
Introducing the BleepingComputer Mac Rogue Remover Tool


17 replies to this topic

#1 Grinler

Lawrence Abrams

  • Admin
  • 43,300 posts
  • Gender: Male
  • Location: USA

Posted 26 May 2011 - 03:15 PM

We have been monitoring, analyzing, and writing easy to understand removal guides for rogue anti-spyware programs since 2005, when these types of malware started to become prevalent, and now an epidemic, in the Windows PC world. In the beginning, Windows rogues looked very similar to what we are seeing currently on the Macs: fairly simple programs that displayed false alerts, but were easy to remove. As time went on, the malware developers introduced new techniques to make these programs more resilient to normal removal methods. These methods included helper processes that restarted the main rogue process when it was terminated, changing Registry entries so that the rogue would start when you ran any executable, uninstalling or deleting antivirus software if present, or just making it impossible to run any program. To make matters worse, many new Windows rogues are also bundled with rootkits that make them much harder to remove.

Over the last month or so, Mac rogues have started to be released into the wild from the same developer as the FakeRean Windows rogue. These rogues, regardless of what may be said by Apple and its employees, have been successful. With our Mac rogue removal guides having an aggregate total of over 100,000 views and my receiving many emails from people thanking me for our guides, but stating they fell for the scam and purchased the program, we can be assured that the malware developers are making plenty of money from these programs. The purpose of these Mac rogues is to make money and if the developers are making it, we can be assured that they will continue to release new versions of these rogues that are trickier to install or remove.

This can be seen in the latest Mac rogue called Mac Guard. Previously, when this family of rogues was installed on your Mac you had to enter your password for the application to be installed. Mac Guard introduced a new technique that does not require your password to be entered if you are running an Administrator account. As you can see, the malware developers are already introducing new techniques to make it easier for their programs to be installed. I expect as time goes on, these developers will introduce new techniques that will make removing these programs harder to do.

BleepingComputer's goal for writing guides is to offer removal methods that are not only easy to understand but also easy to accomplish. With this in mind, I have created a new tool named Mac Rogue Remover Tool. This tool, when run, will scan your Mac and terminate the rogue's processes, remove Login Items, the Application folders, and any leftover folders or files that may reside in your Downloads folder. I have purposely made it so that it does not scan your entire disk for these applications, in order to not have false positives with possibly legitimate programs that may be released in the future. Therefore, if you have installed these programs in a different location or changed the location where they are downloaded to, you should use the Manual Removal procedure that is present in all of the Mac rogue guides, which I have listed at the end of this post.

All of our Mac rogue guides have already been updated to contain two removal methods. The first is detailed instructions on how to use Mac Rogue Remover to remove the Mac rogues and the second is the manual removal method.

In summary, to use this tool, you need to download it from the following link:

http://www.bleepingcomputer.com/download/mac-rogue-remover-tool/

If Safari is configured to Open "safe" files after downloading, which you should disable to be more secure, the Mac Rogue Remover will automatically be unpacked for you in the folder that you downloaded it to. If not, then you will need to double-click on the file to extract the application. Once it is extracted, just double-click on the mac-rogue-remover app icon to launch it. When launched, you will be presented with a license agreement that you must agree to in order to use the program. Once you agree to the license, Mac Rogue Remover will launch and remove any items associated with the rogue. It will then display what it has found and create a log of what actions it took on the desktop called mac-rogue-remover.txt. The rogue should now be removed from your Mac.

At present, the Mac Rogue Remover Tool will remove the following:


Please let us know in this topic if there are issues running the tool.

I hope you find this tool helpful.



#2 Andrew

Bleepin' Night Watchman

  • Moderator
  • 8,244 posts
  • Gender: Not Telling
  • Location: Right behind you

Posted 26 May 2011 - 03:21 PM

Excellent work, Grinler! :clapping:

#3 sho-dan

  • Members
  • 6 posts
  • Gender: Not Telling
  • Location: Jah Jersey Shore

Posted 26 May 2011 - 04:37 PM

Job well done! Grinler. Thanks :thumbup2:

#4 computerxpds

Bleepin' Comp

  • Moderator
  • 4,419 posts
  • Gender: Male
  • Location: USA

Posted 26 May 2011 - 07:39 PM

Wow this is awesome Grinler and I am sure it will be a big help to those many people that are infected with this annoying and eye opening issue. :)



#5 keyboardNinja

Bleepin' Ninja

  • BC Advisor
  • 4,815 posts
  • Gender: Male
  • Location: teh interwebz

Posted 26 May 2011 - 10:24 PM

Good job, Grinler! Keep up the good work! :thumbsup:

#6 Wingman

  • Malware Response Team
  • 41 posts
  • Gender: Male
  • Location: East Coast - USA

Posted 28 May 2011 - 10:01 AM

Equal opportunity malware removal! Excellent, nice work sir. :clapping:

Edited by Wing Man, 28 May 2011 - 10:01 AM.


#7 Union_Thug

Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender: Male
  • Location: is everything

Posted 28 May 2011 - 09:22 PM

You, sir, are a steely-eyed missile man!

:clapping:


Edited by Union_Thug, 28 May 2011 - 09:23 PM.


#8 UNC61

  • Members
  • 16 posts
  • Gender: Male
  • Location: Fancy Prairie, IL

Posted 01 June 2011 - 08:24 PM

I am curious and want your thoughts about keeping this up to date. As you are aware, another variant appeared and Mac malware is being spread virally on Facebook. I cannot imagine how one person would be able to keep up when other criminal elements come onboard the rip Mac a new one train. Then again, I am old, fat, ugly, and like jock itch, so what do I know?

#9 Grinler

Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,300 posts
  • Gender: Male
  • Location: USA

Posted 01 June 2011 - 08:40 PM

Yes, I am aware of the new variant and have already updated the tool.

Quite honestly, I am not concerned or worried about being able to keep up with the rogues for Mac. I do it already for Windows :)

#10 Union_Thug

Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender: Male
  • Location: is everything

Posted 01 June 2011 - 08:50 PM

...Quite honestly, I am not concerned or worried about being able to keep up with the rogues for Mac. I do it already for Windows :)


:)

#11 Grinler

Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,300 posts
  • Gender: Male
  • Location: USA

Posted 03 June 2011 - 08:32 AM

Update notes:

6/1/11: Updated to include new installer and downloader mdInstall.pkg and mdDownloader.app.
6/2/11: Updated for Mac Shield.
6/3/11: Updated for new installer for Mac Shield called mshSetup.pkg.

#12 Grinler

Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,300 posts
  • Gender: Male
  • Location: USA

Posted 04 June 2011 - 09:31 AM

Update:

6/4/11 - Updated to include diShield.pkg and /Applications/dShield.app.
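As an added example (not BleepingComputer's Mac Rogue Remover and not code from this thread), the POSIX shell script below shows the checking side of what the first post describes: it looks only in the Downloads and Applications folders, like the tool, for the artifact names listed in the update notes above, lists the Login Items for review, and writes a log instead of deleting anything. The `.pkg` and `.app` names come from the update notes; `Mac Guard.app` and `Mac Shield.app` are assumed bundle names derived from the rogue names, as is the log file name.

```shell
#!/bin/sh
# Added example, not BleepingComputer's Mac Rogue Remover: an audit-only
# script that reports known rogue artifacts and deletes nothing.
# Names from the thread's update notes; 'Mac Guard.app' and 'Mac Shield.app'
# are assumed bundle names derived from the rogue names, not from the thread.
list_rogue_names() {
    printf '%s\n' 'mdInstall.pkg' 'mdDownloader.app' 'mshSetup.pkg' \
        'diShield.pkg' 'dShield.app' 'Mac Guard.app' 'Mac Shield.app'
}

# find_rogue_artifacts DIR: print the path of every listed name found directly
# inside DIR. No recursive disk scan, matching the tool's false-positive design.
find_rogue_artifacts() {
    dir=$1
    [ -d "$dir" ] || return 0
    list_rogue_names | while IFS= read -r name; do
        if [ -e "$dir/$name" ]; then printf '%s\n' "$dir/$name"; fi
    done
    return 0
}

# list_login_items: the rogues also add a Login Item, so list them for review.
# Uses osascript on macOS; prints nothing elsewhere.
list_login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
    return 0
}

# audit_rogues LOGFILE DIR...: scan each DIR, write hits to LOGFILE one per
# line, and print the total number of artifacts found.
audit_rogues() {
    logfile=$1; shift
    : > "$logfile"
    count=0
    for d in "$@"; do
        hits=$(find_rogue_artifacts "$d")
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits" >> "$logfile"
        count=$((count + $(printf '%s\n' "$hits" | wc -l)))
    done
    printf '%s\n' "$count"
}

# Run the real audit only when asked; like the tool, the log goes on the desktop.
if [ "${1:-}" = "--run" ]; then
    log="$HOME/Desktop/mac-rogue-audit.txt"
    echo "Artifacts found: $(audit_rogues "$log" "$HOME/Downloads" /Applications)"
    echo "Login Items:"; list_login_items
fi
```

Run it as `sh audit.sh --run` on the Mac, then compare the log against the manual removal steps in the guides before deleting anything.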

#13 gtmda

  • Members
  • 1 posts

Posted 11 June 2011 - 05:11 PM

All I can say is WOW! What a wonderful tool for removing Mac Shield. I have had my iMac for 3 years and today was the very first time I got zapped by something like this. Mac Shield looked legit, but I found your website and quickly found out it was a scam and removed it. Many, many thanks! :thumbup2:

#14 Genex17

  • Members
  • 76 posts
  • Gender: Male

Posted 30 October 2013 - 08:16 AM

Thanks for the tool, no rogueware found.

I did however run into an "app damaged" error when I tried to first open it in Mavericks 10.9 on my MacBook. "Ctrl + click Open" (the usual Gatekeeper workaround) did not work, so I shut off the Gatekeeper in Security (and turned it back on) and it works fine now.

It only displays that error in the initial attempt.

Gene


#15 Grinler

Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,300 posts
  • Gender: Male
  • Location: USA

Posted 30 October 2013 - 10:40 AM

Thanks for the info. Will take a look.
