Blog Archives

scan for malware on the command line



DetectX Swift now has the ability to do command line searches for issues on your mac like malware, keyloggers, browser hijacks and potentially dangerous software, and there are a number of extra options that are not available when using the user interface. In this post, I’m going to give you a quick tour of the CLI (Command Line Interface) tool with some examples of how to use it (if you haven’t yet grabbed a free copy of DetectX Swift you might want to do that first to play along).

1. Basic scan
Let’s start with a basic scan. To use the CLI search, you need to specify the full path to the app executable. In this example, let’s suppose that the app is in the /Applications folder. In that case, you’d need to execute this on the command line:

/Applications/DetectX\ Swift.app/Contents/MacOS/DetectX\ Swift search

Since that’s a bit of a handful, even using tab completion, you might want to edit your .bash_profile to include a shortcut alias. Here’s mine:

sphil@sphils-iMac-5:~$ cat .bash_profile

alias sudo='sudo '

alias detectx='/Applications/DetectX\ Swift.app/Contents/MacOS/DetectX\ Swift'

Note the sudo line (and note the extra space in the value). The trailing space tells bash to check the word after sudo for alias expansion too, and we’re going to need that so that we can pass the detectx alias to sudo when we want to pass certain options to the search. Like…

2. Scan other users
Probably the most important benefit you gain with scanning on the command line rather than from the app’s interface is the ability to scan all, or selected, other users. You can search all users by using sudo and the -a option:

sudo detectx search -a

If you want to restrict the search to one or more users, the -u option allows you to specify a comma-delimited list of short user names:

sudo detectx search -u alice,bob

3. Go deep
If you’d like more verbose output, including how long the search took, try either the vsearch or vvvv commands:

sudo detectx vvvv -a

4. Save the results
You can specify a path to output the results, either in regular text:

sudo detectx vvvv -a ~/Desktop/searchtest.txt

or, by passing the extra -j option, in JSON format:

sudo detectx search -aj ~/Desktop/searchtest.json

Here’s an example of what the formatted JSON file looks like:

[Screenshot of the formatted JSON output]

5. Anything else?
There’s a help command that will output the documentation to the command line, and also if you get into the habit of regularly running command line checks, don’t forget to launch the app from time to time in the Finder. Like its predecessor, DetectX, DetectX Swift does a lot of other stuff besides searching that can help track down and remediate problems with your mac, and a large part of that revolves around the way it tracks changes to your system every time you launch it. The CLI tool runs independently of that and won’t give you that kind of feedback or record those changes.

Finally, note that in the release version of DetectX Swift, the CLI tool is only available for a limited period to Home and Unregistered users. Unlimited access to the CLI tool requires a Pro or Management license.

Enjoy! 🙂


how to keep the iDoctor away

DetectX console log
DetectX has been updated today to v2.37, and amongst other changes now detects and removes iDoctor.app. This piece of software appears to be another MacKeeper clone, with both sharing a common interface, code and file structures.

In the screenshot above, you can see DetectX doing its work – note the parallel file detections as DetectX hunts down both MacKeeper and iDoctor.

Below is a sidebar shot of MacKeeper on the left and iDoctor on the right. Underneath that are shots showing how the two interfaces are almost direct mirrors of each other. It’s hard to believe these are not both being built from the same base code, and we strongly suspect that the developers of iDoctor are very likely the same developers of MacKeeper, or at least real close friends!

MK vs iDoctor

[Screenshots of the two interfaces]

news: DetectX v2.14 released

[Screenshot]

Yes, two in two days! We’ve added a Preference Pane since yesterday, and improved the performance of the search function. Note that the new Sparkle Vulnerability check we introduced in v2.13 is now off by default. It can be turned on from the Preference Pane (see above).

Other changes are listed in the release notes.

DetectX is still free, fully-functional, and without time-limit for home users. Available for download from here.

🙂

 

news: FastTasks v2.4 update released

FT2 v2.4 is now available from sqwarq.com.

This update includes a new ‘delete’ button in the Analyser and an auto-kill feature which searches for and kills MacKeeper processes running in the background when the Analyser is run.

The release notes are here.

how to uninstall MacBooster


We are decidedly not impressed with MacBooster. Ok, we’ll put aside the general complaint that apps like this do very little if anything to improve performance (in fact, in our tests, we find almost always quite the opposite). We have a bigger beef with MacBooster.

Indeed, we rate it even more pesky than its obvious inspiration: MacKeeper… 😳

Aside from the fact that MacBooster’s uninstaller leaves a number of executables and other binary files hidden on the user’s system, there’s also the rather cheeky use of ‘com.apple.UninstallerAD’ as a bundle identifier in their uninstaller app.

I really don’t think the folks at Cupertino are going to appreciate that, but more importantly the use of a misleading bundle identifier reveals a lot about the developers’ intentions.

We’ve added MacBooster to DetectX (v.2.06) and it will be included in the next update to FastTasks 2.

Meanwhile, whether you use our apps or not, steer clear of MacBooster.

If you’d rather dig it out yourself than use DetectX, here’s the list of paths we have so far:

/Applications/MacBooster 3.app

/Users/Shared/MacBooster/FileData3

/Users/Shared/MacBooster/Boost3.plist

/Users/Shared/MacBooster

/Library/Caches/AMCExtractByte

/Library/Caches/AMCInstallTemp.txt

/Library/Application Support/AMC

/Library/LaunchDaemons/com.iobit.AMCDaemon.plist

~/Library/LaunchAgents/com.iobit.MacBoosterMini.plist

~/Library/Application Support/ErrorReporter

~/Library/Application Support/MacBooster

~/Library/Application Support/MacBooster 3.0

~/Library/Preferences/cryptFile3

~/Library/Preferences/com.iobit.Boost3.plist

~/Library/Preferences/com.iobit.MacBooster-3.plist

~/Library/Preferences/com.iobit.MacBooster-mini.plist

news: DetectX 2 is available now

DetectX 2


We’ve spent pretty much the whole of the summer working on this upgrade, so we’re both delighted (and not a little relieved!) to finally be able to announce the release of DetectX 2.

If you were a user of earlier versions of DetectX the most obvious change you’ll notice is the new Selector bar, and the additional functions it offers. Now, DetectX is far more than just a dedicated search tool and offers comprehensive logging, browsing and analytical tools to make troubleshooting new problems on your mac a whole lot easier.

If you’ve used the Analyser in our app FastTasks 2, you’ll recognize the new functions added to DetectX. But we’ve not just taken the Analyser straight out of FT2 and plumped it into DetectX, we’ve also made it more powerful and more convenient to use.

There’s a whole bunch of changes you can find out about from the DetectX page and from the included user guide (improved documentation is another one of the changes!). One thing that hasn’t changed: DetectX remains free for home users, so there’s nothing to stop you from trying it out. Commercial and institutional users should note that a Commercial Use licence is required. Details are in the app.

Well, now that the app is out you’d think we’d be taking a break, but we’re already working on a special release of DetectX for Snow Leopard users. We know you 10.6’ers have been left out in the cold since release 1.29, but hold tight. Some Leopardy love is coming your way real soon!

On top of that, we’re already working on new definitions to be added to the next update to make sure DetectX keeps finding all those new annoyances that keep popping up, and keeps your Mac happy and responsive.

If you haven’t already, go check out the DetectX page for more info.

protect your mac from malware, viruses and other threats

Nessus Vulnerability Software

If you’re new to Mac, you’re probably thinking that it’s a no-brainer that you need some kind of anti-virus app. Once you start looking around the web for reviews, it’s inevitable that you’re going to come across the Great Mac AntiVirus Debate: in the one corner, those who say Mac users who forego antivirus protection are arrogant and just setting themselves up for a fall, and in the other those who’ve used Macs for umpteen years, never had or heard of any real threat, and consequently say AV software is a waste of time.

You can read round this debate for years and never come to a satisfying conclusion, largely because it’s as much about what you ‘ought’ to do as it is about what is the case. Just because you’ve never had any viruses, doesn’t mean you won’t get one tomorrow. And yet, there are NO viruses in the wild known to affect macs, and so when one does arrive, it will be unknown to your AV scanner. Hence, an AV Scanner is just a waste of system resources (and possibly money, if you paid for it). Yikes! What do I do!!

What you do is sidestep the whole debate and stop thinking only about virus scanners, which after all deal with only a small subset of all the possible attack vectors in the internet age, and start thinking in terms of vulnerability scanners. Unlike a simple virus scanner, a vulnerability scanner examines your system not only for malware but also for any vulnerabilities in commercial software, plug ins, your system setup (including network and other sharing settings) and other installed items. The scanner will not only explain the threat and its severity but also tell you what, if anything, you need to do, recommend patches and guide you to links for more info where available.

You can use something like Nessus for free if you are a home user, which will give you a far better insight into the possible attacks someone could implement on your system (and it will check your system against almost all of the major virus scanner databases like Symantec, etc).

Even better, a vulnerability scanner like Nessus won’t just examine your machine, it’ll look at everything else on your home network (and all the installed apps), including phones (any platform), other computer systems (any OS), and even your router.

block MacKeeper and other browser ads



Generally, I like to keep browser extensions down to a minimum, but here’s an essential one if you are tired of all those ‘Clean your mac’ / ‘Speed up your mac’ ads on every website you visit. Download and install the Safari adblock extension from here:

http://safariadblock.com/

What I like about this particular adblocker is that, if you go with the default filters, not only does it load your pages faster but it also reformats the page as if the ads were never even there, rather than leaving unsightly, blank placeholders in the page as some other ad filtering services do.

The extension is free, though you’re encouraged to donate if you appreciate the work done by the developer. 🙂


why is my mac running so slow?

UPDATE: Please also see How To Troubleshoot Your Mac with FT2.

There can be various reasons why your Mac starts running slowly. Some of these can be app-related – especially if you are making multiple changes in programs that have autosave enabled. Other problems could be due to running processor-heavy apps that need more RAM than you’ve presently got. Before you dash off to Crucial to check out your RAM upgrade options, here are a few basics to run through:

1. Applications > Utilities > Disk Utility.app
How old is your HDD drive? Click on the top-most hard disk icon in the left column and check the S.M.A.R.T status at the bottom right of the window. Does it say ‘verified’? If it says anything else, back up all your important data and start thinking about buying a new hard disk. If the S.M.A.R.T status is verified, have a look at how much space you’ve got left. A nearly-full disk will slow you down. Generally, it is recommended that you have at least 10% free, but I’d work on getting that closer to 25% for optimum performance. If you have less than that, think about what can be archived onto a backup disk (or two..), such as photos, movies, and even your songs.

2. Applications > Utilities > Activity Monitor.app
What’s using all the CPU time? Is it something you need to be running? Select any obviously unnecessary resource hogs and hit ‘Quit Process’.

3. Apple menu > System Preferences > Users & Groups
How many apps are in your ‘Login Items’? Remove anything that is not absolutely necessary at start up time.

4. Have you downloaded MacKeeper or other Anti-virus software?
If so, remove it.

5. How recently did you upgrade to Lion and are you using Time Machine?
If you’ve only recently upgraded in the last day or so, or turned your Mac off not long after upgrading, perhaps Spotlight is still indexing (indicated by a dot in the middle of the ‘spyglass’, top right of your screen) or TM is still updating (indicated by the TM indicator spinning in the menubar). Either of these will eventually finish and return your system to (about) normal, but you should let your system run (leaving it in ‘Sleep’ mode will do the trick) for at least 24 hours if you’ve only just upgraded.

6. Did you repair system permissions after upgrading?
Even though the Lion installer should fix system permissions after an upgrade, if you then added any other 3rd-party apps or restored something from Time Machine, repairing permissions is always a good idea. Doing so is harmless, and rules out permissions as a possible factor in poor performance. Do Step 4 here. Unless any are indicated in red type, don’t panic about the permissions errors that come up in the ‘details’ window – many of these can be safely ignored.

7. Clear out your caches
Caches, in general, help to speed your computer up. However, if you’re a heavy internet browser and you’ve never cleared your caches or your history (I mean like in several months), then this is worth doing from time to time. You can clean out Internet caches in Safari or Firefox by choosing Safari > Empty Cache or Firefox > Tools > Clear Recent History > Everything. Your computer has other caches that can usefully be cleared out periodically, too: use OnyX to do so.

8. Is the system slow with just one particular program or while trying to open some particular window?
A couple of things could be going on here. If it’s your browser, try killing some of those extensions/add-ons – every one of them slows you down just that little bit, and many slow you down a lot. Another possibility is a corrupt ‘plist’ or preference file associated with a particular app. Curing this is a bit more tricky and requires knowing your way around the hidden Library folder. If you think this is your problem, leave a comment below to get further instructions.


featured picture Speedo ©2011 Phil Stokes



how to uninstall MacKeeper – updated


Last updated: Nov 16, 2017

If you’re unfamiliar with the reputation of MacKeeper but have come here because you downloaded it – or it downloaded itself after you were inadvertently redirected to some unwanted website – and are now wondering whether you made a mistake, let me present you with a few facts.

MacKeeper is one of the most infamous pieces of software on the macOS platform. This post itself was first published in September 2011, and has since received over 2 million hits from people wishing to uninstall MacKeeper from their computers.

When I ran MacKeeper’s free trial version on a brand new clean install of macOS, it told me that my system was in ‘serious’ condition and that I needed to buy MacKeeper in order to solve all my problems.

MacKeeper on Mavericks

It seems, then, that MacKeeper thinks macOS, freshly installed, is a poor piece of software engineering, but the feeling is mutual. macOS doesn’t like MacKeeper much either. macOS provides the following warning about MacKeeper:

MESSAGE FROM CONSOLE
12/05/2015 17:48:00.946 com.apple.xpc.launchd[1]: (com.mackeeper.MacKeeper.Helper) This service is defined to be constantly running and is inherently inefficient.

If you have installed MacKeeper and wish to remove it, read on.

Preparation:
i. If you have used MacKeeper’s encryption feature, be sure to unencrypt before you uninstall MacKeeper. You should also check whether any of your personal files are stored in /Documents/MacKeeper Backups.

Backups & other disks
ii. If you have any disks connected to your mac, including Time Machine, eject them before you start the uninstall procedure.

Trash
iii. If you have anything in the Trash, empty it now before you start.

You are now ready to uninstall MacKeeper.


The Easy Way

As I’ve been involved in helping people uninstall MacKeeper for over 5 years, I eventually got round to the task of automating the process so that folks who were not that technically proficient with computers could take advantage of the information on this page.

If that sounds like you, then the easiest way to uninstall MacKeeper is to use my app DetectX or FastTasks 2. Both are shareware and can be used for free (or you can try out the new, free, DetectX Swift Beta 😀). You do not need to sign up to anything, subscribe to anything or give anyone your email address. Just download the app, run it, remove MacKeeper and be on your way.

After several years of testing and refining my apps’ removal procedure, I now recommend using them even for proficient users as it is simply faster, more reliable and less prone to error than doing it any other way. The only people who should really consider the manual option are those that are running versions of macOS that are too old to run DetectX. Currently, there are versions of DetectX available for macOS 10.6.8 (Intel only) thru to 10.12. FastTasks 2 requires 10.10.5 or higher. DetectX Swift beta runs on 10.11 or higher and is the best choice for 10.13, High Sierra and beyond.


The Manual Way

If you need to remove MacKeeper manually then follow these instructions carefully. They’ve been refined over the years by many people who contributed in the hundreds of comments that follow this post and have been proven to work without exception. However, bear in mind that the onus is on you to follow the instructions to the letter. For that reason, go slow, read carefully and don’t do anything if you’re not sure what you’re doing. If you have any doubts, post a question in the comments.

Here we go!

1. If MacKeeper is running, quit it. From the sidebar in any Finder window, choose your hard disk icon and go to your Library folder. Look in the Application Support folder for the folder inside it called ‘MacKeeper’:

/Library/Application Support/MacKeeper

Drag this folder to the Trash.

2. Still in Library, look for and trash any of these you find in the same way:

/Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus

/Library/LaunchDaemons/com.zeobit.MacKeeper.plugin.AntiTheft.daemon

3. If you are using OS X Lion 10.7 or later, use the ‘Go’ menu in Finder’s menubar and hold down the ‘option’ key. Choose ‘Library’ from the menu (yes, this is a different Library folder from the one you were just in). If you are using Snow Leopard or Leopard, just click on the little ‘Home’ icon in the Finder sidebar and navigate to the Library. Then trash any and all of these that you find:

~/Library/Caches/com.zeobit.MacKeeper

~/Library/Caches/com.zeobit.MacKeeper.Helper

~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper

~/Library/LaunchAgents/com.zeobit.MacKeeper.plugin.Backup.agent

~/Library/Preferences/com.zeobit.MacKeeper.plist

~/Library/Preferences/com.zeobit.MacKeeper.Helper.plist

Be careful not to delete the wrong files: only those that have got the words ‘zeobit’, ‘MacKeeper’, ‘911’ or ‘911bundle’ should be trashed.

Update May 2015:

Due to recent changes in MacKeeper, the following files should also be searched for and removed:

~/Library/Application Support/MacKeeper Helper

~/Library/Caches/com.mackeeper.MacKeeper

~/Library/Caches/com.mackeeper.MacKeeper.Helper

~/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist

~/Library/Preferences/com.mackeeper.MacKeeper.Helper.plist

~/Library/Preferences/com.mackeeper.MacKeeper.plist

~/Documents/MacKeeper Backups

~/Library/Logs/MacKeeper.log

~/Library/Logs/MacKeeper.log.signed

/private/tmp/com.mackeeper.MacKeeper.Installer.config

/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78

The last item above will require removal in Terminal or turning on of invisible files in the GUI (various 3rd party apps can do this, including my own DetectX and FastTasks 2).

4. Go to Applications > Utilities > Keychain Access.app and double click on it. Notice the padlock in the window is up there on the left, rather than down the bottom. Click on it and enter your admin password. Now go through all the items in the ‘Keychains’ list (such as Login, System, Root) with ‘All items’ selected in the ‘Category’ list. Anything you find related to ‘MacKeeper’ or ‘zeobit’, click on it, then choose Edit > Delete from the menu.
(Thanks to Al for also mentioning this point in the Comments below! 🙂 ).

5. Open the Activity Monitor utility (Applications > Utilities > Activity Monitor.app). In 10.10 Yosemite or later, select the View menu and choose ‘All Processes’. For earlier versions of macOS, select ‘All Processes’ from the drop down menu just over on the right of the dialogue box. Next, scroll down the list of items shown and see if any processes called ‘MacKeeper’, ‘zeobit’ or ‘911 bundle’ are still running. Older versions of MacKeeper may have a ‘WINE’ process running, so also look for ‘wine’. Anything you find, click on it and hit the ‘Quit Process’ or ‘X’ button (Yosemite) in the top left corner.

6. Go to your Applications folder from a Finder window and select MacKeeper. Then, hold down ‘command’ and press ‘delete’ once. If you assigned MacKeeper to be pinned in the Dock, be sure to also drag the icon off the Dock and release it anywhere over the desktop. It will, satisfyingly, disappear in the ‘poof’ of a cloud. 😀

7. When you’re done filling up your trash can with all this junk, choose Finder > Empty Trash.

8. Go to Apple menu > System Preferences > Users & Groups (or ‘Accounts’ for Snow Leopard) | Login Items

If you see anything to do with MacKeeper in the list of items there, highlight it, then click the little minus ‘-‘ button near the bottom of the list.

9. Restart your Mac. Everything should be back to normal, but check the Activity Monitor one last time to be sure.
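Before trashing anything, the path lists in steps 1 to 3 above (and the MacBooster list in the earlier post) can be checked with a read-only audit that covers every user's home folder, not just your own. This is an added example, not part of the original post or of DetectX; the function names `audit_paths` and `report` and the optional root argument are assumptions of the example, and the embedded list is a subset of the paths given on this page.

```shell
#!/bin/bash
# Read-only audit: lists which known leftover paths exist. Nothing is deleted.

# Subset of the MacKeeper and MacBooster paths listed on this page; add the
# rest in the same form. A leading "~/" means "inside each user's home folder".
KNOWN_PATHS='/Library/Application Support/MacKeeper
/Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus
/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
~/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist
~/Library/Preferences/com.mackeeper.MacKeeper.plist
~/Documents/MacKeeper Backups
/Library/LaunchDaemons/com.iobit.AMCDaemon.plist
~/Library/LaunchAgents/com.iobit.MacBoosterMini.plist
~/Library/Preferences/cryptFile3'

# report PATH: print "<kind><TAB><path>" if PATH exists, otherwise nothing.
report() {
    local target="$1" kind="file"
    # -e matches files, folders and dot-files; -L also catches dangling symlinks.
    [ -e "$target" ] || [ -L "$target" ] || return 0
    case "$target" in
        # launchd job definitions: these are what relaunch the software.
        */LaunchAgents/*|*/LaunchDaemons/*) kind="persistence" ;;
    esac
    printf '%s\t%s\n' "$kind" "$target"
}

# audit_paths ROOT: ROOT is "" for the running system, or the mount point of
# another volume (hypothetical parameter, added so a second disk can be checked).
audit_paths() {
    local root="${1%/}" path rel home
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            "~/"*)
                rel=${path#??}      # drop the leading "~/"
                # Expand per-user paths against every home, not just $HOME.
                for home in "$root"/Users/*/; do
                    [ -d "$home" ] || continue
                    report "${home%/}/$rel"
                done ;;
            *)  report "$root$path" ;;
        esac
    done <<EOF
$KNOWN_PATHS
EOF
}

audit_paths "${1:-}"
```

Run it with sudo so the loop can read other users' Library folders. Lines marked `persistence` are the launchd items to deal with before the restart in step 9.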

Supplementary: If you have a problem with MacKeeper pop-ups while using your browser, try clearing out the caches, like this:

In Safari menubar, choose ‘Safari > Reset Safari’. Make sure all the options are checked.
This will not only clear out your caches, but everything else stored by the browser. Don’t worry, it won’t affect your bookmarks, but it will reset your ‘top sites’ and history.

In Firefox menubar, choose ‘Tools > Clear Recent History…’ and choose ‘Everything’. Again, it’ll clear everything out but won’t delete your bookmarks.

Obviously, if you use any other browsers like Opera or something you’ll have to find the same options for those too.


NOTES
1. If you have any problems carrying out the steps, try starting your Mac up in Safe mode, and then running the procedure.
2. You can safely ignore any MacKeeper files that are in the BOM or Receipts folders.
3. If you have only downloaded the MacKeeper package but not run the installer, you only need to send the .pkg file in your Downloads folder to the Trash. That’s it!

4. If you are seeing ads on this site, we recommend that you use an adblocker!

Acknowledgements
This post has been refined and improved over time thanks to suggestions and replies made in the Comments and on Apple Support Communities. Thanks especially to Al, Lyndon and Jack.
