You can make a difference in the Apple Support Community!
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
Hello everyone .. I would like to ask if the adwaremedic program is the safest way to remove adware from the mac. Lately I m having some pop up advertisements from a specific site called mac keeper. I have no idea how this ad came up since I am not downloading torrents nor visiting any suspicious site .
So is this the only way to permanently remove the adware? Is it safe , since this is a third party program? Thanks in advance everyone
If you've decided to resist "adwaremedic" on this site, well done. That attitude will protect you from the same, or worse, problems in the future.
A
You seem to have an incomplete installation of the "Flashmall" trojan. Take the steps below to disable it. Many of the items listed below will not be present in your case. I'm posting the full procedure because others, like you, will find this thread.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:
com.crossrider
com.extensions
com.flashmall
com.Installer.completer
com.webhelper
com.webtools
flashmall
UpdateDownloader
WebSocketServerApp
Move any such files to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Do as in Step 1 with this line:
~/Library/Application Support
A folder named "Application Support" will open. Inside it there may be a subfolder with either of these names:
webHelperApp
IM.Installer
If so, move that subfolder—not the "Application Support" folder—to the Trash.
4. Open this folder in the same way as above:
~/Library/ScriptingAdditions
and remove an item named
BrowserHelper.osax
if present.
5. Open this folder:
~/Library
Look for subfolders with either of these names:
flashmall
WebTools
and move them to the Trash, if present.
6. Open the Applications folder. If it contains an item named "Flashmall" or "WebTools", move that to the Trash.
Important: You can't delete applications by trying to drag them from the Dock or the LaunchPad. Open the Applications folder in the Finder.
7. Open this folder in the same way as above:
~/Applications
This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name like this:
flashmall
and move it to the Trash, if present.
Empty the Trash.
8. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including one called "GoldenBoy," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
B
"ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.
To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)
Quit the application, if it's running, and drag it from the Applications folder to the Trash.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist
Right-click or control-click the highlighted line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.
In the same folder, there may also be a file named
com.jdibackup.ZipCloud.notify.plist
Move that to the Trash as well.
Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
<Edited By Host>
Linc has a well documented dislike of AdwareMedic, which you can see in many, many posts here. Yet what you will find many more times by searching here is how it has solved issues for other users. For Adware removal, I will continue to recommend
The Easy, safe, effective method:
http://www.adwaremedic.com/index.php
If you are comfortable doing manual file removals use the somewhat more difficult method:
http://support.apple.com/en-us/HT203987
Also read the articles below to be more prepared for the next time there is an issue on your computer.
https://discussions.apple.com/docs/DOC-7471
https://discussions.apple.com/docs/DOC-8071
http://www.thesafemac.com/tech-support-scam-pop-ups/
Pete
<Edited By Host>
Linc Davis wrote:
The only defense against malware is to empower users to understand what has happened to them at the file level and what they have to do to reverse it.
But, Linc, blindly following a complicated set of instructions does not "empower users to understand what has happened to them…"
They're just blindly following a complicated set of instructions.
Why do this when AdWare Medic accomplishes the task with a GUI they can understand?
You seem to make the (wrong) assumption that people coming here for help are as wise in the ways of logs and Terminal as you are. Most aren't.
You often talk about not trusting advice from strangers; but you are a stranger to these posters, too.
If I ever need it (and I hope I'm careful enough in my browsing and downloads that I don't), I would not hesitate to use AdwareMedic.
Linc Davis wrote:
If you've decided to resist "adwaremedic" on this site, well done.
If Linc's comments here cause anyone to think that AdwareMedic is not trustworthy, I'd ask you to discuss the matter with a local Apple tech, such as an Apple Genius at a local Apple Store. There's no need to take my word, Linc's, or anyone else's here, on the matter. An Apple representative can clear up the matter for you.
