The Icrontic Mac Defender and Mac Protector removal tool

Phil Jaenke 22 May, 2011 at 9:59pm ET Article published in Tech

So, somehow you’ve gotten infected with Mac Defender or Mac Protector. It’s the latest malware to hit OS X users, and it’s turned out to be particularly rampant. Hundreds and hundreds of posts are out there from folks looking for a way to rid themselves of this insidious malware.

First, let’s clear something up—neither Mac Protector nor Mac Defender is a legitimate anti-virus tool, as they pose to be. They are malware, opening your browser to random porn links, and telling you that legitimate system files like Terminal are actually spyware. No, they aren’t—Mac Protector and Mac Defender is the spyware. When you try to “clean” with it, it says your copy is unregistered, and prompts you to enter your personal information including a credit card. Don’t. If you did? Contact your bank. You’re not buying anything—you’re just sending your credit card information to people who may not have your best interests in mind.

Obviously, with things like this out there, you should be running an anti-virus. There are a number of anti-virus products for Mac OS X from a variety of manufacturers. If you don’t feel like spending your hard earned money on one, Sophos offers their Home Edition for Mac OS completely free. However, Mac Defender and Mac Protector can interfere with installing legitimate anti-virus products. You need to remove them first.

That’s where your friends here at Icrontic come in. Search Apple support no more, call not the Genius Bar, return not to the shiny white store, my friends! For we deliver unto you: The Icrontic Mac Defender / Mac Protector Removal Tool!

This simple easy to use tool can completely remove Mac Protector AND Mac Defender from your infected systems in two clicks. Since it’s a shell script and an AppleScript, it is virtually impossible for this malware to interfere with its operation.

Using the Icrontic Mac Defender/Mac Protector Removal Tool

First, download the ZIP file. Double click on it to open it, and drag the two files anywhere on your system—even onto a USB drive or your Desktop. They can be run from anywhere, as long as both files are in the same folder. You should have “Clean_MacProtector.sh” and “Clean_MacProtector_Login.scpt”.

There are two possible ways to run this tool; if your Mac is configured to run .sh files from Terminal, this way will work:

Double click “Clean_MacProtector.sh” and Terminal should pop up while it runs. Wait while it cleans your system of Mac Defender or Mac Protector. If you have a lot of applications installed, or a large hard disk, the script can take a very long time to run. It actively searches every directory and drive on your Mac for possible infection, just in case it installed to an unexpected location or an alternate drive.

If that doesn’t work, and it just opens up a bunch of code in TextEdit, close TextEdit and do this:

Go to the folder where you have the .sh file. Hold down Control and click on the file. You’ll get a menu that pops up; select “Open With…” from that menu.
From “Open With”, select “Other”
Scroll down until you see “Utilities”, and double click that
At the bottom of that window you’ll see a box that says “Enable: Recommended Applications”. Click that and change it to “All applications”
Back up in the Utilities window, scroll down until you see “Terminal” and select that. Then click “Open” and the tool should run.

That’s all there is to it! Your system will be clean, no calls or visits to Apple necessary, and it’s free.

Stay safe!

Comments

22 May 2011 ~ 10:17pm Tushon You did better than Apple did
22 May 2011 ~ 11:11pm Bandrik Sweet, now THIS is customer support! Thank you Apple for finally admitting that you have a problem and coming up with this simple, easy-to-use tool that--

Oh wait. That's right. They didn't. In the meantime, awesome work, Phil. Hope this aids some poor fool that's in need of a helping hand.
23 May 2011 ~ 8:45am Kwitko This tool is useless since Macs never get viruses or malware or spyware. Clearly this is a failed attempt by PC users to denigrate the Apple name and its superior, magical products.
23 May 2011 ~ 11:06am Bandrik Mmm, taste the Apple magic! It tastes like... chalk dust. And... other strange, white substances.
23 May 2011 ~ 11:37am Tushon Someone who is on the apple forums should go and post a link in the support area for this. Page views over 9000?!?!?!
23 May 2011 ~ 12:20pm Annes Great job, Phil!
23 May 2011 ~ 10:41pm HO ...oh wait....Macs aren't supposed to be malware free????

Hmmmm, I'm happy with my Win7, at least MS doesn't hide the facts with Koolaid like Mapple, we know there is that called malware, not like Win7 get's a lot but is there, still, Mapple gets malware and like Hitler in WW2 denies it, yup, it's all koolaid for the mindless drones.
25 May 2011 ~ 1:14am Derek I just got that annoying macdefender. I googled it and came up with this site. I downloaded it and it didn't work. I then contacted the company and got help and they told me how to get to it from another direction. It worked beautifully and before I could send a thank you email, the system was cleaned and everything working great again.

As I told the rep I spoke with...you guys rock!!!
25 May 2011 ~ 1:26am primesuspect Haha, thanks Derek. We're not a company, per se... We're just a group of friends and geeks who help when and where we can. Phil (Rootwyrm) is the guy who wrote the software, and thanks to your emails with me, I updated the article with instructions in case it doesn't work.

Thanks for stopping by Icrontic!
25 May 2011 ~ 2:52am RootWyrm And the best part? There's a new version being worked on as I write this (@$%!*ING Xcode!) which will be even EASIER to use.
25 May 2011 ~ 9:38pm RootWyrm As a note; the current release (5/23/2011) does NOT and cannot remove the following new variants discovered as of 5/25:
MacGuard + avRunner Trojan Downloaer
MacSecurity
Work is in progress to obtain samples of these new variants and add the capability to remove them ASAP.
27 May 2011 ~ 1:13am Mike ManyThanks this thing downloaded itself and was bothersome.
appreciate the help.
27 May 2011 ~ 1:24am primesuspect Glad to have helped!
11 Jun 2011 ~ 9:11pm dansones wheres the zip file?
11 Jun 2011 ~ 9:18pm Thrax
11 Jun 2011 ~ 11:57pm Kwitko

RootWyrm wrote:

And the best part? There's a new version being worked on as I write this (@$%!*ING Xcode!) which will be even EASIER to use.

Even though I neither own a Mac nor like Apple, I think what you're doing is fucking epic. This is why I love Icrontic.
13 Jun 2011 ~ 10:06am Kate I tried the fix. It did not work. Suggestions?

Kate
14 Jun 2011 ~ 10:02pm Melanie Thank you, that virus was a pain, glad to have it gone, thank you.
15 Jun 2011 ~ 9:36am Mannix it didn't work
15 Jun 2011 ~ 4:16pm RootWyrm If you've updated OS X in the last month, either manually or automatically installed updates, this tool will no longer work. Apple finally added an automatic removal routine to OS X which attempts to block, and removes all 13+ variants. This tool can only remove the first two, and when Apple added their update, the malware authors started creating variants at a rate that was impossible to keep up with.
If you haven't installed the latest OS X updates, that's definitely the first thing you should do. Then make sure that automatic updating is turned on - Apple is still pushing new definitions every 24-48 hours or so.
9 Dec 2012 ~ 5:37pm Susan R. No matter how many times I use your Removal tool to remove MacDefender, the Removal tool always finds it again. I've done this 15 times already.

Also, Sophos always finds the Archive.pax.gz file, gets hung-up and basically freezes -- so I guess there really is SOMETHING BAD stuck in this Mac.
9 Dec 2012 ~ 7:37pm Tushon
If you haven't installed the latest OS X updates, that's definitely the first thing you should do.