On May 25, 2011, at 8:44 AM, Dan wrote:

> And now we have all the sites announcing that there are articles on other
> sites that announce that Apple has announced that they'll have an update to
> address the current trojan, MacDefender. *cough*
So great, now we have the Great Advent of Malware on the Mac...of course it's offering us protection from all the non-existent Mac malware... :-/ At least this "mac antivirus" is honest about the fact that it simply wants to steal money from us :-) There's something just too meta about this whole thing.

It IS out there in the wild; I hit it this weekend on my laptop at home (via a poisoned Google search). This is what the Mac version looks like:

<http://dbdev2.pharmacy.arizona.edu/miscjunk/mac_version.png>

It automatically downloaded 'anti-malware.zip'.*

Also note: my hard drive is NOT called 'Macintosh HD', nor is my user name (and hence my home folder) called 'computer', nor do I have a folder 'work' in my sidebar. Dropbox is purely a guess. The red dots with the numbers randomly change; they're not even careful enough to make sure they always increase. The one in 'computer' went from 10 to 56 to 25 to 30, which happened to be when I took the screen shot. They keep listing total gibberish in the list. It's quite amusing, if it weren't for the fact that if my mother runs into this I'm going to get a panicked call.

Simply changing my browser ID to say it's IE7 gets me this from the same web site:

<http://dbdev2.pharmacy.arizona.edu/miscjunk/windows_version.png>

> Less painful to just read the tech note, I think:
>
> http://support.apple.com/kb/HT4650

ROFLMAO.

How to remove Mac fake antivirus:

"Kill the process named MacDefender. Drag the MacDefender Application to the trash. Optionally delete the login item."
How to remove Windows fake antivirus (from <http://www.techvts.com/antivirus-pro-removal>):

Stop Antivirus Pro processes:
[random name].exe

Remove Antivirus Pro Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"C:\WINDOWS\system32\rundll32.exe" = 'C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"[random numbers and characters]"

Remove Antivirus Pro files:
C:\ProgramData\[random].dat
C:\ProgramData\[random].ico
%AppData%\[random].dat
%AppData%\[random].ico
%Temp%\ins2.tmp
%Temp%\mv3.tmp
%Temp%\wrk4.tmp

Good luck identifying the [random] process. This is the process list of my (uninfected) Win7 VM. Quick! Identify [random].exe!

Image Name
=========================
System Idle Process
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
services.exe
winlogon.exe
lsass.exe
lsm.exe
svchost.exe
VBoxService.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
audiodg.exe
svchost.exe
SavService.exe
svchost.exe
spoolsv.exe
svchost.exe
svchost.exe
svchost.exe
SAVAdminService.exe
ManagementAgentNT.exe
ALsvc.exe
RouterNT.exe
swi_service.exe
svchost.exe
svchost.exe
taskhost.exe
userinit.exe
dwm.exe
explorer.exe
VBoxTray.exe
cmd.exe
conhost.exe
net.exe
net1.exe
jusched.exe
ALMon.exe
reader_sl.exe
SearchIndexer.exe
cmd.exe
conhost.exe
SearchProtocolHost.exe
SearchFilterHost.exe
tasklist.exe
WmiPrvSE.exe

* Because I am not brain-dead, I disable 'Open Safe Files after download' in Safari the moment I first log onto a new computer. This is a festering security hole in Safari that I WISH Apple would eliminate. It's not like they haven't been burned by this...back in the 10.2 days Safari would open saved terminal files...yes, Apple, let's automatically run shell scripts downloaded from random web sites.
-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs

-- 
You received this message because you are a member of G-Group, a group for those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette guide is at http://www.lowendmac.com/lists/netiquette.shtml
To post to this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/g3-5-list
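The removal guide quoted in the message leaves the reader hunting a "[random].exe" in a list of fifty image names, but the guide itself gives away two things that are not random: the fake AV drops its files into %ProgramData%, %AppData% or %Temp%, and its file names are letter/digit soup. The script below is an added example, not code from the message, from the removal guide, or from any vendor tool. It parses the CSV that `wmic process get Name,ExecutablePath /format:csv` prints (the column layout `Node,ExecutablePath,Name` is assumed), compares each process against a baseline of names captured from a clean machine (here, the names from the uninfected Win7 VM list above), and flags the combination of "not in baseline", "runs from a drop directory" and "random-looking name". The sample process list is constructed for the example, with one planted fake-AV process and one legitimate per-user app (Dropbox, which really does run from AppData\Roaming) to show why the directory heuristic alone is not enough.

```python
"""Triage a Windows process list for a fake-AV process with a random name.

Added example (not from the message or any vendor tool). Heuristics come
from the Antivirus Pro removal guide quoted above: the fake AV lives in
%ProgramData%/%AppData%/%Temp% and uses random file names.
"""
import csv
import io
import re

# Names from the uninfected Win7 VM list in the message. Capture your own
# baseline from a known-good image of the same build before relying on it.
CLEAN_BASELINE = {
    "system idle process", "system", "smss.exe", "csrss.exe", "wininit.exe",
    "services.exe", "winlogon.exe", "lsass.exe", "lsm.exe", "svchost.exe",
    "vboxservice.exe", "audiodg.exe", "savservice.exe", "spoolsv.exe",
    "savadminservice.exe", "managementagentnt.exe", "alsvc.exe", "routernt.exe",
    "swi_service.exe", "taskhost.exe", "userinit.exe", "dwm.exe", "explorer.exe",
    "vboxtray.exe", "cmd.exe", "conhost.exe", "net.exe", "net1.exe",
    "jusched.exe", "almon.exe", "reader_sl.exe", "searchindexer.exe",
    "searchprotocolhost.exe", "searchfilterhost.exe", "tasklist.exe",
    "wmiprvse.exe",
}

# Drop directories named in the removal guide, matched as lowercase path
# fragments. Legitimate per-user installs (Dropbox, Chrome) also live in
# AppData, so this is a hint, not a verdict.
SUSPECT_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\")

# Constructed sample in the assumed layout of
# `wmic process get Name,ExecutablePath /format:csv`; one planted fake AV.
SAMPLE_CSV = r"""
Node,ExecutablePath,Name
WIN7VM,,System Idle Process
WIN7VM,C:\Windows\System32\svchost.exe,svchost.exe
WIN7VM,C:\Windows\explorer.exe,explorer.exe
WIN7VM,C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe,SavService.exe
WIN7VM,C:\Users\bruce\AppData\Roaming\Dropbox\bin\Dropbox.exe,Dropbox.exe
WIN7VM,C:\ProgramData\a7hx2kq9p.exe,a7hx2kq9p.exe
WIN7VM,C:\Windows\System32\conhost.exe,conhost.exe
"""


def parse_wmic_csv(text):
    """Return [(name, path)] from wmic CSV output; path may be empty."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.lstrip())):
        name = (row.get("Name") or "").strip()
        if name:
            rows.append((name, (row.get("ExecutablePath") or "").strip()))
    return rows


def looks_random(name):
    """True for stems like 'a7hx2kq9p': 6+ alphanumerics mixing at least two
    digits with at least three letters. 'net1' and 'swi_service' don't match."""
    stem = re.sub(r"\.exe$", "", name, flags=re.I)
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", stem):
        return False
    digits = sum(c.isdigit() for c in stem)
    return digits >= 2 and (len(stem) - digits) >= 3


def triage(rows, baseline=CLEAN_BASELINE):
    """Return [(name, path, reasons)] for every process with >= 1 reason."""
    findings = []
    for name, path in rows:
        reasons = []
        if name.lower() not in baseline:
            reasons.append("not in clean baseline")
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("runs from a user-writable drop directory")
        if looks_random(name):
            reasons.append("random-looking image name")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def likely_fake_av(rows, baseline=CLEAN_BASELINE):
    """Names hitting all three heuristics: the kill/quarantine candidates."""
    return [n for n, _, r in triage(rows, baseline) if len(r) == 3]


if __name__ == "__main__":
    rows = parse_wmic_csv(SAMPLE_CSV)
    for name, path, reasons in triage(rows):
        print(f"{name:16} {path or '(no path)':52} {'; '.join(reasons)}")
    print("kill candidates:", likely_fake_av(rows))
```

On the sample, Dropbox.exe is reported with two hints (not in the VM baseline, runs from AppData) but is not a kill candidate; only the planted a7hx2kq9p.exe in ProgramData hits all three. On a real infection, confirm the path before killing anything, and remember the guide's other two artifacts, the HKCU Run value and the firewall AuthorizedApplications entry, which the script does not check; the same path-and-name test applies to the Run value's command line.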