Start time: 11:56:58 06/20/15
Model Identifier: MacBookPro7,1
System Version: OS X 10.10.3 (14D136)
Kernel Version: Darwin 14.3.0
Time since boot: 3:33
SATA
ST9250315ASG
Diagnostic reports
2015-06-10 com.apple.preference.security.remoteservice crash
2015-06-18 coreaudiod crash
2015-06-19 WindowServer crash
2015-06-19 com.apple.preferences.extensions.remoteservice crash
Log
Jun 18 19:22:32 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 18 19:47:37 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 19 08:15:00 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 19 08:15:37 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 19 09:04:23 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 19 09:15:44 jnl: b(1, 2): replay_journal: from: 7744000 to: 12556800 (joffset 0x743000)
Jun 19 09:15:44 jnl: b(1, 2): journal replay done.
Jun 19 09:19:49 process WindowServer[136] caught causing excessive wakeups. Observed wakeups rate (per sec): 184; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45161
Jun 19 09:44:32 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 19 10:03:33 process com.apple.WebKit[2055] caught causing excessive wakeups. Observed wakeups rate (per sec): 222; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 84026
Jun 19 10:38:30 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 19 11:23:17 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 19 11:23:17 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 19 11:46:16 process com.apple.WebKit[13405] thread 96771 caught burning CPU!; EXC_RESOURCE supressed due to audio playback
Jun 19 18:01:46 process com.apple.WebKit[15694] caught causing excessive wakeups. Observed wakeups rate (per sec): 152; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45084
Jun 20 08:22:44 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 20 08:24:21 jnl: b(1, 2): replay_journal: from: 2558464 to: 7878656 (joffset 0x743000)
Jun 20 08:24:21 jnl: b(1, 2): journal replay done.
Jun 20 08:40:45 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 09:25:41 process WindowServer[139] caught causing excessive wakeups. Observed wakeups rate (per sec): 341; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 132916
Jun 20 09:53:59 process com.apple.WebKit[6826] caught causing excessive wakeups. Observed wakeups rate (per sec): 317; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 193858
Jun 20 10:00:27 process com.apple.WebKit[6816] caught causing excessive wakeups. Observed wakeups rate (per sec): 151; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 110481
Jun 20 10:03:12 process com.apple.WebKit[6816] thread 44797 caught burning CPU! It used more than 50% CPU (Actual recent usage: 55%) over 180 seconds. thread lifetime cpu usage 274.491970 seconds, (255.551102 user, 18.940868 system) ledger info: balance: 90004187734 credit: 268746226789 debit: 178742039055 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 163410230035
Jun 20 11:03:50 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 11:57:04 process smcDiagnose[17932] caught causing excessive wakeups. Observed wakeups rate (per sec): 49281; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 47232
Activity
CPU: user 8%, system 6%
Daemons
com.apple.installer.osmessagetracing
com.adobe.fpsaud
Agents
com.webtools.update.0.0.0.9.agent
com.webhelper
com.spotify.webhelper
com.apple.AirPortBaseStationAgent
com.webtools.uninstaller.app
Bundles
/System/Library/Extensions/JMicronATA.kext
- com.jmicron.JMicronATA
/Library/Internet Plug-Ins/Flash Player.plugin
- N/A
/Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin
- com.microsoft.officelive.browserplugin
/Library/PreferencePanes/Flash Player.prefPane
- com.adobe.flashplayerpreferences
Contents of Library/LaunchAgents/com.spotify.webhelper.plist (checksum 2241827825)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.spotify.webhelper</string>
<key>KeepAlive</key>
<dict>
<key>NetworkState</key>
<true/>
</dict>
<key>RunAtLoad</key>
<true/>
<key>Program</key>
<string>/Users/USER/Library/Application Support/Spotify/SpotifyWebHelper</string>
<key>SpotifyPath</key>
<string>/Applications/Spotify.app</string></dict>
</plist>
Contents of Library/LaunchAgents/com.webhelper.plist (checksum 948416710)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.webhelper</string>
<key>EnableGlobbing</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/webHelperApp/launch</string>
<string>-guid</string>
<string>UUID</string>
<string>-source</string>
<string>pr-1520</string>
<string>-brand</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>OnDemand</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/null</string>
...and 6 more line(s)
Contents of Library/LaunchAgents/com.webtools.uninstaller.plist (checksum 347991739)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.webtools.uninstaller.app</string>
