You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

ANNOYING MACKEEPER TABS AND POPUP ADS

Hi there,


I bought a new macbook air 2 weeks ago, all has been well and good (new to mac products, always for android, still am).


Safari has also been good, as well as chrome, but as of recently, this whole "MacKeeper", "Zeobit.com" **** is completely taking over my search engines etc, problems including:


- Clean up mac ads everywhere, as well as the typical "Get a new iPhone 5' rubbish

- When clicking on links, my top sites tab shows up as well as the typical "MacKeeper" download page in another. I can only open links by pressing command to open in new tabs, however my top sites tab opens as well as the Mackeeper download page, along with it's fling annoying ads

- Ads as well before relevant google search links, like "Pages related to...." With zeobit.com on every inch of my ******* screen


Note that:


- I HAVE NOT downloaded anything to do with mackeeper, so uninstalling programs etc is unnecessary information - purely mackeeper tab and popup annoyances

- I have TRIED to 'restart' safari and remove cache, nothing works

- I have done the whole system preferences, privacy, remove all website data (which this zeobit.com **** is listed), and I remove zeobit.com but it just goes back on the list when I go through this process again

- Yes I have 'block popup ads' ticked


Can someone give me a solution to removing these popups with anything to do with zeobit.com and fling mackeeper which doesn't require me to read a long page of information? I'm about to smash my screen in here.

Posted on Jul 10, 2014 4:48 AM

Reply
341 replies

Jul 9, 2017 8:05 AM in response to arsi.17

arsi.17 wrote:


I too tried Linc Davis method but nothing happened after i clicked "reveal in folder". i am stuck at that step so any kind of help will be much appreciated. Thankyou in advance.

Link Davis no longer posts here. His procedure was rater arcane and idiosyncratic. There's really no one who can help you with it. I suggest you start your own thread. Explain your problem and the steps you've taken already. You'll get lots of help.


In the meantime, here are some resources:


Phony "tech support" / "ransomware" popups and web pages


Malwarebytes and Etrecheck are two applications, each written by a trusted, long time member of these forums:


Malwarebytes | Free Cyber Security & Anti-Malware Software


https://www.etrecheck.com/

Dec 24, 2017 8:41 PM in response to Linc Davis

Start time: 13:24:07 12/24/17



Model Identifier: MacBookPro14,2

System Version: macOS 10.12.6 (16G29)

Kernel Version: Darwin 16.7.0

System Integrity Protection: Enabled

Time since boot: 10:37



FileVault: On



Diagnostic reports



2017-12-19 firefox hang

2017-12-24 VLC crash



Log



Dec 17 13:39:27 com.google.keystone.user.agent: Service exited with abnormal code: 1

Dec 24 02:47:31 com.apple.Kerberos.digest-service: Service exited with abnormal code: 1

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/XPCServic es/com.apple.FCiCloudPrefUpdater.xpc/Contents/MacOS/com.apple.FCiCloudPrefUpdate r error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedSer viceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCTimeSta mpingService.xpc/Contents/MacOS/XPCTimeStampingService error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Diction aryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.x pc/Contents/MacOS/com.apple.DictionaryServiceHelper error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/ Contents/MacOS/com.apple.hiservices-xpcservice error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCKeychai nSandboxCheck.xpc/Contents/MacOS/XPCKeychainSandboxCheck error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/IOKit.framework/Versions/A/XPCServices/IOServiceAuth orizeAgent.xpc/Contents/MacOS/IOServiceAuthorizeAgent error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XP CServices/com.apple.SpeechRecognitionCore.brokerd.xpc/Contents/MacOS/com.apple.S peechRecognitionCore.brokerd error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityA gent.bundle

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCTimeSta mpingService.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XP CServices/com.apple.SpeechRecognitionCore.brokerd.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedSer viceRunner.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Diction aryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.x pc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/IOKit.framework/Versions/A/XPCServices/IOServiceAuth orizeAgent.xpc, error = 1: Operation not permitted

