ANNOYING MACKEEPER TABS AND POPUP ADS

arsi.17 wrote:

I too tried Linc Davis method but nothing happened after i clicked "reveal in folder". i am stuck at that step so any kind of help will be much appreciated. Thankyou in advance.

Link Davis no longer posts here. His procedure was rater arcane and idiosyncratic. There's really no one who can help you with it. I suggest you start your own thread. Explain your problem and the steps you've taken already. You'll get lots of help.

In the meantime, here are some resources:

Phony "tech support" / "ransomware" popups and web pages

Malwarebytes and Etrecheck are two applications, each written by a trusted, long time member of these forums:

Malwarebytes | Free Cyber Security & Anti-Malware Software

https://www.etrecheck.com/

Start time: 13:24:07 12/24/17

Model Identifier: MacBookPro14,2

System Version: macOS 10.12.6 (16G29)

Kernel Version: Darwin 16.7.0

System Integrity Protection: Enabled

Time since boot: 10:37

FileVault: On

Diagnostic reports

2017-12-19 firefox hang

2017-12-24 VLC crash

Log

Dec 17 13:39:27 com.google.keystone.user.agent: Service exited with abnormal code: 1

Dec 24 02:47:31 com.apple.Kerberos.digest-service: Service exited with abnormal code: 1

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/XPCServic es/com.apple.FCiCloudPrefUpdater.xpc/Contents/MacOS/com.apple.FCiCloudPrefUpdate r error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedSer viceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCTimeSta mpingService.xpc/Contents/MacOS/XPCTimeStampingService error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Diction aryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.x pc/Contents/MacOS/com.apple.DictionaryServiceHelper error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/ Contents/MacOS/com.apple.hiservices-xpcservice error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCKeychai nSandboxCheck.xpc/Contents/MacOS/XPCKeychainSandboxCheck error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/IOKit.framework/Versions/A/XPCServices/IOServiceAuth orizeAgent.xpc/Contents/MacOS/IOServiceAuthorizeAgent error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XP CServices/com.apple.SpeechRecognitionCore.brokerd.xpc/Contents/MacOS/com.apple.S peechRecognitionCore.brokerd error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCTimeSta mpingService.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XP CServices/com.apple.SpeechRecognitionCore.brokerd.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedSer viceRunner.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Diction aryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.x pc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/IOKit.framework/Versions/A/XPCServices/IOServiceAuth orizeAgent.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCKeychai nSandboxCheck.xpc, error = 1: Operation not permitted

Dec 24 02:49:43 com.apple.mdworker.shared.UUID: Service exited with abnormal code: 255

CPU per process: AddressBookManag (UID 501) is using 82.4 %

kexts

com.malwarebytes.mbam.rtprotection (3.1.1) UUID

Daemons

com.malwarebytes.mbam.rtprotection.daemon

com.microsoft.office.licensingV2.helper

com.malwarebytes.mbam.settings.daemon

com.adobe.fpsaud

Agents

com.skype.skype.shareagent

com.malwarebytes.mbam.frontend.agent

com.biomagnetic.di.app

/Library/sculper/sculper

com.apple.iBooksX.CacheDelete

com.google.keystone.user.agent

com.apple.AirPortBaseStationAgent

Bundles

/Library/Extensions/com.malwarebytes.mbam.rtprotection.kext

- com.malwarebytes.mbam.rtprotection

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences

Library/Address Book Plug-Ins/SkypeABCaller.bundle

- com.skype.SkypeABCaller

Library/Address Book Plug-Ins/SkypeABChatter.bundle

- com.skype.SkypeABChatter

Library/Address Book Plug-Ins/SkypeABDialer.bundle

- com.skype.SkypeABDialer

Library/Address Book Plug-Ins/SkypeABSMS.bundle

- com.skype.SkypeABSMS

Library/Keyboard/en-dynamic.lm

- com.apple.LanguageModeling.en

App extensions

com.skype.skype.ShareExtension

Contents of /etc/hosts (checksum 3099933916)

