
fishimedic

macrumors newbie
Original poster
Feb 24, 2009
14
0
oh yeah, and a delurk.

Hi,

Long time viewer of these forums, well about a year now, I'm a recent switcher followed my friends and family into the mac world. I've been actively reading posts over the past two weeks now. I believe that I may have a trojan or DNS problem on my MB. Most likely picked it up when the mac was new, most likely from an 'adult' site (please spare me the morality speeches, it's a multi-billion dollar world wide industry, but no one goes there?)

anyway, here's why, my internet surfing on my mb using firefox or safari has come to a crawl. I have to repeatedly reclick links to get them to load. I'm seeing all sorts of problems on the status bar at the bottom, ie most ad services (googleads.com, ad.doubleclick.net) seem to freeze everything up.

Sorry this is long, just trying to set the scene, I d/l LS and see a truck load of traffic trying to phone home, now my brother who is a mac guy for years tells me that while macs are known for 'chatter' this is way too excessive.

most of the stuff is coming from /usr/sbin/named I do not know the first thing about unixy stuff. I just opened my first terminal last week. It scares the hell out of me (using a sudo line, and then find out I can crash the whole shooting match with one typo?)

[0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 00:16:12 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 00:29:40 js-macbook named[81]: clients-per-query decreased to 22
Feb 25 00:32:08 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 00:49:40 js-macbook named[81]: clients-per-query decreased to 21
Feb 25 00:50:58 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 00:52:21 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 00:56:32 js-macbook login[2611]: DEAD_PROCESS: 2611 ttys000
Feb 25 00:56:48 js-macbook login[2756]: USER_PROCESS: 2756 ttys000
Feb 25 00:57:05 js-macbook named[2767]: starting BIND 9.4.2-P2 -l
Feb 25 00:57:05 js-macbook named[2767]: none:0: open: /private/etc/lwresd.conf: file not found
Feb 25 00:57:05 js-macbook named[2767]: none:0: open: /private/etc/rndc.key: file not found
Feb 25 00:57:05 js-macbook named[2767]: couldn't add command channel 127.0.0.1#953: file not found
Feb 25 00:57:05 js-macbook named[2767]: none:0: open: /private/etc/rndc.key: file not found
Feb 25 00:57:05 js-macbook named[2767]: couldn't add command channel ::1#953: file not found
Feb 25 00:57:05 js-macbook named[2767]: failed to add lwres socket: 127.0.0.1#921: permission denied
Feb 25 00:57:05 js-macbook named[2767]: couldn't open pid file '/private/var/run/lwresd.pid': Permission denied
Feb 25 00:57:05 js-macbook named[2767]: exiting (due to early fatal error)
Feb 25 00:57:18 js-macbook login[2756]: DEAD_PROCESS: 2756 ttys000
Feb 25 01:09:21 js-macbook named[81]: client 192.168.2.1#65164: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
Feb 25 01:09:40 js-macbook named[81]: clients-per-query decreased to 20
Feb 25 01:10:49 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:12:51 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:12:52 js-macbook named[81]: socket: too many open file descriptors
Feb 25 01:13:22: --- last message repeated 3 times ---
Feb 25 01:13:31 js-macbook login[2785]: USER_PROCESS: 2785 ttys000
Feb 25 01:13:48 js-macbook named[81]: client 192.168.2.1#62211: RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa
Feb 25 01:13:48 js-macbook named[81]: client 192.168.2.1#61308: RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa
Feb 25 01:13:48 js-macbook named[81]: client 192.168.2.1#54165: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
Feb 25 01:17:51 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:23:04 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:24:45 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:29:40 js-macbook named[81]: clients-per-query decreased to 19
Feb 25 01:28:53 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:36:48 js-macbook named[81]: socket: too many open file descriptors
Feb 25 01:37:18: --- last message repeated 3 times ---
Feb 25 01:37:42 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:49:40 js-macbook named[81]: clients-per-query decreased to 18
Feb 25 02:01:08 js-macbook named[81]: socket: too many open file descriptors
Feb 25 02:01:38: --- last message repeated 12 times ---
Feb 25 02:01:39 js-macbook kernel[0]: Limiting icmp unreach response from 485 to 250 packets per second
Feb 25 02:09:21 js-macbook named[81]: client 192.168.2.1#65164: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
Feb 25 02:09:40 js-macbook named[81]: clients-per-query decreased to 17
Feb 25 02:14:16 js-macbook kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
Feb 25 02:29:40 js-macbook named[81]: clients-per-query decreased to 16
Feb 25 02:30:41 js-macbook named[81]: socket: too many open file descriptors
Feb 25 02:31:11: --- last message repeated 3 times ---
Feb 25 02:33:24 js-macbook named[81]: client 192.168.2.1#58726: RFC 1918 response from Internet for 255.1.168.192.in-addr.arpa
Feb 25 02:33:24 js-macbook named[81]: client 192.168.2.1#61703: RFC 1918 response from Internet for 255.1.168.192.in-addr.arpa
Feb 25 02:33:34 js-macbook named[81]: client 192.168.2.1#53867: RFC 1918 response from Internet for 255.2.168.192.in-addr.arpa
Feb 25 02:33:34 js-macbook named[81]: client 192.168.2.1#63900: RFC 1918 response from Internet for 255.2.168.192.in-addr.arpa


these are the last bits of my system.log I do not know how to read this stuff but I'm trying to learn, I also as you have noticed, do not know how to take screen shots yet on a mac. Any and all help would be appreciated, I've tried LS, ClamXAV, and the securemac product, none have done anything.

I know it's not a virus, it has to be a dns or trojan issue or something. I'm not ruling out anything stupid that I did, I realize that if it is a trojan, I let it in. Back in my PC days, I surfed with nothing other than AVG, not saying it's a great program, just saying that I was surfing smart.

most of the problems seem to come from named(81)

BTW is there a good reference for mac specific system logs for newbies like myself to go to learn how to trouble shoot these things?

Thanks

FYI, I need to talk to the admins.....my log on name is supposed to be fishinmedic, small little typo there, hence why I'm nervous about playing in a terminal
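
Added example (not part of the original post): a small Python triage of syslog lines in the format posted above. It counts messages per process, groups the `named` messages by kind, and expands the "last message repeated N times" lines. The category names are this example's own, and the sample input is a subset of the lines in the post.

```python
import re
from collections import Counter

# Subset of the system.log lines posted above, embedded so the script runs offline.
SAMPLE_LOG = """\
Feb 25 00:29:40 js-macbook named[81]: clients-per-query decreased to 22
Feb 25 00:32:08 js-macbook [0x0-0x9b09b].org.mozilla.firefox[1704]: Debugger() was called!
Feb 25 01:09:21 js-macbook named[81]: client 192.168.2.1#65164: RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa
Feb 25 01:09:40 js-macbook named[81]: clients-per-query decreased to 20
Feb 25 01:12:52 js-macbook named[81]: socket: too many open file descriptors
Feb 25 01:13:22: --- last message repeated 3 times ---
Feb 25 01:13:48 js-macbook named[81]: client 192.168.2.1#62211: RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa
Feb 25 02:01:39 js-macbook kernel[0]: Limiting icmp unreach response from 485 to 250 packets per second
"""

# "Mon DD HH:MM:SS host process[pid]: message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<proc>.+?)\[\d+\]: (?P<msg>.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times")
# The client field is the address that sent the query to named (IPv4 only here).
RFC1918 = re.compile(r"client ([\d.]+)#\d+: RFC 1918 response from Internet for (\S+)")
CPQ = re.compile(r"clients-per-query decreased to (\d+)")


def classify(msg, clients, zones, cpq):
    """Return this example's category for one named message and record details."""
    m = RFC1918.search(msg)
    if m:
        clients.add(m.group(1))
        zones.add(m.group(2))
        return "rfc1918_response"
    m = CPQ.search(msg)
    if m:
        cpq.append(int(m.group(1)))
        return "clients_per_query"
    if "too many open file descriptors" in msg:
        return "fd_exhaustion"
    return "other"


def triage(text):
    by_process, named = Counter(), Counter()
    clients, zones, cpq = set(), set(), []
    last = None  # (process, named category) of the previous parsed line
    for raw in text.splitlines():
        rep = REPEAT.search(raw)
        if rep:
            if last:  # credit the repeats to the line they refer to
                n = int(rep.group(1))
                by_process[last[0]] += n
                if last[1]:
                    named[last[1]] += n
            continue
        m = LINE.match(raw)
        if not m:
            continue
        proc, msg = m.group("proc"), m.group("msg")
        by_process[proc] += 1
        cat = None
        if proc == "named":
            cat = classify(msg, clients, zones, cpq)
            named[cat] += 1
        last = (proc, cat)
    return {
        "by_process": dict(by_process),
        "named": dict(named),
        "query_clients": sorted(clients),
        "reverse_zones": sorted(zones),
        "clients_per_query": cpq,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it over a real log, pass the file's contents to `triage()` instead of `SAMPLE_LOG`.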
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
Nothing I've searched out seems to indicate that this is malicious in nature. Using some snippets from the log I turned up this Google book mentioning "named" and setting up BIND. I also came across this Debian (Linux) thread that talks about similar things, but still no mentions of anything malicious.

Though I didn't discover anything about maliciousness that doesn't mean you don't have something. There has been a recent trojan making the rounds. It was being installed with pirated versions of iWork 09 as well as some Adobe products. Even if you haven't installed either of those take a look at this link and read the details on how to determine if this particular trojan has been installed or not.

Mac Rumor's guide to taking screenshots on Mac.

You can get in touch with mods by clicking the red and white triangular icon down below your username.
 

fishimedic

macrumors newbie
Original poster
Feb 24, 2009
14
0
How can I tell if netstat activity is normal? Also, would using OpenDNS solve this problem? Should I post my netstat log here, if so, how do I post it w/o posting my IP etc?

thanks
 

fishimedic

macrumors newbie
Original poster
Feb 24, 2009
14
0
Just a quick follow up

Sorry about the poor grammar earlier, I was typing in frustration.

It seems that it was a DNS problem, I started using OpenDNS and ALL symptoms have gone away. I do not know if it is OpenDNS alone fixing my problem, or a combination of the multiple solutions that I learned here. I'm not sure how it all started in the first place. I don't use pirated software, but there is the aforementioned 'adult' web site. As I mentioned, I'm a switcher that got by using AVG alone for years and never had a problem like the one I just recently experienced. So I can't say that I 'let' a trojan in, but I'm not sure how it got so screwed up. Is DNS hijacking common on macs?

While I'm glad that OpenDNS has solved my symptoms, how do I go about making sure that there isn't something lying underneath?

Also, is there a site (or any reference information) about how to interpret logs? I mean an idiot proof one?

Thanks
 

lisamel

macrumors regular
Mar 1, 2008
150
0
Oslo, Norway
Hi!
Download iAntiVirus, it is free. And then do a normal scan, not the fast one. If your mac is infected, I'm pretty sure it will find it and then you can remove it :)

Lisa
 

ppc750fx

macrumors 65816
Aug 20, 2008
1,308
4
Hi!
Download iAntiVirus, it is free. And then do a normal scan, not the fast one. If your mac is infected, I'm pretty sure it will find it and then you can remove it :)

Lisa

Please don't muddy the waters by recommending junk software.
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
Hi!
Download iAntiVirus, it is free. And then do a normal scan, not the fast one. If your mac is infected, I'm pretty sure it will find it and then you can remove it :)

Excellent idea, recommending that a user should download and install some software of unknown origin that could do anything to your computer, when the whole thread is about trojans. :eek: Since there are no viruses for the Macintosh, why would someone issue free so-called anti-virus software unless they want you to download and install a trojan?

To the original poster: Let me just say if I or any other of the professional programmers who post here would ever throw away their morals and create a trojan, you could be one hundred percent assured that it wouldn't turn up in any logs that Firefox produces. A trojan is absolutely normal software. It does things that you don't like it to do, like emailing your credit card information to some hacker site, but it is just normal software. Like the Mail application, which you can use to send your credit card numbers to me if you feel like doing that, that won't turn up in Firefox logs either. It has nothing to do with Firefox.

In other words, when you looked at the Firefox logs, you jumped to the completely wrong conclusions.
 

arkitect

macrumors 604
Sep 5, 2005
7,047
12,029
Bath, United Kingdom

ppc750fx

macrumors 65816
Aug 20, 2008
1,308
4
He was only trying to help, maybe it would've solved the OP's problem?

What's muddy about iantivirus/Clam XAV anyway?

ClamX only will find Windows viruses.

iAntivirus doesn't actually find any viruses... because there aren't any. Also, it's a fairly new closed source program that only will find a couple of fairly old Trojans. Advocating it as though it's an effective security measure might give people a false sense of security.
 

lisamel

macrumors regular
Mar 1, 2008
150
0
Oslo, Norway
Well I've had no problems with iAntiVirus. It actually helped me when I had some DNS issues. I download a lot of stuff, so I don't know how it got on my computer, but probably downloaded some software I shouldn't have..

Anyway, my university emailed me saying my macbook was trying to reach to DNS addresses and they claimed it had to be trojans. I found a tool to find and delete trojans, but it didn't find anything. I downloaded iAntiVirus, and did the quick scan, nothing came up.. I've had problems with internet on my macbook for some time, so I decided to try the full scan. After 2 1/2 hours it found 3 infected files. They got deleted and now everything works perfectly :)

That is the reason I suggested that he should download the software, because it sounds like similar to the problems I had!

Hopefully it will help you, if you dare try ;)
 

fishimedic

macrumors newbie
Original poster
Feb 24, 2009
14
0
Hello again all

I just thought that I would check in today to see if I was able to help anyone else out with my new found expertise. haha I did d/l and install both iAntiV and Clam Xav. I did this because both advertised trojan help and removal. I never once thought it was an actual virus. I also tried SecureMac and LS. I imagine that I will have problems removing some of these.

MB is still running fine. I wasn't looking at the Firefox log, I was looking at the system.log, which I haven't done yet today. Whatever named(81) is, it is under control now.

To the person who wrote about "if someone here wrote a code" or something like that, I totally believe you. In healthcare gunshots are easy to take care of, it's the little microbes that destroy populations, Cholera, measles, etc. And these things are coming back due to lack of immunization.

Once again, I have learned a lot from hanging around this site and hopefully someday I'll be able to contribute vs. asking n00b questions.
 

ppc750fx

macrumors 65816
Aug 20, 2008
1,308
4
After 2 1/2 hours it found 3 infected files. They got deleted and now everything works perfectly :)

Hopefully it will help you, if you dare try ;)

My bet is that you didn't have a trojan. I say that because many of the things that it reports as being threats aren't really threats.

You know what... I've seen too many threads mentioning this iAntiVirus junk, so let's take a look at the threat list.

iAntiVirus detects 96 threats. Pretty good, right? We'll see about that...

Application.OSX.* - 16 "threats"
  • 11/16 are legitimate applications, used for system administration in schools and internet cafes. They _could_ be used maliciously, but they can and are used for a number of legitimate purposes (such as security auditing.)
  • 3/16 are dedicated keyloggers. (A couple admin tools also can keylog, but these three are primarily keyloggers.)
  • 1/16 are proofs of concept.
  • 1/16 is a log management tool for a logging program. It doesn't log anything -- it just manages text files. Yes, I'm serious.

Backdoor.* - 10 "threats"
  • 1/10 is a Classic virus. It is 100%, completely inert on OS X.
  • 9/10 require user intervention to run. As in the user must run the backdoor itself.

DDoS.OSX.CometShower - 1 "threat"
This requires the user to install it. If activated, it can be used to perform a DDoS attack on a target, but that's about it.

Eicar_Test_Files - 1 "threat"
Not a threat. It's a test file used to verify that antivirus programs work correctly. I think it's a little deceptive to list this as a "threat"...

Email-Flooder.OSX.* - 3 "threats"
All three of these are mass mailing tools. They are not infectious, do not run without user intervention, and can't do much other than... uh... send e-mail.

Exploit.EvilGrade.a - 1 "threat"
The description that iAntiVirus provides is kinda deceptive. It's more a proof-of-concept than an "exploit tool."

Exploit.Exploit.OSX.CVE* - 2 "threats"
Both of these are PoCs.

Exploit.OSX.ARDAgent - 1 "threat"
My best guess is that it detects this PoC.

Exploit.OSX.CVE-* - 8 "threats"
Funny, but none of these seem to be discrete threats... instead, iAntiVirus claims to detect code that exploits these vulnerabilities. As far as I can tell, none of these have actually been exploited by malicious code "in the wild." That, and the most recent of the exploits is from 2007 -- and they've all been patched.

Exploit.OSX.Small - 1 "threat"
PoC.

Hacktool.MacOS.UGMPortScanner - 1 "threat"
It's a port scanner. That's it. Oh, and it's for Mac OS 9 and below... and thus isn't even an OS X binary.

Hacktool.OSX.* - 10 "threats", 1 potential threat
  • 1/11 reveals the IP of someone logged on to AIM. That's it. Oh, and the method it uses is obsolete. (Hacktool.OSX.AimSniff)
  • 2/11 are "brute force" tools (i.e. penetration testing tools.) (Hacktool.OSX.BrutalGift & Hacktool.OSX.Cyanide)
  • 1/11 is a tool for extracting audio from pcap dumps. (Hacktool.OSX.iChatSniff)
  • 1/11 is a goddamn joke. It can "scan websites for web links" and do other crazy stuff... like open a telnet connection. No, I'm not making this up. (Hacktool.OSX.Heirophant)
  • 1/11 is a password cracker (Hacktool.OSX.macKrack)
  • 2/11 are penetration testing tools (Hacktool.OSX.MacSmurf & Hacktool.OSX.ManOfTheMiddle). It's worth noting that MacSmurf is mostly useless now that sane admins protect against smurf attacks (thanks, in no small part, to auditors using tools such as this one...)
  • 1/11 is a SYN flood tool. (Hacktool.OSX.SYNer)
  • 1/11 *might* be a threat. (Hacktool.OSX.UnderHand). I have been unable to find any reports of this being in the wild.
  • 1/11 is a generic script-kiddie flooding tool. (Hacktool.OSX.ZapAttack)

Port-Flooder.OSX.Tsunami - 1 "threat"
Another kiddie flooding tool.

RogueAntiSpyware.OSX.Imunizator - 1 "threat"
Well gee PC Tools... don't you think it's kinda sleazy to list the same threat twice? This is the same as RogueAntiSpyware.OSX.MacSweeper.

RogueAntiSpyware.OSX.MacSweeper - 1 "threat"
I'll let PC Tools themselves describe this sucker: "It poses no threat and it does not have the capability to propagate or spread itself."

Rootkit.MacOS.Weapox - 1 threat
This is a rootkit. Yes, it works. I've neither seen it nor heard of it in the wild, but it could be used as a real threat.

Trojan-PSW.OSX.Corpref.A - 1 threat
Trojan. It's been found in the wild, but it requires you to enter your admin password.

Trojan.MacOS.* - 4 "threats"
Four more viruses for classic. You know I'm starting to see a pattern here...

Trojan.OSX.DNSChanger* - 2 "threats"
Both require admin passwords to operate. Actually, they're the same trojan, just one's rebranded. Again, it's pretty obvious that PC Tools is trying to pad their numbers by listing them separately.

Trojan.OSX.Lamzev.a - 1 threat(?)
Couldn't find much about this online other than it exists. I'll assume that PC Tools is telling the truth.

Trojan.OSX.RSPlug.C - 1 "threat"
Requires admin password. Does the same thing as the Trojan.OSX.DNSChanger* variants, but is technically a different threat.

Trojan.Trojan.OSX.RSPlug.* - 2 "threats"
Same as Trojan.OSX.RSPlug.C, but with a slightly different payload. It's a pretty big stretch to list this threat three times...

Virus.MacOS.* - 21 "threats"
This is absurd. These are *ALL* viruses for Mac OS 9 and below (aka Classic). It's actually impossible for them to run on the Intel machines, and they require virtualization on PowerPC Macs.

Virus.OSX.Leap - 1 threat
Technically self-reproducing, but requires users to manually launch the binary to infect their machine. PowerPC only. Still, I'll count it as a threat.

Worm.MacOS.Autostart - 1 "threat"
Sigh. Another virus that won't work on anything other than Classic.

Worm.OSX.Inqtana - 1 "threat"
Proof of concept. And the exploit it uses was patched years ago.

Worm.OSX.Renepo / "Opener" - 1 threat
Well... it does do malicious stuff, and it has been seen in the wild, so I guess we'll count this.

---

So let's review with some fun stats.

Of the 96 "threats" that iAntiVirus protects against:

- 28 are for Classic only.
- 5 are proofs-of-concept.
- 4 are the same as an already-listed threat. (IMHO it's pretty damn deceptive to list these as discrete threats.)
- 8 appear just to be references to exploits with no mention of what malicious software (if any) is detected. (What the hell?)
- 3 are "flooding" tools that could be used by script kiddies. They can't infect anything, they can't do anything on their own, and they can't do any serious damage to anyone. Two of them won't even work against any *nix box that's been secured by a half-sane admin.
- 3 are password cracking or brute forcing tools. Again: they can't infect, and they require a human operator.
- 3 are keyloggers that require manual installation.
- 9 are backdoors that must be explicitly started and/or installed (and that are defeated by the use of a firewall.)
- 15 are penetration testing tools that _could_ be misused, but that pose no threat to the machine they reside on.
- 3 are just WTFs. One manages logs, another uses an old trick to (drumroll) display an IP address, and the third does nothing that can't already be done with telnet, curl and grep.

So what does that leave?

- 2 appear to be threats, but I couldn't find enough information to be sure what iAntiVirus is actually looking for.
- 1 is a real, live rootkit.
- 1 is a PowerPC-only worm (no, it's not a virus despite PC Tools' classification) that requires the user to execute it.
- 2 are trojans that change DNS settings (and that require user intervention and privilege escalation to take effect). These two threats are listed as five separate entries.
- 1 threat is described by PC Tools themselves thusly: "It poses no threat and it does not have the capability to propagate or spread itself.". That didn't stop them from ranking it with a mid-level threat rating *and* listing it under two separate names though...
- 1 is a worm that's been seen in the wild.

Some more stats:

Number of self-propagating threats that iAntiVirus protects against: 0. There are none.
Number of threats that iAntiVirus has listed multiple times under different names: 3
Number of known trojans in the wild that iAntiVirus doesn't claim to offer protection against: 2

---

So in summary, I stand by my claim that iAntiVirus is junk. It's marketed in an exceptionally deceptive manner, will detect and remove a bunch of stuff that isn't a threat, and preys on people who don't do due diligence before handing over their time, CPU power, and (if you buy a one year license for the "paid version") money.

Now can we *please* stop recommending this POS?
 

Jethryn Freyman

macrumors 68020
Aug 9, 2007
2,329
2
Australia
He was only trying to help, maybe it would've solved the OP's problem?

What's muddy about iantivirus/Clam XAV anyway?

ClamXAV doesn't detect Mac threats.
iAntiVirus doesn't detect threats that have already been installed, only their installer packages.

Hacktool.OSX.* - 10 "threats", 1 potential threat

* 1/11 reveals the IP of someone logged on to AIM. That's it. Oh, and the method it uses is obsolete. (Hacktool.OSX.AimSniff)
* 2/11 are "brute force" tools (i.e. penetration testing tools.) (Hacktool.OSX.BrutalGift & Hacktool.OSX.Cyanide)
* 1/11 is a tool for extracting audio from pcap dumps. (Hacktool.OSX.iChatSniff)
* 1/11 is a goddamn joke. It can "scan websites for web links" and do other crazy stuff... like open a telnet connection. No, I'm not making this up. (Hacktool.OSX.Heirophant)
* 1/11 is a password cracker (Hacktool.OSX.macKrack)
* 2/11 are penetration testing tools (Hacktool.OSX.MacSmurf & Hacktool.OSX.ManOfTheMiddle). It's worth noting that MacSmurf is mostly useless now that sane admins protect against smurf attacks (thanks, in no small part, to auditors using tools such as this one...)
* 1/11 is a SYN flood tool. (Hacktool.OSX.SYNer)
* 1/11 *might* be a threat. (Hacktool.OSX.UnderHand). I have been unable to find any reports of this being in the wild.
* 1/11 is a generic script-kiddie flooding tool. (Hacktool.OSX.ZapAttack)
Absolutely correct. Half the "threats" on their list are legitimate pieces of software. I emailed PC Tools (they make iAV) a while back about that, and a few other problems. Their response is below.

Jethryn, thank you for contacting PC Tools

Thank you for your patience, in regards to your queries, at this
point we are not aware of any problem with iAntivirus removing entire
mail box's.

Please be aware that due to nature of some application such as
"macKrack", "SYNer", and "Brutal Gift" contains the same
characteristics as infections as a result these programs are tagged
as an infection, if you wish to prevent iAntivirus from detecting or
removing these programs please add them into the exception list.

Regarding to the "logKext" signatures and it appears that we are only
detecting the package, we will modify our signature to detect all
components of this infections.

We already provide signatures for iServices we detect the known
variants as Backdoor.OSX.iService.a, and Backdoor.OSX.iService.b.

As for the OSX.Rsplug variants are quite an old infection and we are
unable to locate samples of this infection to create a signature for.
 

lostngone

macrumors 65816
Aug 11, 2003
1,431
3,804
Anchorage
I would disagree they do have "some" Mac OS X threats in the ClamAV database.

ClamXAV doesn't detect Mac threats.
iAntiVirus doesn't detect threats that have already been installed, only their installer packages.


Absolutely correct. Half the "threats" on their list are legitimate pieces of software. I emailed PC Tools (they make iAV) a while back about that, and a few other problems. Their response is below.
 

lostngone

macrumors 65816
Aug 11, 2003
1,431
3,804
Anchorage
Well I've had no problems with iAntiVirus. It actually helped me when I had some DNS issues. I download a lot of stuff, so I don't know how it got on my computer, but probably downloaded some software I shouldn't have..

Anyway, my university emailed me saying my macbook was trying to reach to DNS addresses and they claimed it had to be trojans. I found a tool to find and delete trojans, but it didn't find anything. I downloaded iAntiVirus, and did the quick scan, nothing came up.. I've had problems with internet on my macbook for some time, so I decided to try the full scan. After 2 1/2 hours it found 3 infected files. They got deleted and now everything works perfectly :)

That is the reason I suggested that he should download the software, because it sounds like similar to the problems I had!



Hopefully it will help you, if you dare try ;)

iAntiVirus is 100% useless for anyone with a non-intel based Mac.
 

lisamel

macrumors regular
Mar 1, 2008
150
0
Oslo, Norway
Well I had problems with DNS addresses, so that really does make sense to me. If that is the only thing it looks for, it was the only thing that needed to be fixed on mine :)
 

ppc750fx

macrumors 65816
Aug 20, 2008
1,308
4
Well I had problems with DNS addresses, so that really does make sense to me. If that is the only thing it looks for, it was the only thing that needed to be fixed on mine :)

It seems much more likely to me that your local DNS servers were failing. You probably could have just changed your Mac's DNS servers to the resolvers in the 4.2.2.1-4.2.2.6 range to get the same results.

I've only seen an RSPlug variant once in the wild, and that was because I was specifically trying to find a copy for examination.
 