Identifying and removing MacDefender trojans

Published May 7th, 2011 at 2:08 PM EST, modified March 5th, 2013 at 2:21 PM EST

[Edited Thursday, May 26, 9:20 PM]

A lot of people are being affected by MacDefender, or one of the variants of MacDefender (MacSecurity, MacProtector and MacGuard, at this time, possibly more in the future).  As a result, I’m getting a lot of questions from people about how to tell if they’re infected, how to get rid of the trojan and what else they need to worry about.  Hopefully, I will answer all those questions and more here.  For those unfamiliar with these trojans, see my previous MacDefender news posts.

First, people need to be aware of how this software gets on their computers.  Often, the infection appears to come from Google Images, but more generally, it can come from any site on which a hacker has managed to get their custom JavaScript to run.  When you visit a page that you believe is perfectly fine, a malicious JavaScript runs that redirects you to a malicious site.  These malicious sites are changing day-by-day, so there’s no real way of creating a filter that will block them.

When you reach the malicious site, you will see a fake anti-virus message saying that your machine is infected with viruses.  What you see may match what is described in my post MacDefender in action, or it may match what is described in New MacDefender variant: MacSecurity, or it’s possible the scammers will come up with yet another look.  In any case, a result of visiting the site, often without the need to click on anything, is that a file will be downloaded to your hard drive.  This file may be named BestMacAntivirus2011.mpkg.zip or anti-malware.zip, or it may have a new name tomorrow.  Keeping your Downloads folder clean will be the easiest way to identify a new, suspicious item.

Depending on what browser you’re using and what the settings are, this file might be automatically unzipped.  The .zip file contains an installer package with the same name as the trojan variant (MacDefender, MacSecurity or MacProtector) and the extension .mpkg, except in the case of MacGuard, whose installer is named “avSetup.pkg”.  This package may open automatically in Apple’s installer.  Since that makes it look very official, many people are confusing it with a software update.

Whether you manually run the installer or it opens on its own, nothing can happen from this point unless you click Continue.  At this point, if you just quit the installer and throw away the .mpkg file, you’re perfectly safe.  No need to worry any further.

If you proceed with the installation, providing your administrative password when asked, then the application will be installed in your Applications folder, opened automatically and added to your login items so it will open again every time you log in.  The application looks like the screenshot at the top of this post.  (All the variants of this trojan currently have the same icon, just different names.)

When the trojan runs, you will see a window that looks like the following, and will receive warnings that you have a virus.  You will also be prompted to register the program, which will ultimately involve giving the scammers your credit card number.  Under no circumstances should you register this program! However, if you already did, you will need to immediately grab the phone and cancel your credit card.  Follow the rest of these instructions only once you have dealt with that issue, and do not wait to deal with the credit card!

The first thing you need to do at this point is close the Scan window to get it out of your way.  It will float above all other windows, so the next few steps will be more difficult without getting rid of that window first.  Needless to say, you should not worry about what the window is telling you…  they’re just trying to scare you into giving them your credit card number.

Next, open Activity Monitor (found in /Applications/Utilities).

Find MacDefender (or MacSecurity, or MacProtector, or MacGuard, or whatever it’s called tomorrow) in the list, select it and click the Quit Process button.  (Note that the item shown below it in the screenshot above, “mdworker,” is a normal part of your system and not related to MacDefender!)  When you click Quit, you will see:

Although you can choose to click Force Quit, that is not necessary.  Just click Quit.

Now that you have quit the application, it’s time to remove it from your system.  First, open System Preferences (found under the Apple menu at the top left corner of the screen, among other places) and click the Accounts icon.  You’ll see this:

Make sure that you have clicked the Login Items tab, and then select the trojan in the list and click the ‘-’ button to remove it.

Next, open your Applications folder and find the trojan.  Simply drag it to the trash.  If you are using a standard account, you will have to provide your administrative password in order to actually remove it.  Empty the trash.  (No need to securely empty.)

At this point you have fully removed the trojan.  Believe it or not, the current incarnations of MacDefender are really that easy to remove.  Unlike some nastier trojans, they do not install all kinds of nasty little processes on your machine that only an expert would ever know about, like key loggers and backdoors.  This means that, as long as you don’t actually give them your credit card number, this malware is actually somewhat safe to play with.  Not that I advise doing so… but if you do find yourself infected and didn’t register, you really don’t have anything to worry about after following these instructions.
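The checks from the steps above (running process, login item, Applications folder, Downloads folder), gathered into a read-only shell script. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes the running process carries the same name as the application. It only reports and deletes nothing.

```shell
#!/bin/sh
# Added example (not from the original post): read-only check for the
# MacDefender-family artefacts the post names.

# Variant names listed in the post; a new variant has to be added here.
VARIANTS="MacDefender MacSecurity MacProtector MacGuard"

# is_variant NAME: succeed if NAME (with or without ".app") is a known variant.
is_variant() {
    candidate=${1%.app}
    for v in $VARIANTS; do
        if [ "$candidate" = "$v" ]; then return 0; fi
    done
    return 1
}

# match_names: read one name or path per line on stdin (a process list or a
# login-item list) and print every entry whose last path component is a variant.
match_names() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}    # trim leading spaces
        line=${line%"${line##*[! ]}"}    # trim trailing spaces
        base=${line##*/}
        if is_variant "$base"; then printf '%s\n' "${base%.app}"; fi
    done
    return 0
}

# find_apps DIR: print variant application bundles present in DIR.
find_apps() {
    for name in $VARIANTS; do
        if [ -d "$1/$name.app" ]; then printf '%s\n' "$1/$name.app"; fi
    done
    return 0
}

# find_installers DIR: print files in DIR whose names match the download and
# installer names given in the post and its comments (partial downloads too).
find_installers() {
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        base=${path##*/}
        case "$base" in
            BestMacAntivirus2011.mpkg*|anti-malware.zip*|antimalware.zip*|avSetup.pkg*)
                printf '%s\n' "$path" ;;
            *.mpkg|*.mpkg.zip*)
                if is_variant "${base%%.mpkg*}"; then printf '%s\n' "$path"; fi ;;
        esac
    done
    return 0
}

# report APPS_DIR DOWNLOADS_DIR: run all four checks and print the findings.
report() {
    echo "== Running processes =="
    ps -A -o comm= | match_names
    echo "== Login items =="
    if command -v osascript >/dev/null 2>&1; then
        osascript -e 'tell application "System Events" to get the name of every login item' \
            | tr ',' '\n' | match_names
    fi
    echo "== Applications =="
    find_apps "$1"
    echo "== Downloads =="
    find_installers "$2"
}

# Only scan the real locations when running on a Mac.
if [ "$(uname -s)" = "Darwin" ]; then
    report /Applications "$HOME/Downloads"
fi
```

Since the download names change from day to day, an empty result only rules out the names listed here; looking through the Downloads folder by eye is still needed.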

Hope this helps, and good luck staying clean!

112 Comments

  • Chris says:

    I got an automatic download of antimalware.zip.download from Google Image Search.

    Norton Anti-virus doesn’t isolate or identify it as a virus.

    When I try to trash it, it replicates.

    When I try to open it, another copy is downloaded!

    I don’t see anything unusual/related in Activity Monitor.

    Any ideas?

    – Chris

    • Thomas says:

      Norton is well-known as a troublemaker on a Mac, and useless in this case as that definitely sounds like a MacDefender variant. I can’t explain what you’re seeing, though. Try closing your web browser before trying to delete the anti-malware.zip file. Also, you should consider removing Norton and using either ClamXav or Sophos Anti-Virus for Mac Home Edition, both of which can recognize all current MacDefender variants and will not cause the kinds of problems Norton is known for.

  • Chris says:

    Thomas, Thanks for the tips. In my panic over a virus infection I was hitting command-D rather than command-delete! Talk about D-umb! – Chris

  • Jamie says:

    Thank you so very much Thomas. Life saver!!

  • Archana says:

    Thanks for the comments. This happened to me. I did not install it however. Good to know the details.

  • Sie says:

    Thank you Thomas. This helped. I was getting concerned since my 11-year-old uses my Mac when she needs to do her homework.

  • Devi says:

    Wow, thank you so much! This was seriously freaking me out.

  • Helen says:

    THANK YOU – I can now breathe

  • Martin says:

    Thanks for these clear instructions. This was very helpful.

  • Kereynolds says:

    Thank you for these easy to follow instructions for removing this unwanted visitor!!

  • John says:

    Ditto on Helen’s comment – breathing is good…:0)

  • Dennis says:

    Excellent advice and clear instructions. Thanks.

  • Carl says:

    Thanks for the clear instructions! I was able to remove the trojan following your step by step instructions. This is the first time in 5 years that something like this appears on our iMac.

  • cindy says:

    WOW! Awesome instructions on how to get rid of this thing! I actually did it!
    Thanks so much!!

  • Minnesota says:

    Thank you. Very, very helpful….w/out the usual sarcasm aimed at novice users like me… by the online Apple tech geeks. One only gets more savvy through experience, not sarcasm.

  • Michele says:

    Thank you so much! I enabled this trojan and these directions were perfect. Abundant blessings!

  • Sayyeda says:

    Thank you sooo much! I almost freaked out and wrote an urgent email to my lecturer to help me out with this! LOL and I just came across this website. The screen shots were a great help. God bless you.

  • Thomas says:

    Thanks to everyone for the positive feedback! I’m glad I’ve been able to help all of you eradicate this pest!

  • per adolfsen says:

    Hi, this is Per from Denmark, sitting in China.
    I just was so stupid to go all the way through because I panicked getting this virus. Gave them credit card number. The card I blocked immediately. (My wife is working in a bank, so good for that.)
    Two questions:

    1. Can I remove the blocking of cards after getting rid of this virus? (Sure you will say no)

    2. I am very bad in computers. Cannot find the activity monitor/application utilities. Everything on my computer is in Danish. I am totally lost and desperate.

    Would be glad if you can help me out on this.

    Thanks

    Per Adolfsen

    • Thomas says:

      Per,

      1. No, once these scammers have your card number, the damage is done. Whether you remove the malware or not, it has done its job. So you’d be wise to just cancel the card and get a new one issued. I did this once with a Discover card when a weird $1 charge for World of Warcraft (which I don’t play) showed up. They were very nice, and just sent out new cards – same account, just different cards with a different number.

      2. I’m not sure what it would be called in Danish – perhaps another reader could help me out here – but it will be inside the Utilities folder, which in turn is inside the Applications folder. If you really can’t find it, just do everything else according to the directions. The only difference is you won’t be able to empty the trash. So log out, then log back in. That should take care of quitting all your apps, and since you removed it from Login Items, it won’t start back up again. Then you can empty the trash.

      Good luck!

  • Erica says:

    Thank you! I am a complete dummy when it comes to computers & you explained this perfectly! It really worked! I am going to “bookmark” your page! Thank you!

  • Lauren says:

    Never got a window or notice phishing for anything — opened my downloads folder for something else and noticed the MacDefender file. Quick search found your concise advice. Thanks, Thomas! Great job 🙂

  • Norma Cano says:

    Thank you, I was unable to find utilities under applications but I skipped that part and the force quit part and did the rest. It actually helped! It was completely gone when I restarted my laptop. Thank you so much!!!! I am so grateful. This saved me from having to pay someone to fix it. 🙂

  • Tumaini says:

    Thank you for being smart with all this stuff. I feel like I need to have a degree in computers before owning one! It’s sooo annoying.
    We just got this mac defender thingy (downloaded but not installed) and I got rid of it immediately. Thank goodness my PC has given me plenty of training in malware/spyware detection.

    QUESTION:
    As I was in Applications/Utilities I noticed that there are two “users” – ours (our computer name) and one that says “ROOT”.
    Is this a problem? Should I quit these programs, too??

    Thank you again
    Tumaini
    Los Angeles
    iMac (Safari)

    • Thomas says:

      If you saw that some processes in Activity Monitor are owned by root, that is normal. Nothing to worry about. Your system has many behind-the-scenes users that you are not normally aware of.

  • May says:

    Thank you for your instructions!

  • Apple iPad 2 in depth Review Video says:

    Great review! This is exactly the type of article that needs to be shared around the internet. Shame on the search engines for not ranking this blog post higher!

  • Dave says:

    I’ll second all the above. Clear instructions and worked great. Thanks so much!

  • tori says:

    Thank you thank you thank you. I was panicked because this was the first malware I had ever encountered on my Mac so at first I thought it was real. I even was fooled into running the “scan” for a while, then realized it was a fake. I followed your instructions and I cannot tell you how relieved I was to see that I hadn’t infected my computer. I did have to Force Quit to get rid of it though; just Quit did not work. All is well now.

  • gina says:

    Thank you soo much!!! All my life depends on proper functioning of my Mac – and I did not know what to do when MacProtector suddenly appeared tonight (May 12, 2011) – first time ever in the last 3 years.
    So clear instructions and feeling of security back again after following them. God bless you!!!

  • Tumaini says:

    Thank you sooooo much!!!
    I’ve told a lot of people about your blog.

    The MacProtector tried to get onto my computer again today. I followed the steps and everything seemed to work fine.
    I did notice, however, that like a couple of days ago, it happened after I visited Craigslist – specifically after opening an email from someone who responded to my reply.
    The email today was asking me to verify my number by clicking a CL Phone Safe, which I did not click. I deleted the email immediately and that’s when the MacProtector tried to get me.

    Question:
    Who creates these viruses and why aren’t they able to be caught?

    • Thomas says:

      Hackers are very good at hiding themselves, and these days most malware writers operate from countries where they won’t really be looked for, like Russia.

  • Richard says:

    Thank you thank you thank you, Thomas. The way this so quickly and innocently got onto my computer was shocking. I’m thankful there are people like you out there that are smart enough and kind enough to help us. This certainly had me freaked out!!

    Someone needs to create a way to backtrack and backfire some really nasty trojans right back on the creeps that send out trojans! If we can send them credit card numbers there certainly must be some way to send them nasty surprises.

  • Pierre says:

    I cannot drag and drop MacProtector to trash. What can i do to delete it ?
    I followed your instructions and everything worked until the last step.

    Thanks for your help!

    • Thomas says:

      What happens when you try dropping it in the trash? Are you using an account with administrative privileges when you do this? If not, you will need to. (Guess I probably should have mentioned that, but most people these days just use an admin account by default, even though that’s slightly less secure.)

  • artfarm says:

    When I try to drag MacProtector to trash from Applications I get the message, “this item cannot be moved to trash because it is open.” Now what?

    • Thomas says:

      You did not properly follow the earlier step of quitting the app using Activity Monitor. Go back and do that step, then you should be able to delete it. If you can’t find Activity Monitor or have other problems with quitting it, see some of the other comments.

  • William says:

    I want to take the time to really thank you. I have never had a problem like this since purchasing my macbook in 2007. I was indeed looking at some google images when “MacProtector” problem just popped up. I had a sinking feeling like when I used to have a pc. Your steps absolutely worked. I also got the CLAMXav and cleared up a couple of other minor problems. Thanks Again !

  • PanamaJon says:

    Thanks for your excellent advice. You are a life saver to this dad of innocent kids.

  • Margarite says:

    Thanks, William. You’ve calmed my fears. I really appreciate all your help. MacProtector did get itself into my Applications folder though I didn’t run the installer and therefore certainly didn’t hit Continue or give my credit card number. I was able to Trash it from the Applications folder. I didn’t find it in the Activity Monitor or in the Login items.
    Couple of questions:
    1. Should I change my password? On the Apple Support Communities site (https://discussions.apple.com/thread/3042885?start=15&tstart=0) one person said to do this.
    2. If so, do I need to do this after a “Safe” boot? Again, on the Apple Support site, they said to use a “Safe” boot. However, when I held down the Shift key after the chime, my computer wouldn’t boot.

    Can you elucidate on these queries? Thanks again!

    • Thomas says:

      Margarite, it’s not a bad idea to change passwords periodically. However, I’ve found no evidence this thing collects passwords. I’m not sure that it would be able to get at passwords in your keychain, at least not without the system asking your permission, and I’ve never seen that with any variant of this trojan. That’s not to say it couldn’t happen in the future, of course. So right now, I don’t think you need to worry about passwords, but changing them certainly can’t hurt.

      As to safe boot, that would only be needed if you absolutely could not figure out how to quit the app so you could trash it. Safe boot would do the trick if all else failed.

  • Ian says:

    I just want to thank you very much for your excellent work in helping people like me to remove this vile malware from my computer. I too was looking at some google images when the thing popped up. I followed your instructions and removed it easily – I’d been quite distraught, especially as porn webpages kept popping up on my screen. So again, thank you so very much!

  • Tommy says:

    OH MY GOSH! THANK YOU SOOO MUCH! I kept getting random windows popping up every 10 minutes about gay p*rn and stuff! It was disgusting! But you helped me get rid of it! I thought we would have to pay for an antivirus thing or have someone fix it! But you did it with no charge! All of my files are clean and safe! THANK YOU!

  • Margarite says:

    Hey, Thomas, thanks so much for getting back. I’ll remember your advice about changing passwords. And thanks again for all the help you’ve offered on this site. I’m going to explore it some more and will keep you bookmarked!

  • Bob says:

    Thanks!

  • Lindsay says:

    Thank you for this detailed post! MacProtector.mpkg auto-downloaded onto my machine last week, but I threw it out before it tried to install. Similar things have happened since then, but I manage to get the window closed before anything happens, even though it tries to stall me with an “Are you sure you want to close this window?” dialogue box.

    The weird thing is that it seems to be happening exclusively in Hotmail. Is it possible that this Trojan has become embedded in some of the banner ads on Hotmail?

    • Thomas says:

      I’ve heard quite a few reports from Hotmail users. How it’s happening, I don’t know, as I don’t use Hotmail. Does Hotmail, by any chance, display any data from one of the major search engines in its interface? If so, the search engine optimization (SEO) poisoning that has been affecting search engines is probably creeping through there. If not, the authors have probably found a way to get malicious JavaScript into some ads displayed on Hotmail.

  • Mark Greenly says:

    Hello,
    Just had this ‘Apple Security Center’ message pop up whilst in Google Images, it looked pretty genuine, so I clicked on the ‘Remove All’ button and it downloaded a zip file. However my Intego X5 Virus Barrier would not let it open up the installer. Looked in my downloads folder and found the zip file but no installer. I have ‘Secure Empty Trashed’ the lot and have looked in Applications, Activity Monitor, Login Items, Library>Preferences and Application Support and found no signs of anything like MACDefender, ‘Apple Security Center’ etc. I have unchecked ‘Open Safe Files’. I have run a couple of virus scans which tell me there are no viruses on my Mac. So, although the zip file downloaded to my Mac it went no further and I didn’t get any windows asking me to ‘Install the Mac Security Installer’ or anything else and I can find no obvious signs of anything untoward going on, so have I had a lucky escape and do you think my Mac is ‘safe’?

  • LA Carlson says:

    Thank you so very much for the information on getting rid of this problem. The most annoying issue is the pop ups of porn sites. When I called Best Buy Geek Squad they suggested either bring the computer in for $200 or do a system restore. They did recommend a new anti-virus called Trend Micro Smart Surf for online use. This is $40 and as a novice with computers who uses them primarily for writing I don’t know if it would be worth it or not. I bought a Mac because I was told the virus problem is a non-problem.

  • Thomas says:

    Mark: If you never ran the installer, you’re fine. Even if you had run the installer, you’d still be fine as long as you didn’t actually go to the end, hit the Install button and enter your password.

    LA: Don’t waste your money on that software. Take a look at my Mac Virus Guide, and if you still want AV software, get either ClamXav or Sophos Anti-Virus for Mac Home Edition.

  • Mark says:

    Thomas, Thanks. Mark.

  • Patty says:

    Thank you so much for the detailed explanation. Thank goodness I didn’t register it. I agree with the posting that the most annoying thing was the porn sites. Ironically, I have been very careful to avoid those so it came as a shock! Thanks again!

  • Uju says:

    Thanks so much. I got it this morning and panicked so much but this really helped. I’ll forever be grateful. I’ll try not to be fooled next time and be careful what google images I open:)

  • Parag says:

    Thank you Thomas, this was very helpful. Do you think it’s worth buying McAfee anti-virus, as previously Mac was supposed to be virus free but now we are seeing viruses against Mac too? What do you think?

    • Thomas says:

      I have no experience with McAfee, but see no reason to purchase anything. See my earlier comment regarding two excellent free AV programs.

  • shandy says:

    This happened to me today and I was so completely freaked out. The thing popped up and looked legitimate so I installed it and it was running for a while, it even got my password. I never entered my cc number. I started to get suspicious about it so I called Apple and they said it was a virus, so I found your site and followed the steps and I think I got rid of it. Since I did enter my password, am I still at risk? Should I change my passwords? Thank you so much for your help!!!

    • Thomas says:

      It can’t hurt to change your passwords, though I do not believe it is necessary once the software is removed. Note that providing your password to the installer does not actually provide the password to the malware.

  • Ann says:

    Thank you so much! The MacProtector got on my computer yesterday when I was using Google Chrome and searching Ratemyprofessors.com (not google images). I guess I won’t be checking to see what my students are saying about me anymore! The instructions were great, and I am hoping not to see the annoying porn and viagra sites anymore now. Thanks again!!

  • harris Rothfeld says:

    What is the quit process button?

  • harris Rothfeld says:

    Haha never mind, I found it. I probably couldn’t find it cause I was almost having a nervous breakdown. But your advice saved me!!!!!! Thank you so much!!!

  • Melissa Kahn says:

    Thank you so much. This worked perfectly. Great instructions and I am so relieved. I appreciate this info!

  • Ida says:

    Thank you soooo sooo much, I was so upset I was about to throw my laptop out the window. Your step by step directions were extremely helpful. Again thank you and God Bless You.

  • Guy says:

    Thomas, you are truly a blessing! Thank you soooo much for this article. Helpful does not begin to describe your instructions on how to remove this evil malware. With that said, the people that do this thing are complete cowards and wicked. I was sitting here with my wife and 7 year old daughter when all this started happening and the porn popped up. Luckily my wife covered the computer in time. With your instructions I was able to remove everything. Thank you!
    In our case the malware came through Hotmail. What is interesting is that it started happening after I clicked on an e-mail in the “Sent” folder. The exact thing happened on my Windows work computer last week (clicking on an e-mail in the “Sent” folder). Do you think we should stop using Hotmail (which would be a headache)?

  • Josh says:

    I fell for this last night and freaked out. My wife saved the day by following these instructions. My worries are that they have my phone number and home address that the software asks for. Can this come back and bite me or do they just sell this info? I canceled my credit card at that moment but the charges went through. I am talking with my cc company and the charges will most likely be reversed. I have changed my computer passwords already. My concern again is that they have my # and address. I will also be deleting my Hotmail account in the next few days once I get all the info I need from it.

    Thanks
    Not so computer savvy

  • Josh says:

    Thanks

    Next time I will pay more attention. Learn from your mistakes I guess

  • lycheeli says:

    Thanks a lot for all this information and help. I was at school working on my laptop, and you can’t imagine my horror when it started to go on adult websites (I’m a teacher, so I thought for one moment that if anybody had seen these webpages I might just get fired straight away!!).
    I was actually on Google Images when it happened, looking for a picture of a train station!!

  • Srinivas B says:

    Thank you for such an instructive post. I got this popped up on me today while reading a news article on Yahoo – the top 10 famous vegetarians. Bummer to see such low quality ads/links from Yahoo. I know not to run any installer that I didn’t download myself and was looking for info and found your article. Pretty useful information indeed.

  • Rooj says:

    Hey, my sister texted me while I was on holiday for my admin password. She finally found it and I thought nothing of it. When I booted up my Mac a few days ago I saw that “Mac protector” was running an auto search. It found nothing, and today I looked it up online as to what this is and had a minor stroke.
    I’ve deleted the program by putting it in the trash and the downloads too. It never found any viruses.
    I’m not sure it’s fully off. I’ve read most of the comments and don’t want you to repeat yourself, but will I need to wipe my hard drive and reinstall everything?! Please tell me no.
    My sister is away and I can’t even ask her now, just not sure if it’s gone.
    Thank you ever so much

  • Scott says:

    Wow I feel like an idiot for going through with the install and registration. Just freaked out after having my old PC completely wiped out from a virus and went through it. Question I have is if you did register and pay for it, does the trojan have the capability to follow your web traffic (i.e. log-in information) even after you un-install it? I cancelled my credit card and followed the uninstall instructions, but just curious if I should change all of my passwords for the sites I’ve visited since installing it? Thanks for the help, this was very useful.

  • Fred Allen says:

    Thomas, our sons accidentally installed this on my wife’s Mac last evening. We followed the instructions to remove it, but it opened again unexpectedly a few moments ago. We have “spotlighted” and identified several of the aliases used. But the problem is that we found it on the backup LACIE time-machine drive. We have done everything to remove it all from all locations but the LACIE will not allow us to change file names.

    Any suggestions on how to remove it from the backup drive?

    • Thomas says:

      To remove it from your Time Machine backup, open a Finder window to your Applications folder. Then either open Time Machine or choose Enter Time Machine from the Time Machine menu. In the “Star Wars” display, locate MacProtector (or whatever the copy you got is called). Select it, then click the gear button at the top of the window. From the menu that appears, choose Delete All Backups of “MacProtector”. Also check your Downloads folder to be sure the installer is removed from the backups.

  • Adrian says:

    Thomas, it’s only right that one takes the time to say “Thank You” for your information and replies to everyone. I myself just had this happen to me today, first time ever since owning a MacBook (2006). First thing to pop into my mind was: “Macs aren’t supposed to get viruses!!” I did install the MacProtector and entered my password but just didn’t feel right about having to purchase a program that I’ve never heard of being recommended for Macs. I decided to do a little searching before entering my credit info and I came across this info. Program removed and breathing normal again… You’re A LIFESAVER!! Thanks for all your time and wish you all the best!!!!

  • It’s good to know this (not like I hadn’t already). I’ve hated this trojan since the first day of its arrival. Thank you for making this clear to everyone! =)

  • Sandra says:

    Help! I followed your instructions and when I got to the part about deleting it, well, it wouldn’t go in the trash. I tried command delete but that didn’t work either. I don’t know what to do. Please help me.

    • Thomas says:

      See one of my earlier responses to someone else about this same issue. If that doesn’t help, let me know what happens when you try to delete it.

  • Micah Morrison says:

    Thanks so much! The creepy thing titled “Mac Defender” appeared on my MacBook earlier tonight. Your clear instructions helped me get rid of it. While I was attempting to get rid of it, it occasionally sent me gay porn! Kudos to you for your clarity and public service. Re the immediate post above, getting it into the trash, the same thing happened to me. I turned off the computer, turned it back on, and quickly dropped the little devil into the trash bin and emptied the bin. That worked. Thanks again, Thomas! I will save the post and pass it on to friends.

  • lala says:

    Frickin’ awesome! thanks so much!

  • Leah Padilla says:

    Thanks so much for this info. I almost thought about giving up on my MacBook Pro. Good thing that I searched for some answer here. It really helped remove MacDefender. It actually scanned my computer when I opened it. And said that I have a virus embedded on my computer. Will it be able to get my account info out of that scan? I did not put any credit card info but when it popped up it scanned my computer right away.
    And it was actually popping up with some embarrassing website which made me think twice about bringing it in the Apple Store (yeah, like pornography!!!). Thank you for saving me from a totally embarrassing situation.

  • Marcia says:

    It looked so authentic, I didn’t think twice. I will not open anything in the future without checking it out. Thank you for the easy instructions on deleting Mac Defender!

  • emily rose says:

    Thank you so much, this was so easy to do.:))

  • Jenla says:

    Thank you for taking the time to help folks you don’t know fix a problem you didn’t cause. You’re an inspiration. I’ll do something extra cool for someone else today. Thanks so much.

  • gjoneil says:

    My wife’s MacBook got this sneaky virus yesterday. I took a different path to get rid of it. Both of our Macs are using Carbon Copy Cloner (a great shareware program you can download off the net) and I weekly (or more often) clone our hard drives to a desktop hard drive (Iomega) that has a FireWire connection. I booted up her computer with the saved cloned & bootable partition (holding the Option button at start up gives you the option to boot from another bootable partition). I then restored the saved copy to the computer’s internal drive. Had I checked here first I could have avoided the move, but I thought I would put this up as a recommendation for other users to consider. It is a great option to save your bacon should you lose your hard drive as well.

  • Doug says:

    Thank you!
    Geez. I hate these crooks.

  • John says:

    Today it was MACGUARD. Trying to sort the honeymoon out and I got this infection. A little research and some frayed nerves later, I found your site and I can’t thank you enough. What a life saver. Thank you.

  • Aleksandra says:

    Thank you Thomas,
    I installed the Mac Protector on my husband’s Mac a few nights ago, not giving the computer’s password. Just clicking the continue button or something like that. Then I started to suspect that I did wrong. The next day the porn sites started to pop up. My husband switched off the internet. And until he found your page using the other computer we were very worried, expecting all kinds of damages. Fortunately I didn’t register the programme giving away my cc number directly onto their site. But since the programme downloaded on our computer a few days prior to actually appearing on the screen, I have a question. Is it possible that it somehow got hold of my cc numbers as I was doing some shopping via internet? I would be grateful for your answer.

    Aleksandra

    • Thomas says:

      Aleksandra, the version that I have studied does not appear to collect that kind of data. However, it is certainly possible for malware to collect form data from your browser, and it’s entirely possible there’s a variant of MacProtector I haven’t seen. (Certainly there appears to be a new variant called MacGuard now.) I would definitely keep an eye on your credit card statements. Check the activity online every day, preferably, and cancel the card immediately if anything suspicious appears.

  • Aleksandra says:

    Hello Again,

    You are very kind. Thank you very much for your prompt answer. The accounts are fine so far 🙂 But I will be checking up on them.
    The download folder screening is very good advice. We will also be paying attention to it.
    And I would like to say great thanks. You are doing a saving job on our nerves, not only on our computers :). I hope it will be counted up there :).
    Polish Aleksandra from Norway

  • Malhar says:

    Thanks a lot. Following your instructions helped a lot!

  • Andre Fernandes says:

    Thank you so much Thomas!!
    It really helps me!!

  • Ash says:

    Thanks so much for giving clear steps on removing the Mac Protector! I freaked out when I saw a virus hit my computer and the Mac Protector popped up. I thought it would be wise to purchase it and protect my MacBook Pro… little did I know, I should have researched before purchasing it. I deleted the Mac Protector from my laptop and canceled my credit card. Now I am wondering if it is recommended to buy Anti-Virus for Mac? If so, what type of anti-virus is best to purchase? I am not an expert on computers and I want to be sure my Mac is protected since it is highly required for my career.

    Hope to hear from you soon

    Thank you!

  • Andy says:

    Thank you for these clear instructions. This was very helpful!!!!

  • Joyce Keay says:

    Thank you very much for the removal instructions. According to the date on the file in the Applications folder, this was installed while my computer was at an Apple reseller’s for service!

  • sylvia says:

    I have both Mac Guard and MacKeeper on my computer now. I stupidly downloaded them.

    I followed your instructions for MacKeeper and the delete button in the final instruction is grayed out so I can’t click it.

    What do I do?

  • Violet says:

    Thank you soo soo much for these simple step by step removal instructions. Everywhere else wants you to download more software to get rid of it. Which considering that is what got us all into this mess seems counterintuitive. Thanks again!

  • Ronja Vejdegren says:

    Thank You so much! You’ve just saved my sleep! I was pretty freaked out …. !!!! Phew ….

  • kukko12 says:

    My computer also has a MacKeeper pop-up too and I accidentally clicked on it and my computer was full of red warnings right away, exactly the same as the screenshot you posted above. It asked me to register but I knew right away it was a scam. I didn’t know what to do and I panicked, so I ran to Future Shop and got it completely removed. Will my computer slow down as a result of the attack? Will it damage my computer?

  • JC says:

    Wow. What a great service you have done! I had “Apple Security Center” pop up last week after I clicked on a perfectly innocuous link to a restaurant site “recommended” from my home page, SF Gate (the newspaper site). I was stunned for a minute, then I looked at the page and I could see the logo was not Apple and I knew Apple didn’t even have that kind of service. But, I have to admit I was tempted to click “correct or remove” or whatever. I just backed out of the page and restarted my mac.

    I am annoyed that my Norton Antivirus didn’t give a peep about this. What is it about Norton? I heard from a Mac Geek that it is more harmful than good, but didn’t get the details.

    It has been said for a long time that Mac users are living in a false paradise of security because Macs only make up a tiny percent of total comp users; that the O/S is just as open a target as PCs.

    Anyway, thank you again for this really valuable and understandable advice!

  • mariame says:

    Thank you so much for the info. Aside from avsetup.pkg, is 3DVIA_pla in my downloads something to trash too? What other names do I need to remove?

    • Thomas says:

      Anything called anti-malware.zip or BestMacAntivirus.zip, or something similar, or anything with the name of one of the variants, would need to be deleted. I don’t know what the file you refer to is, but note that if there’s a file in your downloads folder and you don’t know what it is or where it came from, you should delete it. I generally recommend keeping the downloads folder empty so it’s easier to identify something weird that might show up there.

  • Maria Ferrari says:

    Thank you Thank you Thank you! I just purchased my iMac! This happened at 2:00 am.. took me till 7 to finally figure out what to do! Your instructions were amazing and too easy! Almost scary! Thank you Thank you!
    Maria

  • Carolyn says:

    Wow – thank you for the concise instructions. Now I can go to sleep!

  • Billy says:

    Thank you very much, you are a Godsend

  • Adam says:

    Thank you so very much, clear and easy to follow instructions…
    May Karma give you back what you’ve given us….
    Bless you
    xxx

  • Dick says:

    Are either OSX/FakeAV-Dl-A or OSX/FakeAV-DWN something about which I should be worried? What little I can find about them seems to indicate they’re part of the MacDefender family.

    Using Safari 3 days ago, the Apple Security Center deal popped up on my iMac, so as it looked like a ruse, I quit Safari. Scans by Sophos & ClamXav didn’t find anything. However, w/o the ASC popping up on my MBP running 10.6.7, Sophos has apparently detected OSX/FakeAV-Dl-A on 5/31 & OSX/FakeAV-DWN on 6/1 & shown them in Sophos’s Quarantine Manager.

    I followed your instructions to get rid of the MacDefender series of problems, but couldn’t find either of these in the Activity Monitor & Application folders.

    Following Sophos’s instructions, I’m not able to “Clean up threat” on that window by clicking on Action Available heading as the Clean Up doesn’t light up. Clicking on the threat sends me to a Sophos page where there’s supposed to be an Action tab which can’t be found.

    Strangely, ClamXav isn’t able to detect either of these.

  • sam says:

    Thanks so much for the clear advice – the one I just removed was called macshield.

  • Nolan says:

    Thank you so much for your help!
    I do have a question though.
    So all the processes in the Activity Monitor that have the user as “root” are normal?
    I’m just wondering because there are some process names that I try to quit, and they don’t disappear.
    Some include “mDNSResponder” and “mds”.
    Does this mean anything?

    • Thomas says:

      Nolan, those are normal processes that you should expect to see, and should not quit. Some processes are automatically re-launched if they do get “killed,” and those are two of them.