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost

Contents of /etc/pf.conf (checksum 2891177609)

scrub-anchor "com.apple/*"

nat-anchor "com.apple/*"

rdr-anchor "com.apple/*"

dummynet-anchor "com.apple/*"

anchor "com.apple/*"

load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Contents of /etc/syslog.conf (checksum 2399118465)

install.* @127.0.0.1:32376

Contents of /etc/pam.d/authorization (checksum 1288902703)

auth optional pam_krb5.so use_first_pass use_kcminit

auth optional pam_ntlm.so use_first_pass

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so

Contents of /etc/pam.d/authorization_aks (checksum 841932527)

auth required pam_aks.so

account required pam_opendirectory.so

Contents of /etc/pam.d/authorization_ctk (checksum 2418984201)

auth required pam_smartcard.so use_first_pass pkinit

account required pam_opendirectory.so

Contents of /etc/pam.d/authorization_la (checksum 2713564393)

auth required pam_localauthentication.so

auth required pam_aks.so

account required pam_opendirectory.so

Contents of /etc/pam.d/checkpw (checksum 2672765862)

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so no_check_home no_check_shell

Contents of /etc/pam.d/chkpasswd (checksum 335781771)

auth required pam_opendirectory.so

account required pam_opendirectory.so

password required pam_permit.so

session required pam_permit.so

Contents of /etc/pam.d/cups (checksum 2842188894)

auth required pam_opendirectory.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so

Contents of /etc/pam.d/ftpd (checksum 2001169128)

auth required pam_opendirectory.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so

Contents of /etc/pam.d/login (checksum 1242678644)

auth optional pam_krb5.so use_kcminit

auth optional pam_ntlm.so try_first_pass

auth optional pam_mount.so try_first_pass

auth required pam_opendirectory.so try_first_pass

account required pam_nologin.so

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_launchd.so

session required pam_uwtmp.so

session optional pam_mount.so

Contents of /etc/pam.d/login.term (checksum 3930746290)

account required pam_nologin.so

account required pam_opendirectory.so

session required pam_uwtmp.so

Contents of /etc/pam.d/other (checksum 2748091512)

auth required pam_deny.so

account required pam_deny.so

password required pam_deny.so

session required pam_deny.so

Contents of /etc/pam.d/passwd (checksum 1026516346)

auth required pam_permit.so

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_permit.so

Contents of /etc/pam.d/screensaver (checksum 3141704602)

auth optional pam_krb5.so use_first_pass use_kcminit

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Contents of /etc/pam.d/screensaver_aks (checksum 3209544573)

auth required pam_aks.so

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Contents of /etc/pam.d/screensaver_ctk (checksum 367670211)

auth required pam_smartcard.so use_first_pass

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Contents of /etc/pam.d/screensaver_la (checksum 589164084)

auth required pam_localauthentication.so

auth required pam_aks.so

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Contents of /etc/pam.d/smbd (checksum 2516643123)

account required pam_sacl.so sacl_service=smb allow_trustacct

session required pam_permit.so

Contents of /etc/pam.d/sshd (checksum 2989478361)

auth optional pam_krb5.so use_kcminit

auth optional pam_ntlm.so try_first_pass

auth optional pam_mount.so try_first_pass

auth required pam_opendirectory.so try_first_pass

account required pam_nologin.so

account required pam_sacl.so sacl_service=ssh

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_launchd.so

session optional pam_mount.so

Contents of /etc/pam.d/su (checksum 2045483434)

auth sufficient pam_rootok.so

auth required pam_opendirectory.so

account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe

account required pam_opendirectory.so no_check_shell

password required pam_opendirectory.so

session required pam_launchd.so

Contents of /etc/pam.d/sudo (checksum 3515993703)

auth required pam_opendirectory.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so

Contents of /etc/periodic/daily/110.clean-tmps (checksum 4099837049)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_clean_tmps_enable" in

[Yy][Ee][Ss])

if [ -z "$daily_clean_tmps_days" ]

then

echo '$daily_clean_tmps_enable is set but' \

'$daily_clean_tmps_days is not'

rc=2

else

echo ""

echo "Removing old temporary files:"

set -f noglob

args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days"

args="${args} -ctime +$daily_clean_tmps_days"

dargs="-empty -mtime +$daily_clean_tmps_days"

dargs="${dargs} ! -name .vfs_rsrc_streams_*"

