May 9, 2011 9:30 AM (in response to john288)
You may have a trojan called Mac Defender / Protector / Security
Check your Downloads folder and apps folder to see if it is there. If you do not find it
- go to Safari, Preferences, General, deselect - open all safe downloads (may not be exact wording)
If you find it go to DO NOT SIGN UP or GIVE CREDIT CARD INFO....
Go to Activity Monitor in Utilities - quit the program.
Trash it from Downloads, app folder, remove from Login Items in Accounts (Sys. Pref)
Boot into safe mode - hold the option key down when you restart the Mac
Look at these locations to see if it remains.... If found, try removing them again
Uncheck the Safari pref as above
I advise getting security software or waiting for Apple to come up with a security fix
May 9, 2011 7:48 PM (in response to ronaldz)
John288's post is advice to other posters on getting rid of the app.
He is not looking for further help, I think.
May 10, 2011 9:03 PM (in response to john288)
3. System Preferences > Accounts > Login Items for MACDefender (or other names) items.
The name of the preference file for MacDefender was "com.alppe.spav.plist".
4. Check the downloads for any related items to MACDefender (or other names).
The download file for was called either "BestMacAntivirus2011.mpkg.zip" or "anti-malware.zip". The installer packages are "MacDefender.mpkg", "MacSecurity.mpkg" or "MacProtector.mpkg".
These files, along with the Application itself, are the only ones that have been identified to date associated with this Trojan.
May 11, 2011 6:09 AM (in response to john288)
My girlfriend has this malware and we cannot do anything about it. It has crippled the Mac and we cannot open Finder or the Applications folder. Help!
May 15, 2011 12:07 PM (in response to john288)
Thanks, john288! I've rid myself of MacDefender, the **** popups have gone away, and ClamXav is now scanning my system. Whew! No more downloading anything for me unless I've checked the discussions first.
May 15, 2011 1:14 PM (in response to john288)
There are different variants of names for this malware but the steps of removal should be the same unless it has advanced.
Oh, my god, someone who "skates to where the buck is going to be"!
Good job there John! You're absolutely correct.
To be a bit more thorough in one's eradication efforts, one should assume that ANY malware or installer that's malicious that one gave their Admin password to has done everything imaginable to their machine.
The reason for that is that malware does advance! Others alter it to make it more lethal knowing the half applied measures are going to be applied.
Note: If you didn't give this (or any malware) your admin password then you should be safe with just the simple delete methods.
The only sure fire method is to return the machine to as close to factory conditions as possible and then update.
1: Backing up of files manually (not Time Machine as it's infected as well) Turn off any router, disconnect from networks.
2: Hold c and boot off the OS X installer disk that came with your computer (or the latest OS disk you're using)
3: Select Disk Utility > Your boot drive > Erase > Security Option Zero > Format HFS+ Journaled and let it rip for hour or so. (all data will be destroyed!)
4: Quit > Install OS X fresh and Software Update via your modem connection with an Ethernet cable (not the router if possible as it can be infected and the DNS changed)
5: Install programs from fresh sources, manually reset your router (flash the firmware if possible), set all new passwords and SSIDs. If your ISP will change the IP address you should do that too.
6: Once this is done, use a brand new external drive (formatted HFS+ Journaled) and use the free Carbon Copy Cloner to clone this pristine OS X version to the external drive. CCC makes the external drive hold option bootable, test it out and Disk Utility repair permissions on both. Once you're happy, disconnect this external drive and only hook it up to a Mac to clone again. If you get infected, c boot off the installer disk and Disk Utility Zero the hard drive again before hooking up the clone or the clone will get infected. Again, don't hook up a clone to an infected Mac, boot from the installer disk and Erase the drive first.
7: Install an anti-malware program of some sort (not Norton) that you can scan files with and scan all outside media that was in contact with the infected machine, return files you have deemed safe.
8: If you have TimeMachine, simply reformat the drive with Zero Erase procedures and then start over with new TM again.
My above steps are a considerable amount of work, you are rebuilding your drive of everything you use, sorry, that's the pain for giving malware your Admin password.
If it's too hard for you, perhaps you should have a professional look at doing it for you.
Malware is rare on a Mac, it doesn't occur often. Better be safe than sorry for the next 5-7 years until you buy a new Mac.
Remember all the personal data, banking sites, passwords and files you have on your computer, decide if it's worth risking or not.
May 15, 2011 2:21 PM (in response to ds store)
Why not put your post in a new discussion the way John288 did with his instructions on removing MacDefender et al.? That way people will be able to find directions on how to completely get rid of any malware where they've disclosed their admin password.
I know I look like a brand spankin' new user but for some reason my post count got zeroed out since I was here last. I only make the comment because I've seen it made on other forums where new subject info was posted onto a related thread.
May 15, 2011 2:36 PM (in response to ds store)
You know, sometimes, the cure is much worse than the -- in this case -- completely hypothetical disease. You do realize, I hope, you may be giving people a really big headache, especially if there are registration keys involved and limits on the number of installs, or if people screw up doing a complete reinstall without a backup and lose data, by following your advice.
And since all this possible grief you may be causing is probably for nothing, why don't you consider giving this advice if and when it becomes clear it's necessary?
This is not the first Trojan to complete by getting an admin password.
May 15, 2011 3:15 PM (in response to WZZZ)
I do have to say that so far John288's instructions have fixed the unthinking install that was 'bugging' my iMac. But today I also did stuff like locking all preferences screens to make it less likely that I'll unthinkingly change settings and install Firefox add-ons to protect me from myself by requiring more steps before doing what I did this morning. I also installed a donation-ware virus & trojan scanning program and strengthened the computer's security settings (including activating my firewall, which was apparently off by default).
Anyhow, I've run without such things with no problem for a long time; this was the first time I was silly enough not to think twice before typing my password. I'd follow ds store's advice in a heartbeat if things blew up.
May 15, 2011 4:38 PM (in response to litterbuggy)
Why not put your post in a new discussion the way John288 did with his instructions on removing MacDefender et al.?
Perhaps because he tried to do that here Mac Malware/poisoned images where almost nobody agreed with his advice or the theories it was based on, so he's decided to spread his gospel in a different manner. I'm trying to keep an open mind on it, but it's getting more difficult.
May 15, 2011 4:50 PM (in response to MadMacs0)
Oh. I'd been reading related threads but I guess I didn't notice that in my search results.
May 15, 2011 6:45 PM (in response to john288)
I tried these but the malware is still there, it will not allow me to delete because it says it is open?
May 15, 2011 6:56 PM (in response to litterbuggy)
...why don't you consider giving this advice if and when it becomes clear it's necessary?
Because ISPs will cut infected machines off the Internet. (actually the entire IP address)
May 15, 2011 7:05 PM (in response to aautumn)
Hold the Apple and the space bar to get Spotlight in the upper right hand corner and type "Activity Monitor" and launch it by pressing enter.
Now select All processes
Use the search field in Activity Monitor to search for MacDefender (or whatever it's calling itself now)
Click on the process and Force Quit it.
Quit Activity Monitor.
Drag the MacDefender program (installed in the Applications folder by default) to the Trash. Empty the Trash.
Remove MacDefender from the Login Items for your Account in the OS X System Preferences (if it exists).
Copy my instructions in my first post on this thread in case you need to rebuild your computer if this thing got worse than it's appearing.
I really advise a complete OS X reinstall if you can get around to doing it, just to be sure. This malware has changed 2 times in a week already.
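An added example, not part of any post in this thread: a read-only shell check for the file names listed in the May 10 reply (downloads, installer packages, the `com.alppe.spav.plist` preference file) and for a still-running process, as in the Activity Monitor steps above. The `.app` bundle names, the directory layout and both function names are assumptions.

```sh
#!/bin/sh
# Added example: read-only sweep for the MacDefender artifacts named in the thread.
# The .app bundle names and the directory layout are assumptions.

# Download and installer names quoted in the thread.
DOWNLOAD_NAMES="BestMacAntivirus2011.mpkg.zip anti-malware.zip MacDefender.mpkg MacSecurity.mpkg MacProtector.mpkg"
# Assumed bundle names for the three product names the thread mentions.
APP_NAMES="MacDefender.app MacSecurity.app MacProtector.app"
# Preference file name quoted in the thread.
PREF_NAME="com.alppe.spav.plist"

# scan_macdefender_files USER_HOME [APPS_DIR]
# Prints one "kind<TAB>path" line per artifact found, nothing when clean.
scan_macdefender_files() {
    home_dir=$1
    apps_dir=${2:-/Applications}
    for name in $DOWNLOAD_NAMES; do
        if [ -e "$home_dir/Downloads/$name" ]; then
            printf 'download\t%s\n' "$home_dir/Downloads/$name"
        fi
    done
    for name in $APP_NAMES; do
        for dir in "$apps_dir" "$home_dir/Applications" "$home_dir/Downloads"; do
            if [ -e "$dir/$name" ]; then
                printf 'app\t%s\n' "$dir/$name"
            fi
        done
    done
    if [ -e "$home_dir/Library/Preferences/$PREF_NAME" ]; then
        printf 'preference\t%s\n' "$home_dir/Library/Preferences/$PREF_NAME"
    fi
    return 0
}

# match_macdefender_procs: reads "PID COMMAND" lines on stdin and prints the
# ones whose command contains one of the product names (case-insensitive).
match_macdefender_procs() {
    grep -iE 'mac ?(defender|security|protector)' || true
}

# Stand-alone use: current user's home plus the live process list.
scan_macdefender_files "${HOME:-/}"
ps -A -o pid=,comm= 2>/dev/null | match_macdefender_procs
```

The script only reports; it deletes nothing and does not inspect Login Items.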