8 Replies Latest reply: May 7, 2011 9:23 PM by bexrobinson
LMST Level 1 (0 points)

I got the new Mac Security virus yesterday.  Apparently it is the "new and improved" Mac Defender.  I have followed all of the steps for removing Mac Defender as listed in other posts.  Is there anything more that I should do?  Does anyone know more about this virus?

  • WZZZ Level 6 (12,855 points)

    It's not a virus -- there are none for Macs -- it's a Trojan, which depends on "social engineering," i.e. your complicity to install it. Apparently this new version gets removed the same way the original one does.


    The new version did not change the main functionality of the code, but rather cleaned up the existing code and added small updates including the capability to send information about the infected system back to the authors of the malware, along with an updated user interface to reflect the name change.


    1. Open Activity Monitor from the Utilities folder. Make sure the drop-down menu is set to "all processes."
    2. Use the search field in Activity Monitor to search for MacSecurity.
    3. Click on the MacSecurity process. Click the "Quit Process" button. Click "Force Quit."
    4. Drag the MacSecurity program (installed in the Applications folder by default) to the Trash. Empty the Trash.
    5. Remove MacSecurity from the Login Items for your Account in the OS X System Preferences (if it exists).


  • LMST Level 1 (0 points)

    Thanks.  I did not find MacSecurity anywhere in Activity Monitor, but I did find it in Login Items, and I deleted it.  I removed it also from Downloads.  I did not find it in Startup Items, Launch Agents, or Launch Daemons.  Should I be safe now?

  • WZZZ Level 6 (12,855 points)

    Dunno. From all reports about the earlier one, MAC Defender, it is necessary to kill the process in AM first before you are able to delete any of its components. Otherwise, when you try to delete it, it gives an "in use" message. Did you use the Filter, upper right corner of AM, set to All Processes?


    You would want to trash the Application, the Login Item, also its Preference file (I believe, in your Home folder Library>Preferences, but check in HD Library>Preferences, also.) If you ran the installer -- which perhaps you didn't and explains why you were able to delete it in Login Items, but I would have thought otherwise -- there would also be a receipt in /var/db/receipts. For that, use the Finder menu Go>Go to Folder and enter /var/db/. To trash it using Move to Trash, you will be prompted for your password. Check to see if there's anything in your Home folder>Library>Application Support.


    You didn't mention deleting the Application, so I have the feeling you didn't get the full installation. Still, doesn't explain why you found it in Login Items.


    Get EasyFind and search using both names. Should show you everything.
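
Added example, not part of any post in this thread: a read-only Terminal check that looks for both names in the locations mentioned above (Applications, Downloads, Preferences, Application Support, /var/db/receipts, Startup Items, Launch Agents, Launch Daemons) and in the process list. The function names and the name spellings it matches are assumptions; the thread does not give the actual preference or receipt file names, and Login Items are still checked in System Preferences.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check for MacSecurity /
# Mac Defender leftovers. Nothing is deleted; matches are only listed.
# The spellings matched are assumptions based on the two names in the thread.

# Keep only stdin lines containing either name (case-insensitive).
match_suspect_names() {
    grep -i -E 'mac ?(security|defender)' || true
}

# Running processes whose executable matches (the Activity Monitor step).
suspect_processes() {
    ps -A -o comm= | match_suspect_names
}

# Matching files and folders in the locations the thread names.
# $1 = volume root ("" for the boot volume), $2 = home folder.
suspect_files() {
    root=${1-}
    home=${2-$HOME}
    for dir in \
        "$root/Applications" \
        "$root/Library/Preferences" \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons" \
        "$root/Library/StartupItems" \
        "$root/var/db/receipts" \
        "$home/Downloads" \
        "$home/Library/Preferences" \
        "$home/Library/Application Support" \
        "$home/Library/LaunchAgents"
    do
        [ -d "$dir" ] || continue      # skip locations that do not exist
        find "$dir" -maxdepth 2 \( -iname '*macsecurity*' \
            -o -iname '*mac security*' -o -iname '*macdefender*' \
            -o -iname '*mac defender*' \) -print 2>/dev/null || true
    done
    return 0
}

# Run both checks only when invoked as: sh check.sh --scan
if [ "${1-}" = "--scan" ]; then
    echo "Processes:"; suspect_processes
    echo "Files:";     suspect_files "" "$HOME"
fi
```

An empty list under both headings means nothing with either name was found in these locations; it does not cover files installed under a different name.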



  • LMST Level 1 (0 points)

    Thanks again.  What do I look for in "db?"  I find no MacSecurity, but perhaps it is under a different name?


    This is so weird, because I am pretty sure that I did install it - I had several copies of the installer on my Downloads.


    I also backed up my computer with Time Machine to my external hard drive after the "infection."  I was afraid that my computer would crash, so I wanted to back up.  However, now I am worried that the infection is on my external hard drive.  Any suggestions for that too?

  • WZZZ Level 6 (12,855 points)

    Why not read about it here and compare what you did to what it takes to get the full "infection." If you didn't install it with your password, then it won't appear in Receipts. Did you give your password?



  • LMST Level 1 (0 points)

    Yes, I gave my password.


    I have downloaded the free 30-day demo MacScan from SecureMac.  I have run two scans so far; deleted cookies; and I found the MacSecurity in Login Items after both scans.

  • bexrobinson Level 1 (0 points)

    Worked perfectly. Thank you!