Suspicious "Mac Protector" application


thurstmw
Member Since: Sep 29, 2010
Location: BoCo
Posts: 295
Mac Specs: 13inch 2.3 i5 MBP 64gb SSD 320gb HD 8gb 1333

Quote (Originally Posted by BrianLachoreVPI):
So - my wife just brings over her work MacBook - a slow POS that doesn't have Activity Monitor or Terminal
Just wondering, how is this possible? A MacBook without Terminal or Activity Monitor?


Yes that is a grizzlycorn
BrianLachoreVPI
Member Since: Feb 24, 2011
Location: Maryland
Posts: 3,742
Mac Specs: March 2011 15" MBP 2.3GHz i7 Quad Core 8GB Ram | Mid 2011 27" iMac 3.4 GHz i7 16 GB RAM 2 TB HDD

Quote (Originally Posted by thurstmw):
Just wondering, how is this possible? A MacBook without Terminal or Activity Monitor?
I couldn't tell you. Perhaps the school IT folks thought it shouldn't be there? I don't know.
Rubi
Member Since: May 20, 2011
Posts: 1

Thanks for your post!!

I recently switched from PC to Mac hoping for a virus-free internet connection, but unfortunately I have had a terrible experience with a whole lot of graphic porn bombarding my computer, and interestingly at the same time I had Mac Protector pop up and tell me that I need to register so I can clean up the 5 viruses it said I have on my computer.

I tried to register because I assumed it was legit but it wouldn't accept my credit card details. I then realised that it was probably a scam.

I have no idea how to remove this program from my computer, or how to stop the porn from flashing onto my screen every 5 mins or so.

If anyone could offer some help I'd greatly appreciate it!!
octavedoctor
Member Since: May 21, 2011
Posts: 6

It is possible to delete even mission-critical apps such as Terminal and Activity Monitor if you enable the root user and log in as such, but it is very stupid to do so. I guess the IT people must have thought that they were protecting the user from damaging their installation by playing with tools they didn't understand.

All of the problems mentioned here could have been avoided; prevention is better than cure. Even with the "open safe files after downloading" check box ticked, MacProtector (which contains a nasty trojan payload in Archive.pax.gz) cannot install itself; the file opened is a zip which opens into a package installer. You then have to double-click on this and authenticate with your password. As far as I am aware this is the only way a virus can ever find its way on to a Mac and, despite the bleating of the Windows community that the only reason we aren't suffering as they do is because there aren't as many of us, I suspect it always will be...

A rogue image hosting site sent me no less than three copies of MacProtector by hiding the download link in a box closure button, but it's not on my computer because I didn't install it. Instead I ran ClamXav to isolate the trojan and then shredded every copy of it with PGP Shredder. Simple precautions.

My advice to non-tech-savvy Mac users is this:

1) Do not panic! At the moment there are no viruses for Macs that install themselves; you have to do it.

2) Any person or site that tells you that you must have their software because your Mac is at risk without it is just trying to sell you something. Don't trust them.

3) Don't get into the appalling habit of authenticating with your password at the drop of a hat. Authentication should be the second stage in a chain of intent which starts with you wanting to install an application which you have selected and of which you know the provenance. Think before you click.

4) Install ClamXav and run Folder Sentry on startup. Set it to watch your Downloads folder.

5) Install the Web of Trust plug-in (Safe Browsing Tool | WOT) in your browser. This will flag suspicious sites with a red icon and known safe sites with a green icon. Be sure to play your part by registering an account and rating dodgy sites yourself if you encounter them.
Slydude
Member Since: Nov 15, 2009
Location: North Louisiana, USA
Posts: 6,546
Mac Specs: 2.8 GHz MacBook Pro 10.8.3, 8 GB mem, 2.66 GHz Mac Pro - Dead, iPhone 4

@Rubi If you are still searching for removal instructions try How to remove MAC Defender malware. Two different removal methods are listed about 75% of the way down the page. The beginning of the article is a description of the problem and some safe browsing tips.

If that link proves helpful give a rep bump to CWA107. I followed his link in an earlier thread to find that method.

Sylvester Roque, Former Contributing Editor, About This Particular Macintosh

"Got Time to breathe. You got time for music." Denver Pyle as Briscoe Darling
BrianLachoreVPI
Member Since: Feb 24, 2011
Location: Maryland
Posts: 3,742
Mac Specs: March 2011 15" MBP 2.3GHz i7 Quad Core 8GB Ram | Mid 2011 27" iMac 3.4 GHz i7 16 GB RAM 2 TB HDD

Quote (Originally Posted by Rubi):
Thanks for your post!!

I recently switched from PC to Mac hoping for a virus-free internet connection, but unfortunately I have had a terrible experience with a whole lot of graphic porn bombarding my computer, and interestingly at the same time I had Mac Protector pop up and tell me that I need to register so I can clean up the 5 viruses it said I have on my computer.

I tried to register because I assumed it was legit but it wouldn't accept my credit card details. I then realised that it was probably a scam.

I have no idea how to remove this program from my computer, or how to stop the porn from flashing onto my screen every 5 mins or so.

If anyone could offer some help I'd greatly appreciate it!!
I would also recommend you cancel that credit card - and get a new one sent in its place - ASAP.
octavedoctor
Member Since: May 21, 2011
Posts: 6

There seem to be a lot of panicked people on here, so I sacrificed one of my spare Macs to do a walkthrough to show you:

1) where you are going wrong and how you are actually installing this thing in the first place;

2) how you get rid of it.

I should point out that I am not a computer boffin, coder or malware specialist, just an ordinary user with some common sense, 54 years old, and I didn't even have a computer until ten years ago, so this is not something I would expect to faze anyone of any age.

It starts when you google for something like some hot babe, in this case Claire Goose.



The image outlined in red is the offending one. Even WOT (the little green icon in the corner) says it's safe.



As soon as you click on it the URL redirects to another host which opens a fake Finder window using Java. You can tell it's fake because the layout of the sidebar won't necessarily match that of your genuine Finder. My HDD is called "iMac", but here it is called Macintosh HD, which is the default. Inexperienced users rarely bother to change this (highlight the name in Finder, then draw the pointer and you can type in a new name for your hard drive. You could call it Fido or £$%^ if you wanted to) so are easily fooled. The site immediately downloads a package installer in a zip file, opens it and starts the installer. No risk so far, but it's annoying that Safari allows unsolicited downloads from hostile URLs. Clicking continue is the first of three mistakes you will make.



Here is where things go wrong. The installer starts and looks legitimate. The inexperienced Mac user, panicked into believing that the much-vaunted Mac immunity to viruses is a myth, and convinced by the genuine-looking "Apple Security Centre" blazon, doesn't give a thought to continuing the installation.

Clicking install is your second mistake.



Your third mistake will be to enter your password into the authentication dialog box. If at any time you had thought "hang on, let me Google MacProtector and see where it comes from and whether it does what it says" and stopped the installation process, your computer would never be infected with MacProtector, but no, you enter your password without thinking and pass the point of no return. Malicious code will now be installed on your computer.



As soon as the installer has triumphantly announced that it has finished, MacProtector will attempt to connect to the following URL: 95.64.55.5. God only knows what information it will be sending back. Fortunately my network filter Little Snitch has stopped it and is asking me whether I want it to connect. You don't have Little Snitch? Why not…?

Of course you will unthinkingly click "allow" instead of deny anyway, because you have no concept of basic web security, and why should you? You have just switched to Mac from PC and have been raised to believe that computing security is an arcane doctrine, the province of the brainiacs, and have always trusted Uncle Norton and Daddy McAfee to look after this for you so you would never have to think for yourself…

Now you are a Mac user it's time to start living in the real world, where computers are really rather easy; much easier than driving a car, for example.



Now Mac Protector starts its shenanigans. It looks like it's scanning your computer for viruses and finding loads, but it's OK because it can clean your system for you, so stop worrying, Mac Protector is here to take care of things for you, but wait; you have to register and pay for it first because, sorry, nothing's for free in this world...



What you don't realise is that the apparent busy activity is all fake. It's a Java program running in your browser…



The clue is here; there is no program called MacProtector shown running in the Dock, nor does it appear in the Force Quit menu. That's because it's running inside your browser. Force quitting your browser will kill it.



It's anyone's guess what happens if you click "remove all". I chose not to, but I suspect if you do it will run some malicious code.



OK, so now you have completely bolloxed up your computer by breaking all the rules of common sense and actually installing a malicious application without so much as a thought to the consequences. And now you can't get rid of it…

Yes, you can, it's a Mac, and you have control of it. To be continued...
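The infection chain in this walkthrough, and in octavedoctor's earlier post, has one point where a defender can intervene before any mistake is made: the download is a zip whose contents Safari hands straight to Installer, with the payload sitting in Archive.pax.gz inside the package. The Python below is an added example, not code from the thread or from any product it names. It reads a downloaded zip's table of contents without extracting anything and returns "hold" for any archive that contains an installer bundle or a pax payload, so such a file is never auto-opened. The suffix list and the two in-memory sample archives are constructed for the demonstration; the "scareware" sample holds placeholder bytes, not malware.

```python
import io
import posixpath
import zipfile

# What Safari's "Open safe files after downloading" hands to Installer once
# the zip is unpacked. Assumed list for this example.
INSTALLER_SUFFIXES = (".pkg", ".mpkg")
# The flat-package payload archive the thread names as carrying the trojan.
PAYLOAD_NAMES = ("archive.pax.gz", "archive.pax")


def inspect_download(zip_bytes):
    """Read a downloaded zip's table of contents without extracting anything.

    Returns the member names, the installer bundles found anywhere in the
    tree, any payload archives, and a verdict: "hold" when an installer or
    payload is present, otherwise "allow".
    """
    members, installers, payloads = [], set(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            members.append(name)
            # "MacProtector.pkg/Contents/Archive.pax.gz" means the zip holds an
            # installer bundle called MacProtector.pkg, so check every path part.
            for part in name.split("/"):
                if part.lower().endswith(INSTALLER_SUFFIXES):
                    installers.add(part)
            if posixpath.basename(name).lower() in PAYLOAD_NAMES:
                payloads.append(name)
    verdict = "hold" if installers or payloads else "allow"
    return {
        "members": members,
        "installers": sorted(installers),
        "payloads": payloads,
        "verdict": verdict,
    }


def build_sample_zip(members):
    """Build an in-memory zip from {member_name: bytes}. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for the download the thread describes: a zip that
# unpacks to a bundle-style installer. Placeholder bytes, not malware.
SCAREWARE_SAMPLE = build_sample_zip({
    "MacProtector.pkg/Contents/Info.plist": b"<plist/>",
    "MacProtector.pkg/Contents/Archive.pax.gz": b"\x1f\x8b placeholder",
})

# Constructed benign download: documents only, nothing for Installer to run.
DOCUMENTS_SAMPLE = build_sample_zip({
    "report.pdf": b"%PDF-1.4 placeholder",
    "notes/readme.txt": b"nothing to see here",
})


if __name__ == "__main__":
    for label, sample in (("scareware", SCAREWARE_SAMPLE), ("documents", DOCUMENTS_SAMPLE)):
        result = inspect_download(sample)
        print(f"{label}: {result['verdict']}  installers={result['installers']}  "
              f"payloads={result['payloads']}")
```

The check deliberately keys on the archive's member names rather than on a signature for MacProtector, because the point made in the thread is general: a zip that unpacks to something Installer will run should never be opened by the browser, whatever it is called.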
BrianLachoreVPI
Member Since: Feb 24, 2011
Location: Maryland
Posts: 3,742
Mac Specs: March 2011 15" MBP 2.3GHz i7 Quad Core 8GB Ram | Mid 2011 27" iMac 3.4 GHz i7 16 GB RAM 2 TB HDD

Nice post. From most of the other posts here - I believe that clicking remove takes you to a screen where you are prompted to purchase the removal software - and now they have your cc info.
dtravis7
Member Since: Jan 04, 2005
Location: Modesto, Ca.
Posts: 27,747
Mac Specs: iMac 2.4 C2D 10.10, iMac 2.16 C2d 10.6.8, Macbook2007 10.8.4, Mac Mini 10.8.4, iPhone 3GS Note 8!!

I tried it. I stopped the download that automatically started and quit the tab. I am amazed that some would click allow on something like that when that site clearly downloaded and launched something.

I tried the URL in Firefox. It goes to that address but sits at a white screen and nothing downloads, nothing shows.

Opera opens it and offers it for download!

So Firefox will not even open that fake app or start the download which is a good thing. CWA take note!
octavedoctor
Member Since: May 21, 2011
Posts: 6

Quote (Originally Posted by BrianLachoreVPI):
Nice post. From most of the other posts here - I believe that clicking remove takes you to a screen where you are prompted to purchase the removal software - and now they have your cc info.
Thanks I put a lot of work into it last night. The second half of the walkthrough deals with the removal procedure for which you need a freeware app called TrashMe but I had to split it into two to meet the forum rules on image content and couldn't post the second half last night as I had to wait for mod approval for the first half to appear...
octavedoctor
Member Since: May 21, 2011
Posts: 6

Quote (Originally Posted by dtravis7):
I tried it. I stopped the download that automatically started and quit the tab. I am amazed that some would click allow on something like that when that site clearly downloaded and launched something.

I tried the URL in Firefox. It goes to that address but sits at a white screen and nothing downloads, nothing shows.

Opera opens it and offers it for download!

So Firefox will not even open that fake app or start the download which is a good thing. CWA take note!
It is amazing, isn't it! I do a lot of voluntary work and in this capacity I'm often called upon to help people with problems with their computers, and it constantly amazes me how little they bother to learn about even the simplest security procedures or how to set up their computer. I come across even intelligent, sensible people like writers and civil servants using laptops without password protection and using them to do their internet banking on, allowing their browsers to save passwords and user IDs for bank and building society accounts...
BrianLachoreVPI
Member Since: Feb 24, 2011
Location: Maryland
Posts: 3,742
Mac Specs: March 2011 15" MBP 2.3GHz i7 Quad Core 8GB Ram | Mid 2011 27" iMac 3.4 GHz i7 16 GB RAM 2 TB HDD

Quote (Originally Posted by octavedoctor):
Thanks I put a lot of work into it last night. The second half of the walkthrough deals with the removal procedure for which you need a freeware app called TrashMe but I had to split it into two to meet the forum rules on image content and couldn't post the second half last night as I had to wait for mod approval for the first half to appear...
I think there are quite a few variants on the same theme with this little bugger. For instance - when doing an image search for something a couple of weeks ago - using Google - I simply clicked on an image from the Google search - to go look at the source - and was immediately treated to that java show. This was before I knew about the Safari checkbox - and I saw it download and launch. Of course, I knew that I could simply close it - and delete the downloaded file - and was none the worse for wear. It's easy to see how many folks would be a little taken in by it though. That actually happened 3 separate times in 5 minutes!

My wife - I don't really know what happened - as she couldn't articulate it that well - but somehow she managed to have 5 of the packages downloaded - and the java show was pretty entertaining. The problem for her was - she clicked scan. Frankly - because she has an antivirus package installed (by the school) - she may have thought it was actually doing something. That was enough to convince her to click scan - before she realized something didn't seem right and called me over to look at it.

Fortunately - like I said before - it's easy to eliminate - and led to the discovery of that Safari setting.
octavedoctor
Member Since: May 21, 2011
Posts: 6

Yep. I think there is a rollover link or something because I ended up with about six packages without clicking on anything.

You could also disable Java in prefs; I'm not sure how often that is needed for the most part. Google Docs utilises it I think. I'll have to try it one day. Not javascript though, that's quite different.

The important thing to remember is that there are no Mac viruses that can install themselves, and nor should there ever be, as long as OS X respects the UNIX security policy. Until then, all attackers have is exploits which make use of users' naiveté and fear of the machine to get them to install the nasties themselves. The idea that the only reason Macs aren't inundated with viruses is because there aren't as many of us is complete rubbish. It's important to drum that home to new Mac users because it puts the onus on them to think about their security instead of trusting it to third parties flogging commercial software. AV is now a huge industry and a lot of people are making money out of it. I'm sure Microsoft could address Windows' virus vulnerability if they really wanted to, but it would not be politic to undermine that sector of the IT economy. Far better to spread the idea that more secure OSes are equally at risk, then you open up a whole new market for your products. And the Mac market is generally more affluent and less tech-savvy, so you can bilk them for a lot more...
octavedoctor
Member Since: May 21, 2011
Posts: 6

Part two: how to kill the beast.

First go to System Preferences in the Apple menu, up there in the top left. Look for the Accounts preferences.



Once you are in your account, select login items from the menu and look for MacProtector.

Remove it by highlighting the item and clicking on the minus sign down below left.



Restart your computer. This will kill all active processes, including any code that MacProtector might be running. It won't restart when you start up again. Hopefully...



See? There it was, gone.



Some people have suggested using Spotlight to track down the files Mac Protector installs. Sorry, doesn't work. Spotlight only reveals the app and the installer.



Instead you need to download "Trash Me", a freeware application that acts as a universal uninstaller. I use AppZapper, which will work as well, but I found that Trash Me detected a file in Home/Library/Caches that AppZapper didn't.



TrashMe has a simple drag and drop window,



or you can use the file browser option.



Click on the "related files" button and you will see all the files that have been installed. The folder com.aple.sv lurks elusively in Users/Home/Library/Caches. You want shot of them all.



Er, yes...



Once you have said goodbye to all those files (and the installers, if you haven't already trashed them) your system should be free of MacProtectionRacket.

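The removal procedure above comes down to three checks: the login items list in the Accounts pane, the application and its installer, and the cache folder com.aple.sv that Spotlight does not surface in ~/Library/Caches. The Python below is an added example, not code from the thread, from TrashMe or from AppZapper. It sweeps the per-user Library folders (and the Applications and Downloads folders) plus a list of login-item names for the artifacts the thread attributes to MacProtector, and it also flags any reverse-DNS identifier that is exactly one edit away from com.apple, which is how a folder called com.aple.sv passes for a system cache. The folder list, the one-edit threshold and the throwaway home directory it builds are constructed assumptions for the demonstration; the files it writes are placeholders, not malware.

```python
import shutil
import tempfile
from pathlib import Path

# Names the thread attributes to MacProtector: the app/installer and the
# cache folder TrashMe turned up in ~/Library/Caches.
KNOWN_ARTIFACT_NAMES = ("macprotector", "com.aple.sv")

# Folders to sweep under the user's home. Spotlight does not search the
# Library subfolders by default. Assumed list for this example.
SWEEP_DIRS = (
    "Applications",
    "Downloads",
    "Library/Caches",
    "Library/LaunchAgents",
    "Library/Application Support",
    "Library/Preferences",
)

APPLE_PREFIX = "com.apple"


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_suspicious_name(name):
    """Return a reason string if a file or login-item name looks like a
    MacProtector artifact, otherwise None."""
    lowered = name.lower()
    if any(k in lowered for k in KNOWN_ARTIFACT_NAMES):
        return "known MacProtector artifact"
    # com.aple.sv is one deleted letter from com.apple: flag any reverse-DNS
    # name whose first two labels are exactly one edit away from the Apple prefix.
    labels = lowered.split(".")
    if len(labels) >= 2:
        prefix = ".".join(labels[:2])
        if prefix != APPLE_PREFIX and edit_distance(prefix, APPLE_PREFIX) == 1:
            return "apple-lookalike identifier"
    return None


def audit(home, login_items):
    """Sweep the home directory and the login-item names; return the relative
    paths and login items that deserve removal, sorted."""
    home = Path(home)
    files = []
    for rel in SWEEP_DIRS:
        root = home / rel
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if is_suspicious_name(path.name):
                files.append(path.relative_to(home).as_posix())
    items = [name for name in login_items if is_suspicious_name(name)]
    return {"files": sorted(files), "login_items": sorted(items)}


def build_constructed_home():
    """Create a throwaway home folder mimicking the post-infection layout the
    thread describes. Constructed placeholder files, not real malware."""
    home = Path(tempfile.mkdtemp(prefix="macprotector-demo-"))
    for rel in (
        "Applications/MacProtector.app/Contents/Info.plist",
        "Downloads/MacProtector.pkg/Contents/Archive.pax.gz",
        "Library/Caches/com.aple.sv/cache.db",
        "Library/Caches/com.apple.Safari/Cache.db",     # genuine-looking; must not hit
        "Library/Preferences/com.adobe.Reader.plist",   # unrelated third party; must not hit
    ):
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder")
    return home


if __name__ == "__main__":
    demo_home = build_constructed_home()
    try:
        # Login-item names constructed to mirror the Accounts pane in the thread.
        report = audit(demo_home, ["iTunesHelper", "MacProtector", "Dropbox"])
        for kind, hits in report.items():
            print(kind)
            for hit in hits:
                print("  remove:", hit)
    finally:
        shutil.rmtree(demo_home)
```

Run against a real home directory, audit() would be pointed at ~ and fed the names from the login items list; the lookalike check is a heuristic, so anything it flags is a candidate to look at, not something to delete blind.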
blazinfx332
Member Since: Oct 04, 2011
Posts: 2

Thank you Lizzybluts, your directions for removing the MacProtector virus worked just as you said they would. Cheers!
