
Tim in Scottsdale

macrumors member
Original poster
Mar 13, 2016
Scottsdale Arizona
Guys

This crept into my Time Machine external backup drive, a WD 500 gig Passport device, and an erase of that drive failed to delete it.

How can I get rid of this thing?

Bitdefender is telling me "unable to quarantine"

I just bought the external drive a week ago.

iMac 21.5
 
You erased your Passport and it's still there?

Have you tried running Malwarebytes on your system?
 
I'd say your system is infected by it, so until you remove it from your system drive, you'll not be able to clean it up from the external drive.

Have you tried using Malwarebytes on your system (with the external drive disconnected), making sure it's clean, then reconnecting the external drive and reformatting?

So in your OP, you mentioned it's still on the external drive after a reformat - just out of curiosity, where does it exist, in the root?
 
Hello


I have installed Bitdefender, Malwarebytes, Sophos and EasyFind.

I am scanning the iMac hard drive right now with Sophos, and it is taking all night!

I am not experienced enough to look into the external drive to determine where the bug is hiding; I'll have to get back to you on that.
 
Tim,

MAC.OSX.Trojan.FakeAlert is one name that some security companies use to refer to MacDefender, which is very old malware that has long been extinct. See the following examples on VirusTotal, which some vendors call MAC.OSX.Trojan.FakeAlert, but others call MacDefender.

https://www.virustotal.com/en/file/...666ef2dcb337ce9fa6cd653c6d2903cef25/analysis/
https://www.virustotal.com/en/file/...d82cf88733dc4f397c955b1ec8d5f40cde9/analysis/

For some additional information about MacDefender, see:

http://www.thesafemac.com/?s=macdefender

Now, it seems rather unlikely that your backup drive could have a copy of MacDefender in it, unless it's got data in it that is several years old and you once had a copy of MacDefender on your hard drive. Further, it's utterly impossible for any threat to remain on a hard drive after it has been erased (assuming that you erased it using Disk Utility). So, as I see it, there are two possibilities.

First, it could be a false positive that's triggering on something specific about the Time Machine backup. That would explain why Bitdefender is only finding it on the backup, and why it came back after erasing the drive.

Second, it could be that Bitdefender is using that name to refer to something that is not MacDefender. (Why they would do such a thing, I don't know... but naming conventions of malware are quite inconsistent.) That could explain how it got back into the backup again. However, I can't say why it would be finding it only in the backup and not on the main hard drive; that doesn't make much sense. For that reason, my money's on the first explanation.
 
Tim,

Not sure what you're referring to... If you're talking about MacDefender, I wouldn't really classify it as phishing, but yes, essentially the scam was to get you to pay for fake anti-virus software to remove a fake virus from your computer. However, as I said, it's exceedingly unlikely that that is what this actually is.
 
Tim,

...

Not sure how that's related. You CANNOT pick up a MacDefender infection at this point, even from a porn site. It's been extinct for a while now.
 
Tim,

Pop-ups from Bitdefender, or from the site itself? I'm guessing the latter, since if it was Bitdefender, it wouldn't just be triggering on your Time Machine backups in such situations. If you're getting pop-ups from a website telling you that you're infected, they're scams. Ignore them, and avoid the site that you were on when they appeared.
 
Guys

I started the Sophos scan last night, and plugged in the external Time Machine drive this morning. The scan took 23! hours, and found 1 threat, but Sophos did not report what threat or what drive it was on, or how Sophos dealt with it, pretty vague. I have to get with those guys and find out how to interpret the scan.
 
Guys

I think I found the files for this virus in a folder called "Resources". The biggest item in there is called "mcshdr.pax.gz" and nothing I tried will delete it. Any ideas for deleting this menace?

 
Knowing nothing more about that file than the name, it's impossible to say whether it's legit or not. Where is this file, and for what reason have you decided that it's a "virus?"
 
Where specifically on the hard drive is it? I would need to have something like a full path to the file in order to have context.

Try uploading that file to VirusTotal (www.virustotal.com). What does that say about it?
 