[ -n "$daily_clean_tmps_ignore" ] && {

args="$args "`echo " ${daily_clean_tmps_ignore% }" |

sed 's/[ ][ ]*/ ! -name /g'`

dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" |

sed 's/[ ][ ]*/ ! -name /g'`

...and 21 more line(s)

Contents of /etc/periodic/daily/130.clean-msgs (checksum 4292599426)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_clean_msgs_enable" in

[Yy][Ee][Ss])

if [ ! -d /var/msgs ]

then

echo '$daily_clean_msgs_enable is set but /var/msgs' \

"doesn't exist"

rc=2

else

echo ""

echo "Cleaning out old system announcements:"

[ -n "$daily_clean_msgs_days" ] &&

arg=-${daily_clean_msgs_days#-} || arg=

msgs -c $arg && rc=0 || rc=3

fi;;

*) rc=0;;

esac

exit $rc

Contents of /etc/periodic/daily/140.clean-rwho (checksum 659374794)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_clean_rwho_enable" in

[Yy][Ee][Ss])

if [ -z "$daily_clean_rwho_days" ]

then

echo '$daily_clean_rwho_enable is enabled but' \

'$daily_clean_rwho_days is not set'

rc=2

elif [ ! -d /var/rwho ]

then

echo '$daily_clean_rwho_enable is enabled but /var/rwho' \

"doesn't exist"

rc=2

else

echo ""

echo "Removing stale files from /var/rwho:"

case "$daily_clean_rwho_verbose" in

[Yy][Ee][Ss])

print=-print;;

*)

print=;;

...and 14 more line(s)

Contents of /etc/periodic/daily/199.clean-fax (checksum 1104983357)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

if [ -d /var/spool/fax ]; then

echo ""

echo "Removing scratch fax files"

cd /var/spool/fax && \

find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1;

fi

Contents of /etc/periodic/daily/310.accounting (checksum 3208203734)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_accounting_enable" in

[Yy][Ee][Ss])

if [ ! -f /var/account/acct ]

then

echo '$daily_accounting_enable is set but /var/account/acct' \

"doesn't exist"

rc=2

elif [ -z "$daily_accounting_save" ]

then

echo '$daily_accounting_enable is set but ' \

'$daily_accounting_save is not'

rc=2

else

echo ""

echo "Rotating accounting logs and gathering statistics:"

cd /var/account

rc=0

n=$daily_accounting_save

rm -f acct.$n.gz acct.$n || rc=3

m=$n

...and 18 more line(s)

Contents of /etc/periodic/daily/400.status-disks (checksum 1480768650)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_status_disks_enable" in

[Yy][Ee][Ss])

echo ""

echo "Disk status:"

df $daily_status_disks_df_flags && rc=1 || rc=3

;;

*) rc=0;;

esac

exit $rc

Contents of /etc/periodic/daily/420.status-network (checksum 2730873650)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_status_network_enable" in

[Yy][Ee][Ss])

echo ""

echo "Network interface status:"

case "$daily_status_network_usedns" in

[Yy][Ee][Ss])

netstat -i && rc=0 || rc=3;;

*)

netstat -in && rc=0 || rc=3;;

esac;;

*) rc=0;;

esac

exit $rc

Contents of /etc/periodic/daily/430.status-rwho (checksum 3455351261)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_status_rwho_enable" in

[Yy][Ee][Ss])

rwho=$(echo /var/rwho/*)

if [ -f "${rwho%% *}" ]

then

echo ""

echo "Local network system status:"

prog=ruptime

else

echo ""

echo "Local system status:"

prog=uptime

fi

rc=$($prog | tee /dev/stderr | wc -l)

if [ $? -eq 0 ]

then

[ $rc -gt 1 ] && rc=1

else

rc=3

fi;;

...and 3 more line(s)

Contents of /etc/periodic/daily/999.local (checksum 2319755381)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

rc=0

for script in $daily_local

do

echo ''

case "$script" in

/*)

if [ -f "$script" ]

then

echo "Running $script:"

sh $script || rc=3

else

echo "$script: No such file"

