Category Archives: DetectX
Even after removing MacKeeper, I occasionally get reports from DetectX users who find that when they open their browser, MacKeeper is still haunting them. If your browser is popping open with pages like the ones pictured above, then like those users, you've got an adware infection.
It sounds nasty, but it's more annoying and intrusive than dangerous. It may also signal that your mac has been compromised in other ways by malware such as Pirrit, which has the capability to do more than just harass you through your browser.
The easy solution to adware is to run my free app DetectX. If you find the problem isn’t solved, you can also send me the DetectX report and I’ll solve it for you, for free.
If you like rolling your sleeves up yourself, then follow this procedure:
1. Backup and Quarantine
As you should always be running with a recent backup anyway (right, folks?), be sure to do a TM backup or clone before you start in case anything goes wrong. Do not ignore the necessity for a backup. If you don't have one, stop now and get one.
You’re going to want to hunt down the adware in a few places. Be careful not to delete anything, but instead move suspicious items to a folder on your Desktop so that you can return them to where they came from if they are innocent. Create a new folder on your Desktop called ‘Quarantine’ for this purpose.
You’re going to want to keep a note of what you find and where you found it, so have a text editor like BBEdit or TextEdit open while you work. Save this file in your Quarantine folder, too.
When you find a suspicious item, an easy trick is to drag the suspect first into the editor to copy its path, and then drag it into your makeshift ‘Quarantine’ folder to move it. To copy the path in this way, use a plain text format in TextEdit. If you’re using BBEdit, command-drag the item. For moving to your Quarantine folder, you’re going to need to use ‘Command’-drag and supply an Admin password for the move if the item is outside of your Home folder.
2. Local and User Domain Libraries
Note these are two different libraries, but I’m assuming that if you’ve elected to follow this “roll your sleeves up” procedure, you already knew that. If you didn’t, I strongly suggest you reconsider trying to do this yourself. Messing under the hood requires a certain minimum level of experience and knowledge to avoid borking your entire system.
Assuming that all warnings and caveats so far have been heeded, you’re ready to inspect the /Library and ~/Library folders. Treat as suspicious anything at the root of /Library that begins with a lower case letter, particularly if it is an executable. Aside from the hidden .localized file, Apple don’t put anything at the root of /Library that begins with a lower case letter, and responsible 3rd party developers don’t either. If you find anything like that and you don’t know what it is, make a note of it (don’t move it yet).
At this point I'd love to be able to give you a list of file names to look out for, but I'm afraid we're talking in the thousands if not more. A lot of this adware creates its own unique names on install by randomly choosing words from the /usr/share/dict/words file. Some of them disguise themselves as Apple files, like com.apple.morkim.plist, and others disguise themselves by hiding themselves from the Finder (so ideally you want to be doing this on the command line, or at the very least use the Finder with invisible files showing).
The good news is that a lot of this adware is fairly obvious when you look at it. Move into the local (not user) Library's LaunchAgents and LaunchDaemons folders and inspect the items in there. Move items that have random dictionary word names like 'Bolshevik-remindful' or gibberish concatenations of consonants and vowels like 'com.xpbbptejonfy.plist'. If you're not sure, open the plist (you can sudo cat it if you're in the Terminal) and see what executable it refers to. If that refers to a path to some similarly named binary you've never heard of, go check it out and see what it is. If in doubt, use
After that, you'll want to move on to your ~/Library/LaunchAgents folder, and follow the same procedure. Any items in here should refer to an app that you recognize and regularly use. Items with names that misspell words like 'update' and 'download' are dead giveaways as adware.
Adware plist files in here will typically refer to something funny sounding in your ~/Library/Application Support/ folder. Any apps found in the Application Support folder or subfolders should be treated as suspicious. Again, check the name through an internet search if you’re in any doubt, but since this is stuff in your user domain, really anything you don’t recognize shouldn’t be there anyway.
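The sweep of the LaunchAgents and LaunchDaemons folders described in steps 1 and 2 can be scripted, which also takes care of the hidden-file problem since find doesn't skip dot-files the way the Finder does. The script below is an added example written for this page, not code from DetectX or from the original post. It encodes the post's three name heuristics (gibberish consonant runs, hyphenated dictionary-word pairs, and transposed spellings of 'update'/'download'), reads the executable out of each plist the way you would with sudo cat, and moves (never deletes) a suspect into a Quarantine folder after logging where it came from. The sample plists it scans are constructed fixtures in a temp folder; on a real mac you would point scan_launch_dir at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents instead (with sudo for the first two). The path to a fictional legitimate helper app and the heuristic thresholds are assumptions.

```shell
#!/bin/sh
# Added example for the DIY adware sweep above; not part of the original post.
# Heuristics only: a SUSPECT verdict means "look at this", never "delete this".

# Letters of a word, sorted: transposition typos of update/download
# ("updaet", "downlaod") have the same sorted letters as the real word.
sorted_letters() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | fold -w1 | LC_ALL=C sort | tr -d '\n'
}

# 0 (true) if a file or plist name looks like adware by the post's rules.
is_suspicious_name() {
    name=$(basename "$1" .plist)
    C='[bcdfghjklmnpqrstvwxz]'          # y deliberately not treated as a consonant
    case "$name" in
        *$C$C$C$C$C*) return 0 ;;        # gibberish: 5+ consonants in a row (xpbbptejonfy)
        [A-Z]*-[a-z]*) return 0 ;;       # Capitalised-word pair from /usr/share/dict/words
    esac
    # split on . - _ and look for a token that is a misspelt update/download
    for tok in $(printf '%s\n' "$name" | awk -F'[._-]' '{for(i=1;i<=NF;i++) print $i}'); do
        low=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        s=$(sorted_letters "$low")
        [ "$s" = "adeptu" ] && [ "$low" != "update" ] && return 0
        [ "$s" = "addlnoow" ] && [ "$low" != "download" ] && return 0
    done
    return 1
}

# First executable in a launchd plist: the Program key, else ProgramArguments[0].
# Handles <key> and <string> on the same line or on separate lines.
plist_program() {
    awk '
        /<key>Program(Arguments)?<\/key>/ { want=1; sub(/.*<key>Program(Arguments)?<\/key>/, "") }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    ' "$1"
}

# One line per plist in a folder (dot-files included): verdict, plist, program.
scan_launch_dir() {
    find "$1" -maxdepth 1 -name '*.plist' | LC_ALL=C sort | while read -r plist; do
        prog=$(plist_program "$plist")
        verdict=ok
        if is_suspicious_name "$plist" || is_suspicious_name "$(basename "$prog")"; then
            verdict=SUSPECT
        fi
        printf '%s\t%s\t%s\n' "$verdict" "$plist" "$prog"
    done
}

count_suspects() { scan_launch_dir "$1" | awk '/^SUSPECT/ {n++} END {print n+0}'; }

# Move (not delete) an item into Quarantine, logging its original path first
# so it can be put back if it turns out to be innocent. Prefix with sudo for
# anything outside your home folder.
quarantine_item() {
    item=$1; qdir=$2; log=$3
    mkdir -p "$qdir"
    printf '%s\t%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$item" >> "$log"
    mv "$item" "$qdir/"
}

# --- constructed fixture standing in for ~/Library/LaunchAgents ---------------
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>$(basename "$1" .plist)</string>
  <key>ProgramArguments</key><array><string>$2</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/LaunchAgents"
    write_plist "$d/LaunchAgents/com.xpbbptejonfy.plist" "/Library/Application Support/xpbbptejonfy/xpbbptejonfy"
    write_plist "$d/LaunchAgents/Bolshevik-remindful.plist" "/Library/Bolshevik-remindful/Bolshevik-remindful"
    write_plist "$d/LaunchAgents/com.updaet.helper.plist" "/Users/Shared/.helper/updaet"
    write_plist "$d/LaunchAgents/.com.downlaod.assistant.plist" "/tmp/.assistant/downlaod"   # hidden from Finder
    write_plist "$d/LaunchAgents/com.example.backupagent.plist" "/Applications/Backup Helper.app/Contents/MacOS/backupagent"  # assumed legit
    printf '%s\n' "$d"
}

# Stand-alone demo on the fixture.
demo_root=$(make_fixture)
scan_launch_dir "$demo_root/LaunchAgents"
rm -rf "$demo_root"
```

The output is tab-separated so it can be pasted straight into the notes file the post tells you to keep; each SUSPECT line is a candidate for quarantine_item, and the legitimate-looking com.example entry comes out as ok. Treat a SUSPECT verdict as a prompt to check the plist and its executable, exactly as step 2 says, not as proof of adware.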
3. Browser Extensions
While you're in the user Library, go check on what is in the Safari/Extensions folder. You should see an Extensions.plist and only the .safariextz files that refer to Extensions you use, if any. Fire up Safari, and check in the Preferences' Extensions tab to uninstall any that you don't use. If you use other browsers, use the Tools menu to inspect Extensions or Add-ons, again removing any that you don't use.
4. Restart and test
It’s time to restart your mac. After restarting, you’ll need to reset your browser to its default state. First, hold down the shift key while launching the browser from the Dock.
If you get redirected to an adware page or still get a pop up, clear your browser’s default settings. Although adware can no longer easily alter Safari’s defaults, you can check that your home page is correct in Safari’s Preferences. You can empty history and caches from the Safari menu and the Develop menu, respectively. For the latter, click ‘Advanced’ in Safari’s Preferences and check the ‘Show Develop menu in menu bar’ box at the bottom to enable the menu.
To reset Chrome and chromium based browsers to default settings, see:
For Firefox, see
Fixed it or not?
If you correctly identified and moved the adware, you should be all good. Depending on what you moved and from where, you might want to hang on to the items in your ‘Quarantine’ folder until you’re sure everything is working correctly. If you accidentally moved something you shouldn’t have, you’ll likely soon notice something isn’t working like it used to. Use your notes or your backup to undo the damage. When you’re sufficiently confident that everything in your Quarantine folder is definitely badware, move your notes to somewhere else if you wish to keep them for reference (I’d appreciate a copy of them, too :)) and delete your Quarantine folder.
If things didn’t work out, don’t despair or feel bad. Adware is complex, and the simple DIY guide above won’t cover all the cases. There are other places adware can hide, but it takes a lot of experience to track it all down. If you can’t solve the problem yourself, you can always check your mac with DetectX or contact me through DetectX’s Help menu item ‘Report a Problem to Sqwarq’ and have me do it for you (and no, I don’t charge for this service).
Good luck! 🙂
Related posts: Terminal tricks for defeating adware
We’re now up to v2.22 of DetectX.
The major change is that we’ve moved to a generous 60-day trial period for non-license holders. Prices for home use and commercial use remain at $15 & $79.99, respectively, as promised for the remainder of v2 releases.
Heads up though, folks. DetectX 3 is nudging over the horizon (we've been working on it since late last year and only need to get the next FastTasks update out of the way first!) and the price of both home and commercial license keys is expected to rise for unregistered users. DetectX 3 will bring a modern UI and a whole new suite of tools intended to make it the most powerful tool on the market for analysing and troubleshooting your mac. If you hold a license key for any version of DetectX 2 prior to the release of version 3, you'll get a free upgrade to DetectX 3.
The release notes for DetectX 2.22 can be found here.
It all started with 2.16, which introduced some changes to the licensing and user interface. All well and good, until we noticed a serious security issue with Microsoft Silverlight had recently surfaced, and we didn’t want to wait to address it.
That resulted in 2.17, which added a Silverlight check to the detector Search function. If you have a version of MS Silverlight that is not the currently patched version, you’ll see a warning in the log drawer when you run a search. In 2.17 we also fixed a false positive in the Keylogger detector and updated some search definitions.
Alas, we'd inadvertently let a bug slip in with v2.16 that prevented DetectX from quitting in certain situations. Luckily that report came in pretty quick (many thanks to Al), and we were able to address the bug with a simple code tweak (if you got bit by that bug, please open and then close the Licensing window before attempting to update to v2.18).
So, here we are at version 2.18 … we’re a bit breathless, so it’s time for a sit-down and a nice cup of tea!
Yes, two in two days! We’ve added a Preference Pane since yesterday, and improved the performance of the search function. Note that the new Sparkle Vulnerability check we introduced in v2.13 is now off by default. It can be turned on from the Preference Pane (see above).
Other changes are listed in the release notes.
DetectX is still free, fully-functional, and without time-limit for home users. Available for download from here.
We’ve just released DetectX for Snow Leopard v2.1 (DetectXSL), a long-awaited update that fixes, among other things, the bug in the updater mechanism.
If you have problems either downloading or installing the update from within DetectXSL*, please delete the DetectXSL.app (v2.0) from your mac and download and install v2.1 directly from here (direct download).
Now that we’ve got a working install of 10.6.8 again in the Sqwarq office, we’re planning on updating DetectXSL a bit more frequently, though working in Xcode 3 again is proving to be a bit of a memory challenge!
(and for you more up-to-date folks, don’t forget DetectX runs on everything from OSX 10.7 thru 10.11).
*requires 10.6.8, Intel, 64-bit architecture
We’ve spent pretty much the whole of the summer working on this upgrade, so we’re both delighted (and not a little relieved!) to finally be able to announce the release of DetectX 2.
If you were a user of earlier versions of DetectX the most obvious change you’ll notice is the new Selector bar, and the additional functions it offers. Now, DetectX is far more than just a dedicated search tool and offers comprehensive logging, browsing and analytical tools to make troubleshooting new problems on your mac a whole lot easier.
If you've used the Analyser in our app FastTasks 2, you'll recognize the new functions added to DetectX. But we've not just taken the Analyser straight out of FT2 and dropped it into DetectX; we've also made it more powerful and more convenient to use.
There’s a whole bunch of changes you can find out about from the DetectX page and from the included user guide (improved documentation is another one of the changes!). One thing that hasn’t changed: DetectX remains free for home users, so there’s nothing to stop you from trying it out. Commercial and institutional users should note that a Commercial Use licence is required. Details are in the app.
Well, now that the app is out you’d think we’d be taking a break, but we’re already working on a special release of DetectX for Snow Leopard users. We know you 10.6’ers have been left out in the cold since release 1.29, but hold tight. Some Leopardy love is coming your way real soon!
On top of that, we're already working on new definitions to be added to the next update, to make sure DetectX keeps finding all those new annoyances that keep popping up and keeps your Mac happy and responsive.
If you haven’t already, go check out the DetectX page for more info.