4 Replies Latest reply: May 13, 2011 9:50 PM by MadMacs0 Branched to a new discussion.
ashleighfromphiladelphia Level 1 Level 1 (0 points)

I think that there is a virus on my mac. There is a red shield in the top bar of the desktop with a exclamation point in it. It clames to be virus software and wants my credit card number. It says system infected and then dirty websites pop up. I found the file in the application folder but it wont let me delete it or put it in the trash because it says it is in use. When I try to force quite, it doesn't show up in the box to be able to quite. Does anyone have a suggestion?


iMac, Mac OS X (10.5.8)
  • WZZZ Level 6 Level 6 (12,595 points)

    http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users

     

    It's not a virus; it's Trojan, which works by trying to scare users into giving their password to install it. It can't do anything if you don't give it your password.

     

    To remove:

     

    First, restart in Safe Boot by holding the Shift key down at the chime. Or, alternatively, open Activity Monitor in Utilities, set to Active Processes, find the program and force quit it. This will keep it from running, but only temporarily, so you can remove it.

     

        1.    Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center, Apple Web Security -- it's not hard to imagine the new names it will be using in the coming days -- (installed in the Applications folder by default) to the Trash. Empty the Trash.

        2.    Remove item of same name from the Login Items for your Account in the OS X System Preferences (if it exists).

        3.    Go to your Home folder Library>Preferences and, if you find it, delete com.alppe.spav.plist. Look also in Application Support (may not be anything there, but check just in case) and search for any files with one of the above names and trash them. Empty the trash.

        4.    If you use Safari, go to Preferences>General and UNCHECK "Open "safe" files after downloading. Keep that unchecked.

     

    If you paid for it, they have your credit card #. Call your credit card and dispute the charges. Also, cancel the card ASAP.

     

    As a precaution, change your password.

  • MadMacs0 Level 5 Level 5 (4,320 points)

    WZZZ wrote:

     

    Drag the MacSecurity program -- or whatever it's called; it keeps using different names -- MAC Defender, MacProtector, MacKeeper 911, Apple Security Center, Apple Web Security -- it's not hard to imagine the new names it will be using in the coming days -- (installed in the Applications folder by default) to the Trash. Empty the Trash.

    There is legitimate commercial software named MacKeeper which is self described as "like 911 for your Mac", although it does use some questionable advertising tactics.  Are you aware of a new version of the application with this name?  I did see reference today to a fourth version, but I can't seem to find any details, let alone get a copy.  I am aware that Apple Security Center and Apple Web Security are among the labels being used for the pop-up site which then downloads the Trojan installer zip.

  • WZZZ Level 6 Level 6 (12,595 points)

    There have been so many posts on this now, I can't remember where I saw this thing appearing with that name. But, I'm fairly certain it was the scam one the poster was talking about. I suppose if you search with site:discussions.apple.com, it'll turn up.

  • MadMacs0 Level 5 Level 5 (4,320 points)

    Thanks.  Gave me pretty close to the same results as the form search did.  About three instances dating back to Apr 30 and would seem to be the popup window click on me button.

     

    Just trying to see if there is any truth to a fourth version.