How do I remove MacKeeper and other adware on my mac? Please help

I have recently joined the Mac community. My wife, thinking that a MacKeeper popup was a system program, installed it. Shortly thereafter our browsers began getting hijacked. Since then we have uninstalled MacKeeper; however, I think it is still running in the background. Our browser is constantly redirecting to other sites. I found a post from a "Linc Davis" that suggested running a command line Unix script to discover what was running in the background, and sure enough, MacKeeper is still there. If anyone out there can help me I would highly appreciate it. I'm at a loss. I use my Mac to view highly confidential info, and cannot even risk using it until I get this fixed. Thank you so much.

Mac mini, iOS 8.1.2

Posted on Dec 21, 2014 9:11 PM

Question marked as Best reply

Posted on Dec 21, 2014 9:21 PM

Hi Elderathome,


Here are several links from fellow Community Support member Thomas Reed that will help you get your Mac where you want it to be:


http://applehelpwriter.com/2011/09/21/how-to-uninstall-mackeeper-malware/


(one clarification - the link above was provided by Thomas Reed in his article about MacKeeper)


The Safe Mac » Mac Malware Guide

The Safe Mac - ADWARE REMOVAL

The Safe Mac » Adware Removal Tool

The Safe Mac - AdwareMedic


Thomas's The Safe Mac site is full of really good info on how to keep your Mac clean and safe.


Cheers,


GB

Dec 21, 2014 11:40 PM in response to Elderathome

Elderathome wrote:


I have recently joined the Mac community. My wife, thinking that a MacKeeper popup was a system program, installed it. Shortly thereafter our browsers began getting hijacked. Since then we have uninstalled MacKeeper; however, I think it is still running in the background.

I doubt that it's still running, but if it is you can stop that by navigating to /Library/LaunchAgents/ and drag "com.zeobit.MacKeeper.Helper" to the Trash. The best way to ensure that there isn't anything else is to use a utility like EasyFind or Find Any File to search your hard drive for both "zeobit" and "mackeeper" (without quotes).


I second gail from maine's recommendation: for faster, more efficient identification and optional removal of all currently known adware, run AdwareMedic, available free from this Forum’s Malware Guru, owner of TheSafeMac blog and a colleague of mine.


If you find you have any, then to understand why this happened and how to avoid it in the future see John Galt’s How to install adware.

Dec 22, 2014 10:36 AM in response to Elderathome

A

"MacKeeper" is a scam with only one useful feature: it deletes itself.

First, back up all data.

Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

In the Finder, select

Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

Quit MacKeeper before dragging it to the Trash.

Let MacKeeper delete its other components before you empty the Trash.

Don't try to drag the MacKeeper Dock icon to the Trash.

B

You may also have installed the "Downlite" or "VSearch" ad-injection malware. Follow the instructions on this Apple Support page to remove it.

Back up all data before making any changes.

One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.

If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, then you may have an adware variant not covered by the support article. Ask for instructions in that case.

The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

This malware is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates

if it's not already checked.

Dec 22, 2014 6:58 PM in response to Linc Davis

Thanks for the reply. I followed the directions for uninstalling MacKeeper and then reran your command shell script that I found in another post. Unfortunately, MacKeeper still has active scripts running, even after I uninstalled and restarted it. So what do I do if there are still MacKeeper files/scripts running even though I deleted it? I can post the results of that scan if you would like. Thanks again for your help.

Dec 23, 2014 8:17 PM in response to Linc Davis

Boot Mode: Normal



Model: Macmini6,2



System diagnostics



2014-12-03 spindump crash



User diagnostics



2014-12-21 CalendarAgent crash



Kernel messages



--- last message repeated 122 times ---

Dec 21 23:10:54 BUG in process suhelperd[262]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

Dec 21 23:44:38 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 122 times ---

Dec 21 23:45:23 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

Dec 22 07:58:10 wl0: Roamed or switched channel, reason #2, bssid 0c:f8:93:e2:04:20, last RSSI -63

Dec 23 20:20:44 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

Dec 23 20:20:45 [[0xffffff802ab1a000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.

Dec 23 20:21:33 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 441 times ---

Dec 23 20:23:12 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 3 times ---

Dec 23 20:23:12 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 1 time ---

Dec 23 20:23:12 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 130 times ---

Dec 23 20:23:25 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 20 times ---

Dec 23 20:23:27 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 120 times ---

Dec 23 20:23:36 BUG in process suhelperd[167]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 1 time ---

Dec 23 20:23:36 BUG in process suhelperd[167]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 1 time ---

Dec 23 20:35:30 [[0xffffff801a7b9000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.



Extrinsic daemons



com.adobe.fpsaud



Extrinsic agents



com.brother.LOGINserver

com.citrix.ServiceRecords

com.adobe.ARM.UUID

com.cinema-+-hd.updater

com.citrix.ReceiverHelper

com.citrix.AuthManager_Mac

com.zeobit.MacKeeper.Helper

com.google.keystone.user.agent



launchd items



/Library/LaunchAgents/com.brother.LOGINserver.plist

(com.brother.LOGINserver)

/Library/LaunchAgents/com.citrix.AuthManager_Mac.plist

(com.citrix.AuthManager_Mac)

/Library/LaunchAgents/com.citrix.ReceiverHelper.plist

(com.citrix.ReceiverHelper)

/Library/LaunchAgents/com.citrix.ServiceRecords.plist

(com.citrix.ServiceRecords)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

Library/LaunchAgents/com.adobe.ARM.UUID.plist

(com.adobe.ARM.UUID)

Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.user.agent)

Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

(com.zeobit.MacKeeper.Helper)



Extrinsic loadable bundles



/System/Library/Extensions/JMicronATA.kext

(com.jmicron.JMicronATA)

/Library/Internet Plug-Ins/AdobePDFViewer.plugin

(com.adobe.acrobat.pdfviewer)

/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

(com.adobe.acrobat.pdfviewerNPAPI)

/Library/Internet Plug-Ins/CitrixICAClientPlugIn.plugin

(com.citrix.citrixicaclientplugIn)

/Library/Internet Plug-Ins/Flash Player.plugin

(com.macromedia.Flash Player.plugin)

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

(com.apple.java.JavaAppletPlugin)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)



DNS (from DHCP): 24.116.0.53



User login items



iTunesHelper



Restricted user files: 49



Elapsed time (s): 118

Dec 23, 2014 8:36 PM in response to Elderathome

Elderathome wrote:


Unfortunately, MacKeeper still has active scripts running, even after I uninstalled and restarted it.

Where do you see a MacKeeper script running? Is it MacKeeper Helper or something else?

Extrinsic agents


com.zeobit.MacKeeper.Helper

launchd items


Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

(com.zeobit.MacKeeper.Helper)

Either you didn't follow Linc's instructions or (more probably) the MacKeeper uninstall routine leaves files behind.


So go back to what I told you to do above and it will stop.

Dec 23, 2014 8:55 PM in response to MadMacs0

MadMacs0 wrote:

I doubt that it's still running, but if it is you can stop that by navigating to /Library/LaunchAgents/ and drag "com.zeobit.MacKeeper.Helper" to the Trash. The best way to ensure that there isn't anything else is to use a utility like EasyFind or Find Any File to search your hard drive for both "zeobit" and "mackeeper" (without quotes).


So when I navigate to that folder there is no file like that listed. I think it is hidden... Like I said before, I am new to Mac, and have no idea how to find a hidden file. I will attempt to post a screen shot of what I see.

Dec 23, 2014 8:59 PM in response to Elderathome

A

Back up all data before proceeding.

Triple-click anywhere in the line below on this page to select it:

~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item selected. Move the selected item to the Trash. Log out or restart the computer and empty the Trash.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

B

You also installed the "CinemaPlus" ad-injection malware. I suggest the procedure below to disable it. This procedure may leave a few small files behind, but it will permanently deactivate the malware (as long as you never reinstall it.)

Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding.

Step 1

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including one called "Cinema-Plus." If in doubt, uninstall all extensions. Do the equivalent in the Chrome browser, if you use it.

Step 2

Triple-click anywhere in the line below on this page to select it:

~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/144ee21a-8997-41ab-96a6-b13f40648ffd@1ab45825-655a-4789-a375-a283ea7ca5c5.com

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.

If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder may open with an item selected. It will have a long name ending in ".com". Move it to the Trash.

Move this item, if it exists, to the Trash in the same way:

~/Library/LaunchAgents/cinemas-+-plus-+_updater.plist

If there are any other files in the same folder with a similar name beginning in "cinemas-+-plus", move them to the Trash too.

Log out or restart the computer and empty the Trash.
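
The report earlier in this thread lists the MacKeeper helper as "Library/LaunchAgents/…" with no leading slash, and the path given above puts it in ~/Library/LaunchAgents rather than /Library/LaunchAgents, which is why it did not show up in the system folder. As an added example (not part of any post in this thread, and not the script that produced the report), this read-only shell function checks both locations for file names containing a search term; the function names, the account name "example" and the sample tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: read-only audit of launchd persistence folders.
# Reports property lists whose file name contains a search term
# (case-insensitive) and whether each is system-wide or per-user.
# Nothing is moved, unloaded or deleted.

# scan_launch_items ROOT HOME_DIR TERM...
#   ROOT      volume root to inspect ("/" on a running Mac)
#   HOME_DIR  home folder of the account to inspect
#   TERM      name fragments, e.g. zeobit mackeeper cinema
scan_launch_items() {
    root=${1%/}; home=${2%/}; shift 2
    for term in "$@"; do
        for entry in \
            "system:$root/Library/LaunchAgents" \
            "system:$root/Library/LaunchDaemons" \
            "user:$home/Library/LaunchAgents"
        do
            scope=${entry%%:*}   # text before the first colon
            dir=${entry#*:}      # text after the first colon
            [ -d "$dir" ] || continue
            find "$dir" -maxdepth 1 -type f -iname "*${term}*" |
                while IFS= read -r path; do
                    printf '%s\t%s\n' "$scope" "$path"
                done
        done
    done | sort -u               # one line per file even if two terms match
}

# Constructed sample tree: file names are taken from this thread; the
# account name "example" and the empty files are made up for the demo.
build_sample_tree() {
    mkdir -p "$1/Library/LaunchAgents" "$1/Library/LaunchDaemons" \
             "$1/Users/example/Library/LaunchAgents"
    : > "$1/Library/LaunchAgents/com.citrix.ReceiverHelper.plist"
    : > "$1/Library/LaunchDaemons/com.adobe.fpsaud.plist"
    : > "$1/Users/example/Library/LaunchAgents/com.google.keystone.agent.plist"
    : > "$1/Users/example/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist"
    : > "$1/Users/example/Library/LaunchAgents/cinemas-+-plus-+_updater.plist"
}

# Demo on the constructed tree. On a real Mac the call would be:
#   scan_launch_items / "$HOME" zeobit mackeeper cinema
demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
scan_launch_items "$demo_root" "$demo_root/Users/example" zeobit mackeeper cinema
rm -rf "$demo_root"
```

Each output line is the scope (system or user), a tab, and the full path, so a leftover agent in the home folder is visible even when the system folder looks clean.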

Dec 8, 2016 1:53 PM in response to Elderathome

Fast forward to December 2016... MacKeeper is still at it!


I had a very successful "online chat" with the good folks at Apple today.


They directed me to a 3rd party application that solved the ADWARE problem in one pass!


First they asked me to quit Safari

Then restart Safari while holding "shift"

(that did successfully open Safari without the adware)


That done, they asked me to download and install MalwareBytes

They provided this link for a direct download

https://store.malwarebytes.org/342/purl-mbamm-dl


Once installed, I hit "SCAN"

The app reported several threats, and offered to delete those threats.

DELETE THREATS

RESTART

...and Safari is up and running, clean as a whistle!
