Posted By: ryck Damned MacKeeper - 07/12/15 06:56 PM
If anyone ever doubted that MacKeeper is a disease..........

From another thread I learned about DetectX and downloaded it. The only item it found in all of its searches was a 3 year old MacKeeper document in my Library Preferences called: .3FAD0F65-FC6E-4889-B975-B96CBF807B78

Clicking on DetectX's "Send to Trash" did not get rid of the MacKeeper document.

I managed to find the file (it was invisible) and attempted to move it to the trash. I got a dialogue box that says: "The operation can’t be completed because backup items can’t be modified."

Now, however, like any other viral disease, the MacKeeper file is replicating itself. Instead of just the one, I now have about 20 documents with the same name.

Any thoughts on how to purge my drive of the pernicious MacKeeper file (now files)?
Posted By: artie505 Re: Damned MacKeeper - 07/12/15 07:06 PM
Don't know if it will work, but have you tried "rm"ing it in Terminal?

Edit: I just looked at the DetectX home page and found "For MacKeeper, it is important to follow the instructions on Applehelpwriter for how to uninstall MacKeeper properly."

Have you tried that?

Edit 2: I just d/l'ed DetectX, and it found a "MacKeeper" file with a name similar to yours; I was able to move it to the trash (on my own) and delete it. Personally, I think the file was erroneously identified as a MacKeeper file, possibly because its name was similar to one, but its very minimal contents seemed innocuous, so I gambled. I also had a second such file with absolutely no contents which I deleted before running DetectX.
Posted By: ryck Re: Damned MacKeeper - 07/12/15 08:36 PM
Originally Posted By: artie505
Personally, I think the file was erroneously identified as a MacKeeper file, possibly because its name was similar to one….

I wonder if that's also the case with my mysterious document. I subsequently closed everything, including DetectX. I then re-opened it and ran another search. This time DetectX didn't find anything and gave me a 'thumbs up'.

Originally Posted By: artie505
Don't know if it will work, but have you tried "rm"ing it in Terminal?

While it now seems the file may not be MacKeeper, there are about 20 copies of the file instead of one. For the sake of keeping things tidy I wouldn't mind removing all the redundant copies. Do you know what the Terminal command would be? Or is it even possible to remove all but one?
Posted By: artie505 Re: Damned MacKeeper - 07/12/15 09:03 PM
What I don't get is why the file replicated itself; have you opened it to see what's in it?

The Terminal command is rm -rf  (Don't forget the two [2] spaces.); then drag a file into Terminal, and its path will appear in the command, after which you hit "return". (I've never tried dragging multiple files.)
Posted By: ryck Re: Damned MacKeeper - 07/12/15 10:57 PM
Originally Posted By: artie505
What I don't get is why the file replicated itself….

To make it more curious, it appears that other files are also replicating themselves.

Originally Posted By: artie505
...have you opened it to see what's in it?

I opened one with TextEdit and it said:


fJHrQnNdmElH2bXFFhU46ZGWwjDgfpV6sEa31vlxps
+m
+QVKtdIVJSg/VdGE6Gm/lhAzK9L7EiFZKP6wZhS4QQ5oZRWvVbgYG1wzza9l/8n62qOv3Wk05VXXVg1og2tmGCPuIa2J
+n5okwKa/OOy1/UODWwPATPlFW7JXdB1b
+gbVWOnbEVUVC0diWrIrf7iDF7BmfYdRmthrpowqL5c0aeV/QygydFpfoUysdni37qDmmBUPW8Cux
+PhUfzFtIORuqerqRP5PSbNxrBSxplQ9KXjSCxh0Hk3MI7M0+GYjETTSpa6X7hr90
+YrEwrKP+Fhml1glEAw0F/GLVEAmZPA==

NOTE: I put the carriage returns in the above information from TextEdit because it pasted as one long line headed somewhere out the right side of the FTM screen.

Originally Posted By: artie505
...then drag a file into Terminal, and its path will appear in the command, after which you hit "return"

The path does appear but, as soon as I hit 'return' Terminal adds: Permission Denied, and the delete does not occur.
Posted By: artie505 Re: Damned MacKeeper - 07/12/15 11:25 PM
What other files?

Have you done a command-I to see if they're locked?

You can try the same rm command but preceded by sudo(space): sudo rm -rf(space).

Maybe they are MacKeeper and you ought to follow the link I posted.

(Looks like you moved...pretty country; good luck! smile )
Posted By: jchuzi Re: Damned MacKeeper - 07/12/15 11:26 PM
Try the command sudo rm -rf. Be sure to leave a space after -rf. After you drag the file into Terminal and press Return, enter your administrator password and press Return again. (Nothing will appear to happen while you're typing the password.)
Posted By: ryck Re: Damned MacKeeper - 07/12/15 11:46 PM
Originally Posted By: artie505
(Looks like you moved...pretty country; good luck! smile )

Ya, one of our daughters advised we are going to have our first grandchild so we decided we should be where the child is. That decision took about a millisecond.

I'm just heading out to get someone from the airport, and will have a busy evening, so I'll get back to you and Jon tomorrow.
Posted By: ryck Re: Damned MacKeeper - 07/14/15 05:02 PM
Originally Posted By: artie505
What other files?

There's a whole range of them, some of which are folders with Unix Executable Files inside them. In all cases the duplicates, when examined using Get Info, appear to be exactly the same...dates created, modified, et cetera.

Some names are:
.3lbxjVRJ8r
.AutoBindDone
.background (which is a Folder with a Unix Executable File)
.38 Special (which is a MacPaint Image)
.3246584E-0CF8-4153-835D-C7D952862F9D
.AccessibilityAPIEnabled

Originally Posted By: artie505
Have you done a command-I to see if they're locked?

Yes but, even after unlocking them, they won't allow themselves to be removed to trash. Also, unlocking one also unlocks every duplicate.

Originally Posted By: artie505
You can try the same rm command but preceded by sudo(space): sudo rm -rf(space).

Originally Posted By: jchuzi
Try the command sudo rm -rf. Be sure to leave a space after -rf. After you drag the file into Terminal and press Return, enter your administrator password and press Return again.

It still rejects the attempt to remove and advises "Permission Denied"


Unless it's just coincidental, I do notice that I am seeing the spinning beachball periodically when in regular use of the computer. Prior to this, I almost never saw it.

Is this one of those times when you just scratch your head and keep on walking?
Posted By: artie505 Re: Damned MacKeeper - 07/14/15 07:34 PM
This is starting to sound like something that came up a looong time ago, so just maybe... Try booting into another volume and running Disk Utility > Repair Disk on your disagreeable volume, and then reboot and see if your recalcitrant files are any more agreeable.
Posted By: Douglas Re: Damned MacKeeper - 07/14/15 07:42 PM
Just my 2 cents worth. If you can boot into another volume, do that and then navigate back to the original volume and delete the files. That should work if you get all of them.

IMHO MacKeeper should be banned.
Posted By: grelber Re: Damned MacKeeper - 07/14/15 07:48 PM
Originally Posted By: ryck
Originally Posted By: artie505
(Looks like you moved...pretty country; good luck! smile )

Ya, one of our daughters advised we are going to have our first grandchild so we decided we should be where the child is. That decision took about a millisecond.

'Tis indeed a lovely area ... for the moment. But just as living on the island is dangerous, so is the Lower Mainland right up to the Rockies: When the tectonic plates shift — any time now, according to the pundits ... hold your breath or don't — Golden will be beachfront property. tongue smirk
Posted By: ryck Re: Damned MacKeeper - 07/14/15 09:31 PM
Originally Posted By: grelber
'Tis indeed a lovely area ... for the moment. But just as living on the island is dangerous, so is the Lower Mainland right up to the Rockies: When the tectonic plates shift….

Except that I am in the spot deemed the lowest earthquake risk in the province. When the insurance person tried to sell me the same earthquake insurance I had on the island, I pointed out that the insurance company's back-up servers were here for that very reason - lowest risk of earthquake.
Posted By: ryck Re: Damned MacKeeper - 07/14/15 09:46 PM
Originally Posted By: artie505
Try booting into another volume and running Disk Utility > Repair Disk on your disagreeable volume, and then reboot and see if your recalcitrant files are any more agreeable.

Nope….didn't work. However, I did take the opportunity to do a Directory Rebuild - which I haven't done for a while - using DiskWarrior.
Posted By: ryck Re: Damned MacKeeper - 07/14/15 09:48 PM
Originally Posted By: Douglas
If you can boot into another volume, do that and then navigate back to the original volume and delete the files.

Good thought….except the files are invisible and I believe they can only be made visible on the booted volume.
Posted By: jchuzi Re: Damned MacKeeper - 07/14/15 10:29 PM
Since you were denied permission to do this, try repairing permissions. True, permission repair is not as necessary as it once was, but it won't hurt to try.
Posted By: artie505 Re: Damned MacKeeper - 07/14/15 11:11 PM
Quote:
I just looked at the DetectX home page and found "For MacKeeper, it is important to follow the instructions on Applehelpwriter(*) for how to uninstall MacKeeper properly."

I posted that a while back; have you tried it?

(*) how to uninstall MacKeeper – updated | (The instructions specifically mention the file you originally referenced, i.e. /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78)
Posted By: artie505 Re: Damned MacKeeper - 07/14/15 11:55 PM
Originally Posted By: ryck
Originally Posted By: Douglas
If you can boot into another volume, do that and then navigate back to the original volume and delete the files.

Good thought….except the files are invisible and I believe they can only be made visible on the booted volume.

When I make my invisibles visible (with XtraFinder) they show in all of my volumes...boot, bootable, and non-bootable.
Posted By: ryck Re: Damned MacKeeper - 07/15/15 01:04 AM
Originally Posted By: artie505
Quote:
I just looked at the DetectX home page and found "For MacKeeper, it is important to follow the instructions on Applehelpwriter(*) for how to uninstall MacKeeper properly."

I posted that a while back; have you tried it?

Yes, and I couldn't find any method that would work for me.

Originally Posted By: artie505
The instructions specifically mention the file you originally referenced, i.e. /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78)

That's correct and it also mentions that this is one requiring removal in Terminal….which we have tried but no go.

I note that the site mentions that DetectX has been updated to search for the items in their list, including .3FAD0F….., but that isn't the case with me. DetectX found the file once but, in any search since then, it does not. I am using the latest version of DetectX.
Posted By: ryck Re: Damned MacKeeper - 07/15/15 01:06 AM
Originally Posted By: artie505
When I make my invisibles visible (with XtraFinder) they show in all of my volumes...boot, bootable, and non-bootable.

I'll give that a try tomorrow.
Posted By: Virtual1 Re: Damned MacKeeper - 07/15/15 01:40 PM
Originally Posted By: ryck
I opened one with TextEdit and it said:


fJHrQnNdmElH2bXFFhU46ZGWwjDgfpV6sEa31vlxps
+m
+QVKtdIVJSg/VdGE6Gm/lhAzK9L7EiFZKP6wZhS4QQ5oZRWvVbgYG1wzza9l/8n62qOv3Wk05VXXVg1og2tmGCPuIa2J
+n5okwKa/OOy1/UODWwPATPlFW7JXdB1b
+gbVWOnbEVUVC0diWrIrf7iDF7BmfYdRmthrpowqL5c0aeV/QygydFpfoUysdni37qDmmBUPW8Cux
+PhUfzFtIORuqerqRP5PSbNxrBSxplQ9KXjSCxh0Hk3MI7M0+GYjETTSpa6X7hr90
+YrEwrKP+Fhml1glEAw0F/GLVEAmZPA==

NOTE: I put the carriage returns in the above information from TextEdit because it pasted as one long line headed somewhere out the right side of the FTM screen.


unfortunately that mauled it good. those pluses indicate truncation. (data loss) that's base64 encoded text and is normally readable but is easier to deal with when it's complete.

1. open a terminal window and type "cat " (notice the space after the "t", it's important, and don't type the quotes), DON'T hit return yet
2. drag and drop the file into the terminal window so it will enter its path for you
3. type " | openssl base64 -d" and hit return
if the file is legal base64, it will decode it for you. the output may be binary, and unreadable. if it is, close the terminal window and open a new one, and repeat above but for the second part, add this instead:
3. type " | openssl base64 -d | xxd -c 32" and hit return
and see what that gets you

I took a look at a chunk of it though and it looks like binary data

If that doesn't work, try this step three instead:
3. " | while read x ; do echo "$x" | sed 's/.\{64,64\}/& /g' | tr ' ' '\n' | openssl base64 -d ; done | xxd -c 32"


Posted By: MacManiac Re: Damned MacKeeper - 07/15/15 02:24 PM
It sounds to me like you might have a format error in your attempts to use SUDO RM - RF from the Terminal command line.

...just to clarify the terminal command for removing a file permanently while using ROOT permissions temporarily (as SUDO):

to get the file auto inserted behind the command you need to type the following -

sudo rm -rf

(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)

when you are in the Terminal this will leave your text entry cursor at the exact spot that the path to your file in question needs to be entered in order to complete the command.

NOW is when you use the Finder to drag and drop the file in question onto the Terminal window where it will write the rest of your command and complete it with proper syntax and format.

When you hit return, you will be prompted to enter your admin password (which will NOT display as you type it), then hit return again.....that file should now be gone.

(If you enter an additional sudo command before the internal timer releases your password, the Terminal will execute it without requesting you to type your admin password a second time.....once the internal timer expires, you will be prompted for your password again.)
Posted By: grelber Re: Damned MacKeeper - 07/15/15 04:54 PM
Originally Posted By: MacManiac
to get the file auto inserted behind the command you need to type the following -

sudo rm -rf

(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)

Au contraire: There is no space after the -rf in its presentation in your response; but it does show up when I use the "Quote" option to respond. Obviously a formatting issue within UBB.threads.
The fact that you pointed out the issue should be sufficient.
Posted By: dkmarsh Re: Damned MacKeeper - 07/15/15 05:34 PM

There is a single space after the -rf on my machine (OS X 10.10.3, Safari 8.0.6) when I select the command by dragging across it as instructed by MacManiac:

space.png
Posted By: grelber Re: Damned MacKeeper - 07/15/15 05:44 PM
Originally Posted By: dkmarsh
There is a single space after the -rf on my machine (OS X 10.10.3, Safari 8.0.6) when I select the command by dragging across it as instructed by MacManiac:
space.png

Not mine: OS X 10.7.5, Firefox 39.0.
Posted By: Virtual1 Re: Damned MacKeeper - 07/15/15 06:24 PM
remember the spaces are compressed, they're only a few pixels wide and don't show up well on the ends. it's there on the end though.
Posted By: artie505 Re: Damned MacKeeper - 07/15/15 08:17 PM
grelber is correct.

The space appears in Safari 5.1.10 (top), but it's missing in Firefox 39.0 (bottom).
Posted By: grelber Re: Damned MacKeeper - 07/15/15 09:56 PM
Originally Posted By: artie505
grelber is correct.
The space appears in Safari 5.1.10 (top), but it's missing in Firefox 39.0 (bottom).

Yep, that's exactly what I see under the 2 conditions I mentioned.
Posted By: dkmarsh Re: Damned MacKeeper - 07/15/15 10:23 PM

It's there in the page source, so it's obviously not a UBB.threads issue.

FWIW, the space is there in Google Chrome as well. I suspect the folks at Mozilla have simply coded their browser to strip out apparently excess white space a little more aggressively than others.
Posted By: cyn Re: Damned MacKeeper - 07/16/15 09:23 AM
I've removed several posts from this thread. Next time, start a new thread in Feedback to experiment in.
Posted By: grelber Re: Damned MacKeeper - 07/16/15 09:52 AM
Originally Posted By: cyn
I've removed several posts from this thread. Next time, start a new thread in Feedback to experiment in.

The discussion was useful and many points made therein potentially valuable to avoid future interpretive problems vis-à-vis advice proffered.
It should have been relegated (as suggested) to the Feedback forum rather than peremptorily deleted/censored — the latter not being an auspicious sign in these forums.
Posted By: ryck Re: Damned MacKeeper - 07/18/15 02:57 PM
Originally Posted By: Virtual1
1. open a terminal window and type "cat " (notice the space after the "t", it's important, and don't type the quotes), DON'T hit return yet
2. drag and drop the file into the terminal window so it will enter its path for you
3. type " | openssl base64 -d" and hit return

This step returned: Dads-iMac:~ myname$


Originally Posted By: Virtual1
...close the terminal window and open a new one, and repeat above but for the second part, add this instead:
3. type " | openssl base64 -d | xxd -c 32" and hit return
and see what that gets you

Although there was no output in the first step I gave the above a try anyway. The result continued to be: Dads-iMac:~ myname$

Originally Posted By: Virtual1
If that doesn't work, try this step three instead:
3. " | while read x ; do echo "$x" | sed 's/.\{64,64\}/& /g' | tr ' ' '\n' | openssl base64 -d ; done | xxd -c 32"

This time I got:

0000000: 7c91 eb42 735d 9849 47d9 b5c5 1615 38e9 9196 c230 e07e 957a b046 b7d6 f971 a6cf |..Bs].IG.....8....0.~.z.F...q..
0000020: a6f9 054a b5d2 1525 283f 55d1 84e8 69bf 9610 332b d2fb 1221 5928 feb0 6614 b841 ...J...%(?U...i...3+...!Y(..f..A
0000040: 0e68 6515 af55 b818 1b5c 33cd af65 ffc9 fada a3af dd69 34e5 55d7 560d 6883 6b66 .he..U...\3..e.......i4.U.V.h.kf
0000060: 1823 ee21 ad89 fa7e 6893 029a fce3 b2d7 f50e 0d6c 0f01 33e5 156e c95d d075 6fe8 .#.!...~h..........l..3..n.].uo.
0000080: 1b55 63a7 6c45 5454 2d1d 896a c8ad fee2 0c5e c199 f61d 466b 61ae 9a30 a8be 5cd1 .Uc.lETT-..j.....^....Fka..0..\.
00000a0: a795 fd0c a0c9 d169 7e85 32b1 d9e2 dfba 839a 6054 3d6f 02bb 1f8f 8547 f316 d20e .......i~.2.......`T=o.....G....
00000c0: 46ea 9eae a44f e4f4 9b37 1ac1 4b1a 6543 d297 8d20 b187 41e4 dcc2 3b33 4f86 6231 F....O...7..K.eC... ..A...;3O.b1
00000e0: 134d 2a5a e97e e1af dd3e 62b1 30ac a3fe 1619 a5d6 0944 030d 05fc 62d5 1009 993c .M*Z.~...>b.0........D....b....<
Dads-iMac:~ myname$
Posted By: ryck Re: Damned MacKeeper - 07/18/15 03:42 PM
Originally Posted By: MacManiac
It sounds to me like you might have a format error in your attempts to use SUDO RM - RF from the Terminal command line.

...just to clarify the terminal command for removing a file permanently while using ROOT permissions temporarily (as SUDO):

to get the file auto inserted behind the command you need to type the following -

sudo rm -rf

(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)

when you are in the Terminal this will leave your text entry cursor at the exact spot that the path to your file in question needs to be entered in order to complete the command.

NOW is when you use the Finder to drag and drop the file in question onto the Terminal window where it will write the rest of your command and complete it with proper syntax and format.

When you hit return, you will be prompted to enter your admin password (which will NOT display as you type it), then hit return again.....that file should now be gone.

(If you enter an additional sudo command before the internal timer releases your password, the Terminal will execute it without requesting you to type your admin password a second time.....once the internal timer expires, you will be prompted for your password again.)

This may be one of those "old dog/new trick" things but I can't get to the point where it asks for my password...although I am certain I have followed the above 'to the letter'. Instead, the result just says I can't do this. This is what I got:

Dads-iMac:~ myname$ sudo rm -rf /Volumes/Time\ Machine/Backups.backupdb/Dad’s\ iMac/2015-07-04-090902/Macintosh\ HD/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm: /Volumes/Time Machine/Backups.backupdb/Dad’s iMac/2015-07-04-090902/Macintosh HD/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78: Operation not permitted
Dads-iMac:~ myname$
Posted By: artie505 Re: Damned MacKeeper - 07/18/15 08:01 PM
Maybe time to boot into another volume, make your invisibles visible, and see if you can delete from there?
Posted By: ryck Re: Damned MacKeeper - 07/18/15 10:08 PM
I took a little different approach and used Automator. Here's what I did:

1. Used Finder to make Invisible files visible.

2. Opened "Automator"
3. Chose "Application"
4. Under "Actions-Library", chose Files & Folders
5. Under "Variables", chose Move Finder Items to Trash
6. Selected all documents named ".3FAD0F65-FC6E-4889-B975-B96CBF807B78"
7. Dragged them to the Automator window
8. Instructed Automator to "Remove" (which needed to be done a document at a time)

Automator appeared to have removed them all, as they disappeared from the Finder list.

9. Restarted the Mac
10. Ran DetectX (V1.28), which gave a 'thumbs up'
11. Used Finder to make invisible files visible.

And, yup, the 'suspect' documents were all back. So now I am wondering if they are, in fact, 'suspect'. Is there anything to date that might suggest DetectX is correct? i.e. they are not MacKeeper

Posted By: artie505 Re: Damned MacKeeper - 07/18/15 10:29 PM
There may be something about those files that prevents their being trashed from your boot volume but not from a different volume, so I still suggest your rebooting (as per Douglas).

I don't know what those files are, but they're certainly something I wouldn't want on my deuced Mac(hina).
Posted By: ryck Re: Damned MacKeeper - 07/21/15 09:57 AM
Okay, we have some good news, some bad news, and a "Well, duh" moment.

Good news - the issue is resolved and the offending document has been banished along with a bunch of others. Along the way I also learned that the items could not be removed by booting from a different volume.

Bad news - I appear to have burned up a lot of people's time for naught.

"Well, duh" moment - I booted from my backup, made invisibles visible, and tried unsuccessfully to remove the documents. Thinking they may be locked I used 'Get Info' to unlock. Then I noticed that 'Get Info' included this pertinent datum: "/Volumes/Time Machine/Backups.backupdb/Dad’s iMac/".

The offending documents weren't even on my main drive.

Anyway, long story short, I erased my Time Machine drive, recorded it anew, and all the bad stuff is now gone.

Well, duh.
Posted By: dkmarsh Re: Damned MacKeeper - 07/21/15 10:52 AM

I think the fact that you couldn't delete the items in question has nothing to do with having been booted from a different volume; I believe it's because these items were part of a Time Machine backup. Removing items from a Time Machine backup is designed to be done only from within Time Machine, presumably for safety reasons. (There is a Terminal workaround, but it's a bit more involved than a simple rm.)
Posted By: Virtual1 Re: Damned MacKeeper - 07/21/15 12:26 PM
I'm pretty sure time machine is using hard links. The gist of that is you save the file in one folder, and then hard-link to it from another folder. The file now appears to exist in both places at once. For all practical purposes, a hard link is functionally identical to the real file. If it's a document and you edit it, the change shows up regardless of how you "get to" the document. Also, if you delete (trash or rm) the document, you remove only ONE of the hard links to the file, so the file remains on the hard drive and completely accessible via any of its other existing hard links. (in reality, whenever you save a document, it gets one hard link to itself, the file you see IS a hard link, it's just the ONLY one for that file, so when that link gets removed, the file gets deleted)

Files can have a (virtually) unlimited number of hard links to them, and the file's disk space is only freed when the hard link count to the file drops to zero.

This allows time machine to have a hundred backups of the same file or folder of files, without taking up much additional disk space. Just more space for more directory entries - the hard links in the directory all point to the same file. (it only makes an actual new copy of an existing file if it has changed) Finder has been "specially educated" about time machine folders, and takes several special steps when doing a drag-and-drop copy. Permissions must be enabled on both ends for example. But it's the best way to copy a time machine backup. If you try to use DITTO from terminal, it won't reconstruct the hard-linking, and you'll quickly run out of disk space on the destination, as each hard link to the same file on the source will produce completely unique files on the destination. (been there, done that, much head-scratching ensued)

One thing I don't know however is whether or not time machine is savvy enough to deal with files and folders that are renamed and/or moved. Theoretically, this doesn't have to interrupt the linking process. In practice however, it greatly complicates making backups, as time machine attempts to identify what was moved or renamed since the last backup, so it can get the linking correct. (two different hard links to the same file can have different file names, in addition to being in different folders - they must however be on the same volume)

The other two types of "file aliases" are symbolic links and Finder Aliases, and all three have very different properties and behaviors.
Posted By: ryck Re: Damned MacKeeper - 07/22/15 01:21 PM
Originally Posted By: dkmarsh
Removing items from a Time Machine backup is designed to be done only from within Time Machine, presumably for safety reasons.

Originally Posted By: Virtual1
One thing I don't know however is whether or not time machine is savvy enough to deal with files and folders that are renamed and/or moved. Theoretically, this doesn't have to interrupt the linking process. In practice however, it greatly complicates making backups, as time machine attempts to identify what was moved or renamed since the last backup, so it can get the linking correct.

And now we may have the cause (which would be me blush ). A few weeks back I watched a conference on-line and, rather than take notes, recorded the event, which was saved in iMovie. As it turned out, I didn't need the recording after all and deleted it from my hard drive.

However, it was recorded in Time Machine and caused TM to stop making backups (which were now too large) even though the original had been deleted. So I thought I'd remove the recording from Time Machine. I went to Time Machine>Backups.backupdb>Dad's iMac and found a series of dated folders.

I "drag and drop" moved to Trash the folders that had dates which I thought would contain a backup of the original recording.
Posted By: Virtual1 Re: Damned MacKeeper - 07/22/15 01:44 PM
the "recommended" method for removing items from backup is to enter time machine and find the item (which may require going back some days if it has since been deleted from your main hard drive), right click on it, and select the "delete from all backups" option. This will go into the TM drive and remove all hard links to the file made at each backup run it was present at, as well as removing it from time machine's search database.

Directly browsing the time machine backup using Finder will find the files, but if you trash them and empty the trash, you're unlikely to see an increase in available disk space since you most likely removed only one of the hard links to the file. With other hard links remaining (from other older backups) the file will continue to hold space on the drive. Such an action may also make it more difficult to locate and remove the file using the time machine interface, since the DB will expect the link to be there but it's not since you have directly deleted it. (you may have to dig back farther in time to find one that's still there to select for removal)
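The hard-link behaviour described in the two posts above, as an added example that is not part of the original thread: two constructed "snapshot" folders share one file through a hard link, a plain copy becomes a separate file, and deleting one entry leaves the data reachable through the other. All folder and file names are sample data.

```bash
#!/bin/bash
# Added illustration (not from the thread): how hard-linked snapshots behave.
# Folder and file names are constructed samples.

# Number of hard links to a file: second column of `ls -ld` (macOS and Linux).
link_count() {
  ls -ld "$1" | awk '{print $2}'
}

# Build two "snapshot" folders under $1. The file is unchanged between runs,
# so the second snapshot gets a hard link to it instead of a new copy.
make_snapshots() {
  local root="$1"
  mkdir -p "$root/snap-A/Preferences" "$root/snap-B/Preferences" || return 1
  printf 'constructed sample data\n' > "$root/snap-A/Preferences/.sample-pref"
  ln "$root/snap-A/Preferences/.sample-pref" "$root/snap-B/Preferences/.sample-pref"
}

# A plain copy (what a copy tool that ignores links produces) is an
# independent file with its own storage. Succeeds if the copy is separate.
copy_is_independent() {
  local root="$1"
  cp "$root/snap-B/Preferences/.sample-pref" "$root/plain-copy"
  ! [ "$root/plain-copy" -ef "$root/snap-B/Preferences/.sample-pref" ]
}

# Delete the entry in one snapshot and report what is left of the file:
# prints "<remaining link count> <still readable: yes|no>".
remove_one_link() {
  local root="$1"
  local other="$root/snap-B/Preferences/.sample-pref"
  rm -f "$root/snap-A/Preferences/.sample-pref"
  if [ -r "$other" ]; then
    echo "$(link_count "$other") yes"
  else
    echo "0 no"
  fi
}

hardlink_demo() {
  local root
  root=$(mktemp -d) || return 1
  make_snapshots "$root"
  echo "links after two snapshots: $(link_count "$root/snap-A/Preferences/.sample-pref")"
  # -ef is true when both paths name the same file (same device and inode).
  if [ "$root/snap-A/Preferences/.sample-pref" -ef "$root/snap-B/Preferences/.sample-pref" ]; then
    echo "both snapshot paths are the same file"
  fi
  if copy_is_independent "$root"; then
    echo "plain copy is a separate file"
  fi
  echo "after deleting one entry: $(remove_one_link "$root")"
  rm -rf "$root"
}

hardlink_demo
```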
Posted By: ryck Re: Damned MacKeeper - 07/22/15 01:56 PM
Duly noted. Thanks.
Posted By: slolerner Re: Damned MacKeeper - 10/09/15 01:06 AM
Ok, so my friend just emailed me a screen shot of the dreaded MacKeeper window. Is there some kind of simple thing to advise her to do?
Posted By: Virtual1 Re: Damned MacKeeper - 10/09/15 02:00 PM
mackeeper has been updated (?) several times since it hit the scene, so it's difficult to say with any certainty which variation your friend has.

My general procedure for malware removal is to reboot into safe mode, and browse:
/Library/StartupItems/
/Library/LaunchAgents/
/Library/LaunchDaemons/
~/Library/LaunchAgents/
/Applications/

and also check system prefs, accounts, my account, login items

and remove everything that does not belong. I also look at what I am removing, to see what IT is trying to hook, and I go and throw that away too. Then restart.

MacKeeper is often known under "zeobit". You are very likely to encounter that prefix in the launch daemons and agents. ("com.zeobit.MacKeeper.plugin...") While there will be at least a FEW things that are not "com.apple....", those are the ones you should pay close attention to. Check another known ok mac when in doubt. Oracle, Microsoft, and Adobe are the top three normally found that belong there.
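The checklist in the post above, as an added read-only example that is not part of the original post: it lists every non-Apple item in the launch locations named there, flags the com.zeobit prefix, and shows which program each item runs. The function names, the root-prefix argument and the sample tree are assumptions made for illustration; only XML plists are parsed.

```bash
#!/bin/bash
# Added illustration: read-only audit of the launch locations listed in the post.
# It prints findings and deletes nothing.

# Classify a launchd label by prefix. "review" means "look at it", not
# "malicious": third-party vendors legitimately install items here as well.
classify_label() {
  case "$1" in
    com.apple.*)                    echo "apple" ;;
    com.zeobit.*|*[Mm]ac[Kk]eeper*) echo "MACKEEPER" ;;
    *)                              echo "review" ;;
  esac
}

# First program path named in an XML launchd plist (Program or ProgramArguments).
# Simplification: binary plists and directories are not decoded and yield "?".
plist_target() {
  [ -f "$1" ] || { echo "?"; return 0; }
  awk '
    !want && match($0, /<key>Program(Arguments)?<\/key>/) {
      want = 1; $0 = substr($0, RSTART + RLENGTH)
    }
    want && index($0, "<string>") {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; found = 1; exit
    }
    END { if (!found) print "?" }
  ' "$1"
}

# List every non-Apple item as: verdict <TAB> path <TAB> program it runs.
# $1 is "" for the running system or the path of a mounted volume;
# $2 is the user's home folder on that volume, e.g. /Users/name.
audit_launch_items() {
  local root="$1" home_dir="$2" dir item verdict
  for dir in "$root/Library/StartupItems" "$root/Library/LaunchAgents" \
             "$root/Library/LaunchDaemons" "$root$home_dir/Library/LaunchAgents"; do
    [ -d "$dir" ] || continue
    for item in "$dir"/*; do
      [ -e "$item" ] || continue
      verdict=$(classify_label "$(basename "$item" .plist)")
      if [ "$verdict" != "apple" ]; then
        printf '%s\t%s\t%s\n' "$verdict" "$item" "$(plist_target "$item")"
      fi
    done
  done
  return 0
}

# Write a minimal XML launchd plist: $1 = file path, $2 = program it would run.
write_plist() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key>
  <string>$(basename "$1" .plist)</string>
  <key>ProgramArguments</key>
  <array>
    <string>$2</string>
  </array>
</dict></plist>
EOF
}

# Constructed sample tree so the audit runs offline. Every name is sample data
# except the com.zeobit file name, which appears in this thread.
build_sample_tree() {
  local root="$1" home="$1/Users/sample"
  mkdir -p "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
           "$home/Library/LaunchAgents"
  write_plist "$root/Library/LaunchDaemons/com.apple.sample.plist" "/usr/libexec/sampled"
  write_plist "$root/Library/LaunchAgents/com.example.updater.plist" "/Library/Example/updater"
  write_plist "$home/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist" \
              "/constructed/path/MacKeeper Helper"
}

demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
audit_launch_items "$demo_root" "/Users/sample"
rm -rf "$demo_root"
```

On a real system the call would be `audit_launch_items "" "$HOME"`, and anything reported as "review" should be compared against a known-good Mac before it is touched.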
Posted By: Ira L Re: Damned MacKeeper - 10/09/15 04:47 PM
Not really that simple, but here is an article with a complete listing of steps and a very detailed listing of where to look.
Posted By: slolerner Re: Damned MacKeeper - 10/12/15 06:46 PM
Thanks, was ready to nuke and pave. (Apparently it came with a Pinterest download that was not from the Pinterest site.) The article is very clear, although she will not be able to do it herself, she just started using a Mac. Someone ought to write a MacKeeper Removal script.
Posted By: Virtual1 Re: Damned MacKeeper - 10/13/15 01:22 PM
install mackeeper, get pwned: http://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

script adapted from https://jamfnation.jamfsoftware.com/discussion.html?id=11659

Code:
#!/bin/bash

# delete MacKeeper files

# must run as root; re-run under sudo, passing the invoking user's short name
if [ "$EUID" -ne 0 ] ; then
  sudo "$0" "$USER"
  exit $?
fi

# $1 is the short name of the user whose home folder is cleaned
if [ -z "$1" ] ; then
  echo "usage: $0 username" >&2
  exit 1
fi

# Files Outside Home Folder

rm -rf /Applications/MacKeeper.app
rm -rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
# the folder names under /private/var/folders differ per user and machine
rm -rf /private/var/folders/mh/yprf0vxs3mx_n2lg3tjgqddm0000gn/T/MacKeeper*
rm -rf /private/tmp/MacKeeper*

# Files inside home folder (paths quoted so names with spaces stay intact)
rm -rf "/Users/$1/Library/Application Support/MacKeeper Helper"
rm -rf "/Users/$1/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist"
rm -rf "/Users/$1/Library/Logs/MacKeeper.log"
rm -rf "/Users/$1/Library/Logs/MacKeeper.log.signed"
rm -rf "/Users/$1/Library/Logs/SparkleUpdateLog.log"
rm -rf "/Users/$1/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D"
rm -rf "/Users/$1/Library/Preferences/com.zeobit.MacKeeper.Helper.plist"
rm -rf "/Users/$1/Library/Preferences/com.zeobit.MacKeeper.plist"
rm -rf "/Users/$1/Library/Saved Application State/com.zeobit.MacKeeper.savedState"
# the glob stays outside the quotes so MacKeeper* still expands
rm -rf "/Users/$1/Downloads/"MacKeeper*
rm -rf "/Users/$1/Documents/"MacKeeper*

untested, shake well before using
Posted By: slolerner Re: Damned MacKeeper - 10/13/15 08:40 PM

Down a rabbit hole!
Posted By: jchuzi Re: Damned MacKeeper - 12/16/15 10:04 AM
MacKeeper hacked: 13 million account details exposed
Posted By: joemikeb Re: Damned MacKeeper - 12/16/15 04:38 PM
Avoiding the scourge of MacKeeper and other Scamware
© FineTunedMac