Help with mackeeperapp2 hijacking

It's malware.

Use the removal tool here > The Safe Mac » Adware Removal Guide

About read about: Beware MaKeeper zeobit here > http://www.thesafemac.com/?s=zeobit&submit=Search

Exposing the /Home/Library/ Folder

Pick one of the following methods:

A. This method will make the folder visible permanently. Open the Terminal application in your Utilities folder and paste the following at the command prompt:

chflags nohidden ~/Library

Press RETURN.

B. Click on the Desktop, press the OPTION (⌥) button, select Library from the Finder's Go menu.

C. Select Go To Folder from the Finder's Go menu. Paste the following in the path field:

~/Library

Press the Go button.

You will find the Saved Application State folder in the /Home/Library/ folder.

The Safe Mac » Adware Removal Guide

How to Remove MacKeeper

Some of those scam pages can be dismissed very easily. Press command-W to close the tab or window. A huge box will pop up. Press the return key and both the box and the page will close. If that doesn't happen, continue.

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Security

and uncheck the box marked Enable JavaScript. Leave the preferences dialog open.

Close the malicious window or tab.

Re-enable JavaScript and close the preferences dialog.

If the Preferences menu item is grayed out, quit Safari. Force quit if necessary. Relaunch it by holding down the shift key and clicking its icon in the Dock. From the menu bar, select

Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data

to get rid of any cookies or other data left by the server. Open your Downloads folder and delete anything you don't recognize.

THIS IS GRNGIRL again. Had to log on as a different user because my husband logged on lastnight and I dont know his password, so this conversation is continuing with me as Ilisidi.

The malware has not been installed yet. So uninstall processes and removal tools arent helpful. I'm just afraid that if I click 'cancel' or 'ok' I will inadvertantly install mackeeperapp2. What I need to do is make Safari forget where I last was so that it opens fresh. I just learned about Time Machine back up - since I didnt know about it, it wasnt turned on. Is there any other way to reset the computer to a time before I was hijacked?

-I was able to find the library. With Safari opened, I was able to find the com.apple.safari.savedstate folder and remove it to the trash, and empty the trash. I then closed Safari and reopened it - but all of the windows opened again. (I could not find the saveState folder when Safari was closed)

-Command W did nothing

-Preferences are grayed out even with computer in safemode and Safari opened while holding the shift key

-I have not deleted cookies or cach or downloads yet

Just click OK or do whatever the page is trying to get you to do. Nothing will be installed. Some garbage will be downloaded, which you can then delete. Then go into Safari's preferences and check the setting for the home page. If you don't know what it is, delete it.

Ok. I pushed OK and the world didnt end. It didnt appear to download anything, but I went ahead and deleted downloads anyway. My home page was still set, so I guess I'm in the clear and I don't need to panic next time something like that happens - I just need to click ok and look for unknown downloads.

Thanks for the help!!!!!

To keep the mackeeper page from ever bothering you again, you can enter this in the terminal (copy/paste):

sudo bash -c "echo 127.0.0.1$'\t'mackeeperapp2.zeobit.com>>/private/etc/hosts"

It will ask you for your password, then add mackeeperapp2.zeobit.com to your localhost list in your hosts file. After that, run this:

dscacheutil -flushcache;sudo killall -HUP mDNSResponder

to flush your cache. You will be asked to enter your password again.

You can test if this worked by then going to mackeeperapp2.zeobit.com in your web browser of choice.

It should say something like "cant connect to the server" if you have done everything correctly.

If it loads the webpage, then you did something wrong.