[ $rc -lt 2 ] && rc=2

fi;;

*)

echo "$script: Not an absolute path"

[ $rc -lt 2 ] && rc=2;;

esac

done

exit $rc

Contents of /etc/periodic/monthly/199.rotate-fax (checksum 3437454680)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

echo ""

printf %s "Rotating fax log files:"

cd /var/log/fax

for i in *.log; do

if [ -f "${i}" ]; then

echo -n " $i"

if [ -x /usr/bin/gzip ]; then gzext=".gz"; else gzext=""; fi

if [ -f "${i}.3${gzext}" ]; then mv -f "${i}.3${gzext}" "${i}.4${gzext}"; fi

if [ -f "${i}.2${gzext}" ]; then mv -f "${i}.2${gzext}" "${i}.3${gzext}"; fi

if [ -f "${i}.1${gzext}" ]; then mv -f "${i}.1${gzext}" "${i}.2${gzext}"; fi

if [ -f "${i}.0${gzext}" ]; then mv -f "${i}.0${gzext}" "${i}.1${gzext}"; fi

if [ -f "${i}" ]; then mv -f "${i}" "${i}.0" && if [ -x /usr/bin/gzip ]; then gzip -9 "${i}.0"; fi; fi

touch "${i}" && chmod 640 "${i}" && chown root:admin "${i}"

fi

done

echo ""

Contents of /etc/periodic/monthly/200.accounting (checksum 3541581936)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

oldmask=$(umask)

umask 066

case "$monthly_accounting_enable" in

[Yy][Ee][Ss])

W=/var/log/wtmp

rc=0

remove=NO

if [ $rc -eq 0 ]

then

echo ""

echo "Doing login accounting:"

rc=$(ac -p | sort -nr -k 2 | tee /dev/stderr | wc -l)

[ $rc -gt 0 ] && rc=1

fi

[ $remove = YES ] && rm -f $W.0;;

*) rc=0;;

esac

umask $oldmask

exit $rc

Contents of /etc/periodic/monthly/999.local (checksum 2355967272)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

rc=0

for script in $monthly_local

do

echo ''

case "$script" in

/*)

if [ -f "$script" ]

then

echo "Running $script:"

sh $script || rc=3

else

echo "$script: No such file"

[ $rc -lt 2 ] && rc=2

fi;;

*)

echo "$script: Not an absolute path"

[ $rc -lt 2 ] && rc=2;;

esac

done

exit $rc

Contents of /etc/periodic/weekly/320.whatis (checksum 922328658)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$weekly_whatis_enable" in

[Yy][Ee][Ss])

echo ""

echo "Rebuilding whatis database:"

MANPATH=`/usr/bin/manpath -q`

if [ $? = 0 ]

then

if [ -z "${MANPATH}" ]

then

echo "manpath failed to find any manpage directories"

rc=3

else

rc=0

/usr/libexec/makewhatis.local "${MANPATH}" || rc=3

if [ X"${man_locales}" != X ]

then

for i in ${man_locales}

do

LC_ALL=$i /usr/libexec/makewhatis.local -a \

-L "${MANPATH}" || rc=3

...and 9 more line(s)

Contents of /etc/periodic/weekly/999.local (checksum 3078968429)

if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

rc=0

for script in $weekly_local

do

echo ''

case "$script" in

/*)

if [ -f "$script" ]

then

echo "Running $script:"

sh $script || rc=3

else

echo "$script: No such file"

[ $rc -lt 2 ] && rc=2

fi;;

*)

echo "$script: Not an absolute path"

[ $rc -lt 2 ] && rc=2;;

esac

done

exit $rc

Contents of /Library/Preferences/com.apple.security.appsandbox.plist (checksum 2599182411)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>UnrestrictSpotlightContainerScope</key>

<true/>

</dict>

</plist>

Contents of /Library/Preferences/SystemConfiguration/com.apple.Boot.plist (checksum 1199119104)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Kernel Flags</key>

<string></string>

</dict>

</plist>

Root crontab

46 * * * * /Library/decad.bz/decad.bz cr

User login items

iTunesHelper

- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

uTorrent

- missing value

Restricted files: 6

Lockfiles: 1

Elapsed time (s): 176

Although this thread is rather old, I notice you had All2MP3 listed in your apps.

