How to Remove the OSX.RSPlug.A Trojan Horse from your Mac


So far the only malicious software known to infect Macintosh computers is OSX.RSPlug.A, a rather insidious Trojan Horse. It's not exactly a virus, since it doesn't replicate itself, but it can cause some damage. The only way to get this malware on your computer is to download and install it and enter your administrator password.

This malware has been distributed by a video of a certain less-than-sane celebrity. As people have downloaded this video, they've received a message saying they don't have the proper codec to view it, and they're offered the "proper" codec as a download. When the "codec" is installed, it asks for your administrator password which gives it the permissions to run wild on your system.

The Trojan changes DNS information that re-routes all your web traffic to pornography and phishing sites. If you happen to know how to fix this and do, the Trojan Horse will change the DNS information back so your web surfing will still be compromised.

Here's how to identify if you have the Trojan, and what to do to remove it both with Virus Barrier and manually (if you're brave).

    Difficulty:
    Moderately Challenging

    Instructions

    Things You'll Need

    • Apple Computer running Mac OS X (10.4 +)
    • Virus Barrier or other Anti-Virus Software (highly recommended)
    1. Update and run your anti-virus software. This is the preferred method to remove the Trojan Horse and repair the damage caused by the malware. If you choose not to use AV software, continue, but be very cautious.

    2. Go to your root "Library" folder. Click on your Hard Drive icon in the Finder and select the "Library" folder.

    3. Navigate to the "Internet Plug-Ins" folder.

    4. See if there's a "plugins.settings" file in this folder. If that file is not in this folder, you're not infected.

    5. Delete "plugins.settings". Either drag it to the Trash on your Dock or hit the Command key and Delete at the same time.

    6. Empty your Trash. Right-click or Control-click the Trash icon on the Dock and select "Empty Trash".

    7. Open "Terminal" (Applications > Utilities).

    8. Type in "sudo crontab -l" (the letter L, and minus the quotes), hit Return, and enter your administrator password when asked. If it returns anything other than "crontab: no crontab for root", you are most likely infected.

    9. Type in "sudo crontab -r" (minus the quotes) and enter your administrator password. This will remove the scheduled "cron" job that modifies your Mac's DNS information.

    10. Re-type "sudo crontab -l" (the letter L, minus the quotes) to make sure that the delete process worked. If it did, you should see "crontab: no crontab for root".

    11. Type "exit" (minus the quotes) in Terminal.

    12. Restart your computer. Your Mac should now be clean!

    Tips & Warnings

    • Do not download anything from untrusted sources. This is the best protection against viruses and other malware for any computer, including Macs.

    • Be careful with the Terminal. If you're not familiar with it, make sure you pay attention to what you're typing and double-check before you hit the Return key.

    • Symantec and McAfee's Anti-virus programs as well as other legitimate software may schedule cron jobs. Following the Manual Removal steps will remove these legitimate cron jobs too. If you have an anti-virus program installed, use it first before attempting a manual removal.
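
As an added example (not part of the original article), the checks from steps 4 and 8 can be run in a way that saves the root crontab first and drops only the suspect entry, so legitimate cron jobs survive. It assumes the Trojan's cron entry references the plugins.settings file; the function names, output file names and sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example: non-destructive check for the two indicators in the steps
# above. Assumption: the Trojan's cron entry references plugins.settings.

INDICATOR="Library/Internet Plug-Ins/plugins.settings"

# has_indicator ROOT: succeeds if the file exists under ROOT ("/" on a live Mac).
has_indicator() {
    [ -e "${1%/}/$INDICATOR" ]
}

# suspicious_entries FILE: print active (non-comment) crontab lines that
# reference the indicator file.
suspicious_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -F -- "plugins.settings" || true
}

# cleaned_crontab FILE: print FILE without those lines; other jobs are kept.
cleaned_crontab() {
    grep -v -F -- "plugins.settings" "$1" || true
}

# demo: run the checks on a constructed root and crontab; prints kept job count.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/Library/Internet Plug-Ins"
    : > "$d/$INDICATOR"
    # Constructed sample: one legitimate job, one entry invented for this demo.
    printf '%s\n' \
        '0 3 * * * /usr/local/bin/av-update' \
        '* * * * * "/Library/Internet Plug-Ins/plugins.settings" >/dev/null 2>&1' \
        > "$d/root.crontab"
    has_indicator "$d" && echo "indicator file present" >&2
    suspicious_entries "$d/root.crontab" >&2
    cleaned_crontab "$d/root.crontab" | wc -l | tr -d ' '
    rm -rf "$d"
}

# Live use: sh rsplug_check.sh --live  (backs up before anything is changed)
if [ "${1:-}" = "--live" ]; then
    has_indicator / && echo "plugins.settings found in /Library/Internet Plug-Ins"
    sudo crontab -l > "$HOME/root.crontab.bak" || exit 0   # no crontab for root
    suspicious_entries "$HOME/root.crontab.bak"
    cleaned_crontab "$HOME/root.crontab.bak" > "$HOME/root.crontab.new"
    echo "Review ~/root.crontab.new, then install: sudo crontab ~/root.crontab.new"
fi
```

If the listing shows an entry that does not match the assumed pattern, read it before deciding; the backup in root.crontab.bak lets you restore any job removed by mistake.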

    Resources

    • Photo Credit J. Gabriel, http://www.sxc.hu/profile/starfish75

    Comments

    • wwcan Jul 06, 2009
      Thanks Alexia. I also removed it via Terminal. Your instructions are great.
    • TallT Sep 17, 2008
      I ran into the same situation as dennispeeters, regarding the Quicktime Plugin appearance after the terminal command. But what confuses me and hasn't permitted me to cure my Mac is that I get the question: remove crontab for root? (with a question mark) And I don't know how to respond to that! I tried typing "yes", and tried typing "sudo crontab -1" and "-r", but no good results, and never have I seen the message that shows that the problem has been resolved; i.e., "crontab: no crontab for root". Thanks, Terry
    • emilythestrange Jul 09, 2008
      Thanks very much for this tip. I removed the trojan manually via the terminal and am no longer getting redirected from the google search results page, which was extremely annoying... Cheers!
