Mac crashes on restart if I have deleted . . .

Yes, do an erase and install of Mac OS and NEVER install any antivirus, cleaning or ANY third party maintenance utilities. Mac OS does not benefit from any of these, all Mac OS need to run trouble free is to be kept up-to-date and otherwise left alone. After you are done the erase and install manually restore your data from your Time Machine backup and manually install all third party apps, do not restore them!

I just had this same issue after cleaning my parents El Capitan OSX install infested with MacKeeper (and other wonderful optimization programs) and spending a couple days trying to isolate why.

After a couple of tries/recovery attempts I found the removal of MKAuthPlugin.bundle as shown in ClamXAV caused the laptop to crash right before login.

I followed the instructions in the following Stack Overflow post to modify your AuthPlugin list and remove the reference to MKAuthPlugin BEFORE you get ClamX to remove/quarantine that file. If you remove the file and your authplugin still references it, you crash.

xcode - Custom login/lock screen in OS X Mavericks - Stack Overflow

1. security authorizationdb read system.login.console > outfile.plist

2. edit the outfile.plist and delete the lines with references to MKAuthPlugin (i think there was 2 or three in mine)
3. Save the file
4. security authorizationdb write system.login.console < outfile.plist

Once that's done - reboot to ensure you didn't break anything (back up before you do any of this). Then you can safely remove that file (now that there's no longer a reference to it on boot) and reboot again to make sure you didn't break anything.

That should clean you up.

I just saw this discussion, and I'm intrigued. I am actually responsible for Malwarebytes for Mac, and I can't recall ever having seen that MKAuthPlugin before. I searched all our rules, and I don't see anything that ought to detect that file.

If you're able and willing, I'd be very interested in seeing the entire contents of the /Library/Security/SecurityAgentPlugins/MKAuthPlugin.bundle folder. If you still have that, and are willing to help, please do the following:

1) In the Finder, choose Go to Folder from the Go menu, and enter the following path in the window that appears:

/Library/Security/SecurityAgentPlugins

Then click Go.

2) Select the MKAuthPlugin.bundle item.

3) Choose Compress "MKAuthPlugin.bundle" from the File menu. A file named "MKAuthPlugin.bundle.zip" will be created on the desktop.

4) Go to the Malwarebytes support site here:

https://support.malwarebytes.com/community/consumer/pages/contact-us

5) Fill out the form under Create Ticket, including a link to this discussion, mentioning me by name (Thomas Reed), and attach that MKAuthPlugin.bundle.zip file. Submit the form.

Thanks!

For the benefit of everyone else reading, this is definitely not detected by Malwarebytes for Mac at this time. It sounds like this is actually a good thing in this case, as removal of the bundle itself will cause a boot failure, due to entries in the authorization database.

This looks like it's nasty to remove, requiring changes to the authorization database, which could be a very bad thing if done improperly. I do not recommend doing so if you don't know exactly what you're doing. (This reminds me of a similar issue with the Genieo malware years ago, which caused a similar problem if the launchd.conf file was not edited or deleted along with a couple dylib files. I saw many people mess up removal and brick their Macs.)

For those who do feel confident in their ability to follow them, the directions posted by krustydonkey above should work. Just be extremely cautious, and make sure you have good backups in case something goes wrong.

I will be doing further research to determine exactly what this plugin is doing, what the security implications are, and how we can properly remove it for folks who are not able to confidently remove it manually.

Hi Thomas,

I recovered the MKAuthPlugin.bundle, zipped it and attached it to ticket 2389853.

Cheers,