Dec 24 02:47:33 com.apple.xpc.launchd.domain.pid.SecurityAgent.223: Failed to bootstrap path: path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCKeychai nSandboxCheck.xpc, error = 1: Operation not permitted

Dec 24 02:49:43 com.apple.mdworker.shared.UUID: Service exited with abnormal code: 255



CPU per process: AddressBookManag (UID 501) is using 82.4 %



kexts



com.malwarebytes.mbam.rtprotection (3.1.1) UUID



Daemons



com.malwarebytes.mbam.rtprotection.daemon

com.microsoft.office.licensingV2.helper

com.malwarebytes.mbam.settings.daemon

com.adobe.fpsaud



Agents



com.skype.skype.shareagent

com.malwarebytes.mbam.frontend.agent

com.biomagnetic.di.app

/Library/sculper/sculper

com.apple.iBooksX.CacheDelete

com.google.keystone.user.agent

com.apple.AirPortBaseStationAgent



Bundles



/Library/Extensions/com.malwarebytes.mbam.rtprotection.kext

- com.malwarebytes.mbam.rtprotection

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences

Library/Address Book Plug-Ins/SkypeABCaller.bundle

- com.skype.SkypeABCaller

Library/Address Book Plug-Ins/SkypeABChatter.bundle

- com.skype.SkypeABChatter

Library/Address Book Plug-Ins/SkypeABDialer.bundle

- com.skype.SkypeABDialer

Library/Address Book Plug-Ins/SkypeABSMS.bundle

- com.skype.SkypeABSMS

Library/Keyboard/en-dynamic.lm

- com.apple.LanguageModeling.en



App extensions



com.skype.skype.ShareExtension



Contents of /etc/hosts (checksum 3099933916)



127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost



Contents of /etc/pf.conf (checksum 2891177609)



scrub-anchor "com.apple/*"

nat-anchor "com.apple/*"

rdr-anchor "com.apple/*"

dummynet-anchor "com.apple/*"

anchor "com.apple/*"

load anchor "com.apple" from "/etc/pf.anchors/com.apple"



Contents of /etc/syslog.conf (checksum 2399118465)



install.* @127.0.0.1:32376



Contents of /etc/pam.d/authorization (checksum 1288902703)



auth optional pam_krb5.so use_first_pass use_kcminit

auth optional pam_ntlm.so use_first_pass

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so



Contents of /etc/pam.d/authorization_aks (checksum 841932527)



auth required pam_aks.so

account required pam_opendirectory.so



Contents of /etc/pam.d/authorization_ctk (checksum 2418984201)



auth required pam_smartcard.so use_first_pass pkinit

account required pam_opendirectory.so



Contents of /etc/pam.d/authorization_la (checksum 2713564393)



auth required pam_localauthentication.so

auth required pam_aks.so

account required pam_opendirectory.so



Contents of /etc/pam.d/checkpw (checksum 2672765862)



auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so no_check_home no_check_shell



Contents of /etc/pam.d/chkpasswd (checksum 335781771)



auth required pam_opendirectory.so

account required pam_opendirectory.so

password required pam_permit.so

session required pam_permit.so



Contents of /etc/pam.d/cups (checksum 2842188894)



auth required pam_opendirectory.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so



Contents of /etc/pam.d/ftpd (checksum 2001169128)



auth required pam_opendirectory.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so



