#35079 - 07/15/15 11:24 AM Re: Damned MacKeeper [Re: grelber]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
remember the spaces are compressed, they're only a few pixels wide and don't show up well on the ends. it's there on the end though.
_________________________
I work for the Department of Redundancy Department

#35080 - 07/15/15 01:17 PM Re: Damned MacKeeper [Re: Virtual1]
artie505 Online


Registered: 08/04/09
grelber is correct.

The space appears in Safari 5.1.10 (top), but it's missing in Firefox 39.0 (bottom).
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#35081 - 07/15/15 02:56 PM Re: Damned MacKeeper [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: artie505
grelber is correct.
The space appears in Safari 5.1.10 (top), but it's missing in Firefox 39.0 (bottom).

Yep, that's exactly what I see under the 2 conditions I mentioned.

#35082 - 07/15/15 03:23 PM Re: Damned MacKeeper [Re: grelber]
dkmarsh Offline

Moderator

Registered: 08/04/09

It's there in the page source, so it's obviously not a UBB.threads issue.

FWIW, the space is there in Google Chrome as well. I suspect the folks at Mozilla have simply coded their browser to strip out apparently excess white space a little more aggressively than others.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#35089 - 07/16/15 02:23 AM Re: Damned MacKeeper [Re: artie505]
cyn Online

Administrator

Registered: 08/03/09
I've removed several posts from this thread. Next time, start a new thread in Feedback to experiment in.
_________________________
FineTunedMac Forums Admin

#35091 - 07/16/15 02:52 AM Re: Damned MacKeeper [Re: cyn]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: cyn
I've removed several posts from this thread. Next time, start a new thread in Feedback to experiment in.

The discussion was useful and many points made therein potentially valuable to avoid future interpretive problems vis-à-vis advice proffered.
It should have been relegated (as suggested) to the Feedback forum rather than peremptorily deleted/censored — the latter not being an auspicious sign in these forums.

#35111 - 07/18/15 07:57 AM Re: Damned MacKeeper [Re: Virtual1]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Virtual1
1. open a terminal window and type "cat " (notice the space after the "t", it's important, and don't type the quotes), DON'T hit return yet
2. drag and drop the file into the terminal window so it will enter its path for you
3. type " | openssl base64 -d" and hit return

This step returned: Dads-iMac:~ myname$


Originally Posted By: Virtual1
...close the terminal window and open a new one, and repeat above but for the second part, add this instead:
3. type " | openssl base64 -d | xxd -c 32" and hit return
and see what that gets you

Although there was no output in the first step I gave the above a try anyway. The result continued to be: Dads-iMac:~ myname$

Originally Posted By: Virtual1
If that doesn't work, try this step three instead:
3. " | while read x ; do echo "$x" | sed 's/.\{64,64\}/& /g' | tr ' ' '\n' | openssl base64 -d ; done | xxd -c 32"

This time I got:

0000000: 7c91 eb42 735d 9849 47d9 b5c5 1615 38e9 9196 c230 e07e 957a b046 b7d6 f971 a6cf |..Bs].IG.....8....0.~.z.F...q..
0000020: a6f9 054a b5d2 1525 283f 55d1 84e8 69bf 9610 332b d2fb 1221 5928 feb0 6614 b841 ...J...%(?U...i...3+...!Y(..f..A
0000040: 0e68 6515 af55 b818 1b5c 33cd af65 ffc9 fada a3af dd69 34e5 55d7 560d 6883 6b66 .he..U...\3..e.......i4.U.V.h.kf
0000060: 1823 ee21 ad89 fa7e 6893 029a fce3 b2d7 f50e 0d6c 0f01 33e5 156e c95d d075 6fe8 .#.!...~h..........l..3..n.].uo.
0000080: 1b55 63a7 6c45 5454 2d1d 896a c8ad fee2 0c5e c199 f61d 466b 61ae 9a30 a8be 5cd1 .Uc.lETT-..j.....^....Fka..0..\.
00000a0: a795 fd0c a0c9 d169 7e85 32b1 d9e2 dfba 839a 6054 3d6f 02bb 1f8f 8547 f316 d20e .......i~.2.......`T=o.....G....
00000c0: 46ea 9eae a44f e4f4 9b37 1ac1 4b1a 6543 d297 8d20 b187 41e4 dcc2 3b33 4f86 6231 F....O...7..K.eC... ..A...;3O.b1
00000e0: 134d 2a5a e97e e1af dd3e 62b1 30ac a3fe 1619 a5d6 0944 030d 05fc 62d5 1009 993c .M*Z.~...>b.0........D....b....<
Dads-iMac:~ myname$


Edited by ryck (07/18/15 08:00 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#35112 - 07/18/15 08:42 AM Re: Damned MacKeeper [Re: MacManiac]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: MacManiac
It sounds to me like you might have a format error in your attempts to use SUDO RM - RF from the Terminal command line.

...just to clarify the terminal command for removing a file permanently while using ROOT permissions temporarily (as SUDO):

to get the file auto inserted behind the command you need to type the following -

sudo rm -rf

(if you drag your cursor over the above command you will note that there is ONE space between the "rm" and the "-rf" followed by another SINGLE space...)

when you are in the Terminal this will leave your text entry cursor at the exact spot that the path to your file in question needs to be entered in order to complete the command.

NOW is when you use the Finder to drag and drop the file in question onto the Terminal window where it will write the rest of your command and complete it with proper syntax and format.

When you hit return, you will be prompted to enter your admin password (which will NOT display as you type it), then hit return again.....that file should now be gone.

(If you enter an additional sudo command before the internal timer releases your password, the Terminal will execute it without requesting you to type your admin password a second time.....once the internal timer expires, you will be prompted for your password again.)

This may be one of those "old dog/new trick" things but I can't get to the point where it asks for my password...although I am certain I have followed the above 'to the letter'. Instead, the result just says I can't do this. This is what I got:

Dads-iMac:~ myname$ sudo rm -rf /Volumes/Time\ Machine/Backups.backupdb/Dad’s\ iMac/2015-07-04-090902/Macintosh\ HD/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm: /Volumes/Time Machine/Backups.backupdb/Dad’s iMac/2015-07-04-090902/Macintosh HD/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78: Operation not permitted
Dads-iMac:~ myname$

#35115 - 07/18/15 01:01 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
Maybe time to boot into another volume, make your invisibles visible, and see if you can delete from there?

#35117 - 07/18/15 03:08 PM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
I took a little different approach and used Automator. Here's what I did:

1. Used Finder to make Invisible files visible.

2. Opened "Automator"
3. Chose "Application"
4. Under "Actions-Library", chose Files & Folders
5. Under "Variables", chose Move Finder Items to Trash
6. Selected all documents named ".3FAD0F65-FC6E-4889-B975-B96CBF807B78"
7. Dragged them to the Automator window
8. Instructed Automator to "Remove" (which needed to be done a document at a time)

Automator appeared to have removed them all, as they disappeared from the Finder list.

9. Restarted the Mac
10. Ran DetectX (V1.28), which gave a 'thumbs up'
11. Used Finder to make invisible files visible.

And, yup, the 'suspect' documents were all back. So now I am wondering if they are, in fact, 'suspect'. Is there anything to date that might suggest DetectX is correct? I.e., they are not MacKeeper.



Edited by ryck (07/18/15 03:10 PM)

#35119 - 07/18/15 03:29 PM Re: Damned MacKeeper [Re: ryck]
artie505 Online


Registered: 08/04/09
There may be something about those files that prevents their being trashed from your boot volume but not from a different volume, so I still suggest your rebooting (as per Douglas).

I don't know what those files are, but they're certainly something I wouldn't want on my deuced Mac(hina).

#35154 - 07/21/15 02:57 AM Re: Damned MacKeeper [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Okay, we have some good news, some bad news, and a "Well, duh" moment.

Good news - the issue is resolved and the offending document has been banished along with a bunch of others. Along the way I also learned that the items could not be removed by booting from a different volume.

Bad news - I appear to have burned up a lot of people's time for naught.

"Well, duh" moment - I booted from my backup, made invisibles visible, and tried unsuccessfully to remove the documents. Thinking they may be locked I used 'Get Info' to unlock. Then I noticed that 'Get Info' included this pertinent datum: "/Volumes/Time Machine/Backups.backupdb/Dad’s iMac/".

The offending documents weren't even on my main drive.

Anyway, long story short, I erased my Time Machine drive, recorded it anew, and all the bad stuff is now gone.

Well, duh.

#35155 - 07/21/15 03:52 AM Re: Damned MacKeeper [Re: ryck]
dkmarsh Offline

Moderator

Registered: 08/04/09

I think the fact that you couldn't delete the items in question has nothing to do with having been booted from a different volume; I believe it's because these items were part of a Time Machine backup. Removing items from a Time Machine backup is designed to be done only from within Time Machine, presumably for safety reasons. (There is a Terminal workaround, but it's a bit more involved than a simple rm.)

#35156 - 07/21/15 05:26 AM Re: Damned MacKeeper [Re: dkmarsh]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
I'm pretty sure time machine is using hard links. The gist of that is you save the file in one folder, and then hard-link to it from another folder. The file now appears to exist in both places at once. For all practical purposes, a hard link is functionally identical to the real file. If it's a document and you edit it, the change shows up regardless of how you "get to" the document. Also, if you delete (trash or rm) the document, you remove only ONE of the hard links to the file, so the file remains on the hard drive and completely accessible via any of its other existing hard links. (in reality, whenever you save a document, it gets one hard link to itself, the file you see IS a hard link, it's just the ONLY one for that file, so when that link gets removed, the file gets deleted)

Files can have a (virtually) unlimited number of hard links to them, and the file's disk space is only freed when the hard link count to the file drops to zero.

This allows time machine to have a hundred backups of the same file or folder of files, without taking up much additional disk space. Just more space for more directory entries - the hard links in the directory all point to the same file. (it only makes an actual new copy of an existing file if it has changed) Finder has been "specially educated" about time machine folders, and takes several special steps when doing a drag-and-drop copy. Permissions must be enabled on both ends for example. But it's the best way to copy a time machine backup. If you try to use DITTO from terminal, it won't reconstruct the hard-linking, and you'll quickly run out of disk space on the destination, as each hard link to the same file on the source will produce completely unique files on the destination. (been there, done that, much head-scratching ensued)

One thing I don't know however is whether or not time machine is savvy enough to deal with files and folders that are renamed and/or moved. Theoretically, this doesn't have to interrupt the linking process. In practice however, it greatly complicates making backups, as time machine attempts to identify what was moved or renamed since the last backup, so it can get the linking correct. (two different hard links to the same file can have different file names, in addition to being in different folders - they must however be on the same volume)

The other two types of "file aliases" are symbolic links and Finder Aliases, and all three have very different properties and behaviors.

#35159 - 07/22/15 06:21 AM Re: Damned MacKeeper [Re: dkmarsh]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: dkmarsh
Removing items from a Time Machine backup is designed to be done only from within Time Machine, presumably for safety reasons.

Originally Posted By: Virtual1
One thing I don't know however is whether or not time machine is savvy enough to deal with files and folders that are renamed and/or moved. Theoretically, this doesn't have to interrupt the linking process. In practice however, it greatly complicates making backups, as time machine attempts to identify what was moved or renamed since the last backup, so it can get the linking correct.

And now we may have the cause (which would be me). A few weeks back I watched a conference on-line and, rather than take notes, recorded the event, which was saved in iMovie. As it turned out, I didn't need the recording after all and deleted it from my hard drive.

However, it was recorded in Time Machine and caused TM to stop making backups (which were now too large) even though the original had been deleted. So I thought I'd remove the recording from Time Machine. I went to Time Machine>Backups.backupdb>Dad's iMac and found a series of dated folders.

I "drag and drop" moved to Trash the folders that had dates which I thought would contain a backup of the original recording.


Edited by ryck (07/22/15 06:24 AM)

#35161 - 07/22/15 06:44 AM Re: Damned MacKeeper [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
the "recommended" method for removing items from backup is to enter time machine and find the item (which may require going back some days if it has since been deleted from your main hard drive), right click on it, and select the "delete from all backups" option. This will go into the TM drive and remove all hard links to the file made at each backup run it was present at, as well as removing it from time machine's search database.

Directly browsing the time machine backup using Finder will find the files, but if you trash them and empty the trash, you're unlikely to see an increase in available disk space since you most likely removed only one of the hard links to the file. With other hard links remaining (from other older backups) the file will continue to hold space on the drive. Such an action may also make it more difficult to locate and remove the file using the time machine interface, since the DB will expect the link to be there but it's not since you have directly deleted it. (you may have to dig back farther in time to find one that's still there to select for removal)

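The hard-link behaviour Virtual1 describes in this post and in #35156 above, as an added example that is not part of the thread: two constructed "snapshot" folders share one file; removing the entry from one folder lowers the link count, but the data stays on disk until the last entry goes, and the remaining entries can be found by inode number. Folder and file names are constructed; `stat` is called with both GNU and BSD syntax so the script runs on Linux or macOS.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrate hard-link semantics in a scratch
# directory. Two constructed "snapshot" folders hold one file; deleting the entry
# in one folder lowers the link count but the data stays until the last entry goes.
set -eu

# stat syntax differs: GNU coreutils takes -c FORMAT, BSD/macOS takes -f FORMAT.
link_count() { stat -c %h "$1" 2>/dev/null || stat -f %l "$1"; }
inode_of()   { stat -c %i "$1" 2>/dev/null || stat -f %i "$1"; }

# Print every path under ROOT that is a hard link to FILE (same inode number).
# This is how to find the other entries that keep a "deleted" file's space in use.
links_to() {
  find "$1" -inum "$(inode_of "$2")" 2>/dev/null | sort
}

# Build the fixture, remove one entry, and report four values:
#   <links before> <paths found before> <links after> <data still present>
hardlink_demo() {
  work=$(mktemp -d)
  old="$work/2015-07-01-000000"       # constructed, Time Machine-style names
  new="$work/2015-07-04-090902"
  mkdir -p "$old" "$new"
  printf 'constructed sample content\n' > "$old/.hidden-pref"
  ln "$old/.hidden-pref" "$new/.hidden-pref"      # second directory entry, same inode

  before=$(link_count "$new/.hidden-pref")                           # 2
  paths=$(links_to "$work" "$new/.hidden-pref" | wc -l | tr -d ' ')  # 2

  rm "$new/.hidden-pref"              # "delete" it from the newer snapshot only
  after=$(link_count "$old/.hidden-pref")                            # 1

  if [ -f "$old/.hidden-pref" ]; then present=yes; else present=no; fi
  rm -rf "$work"
  printf '%s %s %s %s\n' "$before" "$paths" "$after" "$present"
}

hardlink_demo   # prints: 2 2 1 yes
```

This is the "emptied the trash but no space came back" case: the entry in the newer folder is gone, yet the older folder's entry still holds the data. `links_to` is the check to run before expecting any space to be freed, since it lists every remaining entry for that inode.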
#35162 - 07/22/15 06:56 AM Re: Damned MacKeeper [Re: Virtual1]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Duly noted. Thanks.

#36356 - 10/08/15 06:06 PM Re: Damned MacKeeper [Re: ryck]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Ok, so my friend just emailed me a screen shot of the dreaded MacKeeper window. Is there some kind of simple thing to advise her to do?
_________________________
Mid 2010 MacBook Pro 13"
2.4GHz, 750GB SATA HD, 8 GB RAM, OS 10.7.5
1 HDX1500 2TB Ext.HD, 2 HDX1500 1TB Ext.HD
HP Laserjet 6MP printing postscript via 10/100 Intel print server
Netgear WN2500RP Range Extender (Ira rocks!)
Linksys WRT1900AC Wireless Router
Brother MFC-9340CDW Color Laser
iPad Air

#36373 - 10/09/15 07:00 AM Re: Damned MacKeeper [Re: slolerner]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
mackeeper has been updated (?) several times since it hit the scene, so it's difficult to say with any certainty which variation your friend has.

My general procedure for malware removal is to reboot into safe mode, and browse:
/Library/StartupItems/
/Library/LaunchAgents/
/Library/LaunchDaemons/
~/Library/LaunchAgents/
/Applications/

and also check system prefs, accounts, my account, login items

and remove everything that does not belong. I also look at what I am removing, to see what IT is trying to hook, and I go and throw that away too. Then restart.

MacKeeper is often known under "zeobit". You are very likely to encounter that prefix in the launch daemons and agents. ("com.zeobit.MacKeeper.plugin...") While there will be at least a FEW things that are not "com.apple....", those are the ones you should pay close attention to. Check another known ok mac when in doubt. Oracle, Microsoft, and Adobe are the top three normally found that belong there.

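A read-only way to do the review Virtual1 describes, added here as an example and not part of the post: list the .plist files in the launchd folders named above whose label is not com.apple.*, and show what each one launches, so the judgement about what belongs is made before anything is deleted. The folder list mirrors the post; the sample plists, their labels and program paths (apart from the com.zeobit prefix the post mentions) are constructed, the `--live` flag is this script's own, and the XML matching assumes the usual one-element-per-line plist layout rather than using plutil.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage of the launchd folders
# listed in the post. Lists every .plist whose label is not com.apple.* and what
# it launches, so what "belongs" is judged before anything is removed.
set -eu

# The folders named in the post (paths contain no spaces, so the string splits safely).
LAUNCHD_DIRS="/Library/StartupItems /Library/LaunchAgents /Library/LaunchDaemons $HOME/Library/LaunchAgents"

# Print the first program path in a plist: the value after Program or the first
# ProgramArguments entry. Text matching only (no plutil); assumes the usual
# one-element-per-line XML plist layout.
launched_program() {
  awk '
    /<key>Program<\/key>/ || /<key>ProgramArguments<\/key>/ { want = 1; next }
    want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  ' "$1"
}

# Labels (file names without .plist) in DIR that are not Apple's own.
non_apple_labels() {
  [ -d "$1" ] || return 0
  for f in "$1"/*.plist; do
    [ -f "$f" ] || continue
    label=$(basename "$f" .plist)
    case "$label" in com.apple.*) continue ;; esac
    printf '%s\n' "$label"
  done
}

# One "<label><TAB><program>" line per non-Apple item in the given folders.
triage() {
  for dir in "$@"; do
    non_apple_labels "$dir" | while IFS= read -r label; do
      printf '%s\t%s\n' "$label" "$(launched_program "$dir/$label.plist")"
    done
  done
}

# write_plist DIR LABEL PROGRAM: constructed XML plist for the fixture below.
write_plist() {
  cat > "$1/$2.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>$2</string>
  <key>ProgramArguments</key>
  <array>
    <string>$3</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
}

# Constructed fixture: one Apple item, one third-party vendor item, one item with
# the com.zeobit prefix the post mentions. Labels and program paths are made up.
make_fixture() {
  d=$(mktemp -d)
  write_plist "$d" com.apple.example.agent      /usr/libexec/example
  write_plist "$d" com.adobe.example.updater    "/Library/Application Support/Adobe/updater"
  write_plist "$d" com.zeobit.MacKeeper.Helper  "/Applications/MacKeeper.app/Contents/MacOS/MacKeeper"
  printf '%s\n' "$d"
}

# "sh triage.sh --live" reviews the real folders on a Mac; otherwise run the fixture.
if [ "${1:-}" = "--live" ]; then
  triage $LAUNCHD_DIRS
else
  fixture=$(make_fixture)
  triage "$fixture"
  rm -rf "$fixture"
fi
```

The output is the short list the post says to concentrate on: everything that is not com.apple, with the program it hooks, which is what you compare against a known-good Mac before deciding that an entry (Oracle, Microsoft, Adobe, or something like the zeobit item) does or does not belong.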
#36382 - 10/09/15 09:47 AM Re: Damned MacKeeper [Re: slolerner]
Ira L Online


Registered: 08/13/09
Loc: California
Not really that simple, but here is an article with a complete listing of steps and a very detailed listing of where to look.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x,; iPhones, iPods and iPads galore!

#36414 - 10/12/15 11:46 AM Re: Damned MacKeeper [Re: Ira L]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Thanks, was ready to nuke and pave. (Apparently it came with a Pinterest download that was not from the Pinterest site.) The article is very clear, although she will not be able to do it herself, she just started using a Mac. Someone ought to write a MacKeeper Removal script.

#36422 - 10/13/15 06:22 AM Re: Damned MacKeeper [Re: slolerner]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
install mackeeper, get pwned: http://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

script adapted from https://jamfnation.jamfsoftware.com/discussion.html?id=11659

Code:
#!/bin/bash

# delete MacKeeper files

# must run as root; re-launch under sudo, passing the invoking user's short name
if [ "$EUID" -ne 0 ] ; then
  sudo "$0" "$USER"
  exit 0
fi

# the home-folder paths below are built from $1, so refuse to run without it
if [ -z "$1" ] ; then
  echo "usage: sudo $0 <short username>" >&2
  exit 1
fi

# Files Outside Home Folder

rm -rf /Applications/MacKeeper.app
rm -rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
# per-user temp folder: the "mh/yprf0v..." part is specific to the Mac this was written on
rm -rf /private/var/folders/mh/yprf0vxs3mx_n2lg3tjgqddm0000gn/T/MacKeeper*
rm -rf /private/tmp/MacKeeper*

# Files inside home folder (quoted so names with spaces stay one argument)
rm -rf "/Users/$1/Library/Application Support/MacKeeper Helper"
rm -rf "/Users/$1/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist"
rm -rf "/Users/$1/Library/Logs/MacKeeper.log"
rm -rf "/Users/$1/Library/Logs/MacKeeper.log.signed"
rm -rf "/Users/$1/Library/Logs/SparkleUpdateLog.log"
rm -rf "/Users/$1/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D"
rm -rf "/Users/$1/Library/Preferences/com.zeobit.MacKeeper.Helper.plist"
rm -rf "/Users/$1/Library/Preferences/com.zeobit.MacKeeper.plist"
rm -rf "/Users/$1/Library/Saved Application State/com.zeobit.MacKeeper.savedState"
rm -rf "/Users/$1"/Downloads/MacKeeper*
rm -rf "/Users/$1"/Documents/MacKeeper*

untested, shake well before using

#36424 - 10/13/15 01:40 PM Re: Damned MacKeeper [Re: Virtual1]
slolerner Offline


Registered: 08/25/09
Loc: New York City

#37858 - 12/16/15 02:04 AM Re: Damned MacKeeper [Re: slolerner]
jchuzi Online


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.14.4, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#37861 - 12/16/15 08:38 AM Re: Damned MacKeeper [Re: jchuzi]
joemikeb Offline
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
_________________________
joemikeb • moderator