<key>EnableGlobbing</key>
<true/>
<key>WatchPaths</key>
<array>
<string>/Applications/WebTools.app</string>
</array>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/webHelperApp/uninstall</string>
</array>
</dict>
</plist>
Contents of Library/LaunchAgents/com.webtools.update.agent.plist (checksum 873177358)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnableGlobbing</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.webtools.update.0.0.0.9.agent</string>
<key>OnDemand</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/WebTools/UpdateAgent/run_update.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
<key>StartInterval</key>
<integer>600</integer>
<key>ThrottleInterval</key>
...and 3 more line(s)
Firewall: On
Wi-Fi
link auth: wpa-psk
User login items
iTunesHelper
- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
Spotify
- /Applications/Spotify.app
Restricted files: 44
Elapsed time (s): 268
You installed the "Flashmall" trojan. Take the steps below to disable it.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:
com.crossrider
com.extensions
com.flashmall
com.Installer.completer
com.webhelper
com.webtools
flashmall
UpdateDownloader
WebSocketServerApp
Move any such files to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Do as in Step 1 with this line:
~/Library/Application Support
A folder named "Application Support" will open. Inside it there may be a subfolder with either of these names:
webHelperApp
IM.Installer
If so, move that subfolder—not the "Application Support" folder—to the Trash.
4. Open this folder in the same way as above:
~/Library/ScriptingAdditions
and remove an item named
BrowserHelper.osax
if present.
5. Open this folder:
~/Library
Look for subfolders with either of these names:
flashmall
WebTools
and move them to the Trash, if present.
6. Open the Applications folder. If it contains an item named "Flashmall" or "WebTools", move that to the Trash.
Important: You can't delete applications by trying to drag them from the Dock or the LaunchPad. Open the Applications folder in the Finder.
7. Open this folder in the same way as above:
~/Applications
This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name like this:
flashmall
and move it to the Trash, if present.
Empty the Trash.
8. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including one called "GoldenBoy," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
Thanks. This worked great! I'm so glad to have my Safari working normal again. Seriously appreciate the help!
Start time: 18:58:36 06/22/15
Model Identifier: MacBookPro9,2
System Version: OS X 10.10.2 (14C109)
Kernel Version: Darwin 14.1.0
Time since boot: 50 days 23:57
Diagnostic reports
2015-05-29 discoveryd crash
2015-06-16 MacKeeper crash x3
2015-06-16 QuickLookSatellite crash
2015-06-16 mdworker crash x2
2015-06-16 softwareupdated crash
Log
Jun 16 12:05:45 Sound assertion in AppleHDAFunctionGroup at line 1058
Jun 16 12:39:46 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 17 10:40:06 Sound assertion in AppleHDAFunctionGroup at line 1058
Jun 17 10:42:12 com.mackeeper.MacKeeper.Uninstaller.61660: Service exited with abnormal code: 1
Jun 22 18:53:56 Sound assertion in AppleHDAFunctionGroup at line 1058
Swap (MiB): 5884
Daemons
com.apple.installer.osmessagetracing
com.microsoft.office.licensing.helper
Agents
com.webtools.update.0.0.0.9.agent
com.mackeeper.MacKeeper.service.clean
com.mackeeper.MacKeeper.Helper
com.google.keystone.user.agent
com.apple.AirPortBaseStationAgent
Bundles
/System/Library/Extensions/JMicronATA.kext
- com.jmicron.JMicronATA
/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin
- com.microsoft.sharepoint.browserplugin
/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin
- com.microsoft.sharepoint.webkitplugin
Contents of Library/LaunchAgents/com.google.keystone.agent.plist (checksum 3591276108)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.google.keystone.user.agent</string>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bu ndle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftw areUpdateAgent</string>
<string>-runMode</string>
<string>ifneeded</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>3523</integer>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
Contents of Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist (checksum 2605203230)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>EnvironmentVariables</key>
<dict>
<key>ZBTimeStamp</key>
<string>20150512181220</string>
</dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.mackeeper.MacKeeper.Helper</string>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>Program</key>
<string>/Applications/MacKeeper.app/Contents/Services/MacKeeper Helper.app/Contents/MacOS/MacKeeper Helper</string>
</dict>
</plist>
