An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Page 1 of 2 1 2 >
Topic Options
#35034 - 07/12/15 11:56 AM Damned MacKeeper
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
If anyone ever doubted that MacKeeper is a disease..........

From another thread I learned about DetectX and downloaded it. The only item it found in all of its searches was a 3 year old MacKeeper document in my Library Preferences called: .3FAD0F65-FC6E-4889-B975-B96CBF807B78

Clicking on DetectX's "Send to Trash" did not get rid of the MacKeeper document.

I managed to find the file (it was invisible) and attempted to move it to the trash. I got a dialogue box that says: "The operation can’t be completed because backup items can’t be modified."

Now, however, like any other viral disease, the MacKeeper file is replicating itself. Instead of just the one, I now have about 20 documents with the same name.

Any thoughts on how to purge my drive of the pernicious MacKeeper file (now files)?


Edited by ryck (07/12/15 11:57 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35035 - 07/12/15 12:06 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
Don't know if it will work, but have you tried "rm"ing it in Terminal?

Edit: I just looked at the DetectX home page and found "For MacKeeper, it is important to follow the instructions on Applehelpwriter for how to uninstall MacKeeper properly."

Have you tried that?

Edit 2: I just d/l'ed DetectX, and it found a "MacKeeper" file with a name similar to yours; I was able to move it to the trash (on my own) and delete it. Personally, I think the file was erroneously identified as a MacKeeper file, possibly because its name was similar to one, but its very minimal contents seemed innocuous, so I gambled. I also had a second such file with absolutely no contents which I deleted before running DetectX.


Edited by artie505 (07/12/15 12:48 PM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#35037 - 07/12/15 01:36 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
Personally, I think the file was erroneously identified as a MacKeeper file, possibly because its name was similar to one….

I wonder if that's also the case with my mysterious document. I subsequently closed everything, including DetectX. I then re-opened it and ran another search. This time DectectX didn't find anything and gave me a 'thumbs up'.

Originally Posted By: artie505
Don't know if it will work, but have you tried "rm"ing it in Terminal?

While it now seems the file may not be MacKeeper, there are about 20 copies of the file instead of one. For the sake of keeping things tidy I wouldn't mind removing all the redundant copies. Do you know what the Terminal command would be? Or is it even possible to remove all but one?


Edited by ryck (07/12/15 01:41 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35039 - 07/12/15 02:03 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
What I don't get is why the file replicated itself; have you opened it to see what's in it?

The Terminal command is rm -rf  (Don't forget the two [2] spaces.); then drag a file into Terminal, and its path will appear in the command, after which you hit "return". (I've never tried dragging multiple files.)


Edited by artie505 (07/12/15 02:04 PM)
Edit Reason: Clarify command
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#35043 - 07/12/15 03:57 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
What I don't get is why the file replicated itself….

To make it more curious, it appears that other files are also replicating themselves.

Originally Posted By: artie505
...have you opened it to see what's in it?

I opened one with TextEdit and it said:


fJHrQnNdmElH2bXFFhU46ZGWwjDgfpV6sEa31vlxps
+m
+QVKtdIVJSg/VdGE6Gm/lhAzK9L7EiFZKP6wZhS4QQ5oZRWvVbgYG1wzza9l/8n62qOv3Wk05VXXVg1og2tmGCPuIa2J
+n5okwKa/OOy1/UODWwPATPlFW7JXdB1b
+gbVWOnbEVUVC0diWrIrf7iDF7BmfYdRmthrpowqL5c0aeV/QygydFpfoUysdni37qDmmBUPW8Cux
+PhUfzFtIORuqerqRP5PSbNxrBSxplQ9KXjSCxh0Hk3MI7M0+GYjETTSpa6X7hr90
+YrEwrKP+Fhml1glEAw0F/GLVEAmZPA==

NOTE: I put the carriage returns in the above information from TextEdit because it pasted as one long line headed somewhere out the right side of the FTM screen.

Originally Posted By: artie505
...then drag a file into Terminal, and its path will appear in the command, after which you hit "return"

The path does appear but, as soon as I hit 'return' Terminal adds: Permission Denied, and the delete does not occur.


Edited by ryck (07/12/15 04:05 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35045 - 07/12/15 04:25 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
What other files?

Have you done a command-I to see if they're locked?

You can to try the same rm command but preceded by sudo(space): sudo rm -rf(space).

Maybe they are MacKeeper and you ought to follow the link I posted.

(Looks like you moved...pretty country; good luck! smile )
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#35046 - 07/12/15 04:26 PM Re: Damned MacKeeper [Re: ryck]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Try the command sudo rm -rf. Be sure to leave a space after -rf After you drag the file into Terminal and press Return, enter your administrator password and press Return again. (Nothing will appear to happen while you're typing the password.)
_________________________
Jon

OS 10.14.4, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#35048 - 07/12/15 04:46 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
(Looks like you moved...pretty country; good luck! smile )

Ya, one of our daughters advised we are going to have our first grandchild so we decided we should be where the child is. That decision took about a millisecond.

