Mac Defender

This is nothing to do with Apple. The trojan is seeded into apparently legitimate files and the results of Google searches manipulated to get the rogue site(s) near top billing. Google Images seems to be the main source at the moment, but there will be others. Clicking on the image (or pdf or whatever) runs a javaScript which throws up the dialogue and redirects the browser to **** sites.

Using Firefox with NoScript extension is one way to avoid even seeing it.

I repeat; this is a web-based social engineering exploit, NOT an OS fault.

FYI, the name of this has changed to MacProtector and as an inexperienced Mac user, I got sucked in too. It ran a scan and started saying I had multiple viruses. Then windows started popping up with all kinds of *********** (which has never been accessed by my computer). The directions for getting rid of it were very clear on this site and seem to have done the trick. Thanks so much for your advice.

1)Trash Caches from User Library

2)Trash Cookies from User Library

3)Trash Caches from Hard Drive Library (system library)

4)Remove login items from system preferences / accounts

5)Trash Start Up Items /System/Library/Startup Items

6)Empty the trash

7)Restart

8)Empty trash again if any files are left over

9)Trash Mac Defender from applications & downloads folder

10)Open Spotlight search / type Disk Utility / open the application & then select the Hard Drive - "Macintosh HD"

perform a Repair Disk Permissions

arun.k wrote:

1)Trash Caches from User Library

2)Trash Cookies from User Library

3)Trash Caches from Hard Drive Library (system library)

4)Remove login items from system preferences / accounts

5)Trash Start Up Items /System/Library/Startup Items

6)Empty the trash

7)Restart

8)Empty trash again if any files are left over

9)Trash Mac Defender from applications & downloads folder

10)Open Spotlight search / type Disk Utility / open the application & then select the Hard Drive - "Macintosh HD"

perform a Repair Disk Permissions

You left out #11: Spin around three times, chant "There's no place like home," & click your heels together.

Seriously, most of what you suggest has nothing to do with getting rid of this malware. Some of it won't even work without steps you have omitted, or will just slow down your Mac temporarily, or is as superfluous as my number 11.

The key things to do have been mentioned many times in recent ASC posts (check the "More Like This" list if you need help finding them). It is not a laundry list of everything anyone can think of. The only really necessary steps are to trash the application & remove the one related login item from System Preferences > your account. Preference files & other traces related to the app can do nothing more malicious that take up a tiny amount of hard drive space unless the app itself is present to execute code.

Much of that is useless. This is what you need to know.

First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, so you can remove it.

1. Drag the MacSecurity program -- or whatever it's called, MAC Defender, MacProtector (installed in the Applications folder by default) to the Trash. Empty the Trash.

2. Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).

3. Go to your Home folder Library>Preferences and Application Support (may not be one there) and search for any files with one of the above names and trash them. Empty the trash.

4. If you use Safari, go to Preferences>General and UNCHECK "Open "safe" files after downloading. Keep that unchecked.

If you paid for it, they have your credit card #. Call your credit card and dispute the charges. Also, cancel the card ASAP.

As a precaution, change your password.

Is there anything you can do if It's not showing up in the activity monitor? I can't seem to find a way that let's me force quit it.

If you didn't install it, that might explain why it's not showing up in AM, or it may be using a different name. Try Safe Boot. Instructions above.

Great guys.

Based on downloading photo's from Google maps street view got the same problem. Thanks to you all able to clean up quickly. Many thanks.

umm i dont have the activity thing. i might have deleted it. what do i do?

In order to get it to show up in Activity Monitor you have to make sure "all processes" is selected.

I would also like to point out to those new users that got bit by this, that apparently the fake scan that originally comes up on your Mac is using Windows graphics ( ie the windows displayed are in the Windows style, not Mac style ). Whenever you see Windows style graphics ( clue: the "X" to close the window appears in the Upper right of the window ) immediately close the browser and start over. Nothing will run a Windows program on your Mac unless you are using Bootcamp or a Virtual Machine ( which I doubt inexperienced users would try ). ANY time you see Windows Style graphics within a browser on a Mac it is a scam ... run away.

If you can't find Activity Monitor, check in the Utilites Folder inside the Applications Folder. If it is not there, you may want to consider re-installing OS X ... that is an almost crucial app and if you deleted that there may be other things that need replacing also.

ok what do i need to install os x

Jokerclone wrote:

ok what do i need to install os x

You need either your original grey system discs that came with your Mac or a retail copy of the installer of the OS version you use (like Leopard or Snow Leopard). Also, for the second alternative, the release date & version of the OS on the DVD must not be older than what your Mac came with.

Apple Tech Support sent me this information a few hours ago and it worked very well.

NB: Make sure you clean out your 'trash' afterwards. I used "CleanMyMac" to do this safely.

"The Antivirus firm Intego today noted the discovery of new malware known as "MACDefender" or “MACProtector” targeting Mac OS X users via Safari. According to the report, the malware appears to be being deployed via JavaScript as a compressed ZIP file reached through Google searches.

When a user clicks on a link after performing a search on a search engine such as Google, this takes them to a web site whose page contains JavaScript that automatically downloads a file. In this case, the file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (Open "safe" files after downloading in Safari, for example), will open.

More information is available in Apple's support communities (1, 2), where users report that the malware is popping up directly in Google image searches.

Users running administrator accounts and with the Safari option to open "safe" files automatically checked appear to be most at risk, with some claiming that no notification of installation was seen or password required. Only when a screen popped up asking for a credit card number to sign up for virus protection did they realize that malware had been installed on their systems.

For those infected with the MACDefender or MACProtector malware, the following steps are recommended:

1. Open Application > Utilities > Activity Monitor and quit any processes linked to MACDefender or Mc Protector

2. Delete MACDefender from the Applications folder.

3. Check System Preferences > Accounts > Login Items for suspicious entries

“

4. Run a Spotlight search for "MACDefender" or “MACProtector to check for any associated files that might still be lingering.

Full details on the malware and the simplest steps needed for its complete removal are still being investigated.

Users are of course reminded that day-to-day system usage with standard accounts rather than administrator ones, as well as unchecking the Safari option for automatically opening "safe" files, are two of the simplest ways users can enhance their online security, adding extra layers of confirmation and passwords in the way of anything being installed on their systems."

Even easier ... just found this at Mac Update

http://www.macupdate.com/app/mac/38520/macdefenderkiller