type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings

...as well as any other, potentially legitimate, root cron jobs. Granted, most programs use other methods for scheduling (LaunchDaemons or the like), and the default OS X install has no root crontab, but this is still a potential issue that one should be aware of. For most people though, this command should be safe.

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD

[ Reply to This | # ]

poor info. in the moment it looks like the firewall panic.

Note: if you are using a router the DNS servers are dimmed out, too.

[ Reply to This | # ]

We adjusted the article to clarify the gray DNS entries, as well as add a simpler method of detecting the malware.

As for root crontabs, I have yet to find a program that installs any on its own. Yes, experienced macosxhints readers may have them installed, but they will have put them there themselves.

For other "typical" OS X users, though, the root crontab is going to be empty. For the audience, I feel it's the best advice -- there really shouldn't be any root crontabs running on a system that the user didn't place there themselves.

If someone can provide a real-world example of a third-party app that installs its own root crontab, I would like to know about it -- and no, geeky Unix utilities and the like don't count. :)

-rob.

[ Reply to This | # ]

Yeah, agreed. And ruling out geeky unix type things, I can't say I know of anything that does use the crontab. I just thought it might be worth pointing out that you are actually deleting everything :)

---
Aluminum iMac 20" 2.4 GHz/3GB/300GB HD

[ Reply to This | # ]

Intel iMac, Mac OS X 10.4.10 - McAfee VirusScan v8.5 (formerly known as Virex).

I have the "VirusScan Schedule Editor" component set to do a DAT eUpdate every working day (I work for a university). Your "sudo crontab -l" produces the following output:

# Virex Schedule Editor Task 09282007101331946
32 10 * * 1,2,3,4,5 /usr/local/vscanx/VShieldScheduleLauncher -i 09282007101331946 >/dev/null 2>&1

Although I'm actually in IT support, I hadn't specifically known that it used cron to achieve its results.

[ Reply to This | # ]

Symantec Antivirus 10 (Corporate Edition) installs this root crontab:

#SqzS VERSION = 1.0.0
#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED
#PLEASE DO NOT EDIT.
# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=2
0 17 * * 5 "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 1 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf -liveupdatequiet YES -liveupdateautoquit YES"
#SqzS END SYMANTEC CRON ENTRIES

[ Reply to This | # ]