Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
remember the spaces are compressed, they're only a few pixels wide and don't show up well on the ends. it's there on the end though.
I work for the Department of Redundancy Department
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 15
grelber is correct. The space appears in Safari 5.1.10 (top), but it's missing in Firefox 39.0 (bottom).
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 4
grelber is correct. The space appears in Safari 5.1.10 (top), but it's missing in Firefox 39.0 (bottom).
Yep, that's exactly what I see under the 2 conditions I mentioned.
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 3
Moderator
It's there in the page source, so it's obviously not a UBB.threads issue. FWIW, the space is there in Google Chrome as well. I suspect the folks at Mozilla have simply coded their browser to strip out apparently excess white space a little more aggressively than others.
dkmarsh—member, FineTunedMac Co-op Board of Directors
|
|
Re: Damned MacKeeper
|
Administrator
Joined: Aug 2009
|
I've removed several posts from this thread. Next time, start a new thread in Feedback to experiment in.
FineTunedMac Forums Admin
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 4
I've removed several posts from this thread. Next time, start a new thread in Feedback to experiment in.
The discussion was useful and many points made therein potentially valuable to avoid future interpretive problems vis-à-vis advice proffered. It should have been relegated (as suggested) to the Feedback forum rather than peremptorily deleted/censored — the latter not being an auspicious sign in these forums.
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 14
OP
1. open a terminal window and type "cat " (notice the space after the "t", it's important, and don't type the quotes), DON'T hit return yet
2. drag and drop the file into the terminal window so it will enter its path for you
3. type " | openssl base64 -d" and hit return
This step returned:
Dads-iMac:~ myname$
...close the terminal window and open a new one, and repeat above but for the second part, add this instead:
3. type " | openssl base64 -d | xxd -c 32" and hit return and see what that gets you
Although there was no output in the first step I gave the above a try anyway. The result continued to be:
Dads-iMac:~ myname$
If that doesn't work, try this step three instead:
3. " | while read x ; do echo "$x" | sed 's/.\{64,64\}/& /g' | tr ' ' '\n' | openssl base64 -d ; done | xxd -c 32"
This time I got:
0000000: 7c91 eb42 735d 9849 47d9 b5c5 1615 38e9 9196 c230 e07e 957a b046 b7d6 f971 a6cf |..Bs].IG.....8....0.~.z.F...q..
0000020: a6f9 054a b5d2 1525 283f 55d1 84e8 69bf 9610 332b d2fb 1221 5928 feb0 6614 b841 ...J...%(?U...i...3+...!Y(..f..A
0000040: 0e68 6515 af55 b818 1b5c 33cd af65 ffc9 fada a3af dd69 34e5 55d7 560d 6883 6b66 .he..U...\3..e.......i4.U.V.h.kf
0000060: 1823 ee21 ad89 fa7e 6893 029a fce3 b2d7 f50e 0d6c 0f01 33e5 156e c95d d075 6fe8 .#.!...~h..........l..3..n.].uo.
0000080: 1b55 63a7 6c45 5454 2d1d 896a c8ad fee2 0c5e c199 f61d 466b 61ae 9a30 a8be 5cd1 .Uc.lETT-..j.....^....Fka..0..\.
00000a0: a795 fd0c a0c9 d169 7e85 32b1 d9e2 dfba 839a 6054 3d6f 02bb 1f8f 8547 f316 d20e .......i~.2.......`T=o.....G....
00000c0: 46ea 9eae a44f e4f4 9b37 1ac1 4b1a 6543 d297 8d20 b187 41e4 dcc2 3b33 4f86 6231 F....O...7..K.eC... ..A...;3O.b1
00000e0: 134d 2a5a e97e e1af dd3e 62b1 30ac a3fe 1619 a5d6 0944 030d 05fc 62d5 1009 993c .M*Z.~...>b.0........D....b....<
Dads-iMac:~ myname$
Last edited by ryck; 07/18/15 03:00 PM.
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 14
OP
It sounds to me like you might have a format error in your attempts to use SUDO RM - RF from the Terminal command line.
...just to clarify the terminal command for removing a file permanently while using ROOT permissions temporarily (as SUDO):
to get the file auto inserted behind the command you need to type the following -
sudo rm -rf
(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)
when you are in the Terminal this will leave your text entry cursor at the exact spot that the path to your file in question needs to be entered in order to complete the command.
NOW is when you use the Finder to drag and drop the file in question onto the Terminal window where it will write the rest of your command and complete it with proper syntax and format.
When you hit return, you will be prompted to enter your admin password (which will NOT display as you type it), then hit return again.....that file should now be gone.
(If you enter an additional sudo command before the internal timer releases your password, the Terminal will execute it without requesting you to type your admin password a second time.....once the internal timer expires, you will be prompted for your password again.)
This may be one of those "old dog/new trick" things but I can't get to the point where it asks for my password...although I am certain I have followed the above 'to the letter'. Instead, the result just says I can't do this. This is what I got:
Dads-iMac:~ myname$ sudo rm -rf /Volumes/Time\ Machine/Backups.backupdb/Dad’s\ iMac/2015-07-04-090902/Macintosh\ HD/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm: /Volumes/Time Machine/Backups.backupdb/Dad’s iMac/2015-07-04-090902/Macintosh HD/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78: Operation not permitted
Dads-iMac:~ myname$
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 15
Maybe time to boot into another volume, make your invisibles visible, and see if you can delete from there?
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 14
OP
I took a little different approach and used Automator. Here's what I did:
1. Used Finder to make Invisible files visible.
2. Opened "Automator"
3. Chose "Application"
4. Under "Actions-Library", chose Files & Folders
5. Under "Variables", chose Move Finder Items to Trash
6. Selected all documents named ".3FAD0F65-FC6E-4889-B975-B96CBF807B78"
7. Dragged them to the Automator window
8. Instructed Automator to "Remove" (which needed to be done a document at a time)
Automator appeared to have removed them all, as they disappeared from the Finder list.
9. Restarted the Mac
10. Ran DetectX (V1.28), which gave a 'thumbs up'
11. Used Finder to make invisible files visible.
And, yup, the 'suspect' documents were all back. So now I am wondering if they are, in fact, 'suspect'. Is there anything to date that might suggest DetectX is correct? i.e. they are not MacKeeper
Last edited by ryck; 07/18/15 10:10 PM.
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 15
There may be something about those files that prevents their being trashed from your boot volume but not from a different volume, so I still suggest your rebooting (as per Douglas).
I don't know what those files are, but they're certainly something I wouldn't want on my deuced Mac(hina).
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 14
OP
Okay, we have some good news, some bad news, and a "Well, duh" moment.
Good news - the issue is resolved and the offending document has been banished along with a bunch of others. Along the way I also learned that the items could not be removed by booting from a different volume.
Bad news - I appear to have burned up a lot of people's time for naught.
"Well, duh" moment - I booted from my backup, made invisibles visible, and tried unsuccessfully to remove the documents. Thinking they may be locked I used 'Get Info' to unlock. Then I noticed that 'Get Info' included this pertinent datum: "/Volumes/Time Machine/Backups.backupdb/Dad’s iMac/".
The offending documents weren't even on my main drive.
Anyway, long story short, I erased my Time Machine drive, recorded it anew, and all the bad stuff is now gone.
Well, duh.
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 3
Moderator
I think the fact that you couldn't delete the items in question has nothing to do with having been booted from a different volume; I believe it's because these items were part of a Time Machine backup. Removing items from a Time Machine backup is designed to be done only from within Time Machine, presumably for safety reasons. (There is a Terminal workaround, but it's a bit more involved than a simple rm.)
dkmarsh—member, FineTunedMac Co-op Board of Directors
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
I'm pretty sure time machine is using hard links. The gist of that is you save the file in one folder, and then hard-link to it from another folder. The file now appears to exist in both places at once. For all practical purposes, a hard link is functionally identical to the real file. If it's a document and you edit it, the change shows up regardless of how you "get to" the document. Also, if you delete (trash or rm) the document, you remove only ONE of the hard links to the file, so the file remains on the hard drive and completely accessible via any of its other existing hard links. (in reality, whenever you save a document, it gets one hard link to itself, the file you see IS a hard link, it's just the ONLY one for that file, so when that link gets removed, the file gets deleted)
Files can have a (virtually) unlimited number of hard links to them, and the file's disk space is only freed when the hard link count to the file drops to zero.
This allows time machine to have a hundred backups of the same file or folder of files, without taking up much additional disk space. Just more space for more directory entries - the hard links in the directory all point to the same file. (it only makes an actual new copy of an existing file if it has changed) Finder has been "specially educated" about time machine folders, and takes several special steps when doing a drag-and-drop copy. Permissions must be enabled on both ends for example. But it's the best way to copy a time machine backup. If you try to use DITTO from terminal, it won't reconstruct the hard-linking, and you'll quickly run out of disk space on the destination, as each hard link to the same file on the source will produce completely unique files on the destination. (been there, done that, much head-scratching ensued)
One thing I don't know however is whether or not time machine is savvy enough to deal with files and folders that are renamed and/or moved. Theoretically, this doesn't have to interrupt the linking process. In practice however, it greatly complicates making backups, as time machine attempts to identify what was moved or renamed since the last backup, so it can get the linking correct. (two different hard links to the same file can have different file names, in addition to being in different folders - they must however be on the same volume)
The other two types of "file aliases" are symbolic links and Finder Aliases, and all three have very different properties and behaviors.
I work for the Department of Redundancy Department
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 14
OP
Removing items from a Time Machine backup is designed to be done only from within Time Machine, presumably for safety reasons.
One thing I don't know however is whether or not time machine is savvy enough to deal with files and folders that are renamed and/or moved. Theoretically, this doesn't have to interrupt the linking process. In practice however, it greatly complicates making backups, as time machine attempts to identify what was moved or renamed since the last backup, so it can get the linking correct.
And now we may have the cause (which would be me). A few weeks back I watched a conference on-line and, rather than take notes, recorded the event, which was saved in iMovie. As it turned out, I didn't need the recording after all and deleted it from my hard drive. However, it was recorded in Time Machine and caused TM to stop making backups (which were now too large) even though the original had been deleted. So I thought I'd remove the recording from Time Machine. I went to Time Machine>Backups.backupdb>Dad's iMac and found a series of dated folders. I "drag and drop" moved to Trash the folders that had dates which I thought would contain a backup of the original recording.
Last edited by ryck; 07/22/15 01:24 PM.
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
the "recommended" method for removing items from backup is to enter time machine and find the item (which may require going back some days if it has since been deleted from your main hard drive), right click on it, and select the "delete from all backups" option. This will go into the TM drive and remove all hard links to the file made at each backup run it was present at, as well as removing it from time machine's search database.
Directly browsing the time machine backup using Finder will find the files, but if you trash them and empty the trash, you're unlikely to see an increase in available disk space since you most likely removed only one of the hard links to the file. With other hard links remaining (from other older backups) the file will continue to hold space on the drive. Such an action may also make it more difficult to locate and remove the file using the time machine interface, since the DB will expect the link to be there but it's not since you have directly deleted it. (you may have to dig back farther in time to find one that's still there to select for removal)
I work for the Department of Redundancy Department
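The hard-link behaviour described in the two posts above, as an added example that is not part of the original thread: it builds three constructed snapshot folders (not a real Time Machine volume), removes the file from one of them, and shows that the data is still reachable through the remaining links. The function names, folder names and `suspect.bin` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed snapshot folders, not a real Time Machine volume.

# Number of hard links (directory entries) that point at the file's data.
link_count() {
    ls -ld -- "$1" | awk '{print $2}'
}

# Every path under $1 that is a hard link to the same data as $2.
# -xdev stays on one volume, since hard links cannot cross volumes.
links_to() {
    find "$1" -xdev -samefile "$2" | sort
}

# Build three dated "backups" the way the posts describe: the unchanged file
# is hard-linked into each later snapshot instead of being copied again.
make_snapshots() {
    root=$(mktemp -d) || return 1
    mkdir "$root/2015-07-04" "$root/2015-07-05" "$root/2015-07-06"
    echo "constructed sample data" > "$root/2015-07-04/suspect.bin"
    ln "$root/2015-07-04/suspect.bin" "$root/2015-07-05/suspect.bin"
    ln "$root/2015-07-04/suspect.bin" "$root/2015-07-06/suspect.bin"
    echo "$root"
}

# Remove the file from one snapshot only, then report what is left as
# "<links before> <links after> <paths still holding the data>".
remove_from_one_snapshot() {
    root=$1
    before=$(link_count "$root/2015-07-04/suspect.bin")
    rm -f "$root/2015-07-04/suspect.bin"
    after=$(link_count "$root/2015-07-06/suspect.bin")
    remaining=$(links_to "$root" "$root/2015-07-06/suspect.bin" | wc -l | tr -d ' ')
    echo "$before $after $remaining"
}

if [ "${1:-}" = "demo" ]; then
    r=$(make_snapshots)
    remove_from_one_snapshot "$r"     # prints: 3 2 2
    links_to "$r" "$r/2015-07-06/suspect.bin"
    rm -rf "$r"
fi
```

Run with `demo` as the first argument; `links_to` on its own is the read-only check for finding every snapshot that still holds a given file.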
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 14
OP
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
Ok, so my friend just emailed me a screen shot of the dreaded MacKeeper window. Is there some kind of simple thing to advise her to do?
Mid 2010 MacBook Pro 13" 2.4GHz, 750GB SATA HD, 8 GB RAM, OS 10.7.5 1 HDX1500 2TB Ext.HD, 2 HDX1500 1TB Ext.HD HP Laserjet 6MP printing postscript via 10/100 Intel print server Netgear WN2500RP Range Extender (Ira rocks!) Linksys WRT1900AC Wireless Router Brother MFC-9340CDW Color Laser iPad Air
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
mackeeper has been updated (?) several times since it hit the scene, so it's difficult to say with any certainty which variation your friend has.
My general procedure for malware removal is to reboot into safe mode, and browse:
/Library/StartupItems/
/Library/LaunchAgents/
/Library/LaunchDaemons/
~/Library/LaunchAgents/
/Applications/
and also check system prefs, accounts, my account, login items
and remove everything that does not belong. I also look at what I am removing, to see what IT is trying to hook, and I go and throw that away too. Then restart.
MacKeeper is often known under "zeobit". You are very likely to encounter that prefix in the launch daemons and agents. ("com.zeobit.MacKeeper.plugin...") While there will be at least a FEW things that are not "com.apple....", those are the ones you should pay close attention to. Check another known ok mac when in doubt. Oracle, Microsoft, and Adobe are the top three normally found that belong there.
I work for the Department of Redundancy Department
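One way to do the launch-folder check described above without deleting anything, as an added example that is not part of the original post: it lists every item not named `com.apple.*`, calls out the `com.zeobit.` prefix, and prints the program each job starts. The function names, the `REVIEW`/`MACKEEPER` tags and the sample plists are constructed for the illustration.

```shell
#!/bin/sh
# Added example: read-only audit, nothing is deleted.

# First program a launchd job starts (XML plists only; a binary plist must
# first be converted, e.g. with plutil -convert xml1 -o - FILE on a Mac).
job_target() {
    awk '
        /<key>(Program|ProgramArguments)<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# List every file in the given folders that is not named com.apple.*,
# with the zeobit prefix from the post called out, plus what it launches.
audit_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for item in "$dir"/*; do
            [ -f "$item" ] || continue
            case ${item##*/} in
                com.apple.*)  continue ;;
                com.zeobit.*) tag=MACKEEPER ;;
                *)            tag=REVIEW ;;
            esac
            echo "$tag ${item##*/} -> $(job_target "$item")"
        done
    done
}

# Constructed sample folder so the audit can be tried without touching /Library.
make_sample() {
    d=$(mktemp -d) || return 1
    for label in com.apple.sample com.zeobit.MacKeeper.Helper com.example.updater; do
        cat > "$d/$label.plist" <<EOF
<plist version="1.0"><dict>
  <key>Label</key><string>$label</string>
  <key>ProgramArguments</key>
  <array><string>/constructed/path/$label</string></array>
</dict></plist>
EOF
    done
    echo "$d"
}

if [ "${1:-}" = "scan" ]; then
    audit_launch_items /Library/LaunchAgents /Library/LaunchDaemons \
        "$HOME/Library/LaunchAgents"
fi
```

Run with `scan` as the first argument to check the three launchd folders from the post; anything tagged `REVIEW` is a candidate to compare against a known-good Mac.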
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 8
Not really that simple, but here is an article with a complete listing of steps and a very detailed listing of where to look.
On a Mac since 1984. Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
Thanks, was ready to nuke and pave. (Apparently it came with a Pinterest download that was not from the Pinterest site.) The article is very clear, although she will not be able to do it herself, she just started using a Mac. Someone ought to write a MacKeeper Removal script.
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
install mackeeper, get pwned: http://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
script adapted from https://jamfnation.jamfsoftware.com/discussion.html?id=11659
#!/bin/bash
# delete MacKeeper files
# must run as root; if not, re-run under sudo and pass the invoking user's short name
if [ "$EUID" -ne 0 ] ; then
    sudo "$0" "$USER"
    exit $?
fi
# refuse to run without a user name, so the /Users/... paths are never built from an empty value
if [ -z "$1" ] ; then
    echo "usage: $0 username" >&2
    exit 1
fi
# Files Outside Home Folder
rm -rf /Applications/MacKeeper.app
rm -rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
# the folder names under /private/var/folders differ from one Mac and user to the next
rm -rf /private/var/folders/mh/yprf0vxs3mx_n2lg3tjgqddm0000gn/T/MacKeeper*
rm -rf /private/tmp/MacKeeper*
# Files inside home folder (paths quoted so spaces and the user name are handled safely)
rm -rf "/Users/$1/Library/Application Support/MacKeeper Helper"
# per-user launch agents live in LaunchAgents (no space in the folder name)
rm -rf "/Users/$1/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist"
rm -rf "/Users/$1/Library/Logs/MacKeeper.log"
rm -rf "/Users/$1/Library/Logs/MacKeeper.log.signed"
rm -rf "/Users/$1/Library/Logs/SparkleUpdateLog.log"
rm -rf "/Users/$1/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D"
rm -rf "/Users/$1/Library/Preferences/com.zeobit.MacKeeper.Helper.plist"
rm -rf "/Users/$1/Library/Preferences/com.zeobit.MacKeeper.plist"
rm -rf "/Users/$1/Library/Saved Application State/com.zeobit.MacKeeper.savedState"
rm -rf "/Users/$1/Downloads/"MacKeeper*
rm -rf "/Users/$1/Documents/"MacKeeper*
untested, shake well before using
I work for the Department of Redundancy Department
|
|
Re: Damned MacKeeper
|
|
Joined: Aug 2009
|
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 7
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
|
|
Re: Damned MacKeeper
|
Joined: Aug 2009
Likes: 16
Moderator
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
|
|
|
|