# Virus/Mac



## Mark1984 (May 27, 2010)

I think I have a virus on my mac. Whenever I try to visit Facebook, and it only happens on facebook, it brings me to a different site. The other day it was Mediaplex, today it was a site titled Me Myself and I. I thought that I got rid of it the other day but it has come back. It happens in Google Chrome, FireFox, and Safari. It's really starting to piss me off and I have no clue what to do to get rid of it once and for all. Please help!


----------



## peterh40 (Apr 15, 2007)

Try this tool from http://www.versiontracker.com/dyn/moreinfo/macosx/33696 to remove DNS-Changer trojan.


----------



## Bernardo (Jan 9, 2006)

Lol, I was going to post the same thing the first time I saw this thread


----------



## Headrush (Feb 9, 2005)

SmoothLake said:


> I thought Mac is virus-free... and now I think I was wrong..


Well considering this is a trojan horse and not a virus you still may be right.


----------



## Headrush (Feb 9, 2005)

SmoothLake said:


> Thanks, You are right.
> I actually cannot tell trojan horse from virus... still a lot to be learned...


In simple terms a virus can copy and replicate itself to other locations on its own.

A trojan horse is something that tricks the user into running some app and does something else. No platform will ever be able to stop all trojan horse attacks since the user explicitly gives the app permission to do its damage. (Short of completely signed and protected apps)


----------



## tomdkat (May 6, 2006)

I've got a question about the DNSChanger trojan on Mac OS X. I understand what it does in that it changes DNS server settings. Cool.

What I don't understand is what the removal process consists of, thus requiring a tool to "remove" the trojan. I'm thinking the easiest way to fix the DNS issue is to simply change the DNS server settings back to a known, legit DNS address or back to the DHCP setting so it's configured automatically.

I'm finding TONS of sites that tell me the DNSChanger trojan changes DNS settings and I even saw a swell video on YouTube which showed the rather involved installation process to get the trojan installed, in the first place.

Does the trojan run as a daemon or something and monitor the changed DNS settings such that if something else makes a subsequent DNS settings change, the bogus settings can be restored? Or does it block changing of the DNS settings after they have been set to the bogus DNS server address(es)? Or does it simply change the DNS settings and then fall away into nothingness? Or does the trojan run each time a video gets viewed or something? The video I saw (and most of the sites I've seen) indicate the trojan is usually linked to a video codec of some kind. If someone isn't watching videos of that codec type, the trojan won't run.

Do the DNSChanger Trojan removal tools actually remove anything or do they just reset the DNS settings?

I'm clearly missing something in this equation. Does anyone know what the trojan does that requires "removal" of anything?

Thanks!

Peace...


----------



## Headrush (Feb 9, 2005)

*tomdkat*, from the information I've heard this trojan installs a scheduled task so that it periodically changes the DNS settings. The trojan is linked to video by the fact the app itself is often disguised as being a video codec required to view some material. (most often hosted on porn and pirate software sites.)

Edit: The removal tool appears like it also looks for some type of Safari plugin.


----------



## tomdkat (May 6, 2006)

Thanks for the info. The scheduled task part is something I had not read about before and that makes perfect sense. That's the "hook" I was looking for. 

Where did you find that info?

Thanks!

Peace...


----------



## Headrush (Feb 9, 2005)

tomdkat said:


> Thanks for the info. The scheduled task part is something I had not read about before and that makes perfect sense. That's the "hook" I was looking for.
> 
> Where did you find that info?
> 
> ...


It was one of the security software makers' web sites; I can't check history since I wasn't on my machine.

I did find a different web site talking about essentially the same thing. This is from an older variant, but the information is still valid: http://www.macworld.com/article/60823/2007/10/trojanhorse.html


----------



## tomdkat (May 6, 2006)

Great! Thanks for the link! :up:

Peace...


----------



## Bernardo (Jan 9, 2006)

In the meantime, it appeared our poster disappeared


----------



## Mark1984 (May 27, 2010)

Still seem to have it... running out of ideas. I tried almost everything to get rid of this thing, but whatever I do it seems to come back after a couple of days.


----------



## tomdkat (May 6, 2006)

peterh40 said:


> Try this tool from http://www.versiontracker.com/dyn/moreinfo/macosx/33696 to remove DNS-Changer trojan.


Mark1984, what happened when you ran the DNS-Changer removal tool?

Peace...


----------



## Mark1984 (May 27, 2010)

It did a scan and said DNSchanger trojan not found, or something along those lines.


----------



## tomdkat (May 6, 2006)

Ok. Can you post the DNS servers your system is configured to use? You can get instructions on getting that info here.

Also, can you try creating a new Firefox profile (choose the options for Mac OS X) and see if Firefox continues to get redirected when you visit Facebook (or whatever site it was)?

Peace...


----------



## Mark1984 (May 27, 2010)

192.168.1.1
167.206.251.129
167.206.251.130


----------



## Mark1984 (May 27, 2010)

I think the two that are almost the same might be the Trojan ones. The reason is that when this happens I get redirected to two different sites. Right now I took both of them out and kept the 192.168.1.1 one. I hope this was the right thing to do and works. Any input will be great, thanks again for all the help everyone!


----------



## Headrush (Feb 9, 2005)

Mark1984 said:


> I think the two that are almost the same might be the Trojan ones. The reason being is because when this happens I get redirected to two different sites. Right now I took both of them out and kept the 192.168.1.1 one. I hope this was the right thing to do and works. Any input will be great, thanks again for all the help everyone!


Often your DNS IP numbers can be very similar like that. (So that CAN be normal.)

If you are using 192.168.1.1 this normally means you have a router and that DNS requests are sent to it first. If this is true you do not need the other two IPs. (Although it is perfectly fine to add your own.)

If after removing those two IPs you still see issues, you might want to check the DNS IP numbers used by your modem and see that they haven't been changed and are using the DNS IPs given by your ISP.


----------



## tomdkat (May 6, 2006)

Headrush said:


> If you are using 192.168.1.1 this is normally means you have a router and that DNS requests are sent to it first. If this is true you do not need the other two IPs. (Although it is perfectly fine to add your own.)
> 
> If after removing those two IPs and you still see issues, you might want to check the DNS IP numbers used by your modem and see that they haven't been changed and are using the DNS IPs given by your ISP.


I agree. I would suggest logging in to the router itself and see which DNS servers it has been assigned to use and confirm those with your ISP. Since your Mac is configured to use the router as the primary DNS, you could also configure your *router* to use OpenDNS servers instead of the ones assigned by your ISP.

I have a Netgear router and I have it configured to use OpenDNS servers and they work well. I've found the OpenDNS servers to be faster than the DNS servers provided by Comcast, my ISP.

EDIT: Your Mac might not be infected with anything at all but your router might have been compromised or the DNS servers provided by your ISP might have been poisoned. Who is your ISP?

Peace...


----------



## Mark1984 (May 27, 2010)

Optimum. How would I find out that my router has been compromised? Now when going to facebook it takes me to myspace....


----------



## tomdkat (May 6, 2006)

Have you been able to login to your router yet? The manual should contain the instructions on logging in to the router, itself.

Peace...


----------



## Mark1984 (May 27, 2010)

I'm going to try and do that now. What should I be doing/be looking for when I do?


----------



## tomdkat (May 6, 2006)

I would start looking at the "router status" page and see what the settings are. If you could post the Domain Name Server address, that would be a start.

Peace...


----------



## Mark1984 (May 27, 2010)

I haven't been able to log into the router at all. I don't think it even came with a manual. I have Virus Barrier X6 on my mac...and it hasn't been able to find a virus or anything and because I can't log into my router I'm not sure what to do.


----------



## tomdkat (May 6, 2006)

Ok. What model Netgear router do you have? There should be a sticker on the bottom with the model number.

Basically, you would point your browser at the IP address: http://192.168.1.1, based on the info you posted above.

Then, you should get prompted to login to the router. The id will be based on the model router you have. It *might* be admin but we can confirm that with the manual. The password could be a number of different options.

Now, if your router HAS been compromised, chances are the admin password has been changed. This will require resetting the router which is easy to do.

First, what kind of Internet service do you have? Do you have Cable modem service or DSL?

Once you post the make/model of router you have (I believe you indicated you had a Netgear router in a previous post), we can get into specifics.

Also, is this a wireless router? If so, do you have any machines that access it wirelessly?

Peace...


----------



## Mark1984 (May 27, 2010)

Ok, I have a Linksys by Cisco. Model No. WRT160N. I have a cable modem that my router goes into. I have my xbox, ps3 plugged into the router. My Mac and my regular Laptop both connect to it wirelessly. I have been doing some googling on this and:

http://forums.malwarebytes.org/index.php?showtopic=45185

Seems like this person has the same problem as me. The person who helped him says that it is a problem with the router model itself and can be fixed by an update from Linksys. Could that just be the problem? I've had the router for over 6+ months now so I'm not sure if that is the problem. Seems weird that it would just now start redirecting me.

So I'm leaning towards that I do have a compromised router.


----------



## Mark1984 (May 27, 2010)

Ok, I pointed my browser to that address, it asked me for a username and password. I put in the info I set up as my network and it logged me in.


----------



## tomdkat (May 6, 2006)

Great! Thanks for the update! You can certainly try updating the firmware in the router. The support page for your router is here. You can download the firmware update and manuals there.

Once logged in to the router, in the "Basic Setup" section, you should see an area where you can specify DNS servers. Since your Internet Connection type will be "DHCP", you will be using the DNS servers provided by your ISP or whatever servers the router decides to use.

First, make sure those DNS server entries are all zeros. If they are not, post what numbers are specified. If they are, you can either try the firmware update first OR try using OpenDNS DNS servers, as I mentioned above and is mentioned in the thread on the Malwarebytes forum you linked to.

To use the OpenDNS DNS servers, use these addresses:

DNS 1: 208.67.220.220
DNS 2: 208.67.222.222

I got those address from the OpenDNS website. You can decide if you want to create an OpenDNS account or not. 

Once those addresses have been entered, click "Save Settings" at the bottom of the "Basic Settings" page and the router will restart on its own. EVERY computer connected to the router will LOSE its Internet connection while the router restarts itself, so it's best to do this when no one else is surfing.

If you want to upgrade the firmware, there are instructions for doing so on the Linksys support page I posted the link to above.

If you have any questions, post them before you start. If you're comfortable, give it a whirl!  This is IMPORTANT: before you start, get familiar with how to reset the router in the event something gets screwed up. There will be a reset button you can press (with a pen or a paper clip or push pin) to reset the router. The manual will (or should) discuss resetting the router. If you end up having to reset the router, your wireless security settings will be LOST and you will need to reconfigure them (including the SSID or the name of your wireless network).

Good luck!

Peace...


----------



## Mark1984 (May 27, 2010)

My main concern is: Is it safe to say that this problem is NOT being caused due to a virus or something along those lines?


----------



## Mark1984 (May 27, 2010)

Ok, the DNS servers were all 0s. I entered the two you gave me, also made an account on OpenDNS website, and saved the settings. I didn't lose internet at all when I did it or at least I didn't notice it.


----------



## tomdkat (May 6, 2006)

Mark1984 said:


> My main concern is: Is it safe to say that this problem is NOT being caused due to a virus or something along those lines?


I think it's safe to consider your system free of infection. Your system didn't show any signs of being infected, given the DNS settings you posted above and the fact you've scanned it with two different tools, one of which was designed to remove the threat that could have caused the behavior you encountered.



Mark1984 said:


> Ok, the DNS servers were all 0s. I entered the two you gave me, also made an account on OpenDNS website, and saved the settings. I didn't lose internet at all when I did it or at least I didn't notice it.


When the router restarts, it would be a fairly quick operation so the "outage" wouldn't be for a prolonged period of time.

Now it's time to ask the $0.64 question: are you able to access Myspace (or whatever site was giving you problems) ok now?

Peace...


----------



## Mark1984 (May 27, 2010)

As of right now yes. The problem happened every couple of days. For example: One day I would get redirected. After erasing my cookies and browsing history it would go away. Then 4-5 days later boom redirected again. So only time will tell, but after reading up on everything I have a good feeling that everything is fixed. 

I want to thank you for helping me so much with this problem. If it wasn't for you, I would be completely stressed out because of this lol. 

If the problem comes back I will post here again (I'll even post to say that it did work, if nothing happens for about 1-2 weeks).


----------



## tomdkat (May 6, 2006)

Thanks for the update and please keep us posted on how things go. 

Don't forget to thank Headrush who also contributed to this thread. 

Peace...


----------



## Mark1984 (May 27, 2010)

Yes, also thank you to Headrush and the other people who have posted in this thread with helpful info


----------



## Mark1984 (May 27, 2010)

Ok. It happened again. Both in Safari and Firefox it takes me to Turn.com when I try to go to Facebook. Google Chrome for some reason doesn't do it. I'm not sure what is going on but I'm running out of options. Should I try and do the update for the router? Could it be a fault in the router that is doing this? Can we now say my router/Mac has been compromised?


----------



## Mark1984 (May 27, 2010)

Here are the DNS servers I'm using: 
208.67.220.220
208.67.222.222
167.206.251.129

Edit: Did the update...let me say what a huge pain in the $$$ that was. Now my only DNS servers from what I can see are the two top ones. I'm praying this fixed the problem. If it didn't I might consider getting a new router that isn't a Linksys.


----------



## tomdkat (May 6, 2006)

Keep us posted...

Peace...


----------



## Mark1984 (May 27, 2010)

Didn't work. Brought me to Turn.com. I'm at a loss of what to do.


----------



## tomdkat (May 6, 2006)

Do you have any other computers on your network? If so, are they all Macs or are they a mixture of Macs and machines running Windows?

Which browser are you using? I know you've tried Google Chrome, Firefox, and Safari, but which of those have you been using for your testing?

Are you always going to Facebook.com when you get redirected to another site?

Can you open a terminal window (look in "Utilities" in the "Applications" folder for the icon) and issue this command:

ping www.facebook.com

and post the results?

Since your router is setup to use DHCP to get its configuration information from your modem, you could try another router and see if the problem persists.

Peace...


----------



## Mark1984 (May 27, 2010)

I also have a Dell Laptop that is used by my mom and dad.

I mainly use Chrome and Safari. It happens in all three. Yes it is only for Facebook.

I opened Terminal and did the ping www.facebook.com and it came up with a huge list of lines, do you want me to post them? In one post? or more than one. I think it's close to 30+ lines.


----------



## tomdkat (May 6, 2006)

Does the Dell laptop exhibit the same behavior when viewing Facebook? You don't need to post all of the ping output, just a few lines (like 5-6) would be fine.

Peace...


----------



## Mark1984 (May 27, 2010)

I don't really use it but I remember I did use it once to get on facebook a while ago when my mac was getting re-directed. 



64 bytes from 69.63.189.11: icmp_seq=0 ttl=244 time=16.806 ms
64 bytes from 69.63.189.11: icmp_seq=1 ttl=244 time=16.898 ms
64 bytes from 69.63.189.11: icmp_seq=2 ttl=244 time=17.736 ms
64 bytes from 69.63.189.11: icmp_seq=3 ttl=244 time=16.725 ms
64 bytes from 69.63.189.11: icmp_seq=4 ttl=244 time=16.161 ms
64 bytes from 69.63.189.11: icmp_seq=5 ttl=244 time=18.308 ms
64 bytes from 69.63.189.11: icmp_seq=6 ttl=244 time=19.904 ms
64 bytes from 69.63.189.11: icmp_seq=7 ttl=244 time=15.942 ms
64 bytes from 69.63.189.11: icmp_seq=8 ttl=244 time=17.623 ms
64 bytes from 69.63.189.11: icmp_seq=9 ttl=244 time=17.821 ms
64 bytes from 69.63.189.11: icmp_seq=10 ttl=244 time=15.666 ms
64 bytes from 69.63.189.11: icmp_seq=11 ttl=244 time=16.196 ms
64 bytes from 69.63.189.11: icmp_seq=12 ttl=244 time=16.938 ms
64 bytes from 69.63.189.11: icmp_seq=13 ttl=244 time=17.784 ms
64 bytes from 69.63.189.11: icmp_seq=14 ttl=244 time=15.955 ms
64 bytes from 69.63.189.11: icmp_seq=15 ttl=244 time=16.539 ms
64 bytes from 69.63.189.11: icmp_seq=16 ttl=244 time=17.489 ms
64 bytes from 69.63.189.11: icmp_seq=17 ttl=244 time=17.489 ms
64 bytes from 69.63.189.11: icmp_seq=18 ttl=244 time=17.271 ms
64 bytes from 69.63.189.11: icmp_seq=19 ttl=244 time=19.136 ms
64 bytes from 69.63.189.11: icmp_seq=20 ttl=244 time=17.338 ms
64 bytes from 69.63.189.11: icmp_seq=21 ttl=244 time=16.338 ms


----------



## tomdkat (May 6, 2006)

Ok, that IP address looks legit:



> [email protected]:~$ dig -x 69.63.189.11
> 
> ; <<>> DiG 9.7.0-P1 <<>> -x 69.63.189.11
> ;; global options: +cmd
> ...


In Google Chrome, go to the options and click the "Under the Hood" tab. Then, click the "Change Proxy Settings" button and make sure "Direct Internet Connection" is selected. Also, can you check the DNS settings on your Mac and report back if it lists just 192.168.1.1 or if three are listed?

Peace...


----------



## Mark1984 (May 27, 2010)

My DNS section on my Mac only lists the 192 one.

On Google Chrome in the "Under the hood" tab I don't even see change proxies.


----------



## tomdkat (May 6, 2006)

Did you scroll through the entire window?

EDIT: Ok, Chrome on Mac OS X doesn't support proxy servers directly and you'll need to check some place else. Go to System Preferences -> Network -> Advanced -> Proxies and see if a proxy is configured there. Be sure to check the "Automatic Proxy Configuration" as well.

Peace...


----------



## Mark1984 (May 27, 2010)

Yeah, only clickables I have are: Content settings, Clear browsing data. Browse, change font settings and manage certificates


----------



## tomdkat (May 6, 2006)

tomdkat said:


> EDIT: Ok, Chrome on Mac OS X doesn't support proxy servers directly and you'll need to check some place else. Go to System Preferences -> Network -> Advanced -> Proxies and see if a proxy is configured there. Be sure to check the "Automatic Proxy Configuration" as well.


Also, one thing to try is to have your Mac use OpenDNS servers *directly* instead of going through the router.

In the Network settings on your Mac, specify the OpenDNS servers you configured in your router:

208.67.222.222
208.67.220.220

This will cause your Mac to bypass the router, completely, for DNS lookups.

Report back your findings.

Peace...


----------



## Mark1984 (May 27, 2010)

Ok, none of the proxies are checked. Which ones should I check off besides the auto one?

Also, when using just OpenDNS, will that still allow me to use my router to get internet? Probably a really dumb question.


----------



## tomdkat (May 6, 2006)

Mark1984 said:


> Ok, none of the proxies are checked. Which ones should I check off besides the auto one?


None. You DO NOT want a proxy server configured. I just wanted to make sure there wasn't one lurking. 



> Also when using just the OpenDNS will that still allow me to use my router to get internet? Probably a really dumb question.


Yep, it will. Your Mac will still get its network configuration settings from the router and the router will continue to route traffic to/from your Mac. It's just with this DNS change, your Mac will ask OpenDNS *directly* for address resolution, instead of your router.

Right now, when you go to www.facebook.com, the browser on your Mac asks the router "What is the IP address of www.facebook.com?" The router will fetch the IP address and return it to the browser and then the browser can access the site. The question is why are you getting the address of a different site.

If you change your system to use OpenDNS directly, when you go to www.facebook.com, your browser should ask OpenDNS *directly* for the IP address and the router won't be involved in the address resolution at all.

Try setting OpenDNS as the DNS on your Mac and report back what happens. Also, start using the Dell to see if you get similar behavior or not. You indicated the redirection is inconsistent so it would be good to know if the Dell EVER gets redirected during our testing.

Peace...


----------
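Added example (not from the thread or any of its posters): a small Python DNS client that does the comparison tomdkat describes, asking the router and the two OpenDNS servers directly for www.facebook.com and flagging the resolver whose answer differs. It assumes the router still answers DNS on 192.168.1.1; the embedded sample reply is constructed for offline use, not captured from a real server.

```python
import random
import socket
import struct

# Resolvers named in the thread: the router (assumed to answer DNS on 192.168.1.1) and OpenDNS.
RESOLVERS = {"router": "192.168.1.1", "opendns-1": "208.67.222.222", "opendns-2": "208.67.220.220"}

# Constructed sample reply (not captured): ID 0x1234, flags 0x8180 (response, RCODE 0), question
# www.facebook.com A IN, one A record 69.63.189.11 (the address seen in the ping output above).
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x03www\x08facebook\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x45\x3f\xbd\x0b")

def build_a_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header (RD=1, one question) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:   # offset just past a (possibly compressed) name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte RFC 1035 pointer terminates the name
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes, txid: int) -> list[str]:
    """Return the A-record IPs in a DNS reply; reject a wrong ID (possible spoof) or error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or flags & 0x000F:
        raise ValueError(f"bad reply: id={rid:#06x} rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                        # CNAME and other record types are skipped
    return ips

def resolve_via(server: str, name: str, timeout: float = 3.0) -> list[str]:
    """Ask one resolver directly over UDP/53, bypassing the Mac's own DNS settings."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def find_disagreement(answers: dict[str, list[str]]) -> dict[str, list[str]]:
    """Resolvers whose answer set differs from the most common one; empty dict means they agree."""
    sets = [frozenset(v) for v in answers.values()]
    majority = max(sets, key=sets.count)
    return {label: ips for label, ips in answers.items() if frozenset(ips) != majority}

def check(name: str = "www.facebook.com") -> dict[str, list[str]]:
    """Query every resolver in RESOLVERS for `name`; a non-empty result names the odd one out."""
    answers = {}
    for label, server in RESOLVERS.items():
        try:
            answers[label] = resolve_via(server, name)
        except (OSError, ValueError) as exc:   # timeout, refused, or malformed reply
            answers[label] = [f"error: {exc}"]
    return find_disagreement(answers)
```

Run `check()` from the Mac while the redirect is happening: if only the router entry comes back different, the router (or whatever it forwards to) is handing out the wrong address; if all three agree on Facebook's real address, the redirect is happening somewhere other than DNS.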

