-
Dec 21, 2014 9:21 PM in response to Elderathome by gail from maine
Hi Elderathome,
Here are several links from fellow Community Support member Thomas Reed that will help you get your Mac where you want it to be:
http://applehelpwriter.com/2011/09/21/how-to-uninstall-mackeeper-malware/
(one clarification - the link above was provided by Thomas Reed in his article about MacKeeper)
The Safe Mac » Mac Malware Guide
The Safe Mac » Adware Removal Tool
Thomas's The Safe Mac site is full of really good info on how to keep your Mac clean and safe.
Cheers,
GB
-
Dec 21, 2014 11:40 PM in response to Elderathome by MadMacs0
Elderathome wrote:
I have recently joined the Mac community. My wife, thinking that a MacKeeper popup was a system program, installed it. Shortly thereafter our browsers began getting hijacked. Since then we have uninstalled MacKeeper, however I think it is still running in the background.
I doubt that it's still running, but if it is you can stop that by navigating to /Library/LaunchAgents/ and drag "com.zeobit.MacKeeper.Helper" to the Trash. The best way to ensure that there isn't anything else is to use a utility like EasyFind or Find Any File to search your hard drive for both "zeobit" and "mackeeper" (without quotes).
I second gail from maine's recommendation: for faster, more efficient identification and optional removal of all currently known adware, run AdwareMedic, available free from this Forum’s Malware Guru, owner of TheSafeMac blog and a colleague of mine.
If you find you have any, then to understand why this happened and how to avoid it in the future see John Galt’s How to install adware.
-
Dec 22, 2014 10:36 AM in response to Elderathome by Linc Davis
A
"MacKeeper" is a scam with only one useful feature: it deletes itself.
First, back up all data.
Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.
If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.
IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.
In the Finder, select
Go ▹ Applications
from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.
☞ Quit MacKeeper before dragging it to the Trash.
☞ Let MacKeeper delete its other components before you empty the Trash.
☞ Don't try to drag the MacKeeper Dock icon to the Trash.
B
You may also have installed the "Downlite" or "VSearch" ad-injection malware. Follow the instructions on this Apple Support page to remove it.
Back up all data before making any changes.
One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, then you may have an adware variant not covered by the support article. Ask for instructions in that case.
The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.
This malware is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates
if it's not already checked.
-
Dec 22, 2014 6:58 PM in response to Linc Davis by Elderathome
Thanks for the reply. I followed the directions for uninstalling MacKeeper and then reran your command shell script that I found in another post. Unfortunately, MacKeeper still has active scripts running, even after I uninstalled and restarted it. So what do I do if there are still MacKeeper files/scripts running even though I deleted it? I can post the results of that scan if you would like. Thanks again for your help.
-
Dec 22, 2014 7:00 PM in response to MadMacs0 by Elderathome
Thank you for your help, I appreciate it.
-
Dec 22, 2014 7:11 PM in response to Elderathome by Linc Davis
I can post the results of that scan if you would like.
OK.
-
Dec 23, 2014 8:17 PM in response to Linc Davis by Elderathome
Boot Mode: Normal
Model: Macmini6,2
System diagnostics
2014-12-03 spindump crash
User diagnostics
2014-12-21 CalendarAgent crash
Kernel messages
--- last message repeated 122 times ---
Dec 21 23:10:54 BUG in process suhelperd[262]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)
Dec 21 23:44:38 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)
--- last message repeated 122 times ---
Dec 21 23:45:23 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)
Dec 22 07:58:10 wl0: Roamed or switched channel, reason #2, bssid 0c:f8:93:e2:04:20, last RSSI -63
Dec 23 20:20:44 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)
Dec 23 20:20:45 [[0xffffff802ab1a000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.
Dec 23 20:21:33 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)
--- last message repeated 441 times ---
Dec 23 20:23:12 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)
--- last message repeated 3 times ---
Dec 23 20:23:12 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)
--- last message repeated 1 time ---
Dec 23 20:23:12 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)
--- last message repeated 130 times ---
Dec 23 20:23:25 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)
--- last message repeated 20 times ---
Dec 23 20:23:27 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)
--- last message repeated 120 times ---
Dec 23 20:23:36 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)
--- last message repeated 1 time ---
Dec 23 20:23:36 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)
--- last message repeated 1 time ---
Dec 23 20:35:30 [[0xffffff801a7b9000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.
Extrinsic daemons
com.adobe.fpsaud
Extrinsic agents
com.brother.LOGINserver
com.citrix.ServiceRecords
com.adobe.ARM.UUID
com.cinema-+-hd.updater
com.citrix.ReceiverHelper
com.citrix.AuthManager_Mac
com.zeobit.MacKeeper.Helper
com.google.keystone.user.agent
launchd items
/Library/LaunchAgents/com.brother.LOGINserver.plist
(com.brother.LOGINserver)
/Library/LaunchAgents/com.citrix.AuthManager_Mac.plist
(com.citrix.AuthManager_Mac)
/Library/LaunchAgents/com.citrix.ReceiverHelper.plist
(com.citrix.ReceiverHelper)
/Library/LaunchAgents/com.citrix.ServiceRecords.plist
(com.citrix.ServiceRecords)
/Library/LaunchDaemons/com.adobe.fpsaud.plist
(com.adobe.fpsaud)
Library/LaunchAgents/com.adobe.ARM.UUID.plist
(com.adobe.ARM.UUID)
Library/LaunchAgents/com.google.keystone.agent.plist
(com.google.keystone.user.agent)
Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
(com.zeobit.MacKeeper.Helper)
Extrinsic loadable bundles
/System/Library/Extensions/JMicronATA.kext
(com.jmicron.JMicronATA)
/Library/Internet Plug-Ins/AdobePDFViewer.plugin
(com.adobe.acrobat.pdfviewer)
/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin
(com.adobe.acrobat.pdfviewerNPAPI)
/Library/Internet Plug-Ins/CitrixICAClientPlugIn.plugin
(com.citrix.citrixicaclientplugIn)
/Library/Internet Plug-Ins/Flash Player.plugin
(com.macromedia.Flash Player.plugin)
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
(com.apple.java.JavaAppletPlugin)
/Library/PreferencePanes/Flash Player.prefPane
(com.adobe.flashplayerpreferences)
DNS (from DHCP): 24.116.0.53
User login items
iTunesHelper
Restricted user files: 49
Elapsed time (s): 118
-
Dec 23, 2014 8:36 PM in response to Elderathome by MadMacs0
Elderathome wrote:
Unfortunately, MacKeeper still has active scripts running, even after I uninstalled and restarted it.
Where do you see a MacKeeper script running? Is it MacKeeper Helper or something else?
Extrinsic agents
com.zeobit.MacKeeper.Helper
launchd items
Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
(com.zeobit.MacKeeper.Helper)
Either you didn't follow Linc's instructions or (more probably) the MacKeeper uninstall routine leaves files behind.
-
Dec 23, 2014 8:55 PM in response to MadMacs0 by Elderathome
MadMacs0 wrote:
I doubt that it's still running, but if it is you can stop that by navigating to /Library/LaunchAgents/ and drag "com.zeobit.MacKeeper.Helper" to the Trash. The best way to ensure that there isn't anything else is to use a utility like EasyFind or Find Any File to search your hard drive for both "zeobit" and "mackeeper" (without quotes).
So when I navigate to that folder there is no file like that listed. I think it is hidden... Like I said before, I am new to Mac, and have no idea how to find a hidden file. I will attempt to post a screen shot of what I see.
-
Dec 23, 2014 8:59 PM in response to Elderathome by Linc Davis
A
Back up all data before proceeding.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
Right-click or control-click the line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with an item selected. Move the selected item to the Trash. Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
B
You also installed the "CinemaPlus" ad-injection malware. I suggest the procedure below to disable it. This procedure may leave a few small files behind, but it will permanently deactivate the malware (as long as you never reinstall it.)
Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
Back up all data before proceeding.
Step 1
From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall any extensions you don't know you need, including one called "Cinema-Plus." If in doubt, uninstall all extensions. Do the equivalent in the Chrome browser, if you use it.
Step 2
Triple-click anywhere in the line below on this page to select it:
~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/144ee21a-8997-41ab-96a6-b13f40648ffd@1ab45825-655a-4789-a375-a283ea7ca5c5.com
Right-click or control-click the line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.
If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
A folder may open with an item selected. It will have a long name ending in ".com". Move it to the Trash.
Move this item, if it exists, to the Trash in the same way:
~/Library/LaunchAgents/cinemas-+-plus-+_updater.plist
If there are any other files in the same folder with a similar name beginning in "cinemas-+-plus", move them to the Trash too.
Log out or restart the computer and empty the Trash.
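
A read-only way to run the check this thread converges on, covering both the per-user ~/Library/LaunchAgents folder and the system-wide /Library folders, since the leftover Helper plist was in the former. This is an added example, not part of any post in the thread; the function name audit_launchd and its two parameters are assumptions, and the search patterns are the names mentioned in the posts.

```shell
#!/bin/sh
# Added example: read-only audit of launchd job definitions.
# Patterns are the names mentioned in the thread; audit_launchd and its
# ROOT/HOME_DIR parameters are hypothetical, introduced for illustration.

PATTERNS='zeobit|mackeeper|cinema'

# audit_launchd [ROOT] [HOME_DIR]
# Prints "<domain><TAB><path>" for every plist whose file name or contents
# match PATTERNS. ROOT defaults to "" (the real /), HOME_DIR to $HOME.
# Nothing is moved or deleted; removal stays a manual, reviewed step.
audit_launchd() {
    root=${1:-}
    home=${2:-$HOME}
    for entry in \
        "user:$home/Library/LaunchAgents" \
        "system:$root/Library/LaunchAgents" \
        "system:$root/Library/LaunchDaemons"
    do
        domain=${entry%%:*}      # text before the first colon
        dir=${entry#*:}          # everything after it
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -e "$plist" ] || continue      # glob matched nothing
            name=${plist##*/}
            # Match on the file name first, then on the contents, so a job
            # under an unrelated file name is still reported. -a makes grep
            # read binary plists as text so embedded strings still match.
            if printf '%s\n' "$name" | grep -Eiq "$PATTERNS" ||
               grep -Eaiq "$PATTERNS" "$plist"; then
                printf '%s\t%s\n' "$domain" "$plist"
            fi
        done
    done
}

# Scan the live system only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_launchd
fi
```

A "user" line means the item lives under the home folder, which is why it does not appear when browsing /Library/LaunchAgents at the top level of the disk.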
-
Dec 23, 2014 9:29 PM in response to Linc Davis by Elderathome
Between your and MadMacs0's recommendations, all evidence of this stupid program is finally gone. Thank you all so much. I really appreciate it. Happy holidays to you all!
-
Dec 23, 2014 9:31 PM in response to MadMacs0 by Elderathome
Thank you for your help! Between your and Linc's instructions, it is finally fixed. Happy Holidays!
-
