Welcome to the MacNN Forums.

finnegan · Jul 3, 2008, 03:22 PM

I am a Mac OS X user, and I appear to have become the victim of a Trojan or something similar. It only attacks me when I search on Google. When I try to access sites on Google, it redirects me to other sites, such as auut or smartbizsearch. The commands jump and redirect also sometimes appear and the site http:64.28.185.61 as part of the redirection process. Other forums explain how you can remove this from a PC, but how do you remove it from a Mac?

Peter · Jul 3, 2008, 03:55 PM

Go System Preferences > Network > Advanced > DNS
What servers are listed?

Chuckit · Jul 3, 2008, 04:55 PM

Is this any page you click on from Google (e.g., does it happen if you Google for MacNN)? It sounds like you're accessing pages that have been snapped up by squatters.

finnegan · Jul 3, 2008, 06:14 PM

No DNS servers are listed, only TCP IP 192.168.1.64 and Ethernet 00-17-f2-cf-39-40. When I searched on MacNN on Google, it showed the proper site as the first site on the search, but when I clicked on the web address, it diverted me firstly to Copy-Book.com News, Events, Articles, Search, Archives and more (which I have had a number of times before), than via a number of other sites as mentioned in my original message to Info.co.uk - Displays results from 12 search engines. It did not, however, do this the second and third time I clicked on the MacNN site.

Cold Warrior · Jul 3, 2008, 06:20 PM

have you recently downloaded and used anything claiming to be a video codec?

mduell · Jul 3, 2008, 08:52 PM

In terminal type:
nslookup
google.com
server 4.2.2.4
google.com

What's the output?

damianstafford · Jul 4, 2008, 04:15 PM

I have exactly the same problem as that reported by finnegan. On both my Macs I have the problem. On one of them I have two clearly bogus DNS servers listed when I do as Peter suggested, but on the other I have the address of my router listed, which I assume is correct. Here is the output of the Terminal commands suggested by mduell.

$ nslookup
> google.com
Server: 85.255.115.82
Address: 85.255.115.82#53

Non-authoritative answer:
Name: google.com
Address: 72.14.207.99
Name: google.com
Address: 64.233.187.99
Name: google.com
Address: 64.233.167.99
> server 4.2.2.4
Default server: 4.2.2.4
Address: 4.2.2.4#53
> google.com
Server: 4.2.2.4
Address: 4.2.2.4#53

Non-authoritative answer:
Name: google.com
Address: 64.233.187.99
Name: google.com
Address: 64.233.167.99
Name: google.com
Address: 72.14.207.99
>

Any help with this strange problem gratefully received ...

Damian

damianstafford · Jul 4, 2008, 07:05 PM

Also should've added that on the mac with the two bogus DNS server names, they are greyed out and I am unable to remove them from the list

64stang06 · Jul 4, 2008, 07:34 PM

Porn sites? (as in, did this happen after visiting said sites?)

Cold Warrior · Jul 4, 2008, 07:57 PM

Originally Posted by Cold Warrior

have you recently downloaded and used anything claiming to be a video codec?

Originally Posted by 64stang06

Porn sites? (as in, did this happen after visiting said sites?)

I was asking the same thing in a roundabout way, but no one seems to be keen on 'fessing up.

64stang06 · Jul 4, 2008, 10:07 PM

Originally Posted by Cold Warrior

I was asking the same thing in a roundabout way, but no one seems to be keen on 'fessing up.

Oh I saw that, I figured I would bite the bullet and see if anyone would be straight up

ibookuser2 · Jul 4, 2008, 11:05 PM

Do you have a wireless router? Did you leave it with the default administrator password?

Some malware will try to log in to your router and add the DNS servers there.

finnegan · Jul 5, 2008, 06:10 AM

I don't have a wireless router and I don't know what site I visited that caused the problem (would I admit to the heinous crime of using naughty sites?). There are instructions on how to remove this from a PC at Spyware and Adware Removal - auut.com - could these be adapted? When I look up Google (which would be what is being attacked in my case) in network utility, it gives me this reading:

Lookup has started ...

; <<>> DiG 9.3.4 <<>> Google
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9341
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;Google. IN A

;; ANSWER SECTION:
Google. 338 IN A 64.28.190.83

;; Query time: 183 msec
;; SERVER: 85.255.116.93#53(85.255.116.93)
;; WHEN: Sat Jul 5 11:05:48 2008
;; MSG SIZE rcvd: 50

When I look up server.4.2.2.4 it gives

Lookup has started ...

; <<>> DiG 9.3.4 <<>> server.2.4.4.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7575
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.2.4.4.2. IN A

;; ANSWER SECTION:
server.2.4.4.2. 360 IN A 64.28.188.35

;; Query time: 184 msec
;; SERVER: 85.255.116.93#53(85.255.116.93)
;; WHEN: Sat Jul 5 11:07:36 2008
;; MSG SIZE rcvd: 48

Don't ask what that means though, as I'm no techie!

Simon · Jul 5, 2008, 06:17 AM

Try this

DNSChanger Removal Tool 1.1 - MacUpdate

damianstafford · Jul 5, 2008, 08:11 AM

Simon - thank you that has resolved the problem. Much appreciated!

ghporter · Jul 5, 2008, 11:23 AM

There's a terminal command that should do much the same thing as the utility Simon linked to. It's done this way:

Code:
dscacheutil -flushcache

That's all it takes to completely flush your DNS cache. Now, would this fix your problem if the culprit is some site you visit again? No. But that's true of just about any solution. The real issue here is how your DNS information got messed up in the first place. Safe surfing is important for everyone, and a number of posters here have suggested, at varying levels of politeness, a variety of ways to go wrong online. Be careful of where you visit, don't trust anything that purports to give you ANYTHING for nothing, and be suspicious of links to important places like banking and such sites.

finnegan · Jul 5, 2008, 06:12 PM

The problem appears to have been sorted. Thank you Simon and ghporter for your useful advice.

Fluffkin74 · Jul 6, 2008, 07:31 PM

I know you're sorted now but just for the record...I have been trying to sort this problem for a while now [ I run internet expolrer, safari & firefox on my mac and the problem was across the board on all of these] and was confused as it was almost as if Google had been cloned (it look a little different - no sponsored links on the right or top - but otherwise looked the same) - but again, like you, when i clicked through from a search link it then went through to either a strange IP address or a random search engine BUT mostly to copy-book.com urls

I have just fixed this problem by running VirusBarrier X5 from Intego http://www.intego.com/demo/
It found a file called quicktime with a strange file ending and when I deleted this file (and the few others it picked up) and restarted the computer the problem was fixed. [doing a bit of research I think it was some sort of Trojan Horse] Phew! Its now gone!

My main point is that I had also tried other virus scanners and they did not help so i really think this one is worth a go. I am now going to buy it as I am so delighted and relieved!!! This whole thing has made me realise how complacent I've been about security so far and I now think a bit of money thrown at a bit of software to keep me protected and save me from this type of hassle again has got to be worth it!

Cheers

billgatescat · Jul 19, 2008, 09:41 AM

I too was having trouble with Google, and you've provided me with the answer. This was driving me mad for a while, doing the same thing with other browsers too. Thanks again for the solution to this most annoying problem.