Contents of /etc/pam.d/login (checksum 1242678644)



auth optional pam_krb5.so use_kcminit

auth optional pam_ntlm.so try_first_pass

auth optional pam_mount.so try_first_pass

auth required pam_opendirectory.so try_first_pass

account required pam_nologin.so

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_launchd.so

session required pam_uwtmp.so

session optional pam_mount.so



Contents of /etc/pam.d/login.term (checksum 3930746290)



account required pam_nologin.so

account required pam_opendirectory.so

session required pam_uwtmp.so



Contents of /etc/pam.d/other (checksum 2748091512)



auth required pam_deny.so

account required pam_deny.so

password required pam_deny.so

session required pam_deny.so



Contents of /etc/pam.d/passwd (checksum 1026516346)



auth required pam_permit.so

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_permit.so



Contents of /etc/pam.d/screensaver (checksum 3141704602)



auth optional pam_krb5.so use_first_pass use_kcminit

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe



Contents of /etc/pam.d/screensaver_aks (checksum 3209544573)



auth required pam_aks.so

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe



Contents of /etc/pam.d/screensaver_ctk (checksum 367670211)



auth required pam_smartcard.so use_first_pass

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe



Contents of /etc/pam.d/screensaver_la (checksum 589164084)



auth required pam_localauthentication.so

auth required pam_aks.so

account required pam_opendirectory.so

account sufficient pam_self.so

account required pam_group.so no_warn group=admin,wheel fail_safe

account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe



Contents of /etc/pam.d/smbd (checksum 2516643123)



account required pam_sacl.so sacl_service=smb allow_trustacct

session required pam_permit.so



Contents of /etc/pam.d/sshd (checksum 2989478361)



auth optional pam_krb5.so use_kcminit

auth optional pam_ntlm.so try_first_pass

auth optional pam_mount.so try_first_pass

auth required pam_opendirectory.so try_first_pass

account required pam_nologin.so

account required pam_sacl.so sacl_service=ssh

account required pam_opendirectory.so

password required pam_opendirectory.so

session required pam_launchd.so

session optional pam_mount.so



Contents of /etc/pam.d/su (checksum 2045483434)



auth sufficient pam_rootok.so

auth required pam_opendirectory.so

account required pam_group.so no_warn group=admin,wheel ruser root_only fail_safe

account required pam_opendirectory.so no_check_shell

password required pam_opendirectory.so

session required pam_launchd.so



Contents of /etc/pam.d/sudo (checksum 3515993703)



auth required pam_opendirectory.so

account required pam_permit.so

password required pam_deny.so

session required pam_permit.so



Contents of /etc/periodic/daily/110.clean-tmps (checksum 4099837049)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_clean_tmps_enable" in

[Yy][Ee][Ss])

if [ -z "$daily_clean_tmps_days" ]

then

echo '$daily_clean_tmps_enable is set but' \

'$daily_clean_tmps_days is not'

rc=2

else

echo ""

echo "Removing old temporary files:"

set -f noglob

args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days"

args="${args} -ctime +$daily_clean_tmps_days"

dargs="-empty -mtime +$daily_clean_tmps_days"

dargs="${dargs} ! -name .vfs_rsrc_streams_*"

[ -n "$daily_clean_tmps_ignore" ] && {

args="$args "`echo " ${daily_clean_tmps_ignore% }" |

sed 's/[ ][ ]*/ ! -name /g'`

dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" |

sed 's/[ ][ ]*/ ! -name /g'`



...and 21 more line(s)



Contents of /etc/periodic/daily/130.clean-msgs (checksum 4292599426)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_clean_msgs_enable" in

[Yy][Ee][Ss])

if [ ! -d /var/msgs ]

then

echo '$daily_clean_msgs_enable is set but /var/msgs' \

"doesn't exist"

rc=2

else

echo ""

echo "Cleaning out old system announcements:"

[ -n "$daily_clean_msgs_days" ] &&

arg=-${daily_clean_msgs_days#-} || arg=

msgs -c $arg && rc=0 || rc=3

fi;;

*) rc=0;;

esac

exit $rc



Contents of /etc/periodic/daily/140.clean-rwho (checksum 659374794)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_clean_rwho_enable" in

