

The following comments are owned by whoever posted them. This site is not responsible for what they say.
How to find and remove the OSX.RSPlug.A malware
Authored by: variante9 on Oct 31, '07 12:54:00PM

Poor info. At the moment it looks like the firewall panic.

Note: if you are using a router the DNS servers are dimmed out, too.



How to find and remove the OSX.RSPlug.A malware
Authored by: robg on Oct 31, '07 12:58:47PM

We adjusted the article to clarify the gray DNS entries, as well as add a simpler method of detecting the malware.

As for root crontabs, I have yet to find a program that installs any on its own. Yes, experienced macosxhints readers may have them installed, but they will have put them there themselves.

For other "typical" OS X users, though, the root crontab is going to be empty. For the audience, I feel it's the best advice -- there really shouldn't be any root crontabs running on a system that the user didn't place there themselves.

If someone can provide a real-world example of a third-party app that installs its own root crontab, I would like to know about it -- and no, geeky Unix utilities and the like don't count. :)

-rob.



How to find and remove the OSX.RSPlug.A malware
Authored by: macavenger on Oct 31, '07 01:19:20PM

Yeah, agreed. And ruling out geeky Unix-type things, I can't say I know of anything that does use the crontab. I just thought it might be worth pointing out that you are actually deleting everything :)

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD



How to find and remove the OSX.RSPlug.A malware
Authored by: garythemacguy on Nov 01, '07 05:40:28AM

Intel iMac, Mac OS X 10.4.10 - McAfee VirusScan v8.5 (formerly known as Virex).

I have the "VirusScan Schedule Editor" component set to do a DAT eUpdate every working day (I work for a university). Your "sudo crontab -l" produces the following output:

# Virex Schedule Editor Task 09282007101331946
32 10 * * 1,2,3,4,5 /usr/local/vscanx/VShieldScheduleLauncher -i 09282007101331946 >/dev/null 2>&1

Although I'm actually in IT support, I hadn't specifically known that it used cron to achieve its results.



How to find and remove the OSX.RSPlug.A malware
Authored by: knujon on Nov 01, '07 10:29:13AM

Symantec Antivirus 10 (Corporate Edition) installs this root crontab:

#SqzS VERSION = 1.0.0
#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED
#PLEASE DO NOT EDIT.
# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=2
0 17 * * 5 "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 1 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf -liveupdatequiet YES -liveupdateautoquit YES"
#SqzS END SYMANTEC CRON ENTRIES



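Added example, not written by any of the posters above: since the thread shows that antivirus schedulers do install root crontab entries, this script lists what each active job actually runs so entries can be reviewed individually rather than wiping the whole table. The function names cron_jobs and sample_crontab are hypothetical; the sample reuses the two job lines quoted in the comments, plus a SHELL= line and an @reboot line constructed for illustration.

```sh
#!/bin/sh
# Reads crontab text on stdin; prints "<schedule>|<executable>" for every job.
cron_jobs() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next                 # blank or comment
        if (line ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) next   # VAR=value setting
        nf = (line ~ /^@/) ? 1 : 5        # @reboot-style entries use one field
        sched = ""
        for (i = 0; i < nf; i++) {
            if (match(line, /^[^ \t]+/) == 0) next          # malformed entry
            sched = sched (i ? " " : "") substr(line, 1, RLENGTH)
            line = substr(line, RLENGTH + 1)
            sub(/^[ \t]+/, "", line)
        }
        if (line == "") next                                # schedule, no command
        if (substr(line, 1, 1) == "\"") {                   # quoted path with spaces
            rest = substr(line, 2)
            end = index(rest, "\"")
            exe = (end > 0) ? substr(rest, 1, end - 1) : rest
        } else {
            match(line, /^[^ \t]+/)
            exe = substr(line, 1, RLENGTH)
        }
        print sched "|" exe
    }'
}

# Sample input: job lines from the comments above, plus two constructed lines.
sample_crontab() {
    cat <<'EOF'
# Virex Schedule Editor Task 09282007101331946
32 10 * * 1,2,3,4,5 /usr/local/vscanx/VShieldScheduleLauncher -i 09282007101331946 >/dev/null 2>&1
SHELL=/bin/sh
0 17 * * 5 "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 1 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf -liveupdatequiet YES -liveupdateautoquit YES"
@reboot /usr/local/bin/example-task
EOF
}

# On a live system, keep a copy of the table before editing anything:
#   sudo crontab -l | tee "$HOME/root-crontab.bak" | cron_jobs
sample_crontab | cron_jobs
```

Any executable in the output that you do not recognise can then be removed individually with sudo crontab -e, leaving the antivirus update jobs in place.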