Contents of Library/LaunchAgents/com.webtools.update.agent.plist (checksum 1944118573)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnableGlobbing</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.webtools.update.0.0.0.9.agent</string>
<key>OnDemand</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/WebTools/UpdateAgent/run_update.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
<key>StartInterval</key>
<integer>600</integer>
<key>ThrottleInterval</key>
...and 3 more line(s)
DNS: 75.75.75.75 (static)
Listeners
cupsd: ipp
User login items
iTunesHelper
- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
Google Chrome
- /Applications/Google Chrome.app
Restricted files: 80
Lockfiles: 6
Elapsed time (s): 253
You have MacKeeper installed. That's a scam. Remove it:
http://applehelpwriter.com/2011/09/21/how-to-uninstall-mackeeper-malware/
You also have some adware installed. See:
http://www.thesafemac.com/arg-bundlore/
Alternately, if you'd prefer not to use manual removal instructions, use AdwareMedic:
(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)
A
There is no need to download anything to solve this problem. You installed, and seem to have partially removed, the "Flashmall" trojan. Take the steps below to disable it.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:
com.crossrider
com.extensions
com.flashmall
com.Installer.completer
com.webhelper
com.webtools
flashmall
UpdateDownloader
WebSocketServerApp
Move any such files to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Do as in Step 1 with this line:
~/Library/Application Support
A folder named "Application Support" will open. Inside it there may be a subfolder with either of these names:
webHelperApp
IM.Installer
If so, move that subfolder—not the "Application Support" folder—to the Trash.
4. Open this folder in the same way as above:
~/Library/ScriptingAdditions
and remove an item named
BrowserHelper.osax
if present.
5. Open this folder:
~/Library
Look for subfolders with either of these names:
flashmall
WebTools
and move them to the Trash, if present.
6. Open the Applications folder. If it contains an item named "Flashmall" or "WebTools", move that to the Trash.
Important: You can't delete applications by trying to drag them from the Dock or the LaunchPad. Open the Applications folder in the Finder.
7. Open this folder in the same way as above:
~/Applications
This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name like this:
flashmall
and move it to the Trash, if present.
Empty the Trash.
8. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including one called "GoldenBoy," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
B
"MacKeeper" is a scam with only one useful feature: it deletes itself.
First, back up all data.
Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.
If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.
IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.
In the Finder, select
Go ▹ Applications
from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.
☞ Quit MacKeeper before dragging it to the Trash.
☞ Let MacKeeper delete its other components before you empty the Trash.
☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.
☞ Don't try to remove MacKeeper while running in safe mode.
Start time: 14:25:05 06/23/15
Model Identifier: MacBookAir6,1
System Version: OS X 10.10.3 (14D136)
Kernel Version: Darwin 14.3.0
Time since boot: 1:37
Log
Jun 20 14:25:51 com.apple.spindump: Service exited with abnormal code: 75
Jun 20 14:26:01 com.apple.spindump: Service exited with abnormal code: 75
Jun 20 14:26:11 com.apple.spindump: Service exited with abnormal code: 75
Jun 20 14:26:21 com.apple.spindump: Service exited with abnormal code: 75
Jun 20 15:09:53 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 20 15:22:53 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 15:34:27 hfs: could not initialize summary table for Microsoft Error Reporting
Jun 20 15:34:27 hfs: mounted Microsoft Error Reporting on device disk2s2
Jun 20 15:34:28 hfs: unmount initiated on Microsoft Error Reporting on device disk2s2
Jun 20 15:56:23 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 15:57:07 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 15:58:25 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 20 15:59:15 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 15:59:15 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 20 15:59:15 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 20 16:18:29 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 20 17:05:44 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 20 17:23:07 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 21 08:45:00 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 21 12:52:22 [[0xffffff8029359000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.
