Removing Scamware: Generic Instructions

With the ongoing FAKE anti-virus scamware (rogueware/scareware) rat attack, I thought it would be useful to provide a generic set of instructions for removing these annoying and illegal programs. Clearly the rats perpetrating this garbage are persistent. As of May 8th there are three versions of this scam. Therefore, keeping these instructions generic is all the more useful. If you have any questions, please comment below and I'll do my best to update these instructions to provide better clarity.

BTW: Thanks to the folks at MacScan for getting the ball rolling with their instructions for removing the MAC Defender scamware.

How To Remove Scamware (v1.0.0):

Introduction: There are three concerns when removing scamware. The first is stopping the currently running scamware process. The second is removing the application. The third is removing any reference to application in your startup process files. You will see these three concerns addressed below. (Note that this removal procedure does NOT apply to rootkit infections, which require a more complicated removal procedure).

Stomping Steps:

1) Note the name of the scamware (rogueware) you have inadvertently installed.

2) Run the Activity Monitor program, located in your Applications/Utilities folder. Be certain that the pop-up menu at the top of the app's window is set to "All Processes".

3) Filter or scan down the list of active processes for the name of the scamware. In the case of "MAC Defender", the process is named 'MacDefender'. Similar process names most likely will apply to other scamware. (Note: It is easier to scan the list of processes if you click the "Process Name" column header in order to sort the process names alphabetically).

4) Click on the name of the scamware process to highlight it.

5) At the top left of the app window, click on the "Quit Process" button. It looks like a red stop sign.

6) In the resulting drop-down box, click on "Force Quit". That stops the scamware process from running in your computer, for the moment. You can Quit Activity Monitor at this point.

7) Navigate using the Finder to the Applications folder. It is likely that somewhere in this folder will be the application file for the scamware. Either Search for it or scan down the list of applications (including inside the Utilities folder) to find it.

8) Click on the name of the scamware. Drag it to your Trash. Empty your trash. (Note that if you attempt to empty the trash while the scamware is still running, the system will stop you. Quit the scamware process first via Activity Monitor).

9) Remove any reference to the scamware from your startup process list: You can do this by opening your System Preferences the opening the 'Accounts' preferences pane. Along the top of the pane you will see two tab buttons. Click on 'Login Items'.

10) Scan down the list of Login Items until you see the name of the scamware. Click on the name to highlight it.

11) Click on the minus sign (-) below the list in order to remove the scamware from your Login Items. You're done.

That may be all you need to do to get rid of the thing. There are other ways for malware in general to infect themselves into your system. If further search and navigation methods are required to remove further traces of the scamware, I will add them to the instructions above and progress the version number of these instructions another iteration.

Hope that helps!

:-Derek