Following the wave of scam "MacDefender" software and its variants, Apple recently released a security update for Mac OS X 10.6 that updates the built-in "XProtect" feature to identify these threats. However, after installing the update, a number of people are finding that the system is stuck with high CPU usage, leaving it bogged down and running slowly. Activity Monitor shows a process called "MRT" using a large percentage of CPU, and even when the process is forced to quit, it reappears and continues to use the CPU.
Apple's security update includes three components: an updated definitions file for XProtect, an automatic updater for XProtect, and a temporary system scanner called "MRT."
When you install the update, it replaces the XProtect definitions file and installs the XProtect updater application along with the updater's scheduler file that has it run on a daily basis (unless you turn this feature off in the new setting in the Security system preferences). In addition, the update installs and runs MRT (likely standing for "Malware Removal Tool"), which will scan your system for known malware and notify you that the malware has been removed if it has been located. The scanning process should take only a few minutes, but on some systems it appears to be getting stuck.
Generally forcing stuck processes to quit using Activity Monitor is all that's needed; however, the MRT process comes with a launch agent file that will tell the system to keep relaunching it to continue scanning your system. Normally the MRT process will run once and then self-destruct by removing its three components from the system when the scan is complete. But if the scan gets stuck and cannot complete, then it will not remove itself and will continually try to complete its initial scan.
If this happens to you, there are several approaches you can take, depending on whether you want to allow the MRT scanner to complete:
Permissions fix and general maintenance
If you want the scanner to finish its run, try a basic permissions fix on the hard drive using Disk Utility, and if that doesn't work, run a general maintenance routine to perform a more thorough cleaning. You can run these routines without any additional steps, but stopping the MRT process first may help it complete its scan properly afterward. To do this, perform the following steps:
First stop the MRT process by running the following command in the Terminal:
sudo launchctl stop com.apple.mrt
Run a permissions fix on the boot drive with Disk Utility, or run a full general maintenance routine.
Restart the system (if you have not already done so) and if the MRT process does not automatically relaunch then run the following command in the Terminal:
sudo launchctl start com.apple.mrt
Manually remove MRT
MRT is not necessary to provide ongoing protection of your system. The tool is a temporary scanner that will root out any current detectable malware installations on your system, but when it is done it will remove itself. If you are confident your system does not have malware on it, then you can remove the MRT program and its components to prevent it from running. To do this, perform the following steps:
Disable MRT by opening the Terminal and running the following command:
sudo launchctl remove com.apple.mrt
You can also do this by going to the /System/Library/LaunchDaemons/ folder, deleting the file called "com.apple.mrt.plist," and then restarting your computer.
With the process stopped, remove the MRT-related files by locating and deleting the following items from your system via the Finder (removing just the first and restarting will prevent MRT from running, but without it the other three files have no purpose):
The last file is in a hidden system directory, so to remove it you can either use the Finder's "Go to folder" option or the Terminal. To do this with the Finder, select the "Go to folder" command from the "Go" menu and enter "/usr/libexec" in the text field. Then locate and delete the "MRT" file (do not remove any other files). To use the Terminal, launch the Terminal and then run the following command:
sudo rm /usr/libexec/MRT
If you decide to remove MRT without allowing it to complete its routine, be sure your system does not have any malware on it. If you have a third-party malware scanner that has been updated to identify these new malware threats, then be sure to use that to scan your system, or manually check for any installed malware on your system (see this article for locating and removing the recent MacDefender program).
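A read-only check to run before and after the steps above, added here as an example (it is not from the original article or from Apple): it reports whether launchd still knows the com.apple.mrt job and whether the two MRT files the article names are still on disk. The function names, the optional root-prefix argument and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example. Label and paths are the ones named in the article; the
# function names and the ROOT prefix argument are assumptions of this sketch.
MRT_LABEL="com.apple.mrt"
MRT_FILES="/System/Library/LaunchDaemons/com.apple.mrt.plist /usr/libexec/MRT"

# Read `launchctl list` output (PID, Status, Label columns) on stdin and
# print "running <pid>", "loaded" (known to launchd, no PID) or "absent".
mrt_job_state() {
    awk -v label="$MRT_LABEL" '
        $3 == label {
            found = 1
            if ($1 ~ /^[0-9]+$/) print "running " $1; else print "loaded"
            exit
        }
        END { if (!found) print "absent" }'
}

# Print each article-named MRT file that still exists under ROOT ("" = /).
mrt_files_present() {
    for f in $MRT_FILES; do
        if [ -e "${1:-}$f" ]; then echo "$f"; fi
    done
    return 0
}

# Combine both checks into one word (plus the PID while a scan is active).
mrt_status() {
    job=$(mrt_job_state)
    case "$job" in
        running*) echo "scanning pid=${job#running }" ;;
        loaded)   echo "loaded" ;;
        *)  if [ -n "$(mrt_files_present "${1:-}")" ]; then
                echo "leftover"      # files remain but launchd has no job
            else
                echo "removed"       # self-destructed or manually deleted
            fi ;;
    esac
}

# On the Mac: sh mrt_check.sh --live  (hypothetical file name; system jobs
# are only visible in root's launchd context, hence sudo).
if [ "${1:-}" = "--live" ]; then
    sudo launchctl list | mrt_status
else
    # Constructed sample line, not captured from a real system.
    printf '431\t-\tcom.apple.mrt\n' | mrt_status
fi
```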