Suspicious "Mac Protector" application

Joined
May 10, 2011
Messages
4
Reaction score
0
Points
1
thanks vida

Thanks vida! I followed the steps you outlined. The icon is gone and so far no porn garbage! I sure appreciate the help!
 

BrianLachoreVPI


Retired Staff
Joined
Feb 24, 2011
Messages
3,733
Reaction score
124
Points
63
Location
Maryland
Your Mac's Specs
March 2011 15" MBP 2.3GHz i7 Quad Core 8GB Ram | Mid 2011 27" iMac 3.4 GHz i7 16 GB RAM 2 TB HDD
So - my wife just brings over her work MacBook - a slow POS that doesn't have Activity monitor or Terminal and sure enough - she clicked scan and installed MacProtector!! After me telling her this is why she doesn't have a logon to my computer with anything more than very limited rights (and to only one does she have that) I was able to remove it by using an X11 session - running top to find the MacProtector process. Killing that process and then deleting all 5 packages she downloaded plus the installed application. Since the computer belongs to the school system (she's an AP at an elementary school) it has AV SW which was of zero help. Annoying! :Angry:
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
And people wonder why I refer to Mac AV software as overpriced crap. If at the very least it were adept at finding the small fraction of malware that exists for a Mac, it might be worth a few bucks for a year's subscription. Unfortunately, they charge an arm and a leg to scan primarily for Windows maladies.
 
Joined
Nov 28, 2007
Messages
25,564
Reaction score
486
Points
83
Location
Blue Mountains NSW Australia
Your Mac's Specs
Silver M1 iMac 512/16/8/8 macOS 11.6
Ahh you are a brave, brave man Brian putting that in black and white. If we do not hear from you for a while, will know you have been grounded!
 

BrianLachoreVPI


Ahh you are a brave, brave man Brian putting that in black and white. If we do not hear from you for a while, will know you have been grounded!


Hehe :Blushing: Yes - I may have gotten a little carried away there - I had the dog taste my food first tonight just to be on the safe side. O:)
 
Joined
May 18, 2011
Messages
6
Reaction score
0
Points
1
Location
New Hampshire
Your Mac's Specs
MacBook Pro 15", iPad2, iPhone 4S, many iPods
I fell for it

I got the Mac Defender for $59.95....it seemed real to me.....a lesson learned. Followed the directions to get this off my MacBook Pro...it is GONE!!!!

Called my bank, transferred all the $$$ out of my account into our joint account.....

There is a 30 day money back guarantee.....I called them....and they transferred my $$ back...said it would take 3-5 days.

Will close that debit card as soon as I see the money...if I ever do.....

Lesson Learned.
 
Joined
Nov 8, 2010
Messages
967
Reaction score
4
Points
18
Location
Indiana
Your Mac's Specs
Main-11" Air, iPhone 6+, iPad Mini 3, Hi-Fi Extras- Too many to count
Open activity monitor and force quit mac defender, then open applications folder and delete the mac defender app, then empty the trash, go to system preferences, accounts, your account, login items and highlight mac defender and press the minus button to get rid of it.
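Added example (not part of the original post or the forum): a read-only shell check for the three places the removal steps above touch, namely the running process, the Applications folder and the login items. The name pattern is an assumption built from the names as spelled in this thread, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check for the three places the
# removal steps touch (running process, Applications folder, login items).
# Assumption: process, bundle and login item carry a name as spelled in the posts.
PATTERN='mac ?(protector|defender)'

# Print the stdin lines that match the rogue names, case-insensitively.
match_rogue() {
    grep -Ei "$PATTERN" || true
}

# triage PS_FILE APP_DIR LOGIN_FILE: print one tagged line per finding.
triage() {
    match_rogue < "$1"       | sed 's/^/PROCESS: /'
    ls -1 "$2" | match_rogue | sed 's/^/APP: /'
    match_rogue < "$3"       | sed 's/^/LOGIN_ITEM: /'
}

# Build constructed sample input under DIR (no real system data).
make_sample() {
    mkdir -p "$1/Applications/MacProtector.app" "$1/Applications/Safari.app"
    printf '%s\n' '  PID COMM' '  101 /usr/sbin/cron' \
        '  412 /Applications/MacProtector.app/Contents/MacOS/MacProtector' > "$1/ps.txt"
    printf '%s\n' 'iTunesHelper' 'Mac Defender' > "$1/login.txt"
}

# On a real Mac the inputs would come from:
#   ps -axo pid,comm > ps.txt
#   osascript -e 'tell application "System Events" to get the name of every login item' \
#       | tr ',' '\n' > login.txt
#   triage ps.txt /Applications login.txt
sample=$(mktemp -d)
make_sample "$sample"
triage "$sample/ps.txt" "$sample/Applications" "$sample/login.txt"
rm -rf "$sample"
```

The script only reports; an empty result means none of the three locations contains a matching name, not that the machine is clean.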
 
Joined
May 18, 2011
Messages
6
Reaction score
0
Points
1
Location
New Hampshire
Your Mac's Specs
MacBook Pro 15", iPad2, iPhone 4S, many iPods
that is exactly what I did and it worked perfectly
 
Joined
May 18, 2011
Messages
6
Reaction score
0
Points
1
Location
New Hampshire
Your Mac's Specs
MacBook Pro 15", iPad2, iPhone 4S, many iPods
I got my money back already.....cancelling the card now.....
 
Joined
Sep 29, 2010
Messages
295
Reaction score
5
Points
18
Location
BoCo
Your Mac's Specs
13inch 2.3 i5 MBP 64gb SSD 320gb HD 8gb 1333
So - my wife just brings over her work MacBook - a slow POS that doesn't have Activity monitor or Terminal

Just wondering how is this possible? A macbook without terminal or activity monitor?
 

BrianLachoreVPI


Just wondering how is this possible? A macbook without terminal or activity monitor?

I couldn't tell you. Perhaps the school IT folks thought it shouldn't be there? I don't know.
 
Joined
May 20, 2011
Messages
1
Reaction score
0
Points
1
mac protector

Thanks for your post!! :)

I recently switched from PC to Mac hoping for virus free internet connection but unfortunately I have had a terrible experience with a whole lot of graphic porn bombarding my computer and interestingly at the same time I had Mac Protector pop up and tell me that I need to register so I can clean up the 5 viruses it said I have on my computer.

I tried to register because I assumed it was legit but it wouldn't accept my credit card details. I then realised that it was probably a scam.

I have no idea how to remove this program off my computer, or how to stop the porn from flashing onto my screen every 5 mins or so.:Angry:

If anyone could offer some help I'd greatly appreciate it!!
 
Joined
May 21, 2011
Messages
6
Reaction score
4
Points
3
It is possible to delete even mission critical apps such as terminal and activity monitor if you enable root user and log in as such, but very stupid to do so. I guess the IT people must have thought that they were protecting the user from damaging their installation by playing with tools they didn't understand.

All of the problems mentioned here could have been avoided; prevention is better than cure. Even with the "open safe files after downloading" check box ticked, MacProtector (which contains a nasty trojan payload in Archive.pax.gz) cannot install itself; the file opened is a zip which opens into a package installer. You then have to double click on this and authenticate with your password. As far as I am aware this is the only way a virus can ever find its way on to a Mac and despite the bleating of the Windows community that the only reason we aren't suffering as they do is because there aren't as many of us, I suspect it always will be...

A rogue image hosting site sent me no less than three copies of MacProtector by hiding the download link in a box closure button but it's not on my computer because I didn't install it. Instead I ran Clam XAV to isolate the Trojan and then shredded every copy of it with PGP shredder. Simple precautions.

My advice to non-tech savvy Mac users is this

1) Do not panic! At the moment there are no viruses for Macs that install themselves; you have to do it.

2) Any person or site that tells you you must have their software because your Mac is at risk without it is just trying to sell you something. Don't trust them.

3) Don't get into the appalling habit of authenticating with your password at the drop of a hat. Authentication should be the second stage in a chain of intent which starts with you wanting to install an application which you have selected and of which you know the provenance. Think before you click.

4) Install Clam XAV (ClamXav) and run folder sentry on startup. Set it to watch your downloads folder.

5) Install the Web of Trust plug-in on your browser (Safe Browsing Tool | WOT (Web of Trust)). This will flag suspicious sites with a red icon and known safe sites with a green icon. Be sure to play your part by registering an account and rating dodgy sites yourself if you encounter them.
 

Slydude

Well-known member
Staff member
Moderator
Joined
Nov 15, 2009
Messages
17,609
Reaction score
1,076
Points
113
Location
North Louisiana, USA
Your Mac's Specs
M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey
@Rubi If you are still searching for removal instructions try "How to remove MAC Defender malware". Two different removal methods are listed about 75% of the way down the page. The beginning of the article is a description of the problem and some safe browsing tips.

If that link proves helpful give a rep bump to CWA107. I followed his link in an earlier thread to find that method.
 

BrianLachoreVPI


Thanks for your post!! :)

I recently switched from PC to Mac hoping for virus free internet connection but unfortunately I have had a terrible experience with a whole lot of graphic porn bombarding my computer and interestingly at the same time I had Mac Protector pop up and tell me that I need to register so I can clean up the 5 viruses it said I have on my computer.

I tried to register because I assumed it was legit but it wouldn't accept my credit card details. I then realised that it was probably a scam.

I have no idea how to remove this program off my computer, or how to stop the porn from flashing onto my screen every 5 mins or so.:Angry:

If anyone could offer some help I'd greatly appreciate it!!

I would also recommend you cancel that credit card - and get a new one sent in its place - ASAP.
 
Joined
May 21, 2011
Messages
6
Reaction score
4
Points
3
Nice computer; shame if anything should happen to it...

There seem to be a lot of panicked people on here so I sacrificed one of my spare Macs to do a walkthrough to show you

1) where you are going wrong and how you are actually installing this thing in the first place

2) How you get rid of it.

I should point out that I am not a computer boffin, coder or malware specialist, just an ordinary user with some common sense, 54 years old and I didn't even have a computer until ten years ago, so this is not something I would expect to faze anyone of any age.

It starts when you google for something like some hot babe, in this case Claire Goose



the image outlined in red is the offending one. Even WOT (the little green icon in the corner) says it's safe.



As soon as you click on it the url redirects to another host which opens a fake finder window using Java. You can tell it's fake because the layout of the sidebar won't necessarily match that of your genuine finder. My HDD is called "iMac", but here it is called Macintosh HD, which is the default. Inexperienced users rarely bother to change this (highlight the name in Finder then draw the pointer and you can type in a new name for your hard drive. You could call it Fido or £$%^ if you wanted to) so are easily fooled. The site immediately downloads a package installer in a zip file, opens it and starts the installer. No risk so far, but it's annoying that Safari allows unsolicited downloads from hostile URLs. Clicking continue is the first of three mistakes you will make.



Here is where things go wrong. The installer starts and looks legitimate. The inexperienced Mac user, panicked into believing that the much vaunted Mac immunity to viruses is a myth, and convinced by the genuine looking "Apple Security Centre" blazon, doesn't give a thought to continuing the installation.

Clicking install is your second mistake



Your third mistake will be to enter your password into the authentication dialog box. If at any time you had thought "hang on, let me Google MacProtector and see where it comes from and whether it does what it says" and stopped the installation progress, your computer would never be infected with MacProtector, but no, you enter your password without thinking and pass the point of no return. Malicious code will now be installed on your computer.



As soon as the installer has triumphantly announced that it has finished, MacProtector will attempt to connect to the following URL 95.64.55.5. God only knows what information it will be sending back. Fortunately my network filter Little Snitch has stopped it and is asking me whether I want it to connect. You don't have Little Snitch? Why not…?

Of course you will unthinkingly click "allow" instead of deny anyway, because you have no concept of basic web security, and why should you? You have just switched to Mac from PC and have been raised to believe that computing security is an arcane doctrine, the province of the brainiacs, and have always trusted uncle Norton and Daddy McAfee to look after this for you so you would never have to think for yourself…

Now you are a Mac User it's time to start living in the real world where computers are really rather easy; much easier than driving a car, for example.



Now Mac Protector starts its shenanigans. It looks like it's scanning your computer for viruses and finding loads, but it's OK because it can clean your system for you so stop worrying, Mac Protector is here to take care of things for you, but wait; you have to register and pay for it first because, sorry, nothing's for free in this world...



What you don't realise is that the apparent busy activity is all fake. It's a Java program running in your browser…



The clue is here; there is no program called MacProtector shown running in the dock, nor does it appear in the ForceQuit menu. That's because it's running inside your browser. Force quitting your browser will kill it.



It's anyone's guess what happens if you click "remove all". I chose not to, but I suspect if you do it will run some malicious code.



OK, so now you have completely bolloxed up your computer by breaking all the rules of common sense and actually installing a malicious application without so much as a thought to the consequences. And now you can't get rid of it…

Yes, you can, it's a Mac, and you have control of it. To be continued...
 

BrianLachoreVPI


Nice post. From most of the other posts here - I believe that clicking remove takes you to a screen where you are prompted to purchase the removal software - and now they have your cc info.
 

dtravis7


Retired Staff
Joined
Jan 4, 2005
Messages
30,133
Reaction score
703
Points
113
Location
Modesto, Ca.
Your Mac's Specs
MacMini M-1 MacOS Monterey, iMac 2010 27"Quad I7 , MBPLate2011, iPad Pro10.5", iPhoneSE
I tried it. I stopped the download that automatically started and quit the tab. I am amazed that some would click allow on something like that when that site clearly downloaded and launched something.

I tried the url in Firefox. It goes to that address but sits at a white screen and nothing downloads, nothing shows.

Opera opens it and offers it for download!

So Firefox will not even open that fake app or start the download which is a good thing. CWA take note! :D
 
Joined
May 21, 2011
Messages
6
Reaction score
4
Points
3
Nice post. From most of the other posts here - I believe that clicking remove takes you to a screen where you are prompted to purchase the removal software - and now they have your cc info.

Thanks I put a lot of work into it last night. The second half of the walkthrough deals with the removal procedure for which you need a freeware app called TrashMe but I had to split it into two to meet the forum rules on image content and couldn't post the second half last night as I had to wait for mod approval for the first half to appear...
 
