Trojan help: Multiple fixes attempted, no luck

Discussion in 'macOS' started by iMAX386, Oct 29, 2010.

  1. iMAX386 macrumors newbie

    Joined:
    May 23, 2010
    #1
    For the past month I've had something affecting my MBP running 10.6.4 on all my browsers.

    I use Firefox 3.6, but the problem happens with Safari too. Problem is two-fold: I'll click a link and it redirects. I also get pop-ups going to different sites, some that seem legit and some that are sketchy. Sometimes the pop-ups never load, but instead get stuck on "waiting for google-analytics." Some of the redirects just stall on the WYCIWYG google intermediate page and any time you press the back button it just reloads the redirect site.

    If it's any help, some of the sites it's been going to include:
    Don't remember installing any rogue software, or clicking yes to any plugins/codecs, but it's apparently something I've invited to my system.

    I think it's a problem that's affecting the router because it's also started affecting my old PC that I still have, and my iPhone, which all use my home wifi. On my phone I've noticed on Safari that popups randomly open up going to the same type of addresses that my Mac browsers have been going to. I admit though that I've connected my iPhone to the PC recently and hooked it back to the mac so these 3 devices have had contact outside the wifi. If it's a router affected issue, I'm clueless to the fix.

    Tried to find my own fixes and after many google searches I've still got the problem. Switched to Mac back in May so I'm still new to the semantics of Mac, but feel I'm tech savvy enough to be able to fix this.

    I've used the following, and each has found no problems:
    - ClamXav
    - MacScan
    - DNSChangerRemoval Tool
    - iAntivirus

    I've also done the following:
    - Cleaned all the private info and cache on FF and Safari.
    - Examined the DNS tab on Network in System Preferences, only shows 192.168.1.1
    - Done the sudo crontab fix through Terminal for (following these instructions: http://www.ehow.com/how_2128387_remove-osxrspluga-trojan-horse-mac.html)

    I have a Windows XP VM running through Fusion 3.1 that I installed around the same time as this problem popped up. The Fusion packaged McAfee program has found nothing upon scanning.

    I've tried the following on my Windows VM with nothing incriminating found:
    - Spybot S&D
    - HijackThis
    - Malwarebytes

    I'm desperate for help. I've included as much info as I can think of. Thank you to any who respond!
     
  2. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #2
    Try changing your DNS servers to the following OpenDNS servers:
    208.67.222.222
    208.67.220.220
     
  3. Mal macrumors 603

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #3
    Did you check the DNS settings on your router? It sounds like a DNS Insertion attack, and usually that's done at the router level. If you can, I'd even say to do a hard reset of the router (look in the instruction manual, usually there's a small paperclip hole that you need to press and hold), and then configure it again fresh, with a very secure password.

    jW
     
  4. munkery macrumors 68020

    Joined:
    Dec 18, 2006
    #4
    You most likely are already aware of this but in case you are not, routers require two passwords:

    1) a network password to access the wireless network (WPA password)

    2) an admin password to protect the firmware from modification (much like the password in Mac OS X)

    Often infections as you describe are the result of not changing the default admin password for the router.

    After you do a hard reset as suggested above, make sure to change the admin password to a secure password if this is the reason for your issue.
     
  5. aarond12 macrumors 65816

    Joined:
    May 20, 2002
    Location:
    Dallas, TX USA
    #5
    You can validate if this is a router-based attack by connecting with another computer/iPhone/PS3 browser/etc., and see if you get the same results.

    By the way, OP: Good job on trying things BEFORE asking for help! :D

    -Aaron-
     
  6. iMAX386 thread starter macrumors newbie

    Joined:
    May 23, 2010
    #6
    I just want to give you guys a big thank you.

    It's been about 24 hours since I did the hard router reset and I've yet to have a pop-up or redirect. I'm still expecting one to show up, but who knows. Changed the router admin password.

    Quick clarification: Once these router/DNS attacks are cleared, they're completely gone? Remnants don't linger in the router/computer software that re-attack the router, do they?

    This was my first experience with a router-based hijacker.
     
  7. Mal macrumors 603

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #7
    No. Nothing was ever done to your computer, btw. Someone accessed your router from their own computer and changed the DNS settings. Once you reset that router, and assuming they can't get past your new password on the router setup to mess with you again, then you should be set.

    jW
     
  8. askWinters macrumors newbie

    Joined:
    Nov 4, 2010
    #8
  9. iMAX386 thread starter macrumors newbie

    Joined:
    May 23, 2010
    #9
    Did both. Have been problem free ever since.
     