OSX.RSPlug.A Removal Guide

Do you know what OSX.RSPlug.A is?

OSX.RSPlug.A is a new variant of the Zlob Trojan which now affects Mac OS computers. OSX.RSPlug.A has its own Zlob DNS changer built into the parasite. This allows OSX.RSPlug.A to change your computer's DNS settings, which in turn allows outsiders to hijack your system. OSX.RSPlug.A may redirect you to web sites and manipulate your search results to show hacker-controlled sites. The DNS settings on your system tell the computer which IP address to connect to for a given host name. With OSX.RSPlug.A potentially changing the DNS settings, it can point your system at a hacker's servers and give them full access to take your computer over.

The Mac OS X version of OSX.RSPlug.A uses the same tactics as the original RSPlug.A parasite used against Windows computers a couple of years ago. On a Mac it may be downloaded disguised as a QuickTime codec. The one layer of protection that the Mac has over Windows-based computers is that installing a codec asks for your admin password. If the password is not entered, the codec does not get installed and your chances of becoming infected with OSX.RSPlug.A are slim.

Macworld has details on how to remove OSX.RSPlug.A from your Mac OS X system.

Manual Removal of OSX.RSPlug.A

  1. Check in the Library folder for the file named plugins.settings. The location path is: /Library/Internet Plug-Ins/plugins.settings
  2. Remove the file.
  3. Removing this file will not eliminate the Trojan totally. You will need to continue to completely remove OSX.RSPlug.A.
  4. In the Finder, locate /Library > Internet Plug-Ins and then delete the file called plugins.settings.
  5. Empty the trash.
  6. In the Terminal, type in sudo crontab -r and then provide your admin password. This will delete the root job that checks on the DNS settings (note that crontab -r removes root's entire crontab, not just the Trojan's entry, so review it with sudo crontab -l first if you have legitimate root jobs).
  7. Open the Network System Preferences panel. Go to the DNS Server box and copy the entries.
  8. Paste or re-type the same values in the box.
  9. Click Apply.
  10. Reboot your computer.
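The three things the procedure above touches (the dropped plugins.settings file, root's crontab, and the DNS server list) are also the three things worth re-checking after the reboot. The script below is an added example, not part of the Macworld guide or the original post: it provides one check for each, reading its input from stdin so it can run on constructed sample data anywhere. The live-input commands in the comments (networksetup -getdnsservers, sudo crontab -l) are the assumed way to feed in real data on the affected Mac, and the resolver addresses and cron job path in the demo are constructed values, not indicators of the Trojan.

```shell
#!/bin/sh
# Added post-cleanup audit helpers for the OSX.RSPlug.A removal procedure.
# Not part of the Macworld guide; live-input commands in comments are
# assumptions about how an admin would feed real data in, and every sample
# value used in the demo is constructed.

# Path the guide names as the file the Trojan drops.
PLUGIN_SETTINGS="/Library/Internet Plug-Ins/plugins.settings"

# Steps 1-5 check: is the dropped file still present?
# Returns 0 when absent, 1 when present. An alternate path may be passed for testing.
check_plugin_settings() {
    path="${1:-$PLUGIN_SETTINGS}"
    if [ -e "$path" ]; then
        echo "FOUND: $path (the guide says to delete this file)"
        return 1
    fi
    echo "ok: $path is not present"
    return 0
}

# Step 6 check: list the active (non-comment, non-blank) lines of a crontab
# read from stdin, so you can see what 'sudo crontab -r' would wipe.
# Returns the number of active lines.
# Live input (assumption): sudo crontab -l 2>/dev/null | active_cron_entries
active_cron_entries() {
    count=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in
            '#'*) continue ;;
        esac
        echo "ACTIVE CRON: $line"
        count=$((count + 1))
    done
    return "$count"
}

# Steps 7-10 check: compare resolver addresses read from stdin (one per line)
# with a space-separated allowlist of the resolvers you expect (your router
# or ISP). Prints each entry not on the allowlist and returns how many there were.
# Live input (assumption): networksetup -getdnsservers Wi-Fi | find_unexpected_dns "192.168.1.1"
find_unexpected_dns() {
    allow="$1"
    bad=0
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        case " $allow " in
            *" $ip "*) echo "ok: $ip" ;;
            *) echo "UNEXPECTED DNS: $ip"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Demo on constructed samples so the script runs anywhere; swap in the live
# commands from the comments above on the affected Mac.
demo() {
    echo "--- dropped file ---"
    check_plugin_settings || true
    echo "--- root crontab (constructed sample) ---"
    printf '# constructed sample crontab\n\n*/5 * * * * /tmp/constructed_job.sh\n' \
        | active_cron_entries || echo "=> $? active job(s) would be removed by 'sudo crontab -r'"
    echo "--- DNS servers (constructed sample; 203.0.113.5 stands in for a rogue resolver) ---"
    printf '192.168.1.1\n203.0.113.5\n' \
        | find_unexpected_dns "192.168.1.1 8.8.8.8" || echo "=> $? resolver(s) not on your allowlist"
    return 0
}
demo
```

The allowlist is deliberately something you supply by hand (the addresses your router or ISP hands out), because the point of a DNS changer is that the list the system shows you is exactly what cannot be trusted; any address you do not recognise is worth looking up before you accept it.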

  • eric

    These directions are pretty good but incomplete. I used MacScan for steps 1-4, followed steps 5-11 above but still had a problem. Here are steps 11-13:

    11. After rebooting, go back into Network System Preferences - DNS Server box. You'll see that the problematic dimmed IP addresses no longer exist, but the same problematic IP addresses entered in step 7 (which are the same as the removed dimmed IP addresses) still exist.

    12. Remove the IP addresses added in step 7.

    13. Reboot - problem should be solved.