162 Replies. Latest reply: Jun 1, 2015 5:52 PM by Kurt Lang
  • Linc Davis Level 10 (192,238 points)

    I cannot see it running at the moment. How do I know it's really gone?


    If you found the trojan and deleted it, it's gone.


    ...we have Intego VirusBarrier X6, so why didn't it get picked up?


    Because that product is worse than useless. I recommend you uninstall it. If you want anti-virus software, use ClamXav -- nothing else.

  • mim_aus Level 1 (0 points)

    lol ok thanks, will see if I can find that ClamXav in Aus. Wow, worse than useless - bummer.

  • mim_aus Level 1 (0 points)

    Surprisingly, I got that from the Apple Store - so a little disappointed!

  • William Kucharski Level 6 (14,985 points)

    If you really got it from an Apple Store, tell us which one so we can notify them.

  • g_wolfman Level 4 (1,120 points)

    Linc, not sure if Mailinator allows attachments, but I've just sent along a class dump of the MacProtector variant of the malware.


    It might be of interest to anyone who wants to try and disassemble the trojan (which, being written in Obj-C, is kind enough to mark all of its procedure entry points when disassembled).



  • Linc Davis Level 10 (192,238 points)

    Linc, not sure if Mailinator allows attachments, but I've just sent along a class dump of the MacProtector variant of the malware.


    It doesn't, but I wouldn't be able to do anything with that information anyway. Someone else, maybe.

  • g_wolfman Level 4 (1,120 points)

    I went back and checked - the file was a .txt, so it was just in-lined (nice feature in this case). Anyone interested can copy-paste it. Hopefully it will be useful to someone.



  • njmeny Level 1 (0 points)

    Same deal, here's a current shot



    Picture 4.png

  • WZZZ Level 6 (12,845 points)
    but we have Intego VirusBarrier X6, so why didn't it get picked up?

    Intego or you may not have updated its malware definitions. You can't really trust AV programs to protect you. They give people a false sense of security.


    It appears it may be "phoning home," contacting its author with some data -- no idea what -- from infected machines. I would change important passwords immediately and never use the same password for different occasions.


    How do I know it's really gone?


    I don't know which directions you followed to remove this (I'll give you mine, below), but you probably got everything; it's not that complicated to remove. You could do a full drive scan with ClamXav. They appear to be staying on top of this. But this thing keeps using different names, so don't know if that leaves holes in ClamX.



    If you gave your credit card #, contact them and dispute the charges and cancel the card ASAP.



    First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, but only temporarily, so you can remove it.


        1.    Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center (installed in the Applications folder by default) to the Trash. Empty the Trash.

        2.    Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).

        3.    Go to your Home folder Library>Preferences and Application Support (may not be anything there, but check just in case) and search for any files with one of the above names and trash them. Empty the trash.

        4.    If you use Safari, go to Preferences>General and UNCHECK "Open 'safe' files after downloading". Keep that unchecked.
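The removal steps above (stop the process, find and trash the application and its leftovers under Applications, ~/Library/Preferences and ~/Library/Application Support, check Login Items, turn off Safari's "open safe files") can be scripted. The script below is an added example written for this page; it is not code from the thread, from WZZZ, or from any AV vendor. The name list comes from the post; the extra spelling "MacDefender", the ~/Library/LaunchAgents location, and the Safari defaults key `AutoOpenSafeDownloads` are assumptions of this example, not facts stated in the thread. It only prints findings unless explicitly told to remove, and it never kills anything for you: that part is still done by hand in Activity Monitor or with `kill`.

```shell
#!/bin/sh
# Added example, not from the thread. Triage helper for the MacDefender/MacProtector
# family of fake-AV trojans discussed above.
#
#   sh macdefender_triage.sh scan     # list processes, files, login items, Safari setting
#   sh macdefender_triage.sh remove   # rm -rf everything the scan would list (no undo!)
#
# Names taken from the post; "MacDefender" is an assumed alternate spelling.
NAMES='MAC Defender
MacDefender
MacProtector
MacSecurity
MacKeeper 911
Apple Security Center'

# Running processes whose command line mentions one of the names.
# pgrep -f matches the full argument list; -l prints the name next to the PID.
find_processes() {
    printf '%s\n' "$NAMES" | while IFS= read -r n; do
        [ -n "$n" ] || continue
        pgrep -fl "$n" 2>/dev/null || true
    done
}

# Files or bundles matching a name under the locations the post names
# (Applications, Library/Preferences, Library/Application Support), plus
# Library/LaunchAgents, which is an assumption of this example.
# $1 is the root to search: "/" for the system, "$HOME" for the account.
find_artifacts() {
    root=${1%/}
    printf '%s\n' "$NAMES" | while IFS= read -r n; do
        [ -n "$n" ] || continue
        for d in "$root/Applications" "$root/Library/Preferences" \
                 "$root/Library/Application Support" "$root/Library/LaunchAgents"; do
            [ -d "$d" ] || continue
            # -iname: the trojan mixes case ("MAC Defender", "macprotector.plist")
            find "$d" -iname "*${n}*" -print 2>/dev/null || true
        done
    done | sort -u
}

# Delete what find_artifacts reports. Equivalent to "drag to Trash, empty Trash".
remove_artifacts() {
    find_artifacts "$1" | while IFS= read -r p; do
        rm -rf -- "$p"
    done
}

# Login Items for the current account (step 2 of the post). macOS only.
list_login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null || true
}

# Safari "Open 'safe' files after downloading" (step 4). Assumed key name:
# AutoOpenSafeDownloads; an unset key means the default, which is ON.
check_safari_autopen() {
    command -v defaults >/dev/null 2>&1 || return 0
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo unset)
    echo "Safari AutoOpenSafeDownloads: $v (want 0)"
}

case "${1:-}" in
    scan)
        echo "== processes ==";   find_processes
        echo "== files ==";       find_artifacts /; find_artifacts "${HOME:-}"
        echo "== login items =="; list_login_items
        echo "== safari ==";      check_safari_autopen
        ;;
    remove)
        remove_artifacts /; remove_artifacts "${HOME:-}"
        ;;
    *)
        ;;  # no argument: only define the functions
esac
```

Run `scan` first and read the list; the name match is deliberately loose (`*MacSecurity*` matches anything containing that string), so confirm each hit is the trojan before running `remove`. The script does not handle the process: under Safe Boot it is not running, and otherwise force-quit it in Activity Monitor (or `kill` the PID that `scan` prints) before removing files, exactly as the post describes.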

  • R C-R Level 6 (17,400 points)

    Linc Davis wrote:

    If you want anti-virus software, use ClamXav -- nothing else.

    If you want to use anti-virus software, you might consider Sophos Anti-Virus for Mac Home Edition as an alternative to ClamXav. It is also free, does not slow down your Mac appreciably, & comes from a respected company that provides commercial quality anti-virus software to businesses worldwide.


    Sophos is very aggressive about detecting new malware threats as soon as possible after they appear "in the wild." It maintains its own proprietary threat detection network, located in several data centers around the world, while ClamXav depends mostly on user reports. This gives it a small edge in how quickly it can publish malware definitions: often less than 24 hours pass before the AV client software is updated to detect a new threat.

  • t1to1 Level 1 (0 points)

    I just sent you an e-mail with a link I got today for the attached alert.  Thank goodness for this forum or I very well could've installed something.

    Screen shot 2011-05-10 at 2.50.42 PM.png

  • t1to1 Level 1 (0 points)

    Just to be clear, it doesn't appear that I got a link such as a pop-up or anything like that. I was on my Hotmail account and suddenly it turned into the link per my previous attached screenshot (attached again below).

    Screen shot 2011-05-10 at 2.50.42 PM.png


    I had no idea what it was or whether it was legit but proceeded to click "remove all".  It then saved some file onto my computer.  I then Googled "Apple Security Center" and got this forum which probably saved me a lot of grief.  I never installed the downloaded file.  I'm hoping that was enough to save me.  Nevertheless, I downloaded ClamXav and did a scan just in case.

  • WZZZ Level 6 (12,845 points)

    My advice is to stop using Hotmail. It's infested with spam and scammers. You are not the first to get hit with this in this manner from Hotmail.

  • ds store Level 7 (30,325 points)

    Anyone who wants to block the IP of this malware site can do it in a very easy, GUI-friendly way:


    1: Download NoobProof



    2: Start the program, give it your admin password (to NoobProof, not the trojan)


    3: Dismiss the Wizard and a window will pop up with Blacklist button on the left side, click it.


    4: On both the left and right sides, click the "+" and add:


    5: Click Ok and then in the next window click "Start Firewall"


    6: If it's already started, stop it and then start it again.



    Test: Paste into the browser URL bar and press Enter; you should get a "Cannot display the page"



    I'd thought this server would have been taken offline by now.

  • thomas_r. Level 7 (30,700 points)

    It appears it may be "phoning home," contacting its author with some data -- no idea what


    I've posted the packets that were transmitted in some experimentation with MacProtector here:


    Further analysis of MacProtector


    * Disclaimer: links to my pages may give me compensation.