I'm just heading out to get someone from the airport, and will have a busy evening, so I'll get back to you and Jon tomorrow.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35051 - 07/14/15 10:02 AM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
What other files?

There's a whole range of them, some of which are folders with Unix Executable Files inside them. In all cases the duplicates, when examined using Get Info, appear to be exactly the same...dates created, modified, et cetera.

Some names are:
.3lbxjVRJ8r
.AutoBindDone
.background (which is a Folder with a Unix Executable File)
.38 Special (which is a MacPaint Image)
.3246584E-0CF8-4153-835D-C7D952862F9D
.AccessibilityAPIEnabled

Originally Posted By: artie505
Have you done a command-I to see if they're locked?

Yes but, even after unlocking them, they won't allow themselves to be removed to trash. Also, unlocking one also unlocks every duplicate.

Originally Posted By: artie505
You can to try the same rm command but preceded by sudo(space): sudo rm -rf(space).

Originally Posted By: jchuzi
Try the command sudo rm -rf. Be sure to leave a space after -rf After you drag the file into Terminal and press Return, enter your administrator password and press Return again.

It still rejects the attempt to remove and advises "Permission Denied"


Unless it's just coincidental, I do notice that I am seeing the spinning beachball periodically when in regular use of the computer. Prior to this, I almost never saw it.

Is this one of those times when you just scratch your head and keep on walking?


Edited by ryck (07/14/15 10:04 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35052 - 07/14/15 12:34 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
This is starting to sound like something that came up a looong time ago, so just maybe... Try booting into another volume and running Disk Utility > Repair Disk on your disagreeable volume, and then reboot and see if your recalcitrant files are any more agreeable.


Edited by artie505 (07/14/15 12:39 PM)
Edit Reason: Clarify
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#35053 - 07/14/15 12:42 PM Re: Damned MacKeeper [Re: artie505]
Douglas Offline


Registered: 08/04/09
Loc: Seattle, WA
Just my 2 cents worth. If you can boot into another volume, do that and then navigate back to the original volume and delete the files. That should work if you get all of them.

IMHO MacKeeper should be banned.

Top
#35054 - 07/14/15 12:48 PM Re: Damned MacKeeper [Re: ryck]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: ryck
Originally Posted By: artie505
(Looks like you moved...pretty country; good luck! smile )

Ya, one of our daughters advised we are going to have our first grandchild so we decided we should be where the child is. That decision took about a millisecond.

'Tis indeed a lovely area ... for the moment. But just as living on the island is dangerous, so is the Lower Mainland right up to the Rockies: When the tectonic plates shift — any time now, according to the pundits ... hold your breath or don't — Golden will be beachfront property. tongue smirk

Top
#35055 - 07/14/15 02:31 PM Re: Damned MacKeeper [Re: grelber]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: grelber
'Tis indeed a lovely area ... for the moment. But just as living on the island is dangerous, so is the Lower Mainland right up to the Rockies: When the tectonic plates shift….

Except that I am in the spot deemed the lowest earthquake risk in the province. When the insurance person tried to sell me the same earthquake insurance I had on the island, I pointed out that the insurance company's back-up servers were here for that very reason - lowest risk of earthquake.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35056 - 07/14/15 02:46 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
Try booting into another volume and running Disk Utility > Repair Disk on your disagreeable volume, and then reboot and see if your recalcitrant files are any more agreeable.

Nope….didn't work. However, I did take the opportunity to do a Directory Rebuild - which I haven't done for a while - using DiskWarrior.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35057 - 07/14/15 02:48 PM Re: Damned MacKeeper [Re: Douglas]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Douglas
If you can boot into another volume, do that and then navigate back to the original volume and delete the files.

Good thought….except the files are invisible and I believe they can only be made visible on the booted volume.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35059 - 07/14/15 03:29 PM Re: Damned MacKeeper [Re: ryck]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Since you were denied permission to do this, try repairing permissions. True, permission repair is not as necessary as it once was, but it won't hurt to try.
_________________________
Jon

OS 10.14.4, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#35061 - 07/14/15 04:11 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
Quote:
I just looked at the DetectX home page and found "For MacKeeper, it is important to follow the instructions on Applehelpwriter(*) for how to uninstall MacKeeper properly."

I posted that a while back; have you tried it?

(*) how to uninstall MacKeeper – updated | (The instructions specifically mention the file you originally referenced, i.e. /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#35063 - 07/14/15 04:55 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
Originally Posted By: ryck
Originally Posted By: Douglas
If you can boot into another volume, do that and then navigate back to the original volume and delete the files.

Good thought….except the files are invisible and I believe they can only be made visible on the booted volume.

When I make my invisibles visible (with XtraFinder) they show in all of my volumes...boot, bootable, and non-bootable.


Edited by artie505 (07/14/15 05:41 PM)
Edit Reason: Clarify, add link
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#35064 - 07/14/15 06:04 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
Quote:
I just looked at the DetectX home page and found "For MacKeeper, it is important to follow the instructions on Applehelpwriter(*) for how to uninstall MacKeeper properly."