Anyway, to others, All2MP3 is/has been bundling MacKeeper with their updates and installation is obligatory. It's possible people are taking their 100% free, absolutely no malware nonsense a bit too literally, and ignoring the initial notice that MacKeeper will be installed.

Delete the app, unless you have a really old version, as the newer versions will just keep pulling in MacKeeper, no matter what anti-Zeobit strategies. There are possibly other apps that will do the same thing. OSX updates should include a blacklist that will simply refuse to install apps like All2MP3, no options, no workarounds.

Yes... till now... the problem is still here... I also tried to re-install Chrome but there are still pop-up tabs about those Mackeeper stuff... very annoying... and sometimes... I even have problem quiting that tab... like everytime I click into a link or tab or anything on some websites... it brings me to another pop-up ads about Mackeeper... there are also ads which uses the Apple web page as the background... pls help Apple or anyone

StephenWu2003 wrote:

pls help Apple or anyone

This is a User Forum, so Apple rarely responds and since the discussion is almost three years old, nobody else is likely to either.

First run MalwareBytes Anti-Malware for Mac to make sure you don't haven't installed any Adware or other nasty stuff.

If you didn't see anything else posted that helped you, best to start your own discussion and give more detail on what you are seeing and have done already. Run EtreCheck and post the results to your new discussion.

Linc no longer participates in these Forums, nor is there a way to edit an entry after fifteen minutes or so.

That's one of the reasons we don't recommend paying strict attention to discussions like this that is almost three years old.

If you need help, start a new discussion topic, explaining in detail exactly what you are observing, to include screenshots where necessary. That's just the way this Forum works best.

Hi

I dont know if anybody in this thread is gonna be still around to answer cause it was posted three years ago but I am having the same issue and it is so annoying. I tried the above method but it sys no dile found. what do i do?any suggestions?

Thank you so much!

I am having this problem too, now in 2017, were you able to solve it? Nothing comes up, even when I tried pasting /Library/LaunchAgents/com.vsearch.agent.plist in the Go To Folder in Finder, it says "The folder can't be found"

Help please, anyone?

Linc no longer participates in these Forums and nobody else is able to interpret his diagnostics.

That's one of the reasons we don't recommend paying strict attention to discussions like this which is over three years old.

If you need help and don't see it here, start a new discussion topic, explaining in detail exactly what you are observing, to include screenshots where necessary, without jumping to conclusions as to it's cause. That's just the way this Forum works best.

I had the same problem, and I've tried everything and nothing worked.

Today I've got the solution. I've created a new user in my mac, and then copied the "safari" folder inside "library" of the new account into my old user "library" folder, replaced the files and finally the tabs and popups were gone.
Hope it works for you too.

Best!

hi there Linc! I've seen that a lot of people had great results with your steps on removing these ads in safari, however i'm not one of them 😟 i have the same issue, everytime i open up safari an ad will show up, most of the times are mackeeper ads. I followed your steps but was still facing the same issue. One thing you might want to know is that none of the folders mentioned in your steps ( ones to delete ) are present during the process. I tried nearly everything and even upgrading my software. Still, nothing happened.Please help! :"(

Linc no longer participates in these Forums and nobody else is able to interpret his diagnostics.

That's one of the reasons we don't recommend paying strict attention to discussions like this which is almost four years old. It's no surprise that those folders no longer exist after three OS updates.

If you need help and don't see it here, start a new discussion topic, explaining in detail exactly what you are observing, to include screenshots where necessary, without jumping to conclusions as to it's cause. That's just the way this Forum works best.

Use the malware removal tool here > The Safe Mac » Adware Removal Guide

You installed the "DownLite" trojan, perhaps under a different name. Remove it as follows.

Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data.

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchAgents/com.vsearch.agent.plist

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "VSearch" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist

Restart the computer and empty the Trash. Then delete the following items in the same way:

/Library/Application Support/VSearch
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including any that have the word "Spigot" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

This trojan is distributed on illegal websites that traffic in pirated movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the DownLite developer has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight is inexcusable and has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.