[Yy][Ee][Ss])

if [ -z "$daily_clean_rwho_days" ]

then

echo '$daily_clean_rwho_enable is enabled but' \

'$daily_clean_rwho_days is not set'

rc=2

elif [ ! -d /var/rwho ]

then

echo '$daily_clean_rwho_enable is enabled but /var/rwho' \

"doesn't exist"

rc=2

else

echo ""

echo "Removing stale files from /var/rwho:"

case "$daily_clean_rwho_verbose" in

[Yy][Ee][Ss])

print=-print;;

*)

print=;;



...and 14 more line(s)



Contents of /etc/periodic/daily/199.clean-fax (checksum 1104983357)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

if [ -d /var/spool/fax ]; then

echo ""

echo "Removing scratch fax files"

cd /var/spool/fax && \

find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1;

fi



Contents of /etc/periodic/daily/310.accounting (checksum 3208203734)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_accounting_enable" in

[Yy][Ee][Ss])

if [ ! -f /var/account/acct ]

then

echo '$daily_accounting_enable is set but /var/account/acct' \

"doesn't exist"

rc=2

elif [ -z "$daily_accounting_save" ]

then

echo '$daily_accounting_enable is set but ' \

'$daily_accounting_save is not'

rc=2

else

echo ""

echo "Rotating accounting logs and gathering statistics:"

cd /var/account

rc=0

n=$daily_accounting_save

rm -f acct.$n.gz acct.$n || rc=3

m=$n



...and 18 more line(s)



Contents of /etc/periodic/daily/400.status-disks (checksum 1480768650)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_status_disks_enable" in

[Yy][Ee][Ss])

echo ""

echo "Disk status:"

df $daily_status_disks_df_flags && rc=1 || rc=3

;;

*) rc=0;;

esac

exit $rc



Contents of /etc/periodic/daily/420.status-network (checksum 2730873650)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_status_network_enable" in

[Yy][Ee][Ss])

echo ""

echo "Network interface status:"

case "$daily_status_network_usedns" in

[Yy][Ee][Ss])

netstat -i && rc=0 || rc=3;;

*)

netstat -in && rc=0 || rc=3;;

esac;;

*) rc=0;;

esac

exit $rc



Contents of /etc/periodic/daily/430.status-rwho (checksum 3455351261)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$daily_status_rwho_enable" in

[Yy][Ee][Ss])

rwho=$(echo /var/rwho/*)

if [ -f "${rwho%% *}" ]

then

echo ""

echo "Local network system status:"

prog=ruptime

else

echo ""

echo "Local system status:"

prog=uptime

fi

rc=$($prog | tee /dev/stderr | wc -l)

if [ $? -eq 0 ]

then

[ $rc -gt 1 ] && rc=1

else

rc=3

fi;;



...and 3 more line(s)



Contents of /etc/periodic/daily/999.local (checksum 2319755381)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

rc=0

for script in $daily_local

do

echo ''

case "$script" in

/*)

if [ -f "$script" ]

then

echo "Running $script:"

sh $script || rc=3

else

echo "$script: No such file"

[ $rc -lt 2 ] && rc=2

fi;;

*)

echo "$script: Not an absolute path"

[ $rc -lt 2 ] && rc=2;;

esac

done

exit $rc



Contents of /etc/periodic/monthly/199.rotate-fax (checksum 3437454680)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

echo ""

printf %s "Rotating fax log files:"

cd /var/log/fax

for i in *.log; do

if [ -f "${i}" ]; then

echo -n " $i"

if [ -x /usr/bin/gzip ]; then gzext=".gz"; else gzext=""; fi

if [ -f "${i}.3${gzext}" ]; then mv -f "${i}.3${gzext}" "${i}.4${gzext}"; fi

if [ -f "${i}.2${gzext}" ]; then mv -f "${i}.2${gzext}" "${i}.3${gzext}"; fi

if [ -f "${i}.1${gzext}" ]; then mv -f "${i}.1${gzext}" "${i}.2${gzext}"; fi

if [ -f "${i}.0${gzext}" ]; then mv -f "${i}.0${gzext}" "${i}.1${gzext}"; fi

if [ -f "${i}" ]; then mv -f "${i}" "${i}.0" && if [ -x /usr/bin/gzip ]; then gzip -9 "${i}.0"; fi; fi

touch "${i}" && chmod 640 "${i}" && chown root:admin "${i}"

fi

done

echo ""



