
How to Detect and Remove the Mac Trojan or 'Codec' Trojan

A reader has requested some information on how to remove the 'Codec' Trojan if you already have it installed. The easiest way is to install Intego's VirusBarrier and make sure your virus definitions are up to date. You can, however, do it yourself using the Terminal.

This info is from MacWorld and fully tested:
1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.
2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message “crontab: no crontab for root.”
3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply.
4. Reboot your Mac.

After you reboot, you can confirm you’re free of the trojan horse (in OS X 10.5) by opening the Advanced pane of the Network System Preferences panel and looking at the DNS tab—you shouldn’t see any gray entries. In Tiger, to really prove that you’re free of the infestation, use the scutil command detailed above, as that’s the only way to see all the DNS Servers your machine knows about.
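A post-cleanup check for the steps above, added here as an example and not taken from the original article or from Macworld. The function names, the root-directory argument and the sample inputs are assumptions made for illustration; the DNS check assumes a resolver listing in the `nameserver[N] : address` form printed by `scutil --dns`, which may not be the scutil command the article refers to.

```shell
#!/bin/sh
# Added example: verifies the cleanup steps above. Names and samples are illustrative.
PLUGIN_REL="Library/Internet Plug-Ins/plugins.settings"

# Step 1: the tool that sets the rogue DNS servers must be gone.
# $1 = volume root (default /). Prints the path and returns 1 if the file remains.
check_plugin() {
    root="${1:-/}"
    path="${root%/}/$PLUGIN_REL"
    if [ -e "$path" ]; then
        echo "FOUND: $path"
        return 1
    fi
    return 0
}

# Step 2: root should have no cron jobs left. $1 = output of `sudo crontab -l`.
# Comments, blank lines and the "no crontab" message are ignored.
check_root_cron() {
    entries=$(printf '%s\n' "$1" | grep -v -e '^[[:space:]]*#' \
        -e '^[[:space:]]*$' -e '^crontab: no crontab for' || true)
    if [ -n "$entries" ]; then
        printf 'CRON: %s\n' "$entries"
        return 1
    fi
    return 0
}

# Step 3 and the final check: print resolvers that you did not enter yourself.
# $1 = space-separated servers you typed in, $2 = resolver listing text.
unexpected_dns() {
    printf '%s\n' "$2" |
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*][[:space:]]*:[[:space:]]*//p' |
    sort -u | while read -r ip; do
        case " $1 " in
            *" $ip "*) ;;
            *) echo "$ip" ;;
        esac
    done
}

# Constructed sample input (documentation-range addresses, not real indicators).
SAMPLE_CRON='* * * * * /path/to/job'
SAMPLE_DNS='resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 203.0.113.7'

check_root_cron "$SAMPLE_CRON" || echo "root crontab is not empty"
unexpected_dns "192.0.2.53" "$SAMPLE_DNS"
```

On a live system, call `check_plugin /` and `check_root_cron "$(sudo crontab -l 2>&1)"`, and pass the DNS servers you retyped in step 3 as the first argument to `unexpected_dns`.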

As a footnote, Mac OS X security works just fine. This Trojan actually asks you to install it using your own username and password. This doesn't mean that Mac OS X security doesn't work; it proves that it does. Be careful of what you install and be sure your software comes from trusted sources, not porn sites :-)

