
lisamel

macrumors regular
Mar 1, 2008
150
0
Oslo, Norway
I got an email from my school IT person who said I most likely had a trojan because my computer was trying to reach the DNS addresses 85.255.112.227 and 85.255.113.126, which are in Ukraine.

And now after I ran iAntivirus, and it found something and removed it, everything works fine and the Mac isn't "looking" for those addresses anymore.

And btw I couldn't delete the DNS addresses, I tried.
 

ppc750fx

macrumors 65816
Aug 20, 2008
1,308
4
I got an email from my school IT person who said I most likely had a trojan because my computer was trying to reach the DNS addresses 85.255.112.227 and 85.255.113.126, which are in Ukraine.

Do you mean your machine was issuing DNS queries to those two servers?

Because at least one of those IPs has been used by some Windows trojans in the past...
 

Jethryn Freyman

macrumors 68020
Aug 9, 2007
2,329
2
Australia
I got an email from my school IT person who said I most likely had a trojan because my computer was trying to reach the DNS addresses 85.255.112.227 and 85.255.113.126, which are in Ukraine.

And now after I ran iAntivirus, and it found something and removed it, everything works fine and the Mac isn't "looking" for those addresses anymore.

And btw I couldn't delete the DNS addresses, I tried.

What exactly did iAV say you had?

If you can't remember, open up iAV and look under the history tab.
 

lisamel

macrumors regular
Mar 1, 2008
150
0
Oslo, Norway
The IT guy from school emailed me saying my MacBook was trying to reach those two addresses. He said it was most likely a trojan and tried to help me get rid of it with a DNSchanger tool. It didn't work because it said my machine was clean. But when I went to System Prefs/Network/DNS those two addresses were there and I couldn't just delete them.

So I was going to just reinstall the OS, but thought I'd give this iAV a shot. It lasted two hours and 20 mins. And this is what it found:
(Attachment)

Now that they are gone, everything finally works again!
 


Jethryn Freyman

macrumors 68020
Aug 9, 2007
2,329
2
Australia
That's the OSX.RSPlug.A trojan. It's been around since late 2007, most commonly disguised as a fake QuickTime codec, and is known to change DNS servers.
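
Added example, not part of any post in this thread: a shell check that reads macOS `scutil --dns` output and flags configured resolvers matching the two addresses the school IT person reported. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag resolvers reported as rogue.

# The two DNS server addresses quoted in the first post.
REPORTED_DNS="85.255.112.227 85.255.113.126"

# Reads `scutil --dns` text on stdin and prints, once each, every configured
# nameserver found in REPORTED_DNS. Exit status: 0 if any matched, 1 if none.
flag_reported_dns() {
  awk -v bad="$REPORTED_DNS" '
    BEGIN { n = split(bad, a, " "); for (i = 1; i <= n; i++) rogue[a[i]] = 1 }
    $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
      ip = $3
      if ((ip in rogue) && !(ip in seen)) {
        seen[ip] = 1; hits++
        print "SUSPICIOUS resolver: " ip
      }
    }
    END { exit (hits > 0 ? 0 : 1) }
  '
}

# Constructed sample of `scutil --dns` output with the reported resolvers set.
sample_scutil_infected() {
  cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 85.255.112.227
  nameserver[1] : 85.255.113.126
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 85.255.112.227
EOF
}

# Constructed sample with a documentation-range resolver (192.0.2.53).
sample_scutil_clean() {
  printf 'resolver #1\n  nameserver[0] : 192.0.2.53\n'
}

# On a Mac, check the live configuration; elsewhere, run the sample.
if command -v scutil >/dev/null 2>&1; then
  scutil --dns | flag_reported_dns || echo "No reported resolver configured."
else
  sample_scutil_infected | flag_reported_dns
fi
```

Because `scutil --dns` shows the resolvers the system is actually using, it is a useful cross-check when the entries in the Network preferences pane cannot be edited.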
 