Contents of /etc/periodic/monthly/200.accounting (checksum 3541581936)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

oldmask=$(umask)

umask 066

case "$monthly_accounting_enable" in

[Yy][Ee][Ss])

W=/var/log/wtmp

rc=0

remove=NO

if [ $rc -eq 0 ]

then

echo ""

echo "Doing login accounting:"

rc=$(ac -p | sort -nr -k 2 | tee /dev/stderr | wc -l)

[ $rc -gt 0 ] && rc=1

fi

[ $remove = YES ] && rm -f $W.0;;

*) rc=0;;

esac

umask $oldmask

exit $rc



Contents of /etc/periodic/monthly/999.local (checksum 2355967272)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

rc=0

for script in $monthly_local

do

echo ''

case "$script" in

/*)

if [ -f "$script" ]

then

echo "Running $script:"

sh $script || rc=3

else

echo "$script: No such file"

[ $rc -lt 2 ] && rc=2

fi;;

*)

echo "$script: Not an absolute path"

[ $rc -lt 2 ] && rc=2;;

esac

done

exit $rc



Contents of /etc/periodic/weekly/320.whatis (checksum 922328658)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

case "$weekly_whatis_enable" in

[Yy][Ee][Ss])

echo ""

echo "Rebuilding whatis database:"

MANPATH=`/usr/bin/manpath -q`

if [ $? = 0 ]

then

if [ -z "${MANPATH}" ]

then

echo "manpath failed to find any manpage directories"

rc=3

else

rc=0

/usr/libexec/makewhatis.local "${MANPATH}" || rc=3

if [ X"${man_locales}" != X ]

then

for i in ${man_locales}

do

LC_ALL=$i /usr/libexec/makewhatis.local -a \

-L "${MANPATH}" || rc=3



...and 9 more line(s)



Contents of /etc/periodic/weekly/999.local (checksum 3078968429)



if [ -r /etc/defaults/periodic.conf ]

then

. /etc/defaults/periodic.conf

source_periodic_confs

fi

rc=0

for script in $weekly_local

do

echo ''

case "$script" in

/*)

if [ -f "$script" ]

then

echo "Running $script:"

sh $script || rc=3

else

echo "$script: No such file"

[ $rc -lt 2 ] && rc=2

fi;;

*)

echo "$script: Not an absolute path"

[ $rc -lt 2 ] && rc=2;;

esac

done

exit $rc



Contents of /Library/Preferences/com.apple.security.appsandbox.plist (checksum 2599182411)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>UnrestrictSpotlightContainerScope</key>

<true/>

</dict>

</plist>



Contents of /Library/Preferences/SystemConfiguration/com.apple.Boot.plist (checksum 1199119104)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Kernel Flags</key>

<string></string>

</dict>

</plist>



Root crontab



46 * * * * /Library/decad.bz/decad.bz cr



User login items



iTunesHelper

- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

uTorrent

- missing value



Restricted files: 6



Lockfiles: 1



Elapsed time (s): 176

Feb 11, 2017 10:33 AM in response to chickashnaz

Although this thread is rather old, I notice you had All2MP3 listed in your apps.


Anyway, to others, All2MP3 is/has been bundling MacKeeper with their updates and installation is obligatory. It's possible people are taking their 100% free, absolutely no malware nonsense a bit too literally, and ignoring the initial notice that MacKeeper will be installed.


Delete the app, unless you have a really old version, as the newer versions will just keep pulling in MacKeeper, no matter what anti-Zeobit strategies. There are possibly other apps that will do the same thing. OSX updates should include a blacklist that will simply refuse to install apps like All2MP3, no options, no workarounds.

