Q: MacKeeper install nightmare

@Kurt Lang

I already had EasyFind, which was unable to "see" any of the items, although File Buddy can.

File Buddy found pishaugupd.root   (@0 K) in Macintosh HD/private/var/tmp

It found cellulate    (of size - ) in Macintosh HD/private/var

It found com.apple.launchd.peruser.401 twice, once  in Macintosh HD/private/var/db/launchd.db   and once in Macintosh HD/private/var/log

Each of these items showed a tiny red minus sign over the folder icon and will not allow me to open or delete it in File Buddy

All four items are the last which appeared in the one or two minutes during the MacKeeper install

What Size supposedly allowed me to delete these items as admin, EXCEPT for some parts of cellulate bc it said it is owned by root.

@thomas_r.

I followed your Terminal suggestions, but grr.

Macs-MacBook-Pro:~ MBPr$ dscl . -list /Users UniqueID | grep 401

cellulate               401

The create user command asked for my password, which I supplied, but this "cellulate" user does NOT show up in SysPrefs. and so, I cannot delete it.

Tried the two Terminal commands a second time with the same results.

File Buddy cannot find cellulate anymore, although it does find the 0 K pishaugupd.root which What Size ostensibly deleted. What Size cannot find cellulate either.

I did a safe boot and a reboot and Other still shows up on the login screen.

ARG!!!

I am still searching for answers, and in another forum one guy said the Other on my login screen is a "Group user" because the icon looks like this

Don't know if this makes any difference in possible solutions.

tried that and got

Last login: Thu May 12 17:51:19 on ttys000

Macs-MacBook-Pro:~ MBPr$ sudo dscl . delete /Users/cellulate

Password:

delete: Invalid Path

<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)

Macs-MacBook-Pro:~ MBPr$

Even more weirdly, the earlier Command

dscl . -list /Users UniqueID | grep 401

now yields no result

HA! I just logged out and MIRACLE! the Other group login has disappeared!

Thanks for your help thomas_r.

FWIW there is still one item left from the two minutes during that MacKeeper install

pishaugupd.root

File Buddy's info

I tried changing the owner to myself to delete, but NG.

Cannot find one iota of info about this apparently empty exec

File Buddy continues to find the 0 bytes pishaugupd.root in

Macintosh HD/private/var/tmp

What Size can find it, and I tried as admin to delete it, but it did not

Same for Easy Find, which cannot open the folder via Reveal In Finder

Finder>Go can't find it either

tried Terminal

defaults write com.apple.finder AppleShowAllFiles TRUE && killall Finder

pishaugupd.root doesn't show up so I can't drag it to the trash

tried

Macs-MacBook-Pro:~ MBPr$ chown MBPr pishaugupd.root

chown: pishaugupd.root: No such file or directory

I'm beginning to think there is some ghost in the machine with respect to these various 3rd party apps continuing to find this file.

here's Terminal's response to

ls -alO /private/var/tmp/

total 368

drwxrwxrwt  13 root  wheel  -  442 May 13 17:31 .

drwxr-xr-x  27 root  wheel  -  918 May 12 12:31 ..

-rw-r--r--  1 root  wheel  -    0 Mar 27  2015 DeferredInstallFixup.file_list

drwxr-xr-x  2 root  wheel  -    68 Mar 13  2015 MPSJ2IBU

drwxr-xr-x  2 root  wheel  -    68 Aug  1  2015 MPVSJES7

-rw-r--r--  1 MBPr  wheel  -  3411 Sep 23  2014 cfnetworkagent.log

-rw-r--r--  1 root  wheel  - 14281 Aug 19  2014 configd-pattern.plist

-rw-r--r--  1 root  wheel  -  8649 Aug 19  2014 configd-reachability

-rw-r--r--  1 root  wheel  - 11814 Aug 19  2014 configd-session.plist

-rw-r--r--  1 root  wheel  - 88233 Aug 19  2014 configd-state

-rw-r--r--  1 root  wheel  - 49277 Aug 19  2014 configd-store.plist

drwx------  3 root  wheel  -  102 May 12 12:55 launchd

srwxr-x---  1 root  wheel  -    0 May  2 19:47 pishaugupd.root

P.S. Just curious, what is the meaning of that command you had me enter?

Many, many thanks to thomas_r. for patiently working with me to solve this nightmare.

FWIW I recommend File Buddy (not cheap, but worth it) which can search for and find just about anything via any number of criteria. I initially used it to ascertain what had been done in the two minutes during the MacKeeper installation.

I also looked thru the pertinent console install log and perused it carefully. That is where I discovered my browsers' preferences had been hijacked to use search-quick.com as a default search engine.

    "Search-quick.com virus is a browser hijacker that is distributed to random computer systems together with freeware applications. It infiltrates to Internet Explorer, Mozilla Firefox, Google Chrome and Safari, and once there, changes the main settings of these browsers."

Be careful out there!