Jun 23 08:48:06 [[0xffffff80293be000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.
Jun 23 09:07:15 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 23 12:48:30 jnl: b(1, 4): replay_journal: from: 5851136 to: 10187264 (joffset 0x384000)
Jun 23 12:48:30 jnl: b(1, 4): journal replay done.
Jun 23 14:15:54 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Daemons
com.microsoft.office.licensing.helper
com.adobe.fpsaud
Agents
com.google.keystone.user.agent
com.apple.AirPortBaseStationAgent
Bundles
/Library/Internet Plug-Ins/Flash Player.plugin
- N/A
/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin
- com.microsoft.sharepoint.browserplugin
/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin
- com.microsoft.sharepoint.webkitplugin
/Library/PreferencePanes/Flash Player.prefPane
- com.adobe.flashplayerpreferences
App extensions
com.evernote.Evernote.SharingExtension
Contents of Library/LaunchAgents/com.google.keystone.agent.plist (checksum 611145307)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.google.keystone.user.agent</string>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bu ndle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftw areUpdateAgent</string>
<string>-runMode</string>
<string>ifneeded</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>3523</integer>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
User login items
iTunesHelper
- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
Google Chrome
- /Applications/Google Chrome.app
Restricted files: 6
Elapsed time (s): 140
You don't have any adware, unless it's a Chrome extension. You can check for that in the Chrome application. Delete any extensions you don't know you need.
If I may make a suggestion, the best way to get help on this site is not to post to a discussion started by someone else, with information that no one asked for, and without even asking a question. If you can't find a solution by searching, start your own thread with a full description of the problem.
Start time: 19:47:04 06/24/15
Model Identifier: MacBookPro8,2
System Version: OS X 10.10.3 (14D136)
Kernel Version: Darwin 14.3.0
Time since boot: 1:17
SATA
Hitachi HTS545050B9A302
Diagnostic reports
2015-05-27 com.apple.WebKit.Plugin.64 crash
2015-06-13 Safari crash
2015-06-16 Any Video Converter Pro hang
Log
Jun 23 20:34:41 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 24 06:02:42 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 24 06:36:02 process com.apple.WebKit[4116] thread 249455 caught burning CPU! It used more than 50% CPU (Actual recent usage: 73%) over 180 seconds. thread lifetime cpu usage 90.168083 seconds, (87.245998 user, 2.922085 system) ledger info: balance: 90003528444 credit: 90006585096 debit: 3056652 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 123190362104
Jun 24 06:42:14 process com.apple.WebKit[4126] thread 251581 caught burning CPU! It used more than 50% CPU (Actual recent usage: 89%) over 180 seconds. thread lifetime cpu usage 90.293780 seconds, (87.416361 user, 2.877419 system) ledger info: balance: 90000719485 credit: 90003469843 debit: 2750358 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 100400862948
Jun 24 06:48:02 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 24 06:48:07 com.apple.iTunesHelper.24456: Service exited with abnormal code: 1
Jun 24 18:31:09 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)
Jun 24 18:31:14 com.apple.locationd: Service exited with abnormal code: 1
Jun 24 18:31:20 com.apple.locationd: Service exited with abnormal code: 1
Jun 24 18:32:05 com.apple.spindump: Service exited with abnormal code: 75
Jun 24 18:32:15 com.apple.spindump: Service exited with abnormal code: 75
Jun 24 18:32:25 com.apple.spindump: Service exited with abnormal code: 75