May 20, 2017 11:44 PM in response to chickashnaz

Yes... till now... the problem is still here... I also tried to re-install Chrome but there are still pop-up tabs about those Mackeeper stuff... very annoying... and sometimes... I even have problem quiting that tab... like everytime I click into a link or tab or anything on some websites... it brings me to another pop-up ads about Mackeeper... there are also ads which uses the Apple web page as the background... pls help Apple or anyone

May 21, 2017 2:09 AM in response to StephenWu2003

StephenWu2003 wrote:


pls help Apple or anyone

This is a User Forum, so Apple rarely responds and since the discussion is almost three years old, nobody else is likely to either.


First run MalwareBytes Anti-Malware for Mac to make sure you don't haven't installed any Adware or other nasty stuff.


If you didn't see anything else posted that helped you, best to start your own discussion and give more detail on what you are seeing and have done already. Run EtreCheck and post the results to your new discussion.

Jun 28, 2017 7:29 PM in response to Decayedapple

Linc no longer participates in these Forums, nor is there a way to edit an entry after fifteen minutes or so.


That's one of the reasons we don't recommend paying strict attention to discussions like this that is almost three years old.


If you need help, start a new discussion topic, explaining in detail exactly what you are observing, to include screenshots where necessary. That's just the way this Forum works best.

Dec 24, 2017 8:52 PM in response to jineeshmp

Linc no longer participates in these Forums and nobody else is able to interpret his diagnostics.


That's one of the reasons we don't recommend paying strict attention to discussions like this which is over three years old.


If you need help and don't see it here, start a new discussion topic, explaining in detail exactly what you are observing, to include screenshots where necessary, without jumping to conclusions as to it's cause. That's just the way this Forum works best.

Feb 3, 2018 9:03 AM in response to chickashnaz

I had the same problem, and I've tried everything and nothing worked.

Today I've got the solution. I've created a new user in my mac, and then copied the "safari" folder inside "library" of the new account into my old user "library" folder, replaced the files and finally the tabs and popups were gone.
Hope it works for you too.

Best!

Feb 6, 2018 2:38 AM in response to Linc Davis

hi there Linc! I've seen that a lot of people had great results with your steps on removing these ads in safari, however i'm not one of them 😟 i have the same issue, everytime i open up safari an ad will show up, most of the times are mackeeper ads. I followed your steps but was still facing the same issue. One thing you might want to know is that none of the folders mentioned in your steps ( ones to delete ) are present during the process. I tried nearly everything and even upgrading my software. Still, nothing happened.Please help! :"(

Feb 6, 2018 2:43 AM in response to TwinklingExo12

Linc no longer participates in these Forums and nobody else is able to interpret his diagnostics.


That's one of the reasons we don't recommend paying strict attention to discussions like this which is almost four years old. It's no surprise that those folders no longer exist after three OS updates.


If you need help and don't see it here, start a new discussion topic, explaining in detail exactly what you are observing, to include screenshots where necessary, without jumping to conclusions as to it's cause. That's just the way this Forum works best.

Jul 10, 2014 8:22 AM in response to chickashnaz

You installed the "DownLite" trojan, perhaps under a different name. Remove it as follows.

Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data.

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchAgents/com.vsearch.agent.plist

Right-click or control-click the line and select

Services â–¹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "VSearch" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist

Restart the computer and empty the Trash. Then delete the following items in the same way:

/Library/Application Support/VSearch
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

From the Safari menu bar, select

Safari â–¹ Preferences... â–¹ Extensions

Uninstall any extensions you don't know you need, including any that have the word "Spigot" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

This trojan is distributed on illegal websites that traffic in pirated movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the DownLite developer has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight is inexcusable and has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go â–¹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

ANNOYING MACKEEPER TABS AND POPUP ADS

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.