I posted that a while back; have you tried it?

Yes, and I couldn't find any method that would work for me.

Originally Posted By: artie505
The instructions specifically mention the file you originally referenced, i.e. /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78)

That's correct and it also mentions that this is one requiring removal in Terminal….which we have tried but no go.

I note that the site mentions that DetectX has been updated to search for the items in their list, including .3FAD0F….., but that isn't the case with me. DetectX found the file once but, in any search since then, it does not. I am using the latest version of DetectX.


Edited by ryck (07/14/15 06:04 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35065 - 07/14/15 06:06 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
When I make my invisibles visible (with XtraFinder) they show in all of my volumes...boot, bootable, and non-bootable.

I'll give that a try tomorrow.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#35066 - 07/15/15 06:40 AM Re: Damned MacKeeper [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: ryck
[quote=artie505]
I opened one with TextEdit and it said:


fJHrQnNdmElH2bXFFhU46ZGWwjDgfpV6sEa31vlxps
+m
+QVKtdIVJSg/VdGE6Gm/lhAzK9L7EiFZKP6wZhS4QQ5oZRWvVbgYG1wzza9l/8n62qOv3Wk05VXXVg1og2tmGCPuIa2J
+n5okwKa/OOy1/UODWwPATPlFW7JXdB1b
+gbVWOnbEVUVC0diWrIrf7iDF7BmfYdRmthrpowqL5c0aeV/QygydFpfoUysdni37qDmmBUPW8Cux
+PhUfzFtIORuqerqRP5PSbNxrBSxplQ9KXjSCxh0Hk3MI7M0+GYjETTSpa6X7hr90
+YrEwrKP+Fhml1glEAw0F/GLVEAmZPA==

NOTE: I put the carriage returns in the above information from TextEdit because it pasted as one long line headed somewhere out the right side of the FTM screen.


unfortunately that mauled it good. those pluses indicate truncation. (data loss) that's base64 encoded text and is normally readable but is easier to deal with when it's complete.

1. open a terminal window and type "cat " (notice the space after the "t", it's important, and don't type the quotes), DON'T hit return yet
2. drag and drop the file into the terminal window so it will enter its path for you
3. type " | openssl base64 -d" and hit return
if the file is legal base64, it will decode it for you. the output may be binary, and unreadable. if it is, close the terminal window and open a new one, and repeat above but for the second part, add this instead:
3. type " | openssl base64 -d | xxd -c 32" and hit return
and see what that gets you

I took a look at a chunk of it though and it looks like binary data

If that doesn't work, try this step three instead:
3. " | while read x ; do echo "$x" | sed 's/.\{64,64\}/& /g' | tr ' ' '\n' | openssl base64 -d ; done | xxd -c 32"


_________________________
I work for the Department of Redundancy Department

Top
#35070 - 07/15/15 07:24 AM Re: Damned MacKeeper [Re: ryck]
MacManiac Offline
Moderator

Registered: 08/04/09
Loc: Paradise....on the central Ore...
It sounds to me like you might have a format error in your attempts to use SUDO RM - RF from the Terminal command line.

...just to clarify the terminal command for removing a file permanently while using ROOT permissions temporarily (as SUDO):

to get the file auto inserted behind the command you need to type the following -

sudo rm -rf

(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)

when you are in the Terminal this will leave your text entry cursor at the exact spot that the path to your file in question needs to be entered in order to complete the command.

NOW is when you use the Finder to drag and drop the file in question onto the Terminal window where it will write the rest of your command and complete it with proper syntax and format.

When you hit return, you will be prompted to enter your admin password (which will NOT display as you type it), then hit return again.....that file should now be gone.

(If you enter an additional sudo command before the internal timer releases your password, the Terminal will execute it without requesting you to type your admin password a second time.....once the internal timer expires, you will be prompted for your password again.)
_________________________
Freedom is never free....thank a Service member today.

Top
#35075 - 07/15/15 09:54 AM Re: Damned MacKeeper [Re: MacManiac]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: MacManiac
to get the file auto inserted behind the command you need to type the following -

sudo rm -rf

(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)

Au contraire: There is no space after the -rf in its presentation in your response; but it does show up when I use the "Quote" option to respond. Obviously a formatting issue within UBB.threads.
The fact that you pointed out the issue should be sufficient.

Top
#35076 - 07/15/15 10:34 AM Re: Damned MacKeeper [Re: grelber]
dkmarsh Offline

Moderator

Registered: 08/04/09

There is a single space after the -rf on my machine (OS X 10.10.3, Safari 8.0.6) when I select the command by dragging across it as instructed by MacManiac:

space.png
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

Top
#35077 - 07/15/15 10:44 AM Re: Damned MacKeeper [Re: dkmarsh]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: dkmarsh
There is a single space after the -rf on my machine (OS X 10.10.3, Safari 8.0.6) when I select the command by dragging across it as instructed by MacManiac:
space.png

Not mine: OS X 10.7.5, Firefox 39.0.

Top
Page 1 of 2 1 2 >

Moderator:  alternaut, dianne, dkmarsh