I cannot see it running at the moment. How do I know it's really gone?
If you found the trojan and deleted it, it's gone.
...we have Intego VirusBarrier X6, so why didn't it get picked up?
Because that product is worse than useless. I recommend you uninstall it. If you want anti-virus software, use ClamXav -- nothing else.
Linc, not sure if Mailinator allows attachments, but I've just sent along a class dump of the MacProtector variant of the malware.
It might be of interest to anyone who wants to try to disassemble the trojan (which, being written in Obj-C, is kind enough to mark all of its procedure entry points when disassembled).
but we have Intego VirusBarrier X6, so why didn't it get picked up?
Intego or you may not have updated its malware definitions. You can't really trust AV programs to protect you. They give people a false sense of security.
It appears it may be "phoning home," contacting its author with some data -- no idea what -- from infected machines. I would change important passwords immediately and never use the same password for different occasions.
How do I know it's really gone?
I don't know which directions you followed to remove this (I'll give you mine, below), but you probably got everything; it's not that complicated to remove. You could do a full drive scan with ClamXav. They appear to be staying on top of this. But this thing keeps using different names, so I don't know if that leaves holes in ClamXav.
If you gave your credit card #, contact them and dispute the charges and cancel the card ASAP.
First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, but only temporarily, so you can remove it.
1. Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center (installed in the Applications folder by default) to the Trash. Empty the Trash.
2. Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).
3. Go to your Home folder Library>Preferences and Application Support (may not be anything there, but check just in case) and search for any files with one of the above names and trash them. Empty the trash.
4. If you use Safari, go to Preferences>General and UNCHECK "Open 'safe' files after downloading". Keep that unchecked.
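As an added example (not posted by anyone in this thread): a small POSIX shell audit of the locations in steps 1 and 3 above, matching the names listed there. It assumes the account's home folder and /Applications are passed in as arguments, and it does not cover Login Items (step 2), which still need to be checked in System Preferences.

```shell
#!/bin/sh
# Audit the places named in the removal steps (Applications, the account's
# Library/Preferences and Library/Application Support) for anything still
# carrying one of the names the trojan has been seen using.
# Usage: scan_for_macdefender HOME_DIR APPS_DIR
# Prints each match, one per line; returns 0 when nothing was found, 1 otherwise.
scan_for_macdefender() {
    home_dir="$1"
    apps_dir="$2"
    matches=""
    for dir in "$apps_dir" "$home_dir/Library/Preferences" "$home_dir/Library/Application Support"; do
        [ -d "$dir" ] || continue
        # Case-insensitive globs with a wildcard between the words, so
        # "MAC Defender", "MacDefender.app" and "com.macdefender.plist" all match.
        hits=$(find "$dir" -maxdepth 2 \
            \( -iname '*mac*defender*' -o -iname '*mac*protector*' \
               -o -iname '*mac*keeper*911*' -o -iname '*apple*security*center*' \
               -o -iname '*mac*security*' \) -print 2>/dev/null || true)
        if [ -n "$hits" ]; then
            matches="${matches}${hits}
"
        fi
    done
    if [ -n "$matches" ]; then
        printf '%s' "$matches"
        return 1
    fi
    return 0
}

# When run directly with two paths (e.g. sh scan.sh "$HOME" /Applications),
# report on the real account; otherwise only define the function.
if [ "$#" -eq 2 ]; then
    if scan_for_macdefender "$1" "$2"; then
        echo "No leftovers found in the checked locations."
    else
        echo "Review the paths above; steps 1 and 3 of the removal instructions apply."
    fi
fi
```

A clean result here only says the listed names are absent from those folders; it is not a substitute for the ClamXav scan suggested earlier in the thread.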
Linc Davis wrote:
If you want anti-virus software, use ClamXav -- nothing else.
If you want to use anti-virus software, you might consider Sophos Anti-Virus for Mac Home Edition as an alternative to ClamXav. It is also free, does not slow down your Mac appreciably, & comes from a respected company that provides commercial quality anti-virus software to businesses worldwide.
Sophos is very aggressive about detecting new malware threats as soon as possible after they appear "in the wild." It maintains its own proprietary threat detection network, located in several data centers around the world, while ClamXav depends mostly on user reports. This gives it a small edge in how quickly it can publish malware definitions: often less than 24 hours pass before the AV client software is updated to detect a new threat.
Just to be clear, it doesn't appear that I got a link such as a pop-up or anything like that. I was on my Hotmail account and suddenly it turned into the link per my previous attached screenshot (attached again below).
I had no idea what it was or whether it was legit but proceeded to click "remove all". It then saved some file onto my computer. I then Googled "Apple Security Center" and got this forum which probably saved me a lot of grief. I never installed the downloaded file. I'm hoping that was enough to save me. Nevertheless, I downloaded ClamXav and did a scan just in case.
Anyone who wants to block the IP of this malware site can do it in a very easy, GUI-friendly way:
1: Download NoobProof
2: Start the program, give it your admin password (to NoobProof, not the trojan)
3: Dismiss the Wizard and a window will pop up with Blacklist button on the left side, click it.
4: On both the left and right sides, click the "+" and add: 220.127.116.11
5: Click Ok and then in the next window click "Start Firewall"
6: If it's already started, stop it and then start it again.
Test: Paste 18.104.22.168 into the browser URL bar and press Enter; you should get a "Cannot display the page"
I'd thought this server would have been taken offline by now.
It appears it may be "phoning home," contacting its author with some data -- no idea what
I've posted the packets that were transmitted in some experimentation with MacProtector here:
* Disclaimer: links to my pages may give me compensation.