures dropping DNS-changer Trojan | ZDNet

You need to use a tool to remove it:

DNSChanger Removal Tool 2.0 software download - Mac OS X - VersionTracker

Hi PJ

Having looked at this for quite a few days i pretty much think that is what my imac has. Have tried dns changer 2 and zip the problem is still there.
Have seen your posted mac attack article BUT didnt notice the tab at the bottom as to how to remove the trojan...will get onto that now and let everyone know.

i have had max for 10 years and used the next without any additional in all that time and now this. i suppose it had to happen with the explosion of mac computers worldwide.

cheers & Thanks

YOU HAVE DONE IT pjhutch.....relief has set in

got rid of the greyed out sites as follows - bit different to the article though.

I went to Mac HD then Library then Internet Plug-Ins and sure enought there was a file named, "plugins.settings". I emptied that to the trash, closed all the apps down and emptied the trash as described.

then in the finder Q in the top right of the screen, typed in "Terminal", then into that typed " sudo crontab -r " and whilst password came up i could not type my password in. then i figured maybe correctly or incorrectly i dont know that because i was logged into a user and not the admin I could not access it. so restarted and thought that i would just take a peek in my user before i went into terminal in admin. A joyous moment it was to see those dodgy ukrainian addresses missing. Yeeee haaaa.

Now to ring Apple and let them know...

Cheers & Thanks everyone for all your assistance
Maxy

(as i have typed this i keep checking my dns but it is clean)

Good work Maxy however I think you should offer to work for Bigpong with a nice, clear, unaccented Aussie voice eh mate? How come you did not hold the admin account? Do not think you could change any settings unless admin authorised?

I figure the only possible reason that Telstra would allocate customer relations to the inappropriately named "service centres" is to reduce calls. I mean I call apple before those drongo's EVERY single time.

I mean the very thought of having to call them brings back fond memories of the dentist, teeth pulled & drilled - that type of thing. The best touch is at the start of every conversation when the language barrier causes them to ask your name 2 times and your phone number 3-4 times. (Sigh)

At the time I was working through the article I happened to be logged into my user name (I have Admin as a separate user on my machine). Just off to my sons rugby game but will try to log in under admin today to see what happens and let you know.

I have had boot camp/vista for ages. The start of all my woes occurred when i got fusion and then woofta I was hit with that malware.

Shock really after about ten years of net surfing without a care in the world. Maybe I got careless.

Another thing I noticed is that during the time i had the bug on my machine I could download Trend Micro smart surfacing (trial) but there was no way i could update. After I got rid of the bug it now updates and it has found a bugs in downloads which I deleted.

Cheers