Jun 24 18:38:35 process com.apple.WebKit[456] thread 7517 caught burning CPU! It used more than 50% CPU (Actual recent usage: 87%) over 180 seconds. thread lifetime cpu usage 90.252561 seconds, (88.045862 user, 2.206699 system) ledger info: balance: 90007592238 credit: 90010099090 debit: 2506852 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 102447122890
Jun 24 18:53:49 process com.apple.WebKit[498] thread 14141 caught burning CPU! It used more than 50% CPU (Actual recent usage: 84%) over 180 seconds. thread lifetime cpu usage 90.374814 seconds, (88.187499 user, 2.187315 system) ledger info: balance: 90000615454 credit: 90003614228 debit: 2998774 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 106222352698
Jun 24 19:12:04 process com.apple.WebKit[537] thread 20451 caught burning CPU! It used more than 50% CPU (Actual recent usage: 71%) over 180 seconds. thread lifetime cpu usage 90.389978 seconds, (87.747053 user, 2.642925 system) ledger info: balance: 90002596548 credit: 90007372830 debit: 4776282 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 126343534551
Jun 24 19:19:41 process com.apple.WebKit[546] thread 22818 caught burning CPU! It used more than 50% CPU (Actual recent usage: 79%) over 180 seconds. thread lifetime cpu usage 90.325617 seconds, (87.048523 user, 3.277094 system) ledger info: balance: 90002466674 credit: 90004621971 debit: 2155297 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 113121167187
Jun 24 19:30:53 MacAuthEvent en1 Auth result for: 18:ef:63:9b:1d:4b Auth request tx failed
Jun 24 19:31:56 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1
Jun 24 19:31:57 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 24 19:31:57 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1
Jun 24 19:39:22 AppleUSBEthernetHost::disable: failed to set alt interface 0, e00002c0
Jun 24 19:39:23 AppleUSBEthernetHost::disable: failed to set alt interface 0, e00002c0
Jun 24 19:41:44 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1
Jun 24 19:43:14 process com.apple.WebKit[595] thread 30207 caught burning CPU! It used more than 50% CPU (Actual recent usage: 66%) over 180 seconds. thread lifetime cpu usage 90.298691 seconds, (87.783835 user, 2.514856 system) ledger info: balance: 90001090795 credit: 90104993429 debit: 103902634 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 135051707965
Jun 24 19:47:11 process smcDiagnose[790] caught causing excessive wakeups. Observed wakeups rate (per sec): 49475; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45563
Swap (MiB): 4870
Activity
CPU: user 11%, system 6%
CPU per process: com.apple.WebKit (UID 501) is using 101.7 %
I/O per process: kernel_task (UID 0) is using 17 MB/s
Memory: com.apple.WebKit (UID 501) is using 1439 MB
Daemons
com.microsoft.office.licensing.helper
com.google.keystone.daemon
com.oracle.java.Helper-Tool
jp.co.canon.MasterInstaller
com.adobe.fpsaud
Agents
com.apple.PTPCamera.76144.UUID
com.google.keystone.system.agent
com.apple.photostream-agent
com.oracle.java.Java-Updater
com.apple.AirPortBaseStationAgent
Bundles
/Library/Audio/MIDI Drivers/TASCAM US1xx MIDI Driver.plugin
- com.tascam.usb2audio.midi
/Library/Audio/Plug-Ins/HAL/TASCAM_US1xx.driver
- com.tascam.usb2.coreaudio
/Library/Audio/Plug-Ins/HAL/TASCAM_US1xx.plugin
- com.tascam.usb2audio.hal
/Library/Extensions/TASCAM_US1xx.kext
- com.tascam.usb2audio.driver
/Library/Internet Plug-Ins/EPPEX Plugin.plugin
- N/A
/Library/Internet Plug-Ins/Flash Player.plugin
- N/A
/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin
- com.Google.GoogleEarthPlugin.plugin
/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin
- com.microsoft.sharepoint.browserplugin
/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin
