Identifying and removing MacDefender trojans
Published May 7th, 2011 at 2:08 PM EST , modified March 5th, 2013 at 2:21 PM EST
[Edited Thursday, May 26, 9:20 PM]
A lot of people are being affected by MacDefender, or one of the variants of MacDefender (MacSecurity, MacProtector and MacGuard, at this time, possibly more in the future). As a result, I’m getting a lot of questions from people about how to tell if they’re infected, how to get rid of the trojan and what else they need to worry about. Hopefully, I will answer all those questions and more here. For those unfamiliar with these trojans, see my previous MacDefender news posts.
When you reach the malicious site, you will see a fake anti-virus message saying that your machine is infected with viruses. What you see may match what is described in my post MacDefender in action, or it may match what is described in New MacDefender variant: MacSecurity, or it’s possible the scammers will come up with yet another look. In any case, simply visiting the site, often without clicking on anything, causes a file to be downloaded to your hard drive. This file may be named BestMacAntivirus2011.mpkg.zip or anti-malware.zip, or it may have a new name tomorrow. Keeping your Downloads folder clean is the easiest way to spot a new, suspicious item.
Depending on what browser you’re using and what its settings are, this file might be unzipped automatically. The .zip file contains an installer package with the same name as the trojan variant (MacDefender, MacSecurity or MacProtector) and the extension .mpkg, except in the case of MacGuard, whose installer is named “avSetup.pkg”. This installer package may open automatically in Apple’s Installer. Since that makes it look very official, many people mistake it for a software update.
Whether you manually run the installer or it opens on its own, nothing can happen from this point unless you click Continue. At this point, if you just quit the installer and throw away the .mpkg file, you’re perfectly safe. No need to worry any further.
If you proceed with the installation, providing your administrative password when asked, then the application will be installed in your Applications folder, opened automatically and added to your login items so it will open again every time you log in. The application looks like the screenshot at the top of this post. (All the variants of this trojan currently have the same icon, just different names.)
When the trojan runs, you will see a window that looks like the following, and will receive warnings that you have a virus. You will also be prompted to register the program, which will ultimately involve giving the scammers your credit card number. Under no circumstances should you register this program! However, if you already did, you will need to immediately grab the phone and cancel your credit card. Follow the rest of these instructions only once you have dealt with that issue, and do not wait to deal with the credit card!
The first thing you need to do at this point is close the Scan window to get it out of your way. It will float above all other windows, so the next few steps will be more difficult without getting rid of that window first. Needless to say, you should not worry about what the window is telling you… they’re just trying to scare you into giving them your credit card number.
Next, open Activity Monitor (found in /Applications/Utilities).
Find MacDefender (or MacSecurity, or MacProtector, or MacGuard, or whatever it’s called tomorrow) in the list, select it and click the Quit Process button. (Note that the item shown below it in the screenshot above, “mdworker,” is a normal part of your system and not related to MacDefender!) When you click Quit, you will see:
Although you can choose to click Force Quit, that is not necessary. Just click Quit.
Now that you have quit the application, it’s time to remove it from your system. First, open System Preferences (found under the Apple menu at the top left corner of the screen, among other places) and click the Accounts icon. You’ll see this:
Make sure that you have clicked the Login Items tab, and then select the trojan in the list and click the ‘-’ button to remove it.
Next, open your Applications folder and find the trojan. Simply drag it to the trash. If you are using a standard account, you will have to provide your administrative password in order to actually remove it. Empty the trash. (No need to securely empty.)
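For readers who would rather check the same places from a Terminal before going through the steps above, here is a read-only check script. It is an added example, not part of the original post: the file, process and login-item names come from the post, while the use of ps and the System Events scripting interface via osascript is an assumption about a stock macOS system. It only reports what it finds; removal is still done by hand as described.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only check for the
# artifacts the post removes by hand. Names are taken from the post; "ps" and
# "osascript" (macOS) are assumed to exist. It reports and changes nothing.

# Does NAME look like a MacDefender-family artifact? 0 = yes, 1 = no.
# "mdworker" (a normal Spotlight process) deliberately does not match.
is_artifact() {
    case "$1" in
        MacDefender*|MacSecurity*|MacProtector*|MacGuard*) return 0 ;;
        BestMacAntivirus2011.mpkg.zip|anti-malware.zip|avSetup.pkg) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each entry of DIR whose name matches is_artifact, one per line.
find_artifacts() {
    [ -d "$1" ] || return 0
    for entry in "$1"/*; do
        if [ -e "$entry" ] && is_artifact "$(basename "$entry")"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Print names of running processes that match (what Activity Monitor shows).
running_variants() {
    command -v ps >/dev/null 2>&1 || return 0
    ps -axo comm= 2>/dev/null | while IFS= read -r comm; do
        if is_artifact "$(basename "$comm")"; then basename "$comm"; fi
    done
}

# Print login items that match (what the Accounts > Login Items tab shows).
suspicious_login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item' \
        2>/dev/null | tr ',' '\n' | sed 's/^ *//' | while IFS= read -r name; do
        if is_artifact "$name"; then printf '%s\n' "$name"; fi
    done
}

# Walk the places the post names: Downloads, Applications, processes, login items.
report() {
    for d in "$HOME/Downloads" /Applications "$HOME/Applications"; do
        find_artifacts "$d" | sed 's/^/file: /'
    done
    running_variants | sed 's/^/process: /'
    suspicious_login_items | sed 's/^/login item: /'
}
report
```

An empty report means none of the named files, processes or login items are present; a non-empty one tells you which of the steps above still apply.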
At this point you have fully removed the trojan. Believe it or not, the current incarnations of MacDefender are really that easy to remove. Unlike some nastier trojans, they do not install all kinds of nasty little processes on your machine that only an expert would ever know about, like key loggers and backdoors. This means that, as long as you don’t actually give them your credit card number, this malware is actually somewhat safe to play with. Not that I advise doing so… but if you do find yourself infected and didn’t register, you really don’t have anything to worry about after following these instructions.
Hope this helps, and good luck staying clean!