How to spot and remove a fake trojan scam

What’s worse than a trojan virus? Perhaps a fake trojan virus. Fake trojans appear in the form of a pop-up window, usually in a browser, and claim that your computer has been infected and that you need to take urgent action to get rid of it. This article will deal with what you should do if you find yourself in that situation. If you think you’ve downloaded a real trojan virus, read this article on how to get rid of it.

What is the “we have detected a trojan virus” scam?

This scam, also known as “e.tre456_worm_osx” after the name of the worm it claims to have found, displays a pop-up window, with an Apple logo in red (designed to both scare you and make you think the warning is from Apple) and text that says your system is infected with viruses. The headline text is also in red, along with text in black that says “immediate action required”. The window may be accompanied by a high-pitched alarm tone which is also designed to scare you into taking action. There’s a button at the bottom of the window that says “Scan” and the whole thing is designed to get you to press that button. 

Like most malware, it relies on a combination of fear and urgency to scare you into taking action before you have a chance to rationally consider whether there really is something wrong with your Mac.

What should I do if I see the fake trojan?

If you see it in a web browser, close the window immediately and close the tab or window of the site you visited that hosted the pop-up. Don’t visit it again. If you don’t know which site launched the window, or if the window won’t let you close it, quit the browser. If you can’t access the menu and pressing Command-Q doesn’t work, force quit it either by pressing Command-Option-Escape and selecting Force Quit in the window that opens or by right-clicking the browser’s icon in the Dock and choosing Force Quit.

Fake trojans can also appear in applications you’ve downloaded from the internet. For example, you may have clicked on a link that claimed to be an update to Flash, or downloaded a seemingly legitimate application that was hiding a fake trojan.

This shouldn’t happen if you’re running a recent version of macOS, as the Gatekeeper tool allows only apps from the App Store or those that are code signed by developers to be installed. Installing anything else requires you to take specific action to allow it to be installed.

However, if you’re using an older version of macOS or you disabled Gatekeeper, then it’s possible a fake app may have been installed. In this case, you should quit or force quit the app immediately — don’t click on anything in the window. You should then remove the app.

However, just dragging the app to the Trash isn’t enough. Most apps store files in several locations on your system and simply removing the main app won’t delete those files. You could search for files in ~/Library and in the main Library folder, but without knowing what you’re looking for it will be very time-consuming. Instead, use an uninstaller like the one in CleanMyMac X. That will remove all the files associated with the app and make sure there’s no trace of it left behind.
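The manual search mentioned above becomes manageable once you know the app's bundle identifier. The script below is an added example, not part of the original article or of any tool it mentions; it only lists matching items and deletes nothing. The identifier com.example.fakecleaner and the list of Library subfolders are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: list (never delete) items an app left in the Library folders.
# Assumption: the app names its files after its bundle identifier, which you
# can read on macOS with:
#   defaults read "/Applications/Name.app/Contents/Info" CFBundleIdentifier

# Library subfolders where apps commonly keep files (illustrative, not complete).
LIBRARY_SUBDIRS="Application Support
Caches
Containers
LaunchAgents
LaunchDaemons
Logs
Preferences
Saved Application State"

# find_leftovers BUNDLE_ID LIBRARY_ROOT...
# Prints, sorted, every item directly inside a known subfolder of each root
# whose name contains BUNDLE_ID (case-insensitive).
find_leftovers() {
    bundle_id=$1
    # Accept only characters valid in a bundle identifier, so the value
    # cannot act as a wildcard in the find pattern below.
    case $bundle_id in
        ''|*[!A-Za-z0-9.-]*)
            echo "usage: find_leftovers BUNDLE_ID LIBRARY_ROOT..." >&2
            return 2 ;;
    esac
    shift
    for root in "$@"; do
        printf '%s\n' "$LIBRARY_SUBDIRS" | while IFS= read -r sub; do
            [ -d "$root/$sub" ] || continue
            find "$root/$sub" -mindepth 1 -maxdepth 1 \
                -iname "*${bundle_id}*" -print 2>/dev/null || true
        done
    done | sort
}

# Run as a script: ./leftovers.sh com.example.fakecleaner  (constructed ID)
if [ "$#" -ge 1 ]; then
    find_leftovers "$1" "$HOME/Library" /Library
fi
```

Items under LaunchAgents or LaunchDaemons deserve the closest look, since those folders hold jobs that start automatically at login or boot.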

What should I do if I’ve already clicked the link?

Don’t panic. Clicking the link doesn’t necessarily mean you’ll have downloaded malware. However, if you’re taken to a page that asks for personal information, and particularly financial details, so that you can download software to remove the “trojan”, don’t provide them. If you’ve done so already, contact your bank or credit card provider and tell them your account may have been compromised.

If you clicked on the link within the last hour, launch System Preferences from the Apple menu and click on Security & Privacy. Choose the General tab. If any application has tried to install itself on your Mac in the last hour it will be shown there. Gatekeeper will have prevented installation and will allow you to manually give it permission to install. If you do nothing, it won’t install. You can grab the installer from your Downloads folder and put it in the Trash.

If you think you may have downloaded malware by clicking a link on the fake trojan pop-up, you should scan your Mac using an antivirus tool. There are several good ones available for the Mac, most of which will scan for malware free of charge. Some will then require that you pay for the full version before they will remove anything they find, while others will remove it for free. Another option is to use the malware tool in CleanMyMac X.

It scans your Mac and compares what it finds with a regularly updated database of malware. If it finds anything it will tell you and you will be able to remove it with one click. If it doesn’t find anything it will tell you your Mac has a clean bill of health. It’s worth scanning your Mac for malware every week or so after an incident where you think it might have been compromised.

The “we have detected a trojan virus” scam is a particularly nasty piece of malware because it’s designed to trick you into thinking there is something wrong with your Mac when in fact all that’s happened is that you’ve visited a website that’s host to adware. Closing the window should be enough to solve the problem and if you can’t do that, just quit your web browser and relaunch it.

If you’re worried that you may have downloaded malware, however, you should scan your Mac using either an antivirus tool or the malware module in CleanMyMac X.
