'OSX.RSPlug.A.postflight' Trojan?
Dedicated MacNNer
Join Date: Oct 2003
Location: London UK
Hi there,
First of all, I hope this is in the correct forum - and my apologies if not!
I have just scanned my system (10.5.2) with both ClamXav and then VirusBarrier X4 and the above 'Trojan Horse infection' was thrown up as "postupgrade is infected by 'OSX.RSPlug.A.postflight'".
Also thrown up was "'postinstall' is infected by 'OSX.RSPlug.A.postflight'".
Would anyone know what OSX.RSPlug.A.postflight is and how can I get rid of it?
Plus, would anyone know what 'postinstall' and 'postupgrade' are?
As usual - all help is gratefully received!
best
voicebox
"If you don't like the heat, don't go in the kitchen!"
17" Core2duo MacBook Pro 2.4Ghz 4Gb/160HD Snow Leopard 10.6.8 || 15" PowerBook 1Gz 1Gb/120 HD Tiger 10.4.11|| 24" iMac 3.06Gz 4Gb/1TB HD Lion 10.7.2
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Congratulations
You are among the few elite Mac users that managed to get infected by a trojan.
Or, in other words, you got PWNED !
Here's some info and how to remove it:
2007 October | Geek stuff
-t
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
When a pornsite asks you to install something, don't do that in the future. Only install software you acquired directly from trusted sources. postupgrade and postinstall are scripts within an installer package that are run during installation. It seems you have this installer package that installs the trojan still lying around. Trash it. Also check whether you installed the trojan. I found more info about this in this article:
Macworld | First Look: Trojan Horse warning: What you need to know
Addicted to MacNN
Join Date: Mar 2006
Ironic that on porn sites you have to be careful of trojans.
Mac Elite
Join Date: Oct 1999
Location: Montréal, Québec (Canada)
Originally Posted by peeb
Ironic that on porn sites you have to be careful of trojans.

Dedicated MacNNer
Join Date: Oct 2003
Location: London UK
Originally Posted by turtle777
Congratulations
You are among the few elite Mac users that managed to get infected by a trojan.
Or, in other words, you got PWNED !
Here's some info and how to remove it:
2007 October | Geek stuff
-t
Thank you boys and girls(?) for all your replies, and to you turtle777 and TETENAL - but I have to tell you all that I have never visited a porn site in my life.... although I may know of a small person or persons who has/have.....!!
A good rule: "Never ever turn your back on nephews & nieces in your family when you allow them to use your laptop during Sunday Lunch" ....!!
Yet another rule: "Never EVER let nephews and nieces use your laptop during Sunday Lunch"....
I am afraid I broke both rules!!
Thanks guys - I'll try the fix ...!! 
Fresh-Faced Recruit
Join Date: Jan 2008
Hey, voicebox. There is a good possibility that the trojan didn't get installed since it would require an administrator name and password, but it would still be a good idea to read the link turtle777 posted and check your DNS settings and root crontab.
(Last edited by geekjon; Mar 31, 2008 at 05:11 PM. Reason: more info)
Addicted to MacNN
Join Date: Mar 2006
The DNS settings grey thing seems to be bogus. There are other reasons for grayed DNS entries.
Banned
Join Date: Jun 2003
That trojan requires an admin password I believe. This is something your nephew/niece wouldn't be able to install...but you would be able to install it. 
Grizzled Veteran
Join Date: Mar 2004
Here's a slightly more in-depth study (more recent as well):
As it mentions at the end:
Later versions of this trojan scripts are obfuscated, making it a little difficult
for security analyst and researchers to read the code.
Though not conclusive, if you run cat /etc/resolv.conf in Terminal, and see nameserver addresses starting with 85.255.x.x
-- those are known undesirable domains of late... among way << too many>> others, unfortunately.
Along with tons of Cnet and PCWorld type coverage, here is some more obscure linkage:
-HI-
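The two checks suggested in this thread (resolver addresses in 85.255.x.x, and a look at root's crontab), written out as an added example that is not part of any post. The function names and the sample resolv.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print each address on an active "nameserver" line of a resolv.conf-format
# file (default: the live /etc/resolv.conf). Commented-out lines are skipped.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Print only IPv4 resolvers inside 85.255.x.x, comparing whole octets so that
# 185.255.1.1 or 85.25.5.1 do not match. Exit status 0 means at least one hit.
flag_suspect_nameservers() {
    list_nameservers "$1" |
        awk -F. 'NF == 4 && $1 == "85" && $2 == "255" { print; hit = 1 }
                 END { exit !hit }'
}

# Filter crontab text on stdin down to its active entries (no comments or
# blank lines) so they can be read one by one.
active_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)'
}

# Write a constructed resolv.conf to a temp file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not taken from a real machine
domain example.lan
nameserver 85.255.0.10
  nameserver 192.168.1.1
#nameserver 85.255.0.99
nameserver 185.255.1.1
nameserver 85.25.5.1
EOF
    echo "$f"
}

sample=$(make_sample)
echo "Resolvers in 85.255.x.x (constructed sample):"
flag_suspect_nameservers "$sample" || echo "(none)"
rm -f "$sample"

# Live use on the machine being checked:
#   flag_suspect_nameservers /etc/resolv.conf
#   sudo crontab -l -u root | active_cron_entries
```

On Mac OS X, `scutil --dns` prints the resolver configuration the system is actually using, which is worth comparing against what /etc/resolv.conf shows.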
Dedicated MacNNer
Join Date: Oct 2003
Location: London UK
Originally Posted by Horsepoo!!!
That trojan requires an admin password I believe. This is something your nephew/niece wouldn't be able to install...but you would be able to install it.
Thank you Horsepoo!!! for your input!
You may be interested to know - along with all you other guys - that my nephew has confessed!! Like many of his ilk he said he only did it as a joke ......
Well he would wouldn't he?!!
He also said that when the 'package' was being downloaded, VirusBarrier alerted him to the fact that there was a virus and that the admin password window flashed up three times - he panicked but he managed to get rid of that by hitting the 'Repair' button in VirusBarrier a few times...
The .dmg file appeared on the desktop so he trashed it and emptied the trash! (how thoughtful) In fact, it appears that the package 'Could not be Installed.' Good old Intego and VirusBarrier X4!
TETENAL and turtle777- thank you for the links, the Terminal fix contained therein worked, so everything is now OK. And to Hal Itosis, thank you for your input - the links make interesting reading!
Meanwhile .... For Sale - 1 Nephew with a slightly flawed sense of humour - going cheap ...
Any takers?
best
voicebox