#474209 - 07/07/09 03:23 PM Google Hijacked...
djackson3693 Offline
New User

Registered: 07/07/09
Posts: 8
Hi, I am running Leopard 10.5.4, and everything has been running fine until recently. Within the last week or so, certain websites have been hijacked, with the most frequent one being Google (I use Firefox, but it happens in Safari as well). I've downloaded and run every virus scan and malware scan that I can find, but none of them find anything. It seems like a trojan clicker like you would find on a PC with websites redirecting to random search sites, but like I said, I can't find anything wrong when I scan. Please help, this is getting so frustrating!

Thanks in advance,
Dan

#474216 - 07/07/09 06:35 PM Re: Google Hijacked... [Re: djackson3693]
joemikeb Offline
Moderator

Registered: 03/27/00
Posts: 11987
Loc: Fort Worth, That's my town
What you are seeing could be the result of your having inadvertently installed the DNSChanger or similar trojan, or it may be legitimate sites that have been hijacked. To check for a DNSChanger infection, open Terminal then copy and paste

cat /etc/resolv.conf

onto the command line and hit return. This will return a list of IP addresses and if any of them begin with "85." you are infected. You can download the free DNSChanger Removal Tool (http://www.dnschanger.com/) to disinfect your Mac. It doesn't hurt to run it even if you are not infected, it just won't do anything in that case.

A trojan requires your complicity to infect your computer. You must run the installer and provide your administrative password. Trojans often take the guise of "special software to view a site" and DNSChanger is known to have been embedded in the installer for illegal software downloads from file sharing sites.
_________________________
The MacFixIt Forums will change to a read-only format on August 4, 2009
hopefully you will be able to find your answer elsewhere after that time.

joemikeb, Alternaut, Cyn, Dianne, DKMarsh, & MacManiac: MacFixit Forums Moderators



#474217 - 07/07/09 06:51 PM Re: Google Hijacked... [Re: joemikeb]
djackson3693 Offline
New User

Registered: 07/07/09
Posts: 8
Thanks for getting back to me. Unfortunately, that is not the problem. I entered the code in terminal and also downloaded the program, and neither turned up anything.

Any other suggestions? It seems to be redirecting me to two main websites: http://simplesearchresults.com and http://www.topdaofinder.com

...and both of which are annoying the hell out of me at this point. I'm willing to try anything, but I need help!

-Dan

#474221 - 07/07/09 07:44 PM Re: Google Hijacked... [Re: djackson3693]
macnerd10 Offline
MacAuthor

Registered: 12/27/01
Posts: 2217
Loc: Los Angeles, CA, USA
Do you have any plugins installed? If yes, try to disable them. Is Google toolbar installed? If yes, I would get rid of it too. From a general standpoint, I would update your OS to 10.5.7, Safari to 4.0 and Firefox to 3.5. You can also try to trash the respective plist files for Firefox and Safari.
_________________________
Alex
2.66 GHz 17" MacBook Pro, 4 GB RAM, OS 10.5.7, Office 2008, TimeWarner Cable

#474253 - 07/08/09 12:52 PM Re: Google Hijacked... [Re: macnerd10]
djackson3693 Offline
New User

Registered: 07/07/09
Posts: 8
I tried disabling all the plugins, but still nothing. This is the most aggravating thing I've ever dealt with...there has to be an infected file or something, I just can't think of anything else. Any other suggestions?

#474256 - 07/08/09 01:50 PM Re: Google Hijacked... [Re: djackson3693]
tacit Offline
MacGuru

Registered: 10/14/99
Posts: 12002
Loc: Portland, Oregon, USA
Originally Posted By: djackson3693
I tried disabling all the plugins, but still nothing. This is the most aggravating thing I've ever dealt with...there has to be an infected file or something, I just can't think of anything else. Any other suggestions?


Can you give us concrete examples (for example, "When I try to go to this site, I end up on that site instead")? If you see this happen with Google searches, can you give an example of a specific Google search you make and a specific link in the Google results which redirects you?

I have a suspicion I know what's going on here, but I need more information to confirm or refute it.


Edited by tacit (07/08/09 01:54 PM)
_________________________
---
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
RIP MacFixIt! New Mac forum: finetunedmac

#474262 - 07/08/09 02:24 PM Re: Google Hijacked... [Re: tacit]
djackson3693 Offline
New User

Registered: 07/07/09
Posts: 8
sure...for example, I searched on google for "symantec"

the first two hits worked fine, but the third one down (http://security.symantec.com) redirected to this:

http://simplesearchresults.com/search.ph...crKSUlJLzYsMgMA

which then redirects again to one of any number of random search/shopping websites. as I may have already mentioned, it is also affecting my gmail, and I've recently found out that YouTube is also affected (both have apparently bad security certificates and both run by google...hmmm).

unfortunately, I was previously able to bypass many of the redirects by simply searching using yahoo instead of google, but within the last few days it seems yahoo has also been affected.

the other main site that it redirects to, as I've mentioned, looks like this:

http://www.topdaofinder.com/check/?sid=9...cbb11&did=4

I looked briefly for a link that will redirect to that, but I haven't found one for a while. the simplesearch one comes up more.

#474410 - 07/11/09 12:35 AM Re: Google Hijacked... [Re: djackson3693]
tacit Offline
MacGuru

Registered: 10/14/99
Posts: 12002
Loc: Portland, Oregon, USA
Originally Posted By: djackson3693
sure...for example, I searched on google for "symantec"

the first two hits worked fine, but the third one down (http://security.symantec.com) redirected to this:

http://simplesearchresults.com/search.php?s=1&q=K67MTcwrSU3mNOBMTjJJNU1NMk8pLMwxyjRIScrKSUlJLzYsMgMA


That is definitely consistent with infection by the OSX/Zlob, aka DNSchanger, Trojan.

The fact that the DNSchanger disinfection program you've run doesn't turn up anything is worrying. The Zlob gang has recently been stepping up their Mac malware efforts, and I've just recently noticed them creating Mac-only attack domains.

When you open the Terminal and run

cat /etc/resolv.conf

what does it say? Can you give us the name server addresses it's coming up with? (Don't worry, this won't compromise your security. Name server addresses are addresses of computers run by your ISP, not the address of your computer.)
_________________________
---
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
RIP MacFixIt! New Mac forum: finetunedmac

#474411 - 07/11/09 12:53 AM Re: Google Hijacked... [Re: tacit]
djackson3693 Offline
New User

Registered: 07/07/09
Posts: 8
Here's what I got:

Last login: Sat Jul 11 03:39:17 on console
dan-jacksons-mac-pro:~ danjackson$ cat /etc/resolv.conf
nameserver 87.118.92.205
nameserver 87.118.93.205
nameserver 192.168.2.1
dan-jacksons-mac-pro:~ danjackson$


A computer is infected if there's an address that starts with 85, right?

Also, the laptop's fan is now running almost permanently and quite loudly, as if the laptop were overheating. I can't help but assume that the two issues are connected...I'm slowly losing my patience and my mind

#474426 - 07/11/09 06:44 AM Re: Google Hijacked... [Re: djackson3693]
MacManiac Offline
Moderator

Registered: 09/18/01
Posts: 6017
Loc: San Diego, CA (that's my story...
Unless you live in the Netherlands (or your ISP is based in the Netherlands) there's a very high likelihood that you have been infected.

The IP addresses that you show for your nameservers are registered there.
_________________________
  • MacFixit Forums Moderator
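
Added example, not part of any post in this thread: instead of matching a single address prefix, this script lists every nameserver in a resolv.conf file that is neither a private/loopback address nor a resolver you expect. The function names are hypothetical, the sample is the output posted above, and 203.0.113.53 is a placeholder for the resolver address your ISP documents.

```shell
#!/bin/sh
# Added example: list nameservers in a resolv.conf that are neither
# private/loopback addresses nor resolvers you expect to see.

# is_private ADDR: succeed for loopback, link-local and RFC 1918 IPv4 space
# (typically the home router or a local caching resolver).
is_private() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# unexpected_nameservers FILE [EXPECTED_IP ...]
# (hypothetical helper) prints one unexpected nameserver per line.
unexpected_nameservers() {
    file=$1; shift
    expected=" $* "
    awk '$1 == "nameserver" { print $2 }' "$file" | while read -r ns; do
        is_private "$ns" && continue
        case "$expected" in *" $ns "*) continue ;; esac
        printf '%s\n' "$ns"
    done
}

# Constructed sample: the resolv.conf contents posted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
nameserver 87.118.92.205
nameserver 87.118.93.205
nameserver 192.168.2.1
EOF

# 203.0.113.53 is a placeholder for the resolver your ISP documents.
unexpected_nameservers "$sample" 203.0.113.53
rm -f "$sample"
```

On a live system, pass /etc/resolv.conf and your ISP's real resolver addresses; any address printed should be checked against what the router and ISP are supposed to hand out.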
