how to remove osx/fakeav-dpu

Hello,

I just started using Sophos and like the product. It found a number of viruses on my computer, including:

OSX/FakeAV-DPU

Mal/VB-JM

W32/Hostinf-A

I tried having them automatically deleted upon detection, but this was not possible. I tried to manually clean with a custom scan, but this also failed. The action available is now "clean up manually", but I'm not sure how to do this. I tried searching for the filename specified to delete it, but my search doesn't turn anything up, even when I specify to also search for hidden files. Any help is greatly appreciated. I have made sure the drive has read/write access to all users.

Best Wishes,

Mark MacFadyen

Nova Scotia, Canada

:1002995


  • OSX/FakeAV-DPU will be found in /Applications/MacProtector.app and ~/Downloads/MacProtector.mpkg.  This might also be found inside ~/Downloads/anti-malware.zip.

    :1003017
  • Hi Andrew,

    I found one under /Downloads/MacProtector.mpkg which was easily deleted.   I still have two I can't find

    Archive.pax.gz

    anti-malware.zip

    /Downloads/anti-malware.zip. (I can't find these either.)

    /Applications/MacProtector.app (I can't find these either.)

    I found MacProtector but a pop up quickly says "You can't open the application "macProtector" because it is not supported on this architecture" and wants me to hit OK.

    :1003045
  • anti-malware.zip auto-deletes if you are using Safari and have "Open safe files" enabled in the preferences.  It expands to MacProtector.mpkg.

    Archive.pax.gz resides inside the MacProtector.mpkg installer bundle.

    If you remove the mpkg file, that should be all you need to do.

    :1003047
  • I am really ignorant as to how to remove this file. Would you please give me step-by-step instructions to follow? I have never fully installed the MacProtector, but I can find it when searching "Archive.pax.gz". I do use Safari and have the "Open safe files" preference checked. I have run two custom scans and still cannot get it off my quarantine list.

    :1003147
  • As I stated previously, the Archive.pax.gz file is inside MacProtector.mpkg inside your downloads folder.  Move the mpkg file to the trash and empty the trash to remove it.

    :1003163
  • Hi there, I ran a scan - and even though the name archive.pax.gz showed up while the search was running - at the end it said "no threats detected" - does that mean it's not on the computer? I checked the downloads section but couldn't find the folder name MacProtector.mpkg - is there anywhere else it could be or does it mean it's not on the computer?
    Thanks

    VidH

    :1009764
  • Check your Applications folder -- is there anything odd in there?

    MacProtector.mpkg is an installer package that contains an installer archive named archive.pax.gz -- and THIS contains the malware.  On some variants, the Fake AV software does a drive-by download that will automatically install the software into your Applications folder and delete the installer if you're logged in using an administrator account.  If you're logged in as a user only, it will prompt you for your admin password before this can take place.

    If you can't see anything in your downloads or applications folder, check the scan log to see where the malware was detected.  If it's not there anymore, you're likely fine.

    Then again, MacProtector/MacDefender is pretty blatant about when it exists, as its sole purpose is to get you to enter your personal information to purchase a license for this fake AV software.

    :1009770
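
The checks described in the replies above, collected into one script. This is an added example, not part of the original thread and not a Sophos tool. The function names and the `Contents` subfolder in the sample tree are assumptions; the three fixed paths and the archive name come from the thread.

```shell
#!/bin/sh
# Added example: report the MacProtector artifacts named in this thread.
# Usage: find_macprotector [ROOT] [HOME_DIR]   (defaults: / and $HOME)
# Prints one path per line; prints nothing if none are present.
find_macprotector() {
    root=${1:-/}
    home=${2:-$HOME}
    # Fixed locations given in the replies above.
    for p in "${root%/}/Applications/MacProtector.app" \
             "$home/Downloads/MacProtector.mpkg" \
             "$home/Downloads/anti-malware.zip"; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    # The .mpkg is a bundle (a directory), so the payload archive is a file
    # nested inside it, which is why a plain filename search can show it
    # while the Downloads folder appears to hold only the package.
    # Match case-insensitively: the thread shows both spellings.
    for d in "$home/Downloads" "${root%/}/Applications"; do
        if [ -d "$d" ]; then
            find "$d" -type f -iname 'archive.pax.gz' \
                 -path '*MacProtector*' 2>/dev/null || true
        fi
    done
    return 0
}

# Constructed sample tree with empty placeholder files (no real malware).
# The "Contents" subfolder is an assumed layout, used only for the demo.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/Users/user/Downloads/MacProtector.mpkg/Contents" \
             "$t/Applications"
    : > "$t/Users/user/Downloads/MacProtector.mpkg/Contents/Archive.pax.gz"
    find_macprotector "$t" "$t/Users/user"
    rm -rf "$t"
}
```

Running `find_macprotector` with no arguments checks the real `/Applications` and the current user's Downloads folder; it only reports paths and deletes nothing.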