- com.microsoft.sharepoint.webkitplugin
/Library/Internet Plug-Ins/Silverlight.plugin
- com.microsoft.SilverlightPlugin
/Library/PreferencePanes/Flash Player.prefPane
- com.adobe.flashplayerpreferences
Library/Caches/com.apple.Safari/Extensions/macfest.safariextension/3.safariexte nsion
- com.yourcompany.extension
Library/Caches/com.apple.Safari/Extensions/macfest.safariextension
- com.raman.macfest
App extensions
com.getdropbox.dropbox.garcon
Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist (checksum 3012644940)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>org.apache.httpd</string>
<key>EnvironmentVariables</key>
<dict>
<key>XPC_SERVICES_UNAVAILABLE</key>
<string>1</string>
</dict>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/httpd-wrapper</string>
<string>-D</string>
<string>FOREGROUND</string>
</array>
<key>OnDemand</key>
<false/>
</dict>
</plist>
Contents of /Library/LaunchDaemons/jp.co.canon.MasterInstaller.plist (checksum 4111951265)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>jp.co.canon.MasterInstaller</string>
<key>Program</key>
<string>/Library/PrivilegedHelperTools/jp.co.canon.MasterInstaller</string>
<key>ProgramArguments</key>
<array>
<string>/Library/PrivilegedHelperTools/jp.co.canon.MasterInstaller</string>
</array>
<key>ServiceIPC</key>
<true/>
<key>Sockets</key>
<dict>
<key>MasterSocket</key>
<dict>
<key>SockFamily</key>
<string>Unix</string>
<key>SockPathMode</key>
<integer>438</integer>
<key>SockPathName</key>
<string>/var/run/jp.co.canon.MasterInstaller.socket</string>
<key>SockType</key>
...and 5 more line(s)
Contents of Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist (checksum 4071182229)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.adobe.AAM.Scheduler-1.0</string>
<key>Program</key>
<string>/Library/Application Support/Adobe/OOBE/PDApp/UWA/UpdaterStartupUtility</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Adobe/OOBE/PDApp/UWA/UpdaterStartupUtility</string>
<string>-mode=scheduled</string>
</array>
<key>StartCalendarInterval</key>
<dict>
<key>Minute</key>
<integer>0</integer>
<key>Hour</key>
<integer>2</integer>
</dict>
</dict>
</plist>
Listeners
cupsd: ipp
User login items
iTunesHelper
- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
VMware Fusion Start Menu
- /Applications/VMware Fusion.app/Contents/Library/VMware Fusion Start Menu.app
Dropbox
- /Applications/Dropbox.app
OpenDNS Updater
- /Applications/OpenDNS Updater.app
CFAgent
- /Applications/Clickfree/CFAgent.app
Safari extensions
macfest
Restricted files: 162
Lockfiles: 9
Elapsed time (s): 891
Back up all data before making any changes.
You installed a variant of the "VidX" trojan. To remove it, first open the Applications folder by selecting
Go ▹ Applications
from the Finder menu bar, or by pressing the key combination shift-command-A. Look for an item named "VidX," "MacVx," "MacFest," "MacMin," or similar. If present, drag it to the Trash and empty. If in doubt, order the folder window by date modified and delete any application near the top that you don't recognize.
From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall any extension you don't know you need. If in doubt, remove all of them. None is needed for normal operation. You may have more than one that's malicious. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
AdwareMadic is totally safe and is being used by every Mac technician I know so you should be fine. A lot safer than having someone that you don't know suggesting Terminal commands that you know know nothing about. Very dangerous advice if you do not enter them exactly as they should be. But your choice to use the easy and proven method or the dodgy advice.
Pete
Adwaremedic is it safe ?
