Despite removing MacKeeper, I occasionally get reports from DetectX users who find that when they open their browser, MacKeeper is still haunting them. If your browser is popping open with images like the ones above, then like those users, you’ve got an adware infection.
It sounds nasty, but it’s more annoying and intrusive. It also may signal that your mac has been compromised in other ways by malware such as Pirrit, which has the capability to do more than just harass you through your browser.
The easy solution to adware is to run my free app DetectX. If you find the problem isn’t solved, you can also send me the DetectX report and I’ll solve it for you, for free.
If you like rolling your sleeves up yourself, then follow this procedure:
As you should always be running with a recent backup anyway (right, folks?) be sure to do a TM backup or clone before you start in case anything goes wrong. Do not ignore the necessity for a backup. If you don’t have one, stop now and get one.
You’re going to want to hunt down the adware in a few places. Be careful not to delete anything, but instead move suspicious items to a folder on your Desktop so that you can return them to where they came from if they are innocent. Create a new folder on your Desktop called ‘Quarantine’ for this purpose.
You’re going to want to keep a note of what you find and where you found it, so have a text editor like BBEdit or TextEdit open while you work. Save this file in your Quarantine folder, too.
When you find a suspicious item, an easy trick is to drag the suspect first into the editor to copy its path, and then drag it into your makeshift ‘Quarantine’ folder to move it. To copy the path in this way, use a plain text format in TextEdit. If you’re using BBEdit, command-drag the item. For moving to your Quarantine folder, you’re going to need to use ‘Command’-drag and supply an Admin password for the move if the item is outside of your Home folder.
2. Local and User Domain Libraries
Note these are two different libraries, but I’m assuming that if you’ve elected to follow this “roll your sleeves up” procedure, you already knew that. If you didn’t, I strongly suggest you reconsider trying to do this yourself. Messing under the hood requires a certain minimum level of experience and knowledge to avoid borking your entire system.
Assuming that all warnings and caveats so far have been heeded, you’re ready to inspect the /Library and ~/Library folders. Treat as suspicious anything at the root of /Library that begins with a lower case letter, particularly if it is an executable. Aside from the hidden .localized file, Apple don’t put anything at the root of /Library that begins with a lower case letter, and responsible 3rd party developers don’t either. If you find anything like that and you don’t know what it is, make a note of it (don’t move it yet).
At this point I’d love to be able to give you a list of file names to look out for, but I’m afraid we’re talking in the thousands if not more. A lot of this adware creates its own unique names on install by randomly choosing words from the /usr/share/dict/words file. Some of them disguise themselves as Apple files, like com.apple.morkim.plist and others disguise themselves by hiding themselves from the Finder (so ideally you want to be doing this on the command line, or at the very least use the Finder with invisible files showing).
The good news is that a lot of this adware is fairly obvious when you look at it. Move into the local (not user) Library’s LaunchAgents and LaunchDaemons folders and inspect the items in there. Move items that have random dictionary word names like ‘Bolshevik-remindful’ or gibberish concatenations of consonants and vowels like ‘com.xpbbptejonfy.plist’. If you’re not sure, open the plist (you can sudo cat it if you’re in the Terminal) and see what executable it refers to. If that refers to a path to some similarly named binary you’ve never heard of, go check it out and see what it is. If in doubt, use
After that, you’ll want to move on to your ~/Library/LaunchAgents folder, and follow the same procedure. Any items in here should refer to an app that you recognize and regularly use. Items with names that misspell words like ‘update’ and ‘download’ are dead giveaways as adware.
Adware plist files in here will typically refer to something funny sounding in your ~/Library/Application Support/ folder. Any apps found in the Application Support folder or subfolders should be treated as suspicious. Again, check the name through an internet search if you’re in any doubt, but since this is stuff in your user domain, really anything you don’t recognize shouldn’t be there anyway.
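The inspection described in this section can be done read-only with a short script. This is an added example, not code from the original post or from DetectX: it opens each launchd plist, reports the executable it refers to, and flags the naming patterns mentioned above. The five-consonant rule, the wording of the flags and the sample file names in demo() are assumptions made for illustration.

```python
import plistlib, re, tempfile
from pathlib import Path

# The three folders the article says to inspect.
LAUNCH_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons",
               "~/Library/LaunchAgents")
# Assumed heuristic: five or more consonants in a row reads as gibberish.
GIBBERISH = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.I)

def launch_target(plist_path):
    """Return the executable path a launchd job plist refers to."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)              # reads XML and binary plists
    return str(job.get("Program") or (job.get("ProgramArguments") or [""])[0])

def triage(plist_path, words=frozenset()):
    """Return (target, reasons to look closer); no reasons means no rule hit."""
    path = Path(plist_path)
    try:
        target = launch_target(path)
    except Exception as exc:                 # damaged file or not a plist
        return "", [f"unreadable: {type(exc).__name__}"]
    name = path.stem
    parts = name.lower().split("-")
    checks = [
        (GIBBERISH.search(name), "gibberish name"),
        (len(parts) > 1 and all(p in words for p in parts), "random dictionary words"),
        (name.startswith("com.apple."), "Apple-style name, confirm it is Apple's"),
        ("/Library/Application Support/" in target, "runs from Application Support"),
    ]
    return target, [why for hit, why in checks if hit]

def scan(dirs=LAUNCH_DIRS, words=frozenset()):
    """Map each flagged plist to (target, reasons). Reads only, moves nothing."""
    report = {}
    for folder in dirs:
        for p in sorted(Path(folder).expanduser().glob("*.plist")):
            target, hits = triage(p, words)
            if hits:
                report[str(p)] = (target, hits)
    return report

def demo():
    """Scan constructed sample plists modelled on the names in the article."""
    samples = {  # file name -> executable path (all constructed)
        "com.xpbbptejonfy.plist": "/Library/xpbbptejonfy/agent",
        "Bolshevik-remindful.plist": "/Users/me/Library/Application Support/Bolshevik/run",
        "org.example.backup.plist": "/Applications/Backup.app/Contents/MacOS/b",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, exe in samples.items():
            Path(tmp, name).write_bytes(plistlib.dumps({"ProgramArguments": [exe]}))
        found = scan([tmp], {"bolshevik", "remindful"})
        return {Path(k).name: v[1] for k, v in found.items()}

if __name__ == "__main__":
    d = Path("/usr/share/dict/words")
    words = set(d.read_text().lower().split()) if d.exists() else set()
    for path, (target, hits) in scan(words=words).items():
        print(f"{path}\n  runs: {target}\n  why:  {', '.join(hits)}")
```

A flag is only a prompt to look at the file and its target; nothing is moved, so the Quarantine step stays a manual decision.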
3. Browser Extensions
While you’re in the user Library, go check on what is in Safari/Extensions folder. You should see an Extensions.plist and only the safariextz files that refer to Extensions you use, if any. Fire up Safari, and check in the Preferences’ Extensions tab to uninstall any that you don’t use. If you use other browsers, use the Tools menu to inspect Extension or Add-ons, again removing any that you don’t use.
4. Restart and test
It’s time to restart your mac. After restarting, you’ll need to reset your browser to its default state. First, hold down the shift key while launching the browser from the Dock.
If you get redirected to an adware page or still get a pop up, clear your browser’s default settings. Although adware can no longer easily alter Safari’s defaults, you can check that your home page is correct in Safari’s Preferences. You can empty history and caches from the Safari menu and the Develop menu, respectively. For the latter, click ‘Advanced’ in Safari’s Preferences and check the ‘Show Develop menu in menu bar’ box at the bottom to enable the menu.
To reset Chrome and chromium based browsers to default settings, see:
For Firefox, see
Fixed it or not?
If you correctly identified and moved the adware, you should be all good. Depending on what you moved and from where, you might want to hang on to the items in your ‘Quarantine’ folder until you’re sure everything is working correctly. If you accidentally moved something you shouldn’t have, you’ll likely soon notice something isn’t working like it used to. Use your notes or your backup to undo the damage. When you’re sufficiently confident that everything in your Quarantine folder is definitely badware, move your notes to somewhere else if you wish to keep them for reference (I’d appreciate a copy of them, too :)) and delete your Quarantine folder.
If things didn’t work out, don’t despair or feel bad. Adware is complex, and the simple DIY guide above won’t cover all the cases. There are other places adware can hide, but it takes a lot of experience to track it all down. If you can’t solve the problem yourself, you can always check your mac with DetectX or contact me through DetectX’s Help menu item ‘Report a Problem to Sqwarq’ and have me do it for you (and no, I don’t charge for this service).
Good luck! 🙂
Related posts: Terminal tricks for defeating adware
Update: I’ve since written a nice GUI version in AppleScript-ObjectiveC which you can download for free here»
If you find you only ever go into Terminal to perform a small number of tasks that can’t be done (easily or at all) in the OS X graphical user interface, this little utility could be for you. It allows you to run a number of common tasks such as
reveal and hide hidden folders
batch change the extension on multiple files
purge system free memory
flush the DNS cache
restore system preferences to defaults
without having to bother looking up the commands. You will, however, have to do a little Terminal ‘dirty work’ to initially get the utility up and running (it’s a shell script which you need to turn into an executable file), but step by step instructions are all provided. 😉
Here’s what you do:
2. Save the file as plain text onto your desktop with the name ‘FastTasks’
3. Open Terminal.app and paste this command:
sudo chmod 755 ~/Desktop/FastTasks
and press ‘return’ on your keyboard. You’ll be asked for your Admin password which will be invisible when you type it. If you’re wondering what you’ve just done, you’ve just changed that plain text file into an executable program.
4. Paste the next line into Terminal.app
cp ~/Desktop/FastTasks /etc/bin/FastTasks
then press ‘return’ on your keyboard.
As a result of that last command, you can now use the script by typing ‘FastTasks’ in a Terminal window or by double-clicking ‘FastTasks’ in Finder or on the Desktop.
5. By the way, if the Terminal window remains open after FastTasks has completed, change the following settings in Terminal’s Preferences:
Preferences > Settings > Shell > When the shell exits…
and change the dropdown menu from ‘Don’t close the window’ to ‘Close if the shell exited cleanly’.
And that’s it. You can now run any of the tasks in the menu without having to know the commands! 🙂
Fast tips for using FastTasks
1. FastTasks is actually quickest to run by using Spotlight and Terminal.
If you have the Spotlight hotkey set up (usually cmd-space by default), simply open Spotlight, and type ‘Term’ and hit ‘return’ on the keyboard. At the Terminal prompt type ‘fasttasks’ and hit ‘return’.
2. Running it this way has another benefit. If you want to run FastTasks again after performing one task, just hit the ‘up’ arrow on the keyboard (hitting the ‘up’ arrow repeatedly will take you through previous commands entered at the Terminal prompt. Use the ‘down’ arrow to go forward), then ‘return’ when you see ‘fasttasks’ on the command line.
Among all the confusing posts and scare stories on offer this week about the flashback trojan, a lot of people seem to have missed the instructions for dealing with it.
Here’s F-Secure’s removal procedure:
Here’s Rich Mogull’s general advice for securing your mac in light of this new threat:
It’s also worth emphasizing that, for technical reasons, if your mac has Microsoft Office 2008 or 2011 or Apple’s XCode installed, this particular trojan will not have been able to infect your computer.
If you have reverted your mac to Snow Leopard from Lion, it’s important that you also remove the Recovery HD, as it can compromise the security of your Snow Leopard installation (for security issues with Lion, see here). Reverting to SL via Time Machine or restoring from a clone will leave the Recovery partition in place, meaning anyone can boot into it and reset your Snow Leopard passwords merely by restarting your mac while holding down the ‘option’ key.
To remove the Recovery disk follow this procedure:
1. Revert back to Snow Leopard using Time Machine or a clone.
2. Once you’re up and running and have confirmed everything is good, go to Terminal (Applications > Utilities > Terminal) and paste/type this command to confirm the presence of the Recovery HD:
then press ‘Return’. If you see a partition labelled something like this
Apple_Boot Recovery HD (see image above)
then you will need to continue with the rest of the procedure. If the Recovery HD is not listed here, you do not have the Recovery partition and need not worry further.
3. If you find the Recovery HD in the list, paste the following command into Terminal:
defaults write com.apple.DiskUtility DUDebugMenuEnabled 1
Now open Disk Utility (Applications > Utilities > Disk Utility). In the menubar at the top, choose Debug > ‘Show every partition’
On the left in the main Disk Utility window, you’ll be able to see ‘Recovery HD’ (it’ll be greyed out). You can click ‘Mount’ in the taskbar to make it active, and you can now delete it using control-click/right click – erase or by using the ‘erase’ tab in DU’s window.
If you want to confirm that the Recovery disk is no longer present, go back to Terminal and type the command from step 2.
Last updated: Dec 30, 2016
If you’re unfamiliar with the reputation of MacKeeper but have come here because you downloaded it – or it downloaded itself after you were inadvertently redirected to some unwanted website – and are now wondering whether you made a mistake, let me present you with a few facts.
MacKeeper is one of the most infamous pieces of software on the macOS platform. This post itself was first published in September 2011, and has since received over 2 million hits from people wishing to uninstall MacKeeper from their computers.
When I ran MacKeeper’s free trial version on a brand new clean install of macOS, it told me that my system was in ‘serious’ condition and that I needed to buy MacKeeper in order to solve all my problems.
It seems, then, that MacKeeper thinks macOS, freshly installed, is a poor piece of software engineering, but the feeling is mutual. macOS doesn’t like MacKeeper much either. macOS provides the following warning about MacKeeper:
MESSAGE FROM CONSOLE
12/05/2015 17:48:00.946 com.apple.xpc.launchd: (com.mackeeper.MacKeeper.Helper) This service is defined to be constantly running and is inherently inefficient.
If you have installed MacKeeper and wish to remove it, read on.
i. If you have used MacKeeper’s encryption feature, be sure to unencrypt before you uninstall MacKeeper. You should also check whether any of your personal files are stored in /Documents/MacKeeper Backups.
Backups & other disks
ii. If you have any disks connected to your mac, including Time Machine, eject them before you start the uninstall procedure.
iii. If you have anything in the Trash, empty it now before you start.
You are now ready to uninstall MacKeeper.
The Easy Way
As I’ve been involved in helping people uninstall MacKeeper for over 5 years, I eventually got round to the task of automating the process so that folks who were not that technically proficient with computers could take advantage of the information on this page.
If that sounds like you, then the easiest way to uninstall MacKeeper is to use my app DetectX or FastTasks 2. Both are shareware and can be used for free. 😀 You do not need to sign up to anything, subscribe to anything or give anyone your email address. Just download the app, run it, remove MacKeeper and be on your way.
After several years of testing and refining my app’s removal procedure, I now recommend using them even for proficient users as it is simply faster, more reliable and less prone to error than doing it any other way. The only people who should really consider the manual option are those that are running versions of macOS that are too old to run DetectX. Currently, there are versions of DetectX available for macOS 10.6.8 (Intel only) thru to 10.12. FastTasks 2 requires 10.10.5 or higher.
The Manual Way
If you need to remove MacKeeper manually then follow these instructions carefully. They’ve been refined over the years by many people who contributed in the hundreds of comments that follow this post and have been proven to work without exception. However, bear in mind that the onus is on you to follow the instructions to the letter. For that reason, go slow, read carefully and don’t do anything if you’re not sure what you’re doing. If you have any doubts, post a question in the comments.
Here we go!
1. If MacKeeper is running, quit it. From the sidebar in any Finder window, choose your hard disk icon and go to your Library folder. Look in the Application Support folder for the folder inside it called ‘MacKeeper’:
Drag this folder to the Trash.
2. Still in Library, look for and trash any of these you find in the same way:
3. If you are using OS X Lion 10.7 or later, use the ‘Go’ menu in Finder’s menubar and hold down the ‘option’ key. Choose ‘Library’ from the menu (yes, this is a different Library folder from the one you were just in). If you are using Snow Leopard or Leopard, just click on the little ‘Home‘ icon in the Finder sidebar and navigate to the Library. Then trash any and all of these that you find:
Be careful not to delete the wrong files: only those that have got the words ‘zeobit’, ‘MacKeeper’, ‘911’ or ‘911bundle’ should be trashed.
Update May 2015:
Due to recent changes in MacKeeper, the following files should also be searched for and removed:
~/Library/Application Support/MacKeeper Helper
The last item above will require removal in Terminal or turning on of invisible files in the GUI (various 3rd party apps can do this, including my own DetectX and FastTasks 2).
4. Go to Applications > Utilities > Keychain Access.app and double click on it. Notice the padlock in the window is up there on the left, rather than down the bottom. Click on it and enter your admin password. Now go through all the items in the ‘Keychains‘ list (such as Login, System, Root) with ‘All items’ selected in the ‘Category’ list. Anything you find related to ‘MacKeeper’ or ‘zeobit’, click on it, then choose Edit > Delete from the menu.
(Thanks to Al for also mentioning this point in the Comments below! 🙂 ).
5. Open the Activity Monitor utility (Applications>Utilities>Activity Monitor.app). In 10.10 Yosemite or later, select the View menu and choose ‘All Processes’. For earlier versions of macOS, select ‘All Processes’ from the drop down menu just over on the right of the dialogue box. Next, scroll down the list of items shown and see if any processes called ‘MacKeeper’, ‘zeobit’ or ‘911 bundle’ are still running. Older versions of MacKeeper may have a ‘WINE’ process running, so also look for ‘wine’. Anything you find, click on it and hit the ‘Quit Process’ or ‘X’ button (Yosemite) in the top left corner.
6. Go to your Applications folder from a Finder window and select MacKeeper. Then, hold down ‘command’ and press ‘delete’ once. If you assigned MacKeeper to be pinned in the Dock, be sure to also drag the icon off the Dock and release it anywhere over the desktop. It will, satisfyingly, disappear in the ‘poof’ of a cloud. 😀
7. When you’re done filling up your trash can with all this junk, click on the Finder> Empty Trash.
8. Go to the Apple menu > System Preferences > Users & Groups (or ‘Accounts’ for Snow Leopard) | Login Items
If you see anything to do with MacKeeper in the list of items there, highlight it, then click the little minus ‘-‘ button near the bottom of the list.
9. Restart your Mac. Everything should be back to normal, but check the Activity Monitor one last time to be sure.
Supplementary: If you have a problem with MacKeeper pop-ups while using your browser, try clearing out the caches, like this:
In Safari menubar, choose ‘Safari > Reset Safari’. Make sure all the options are checked.
This will not only clear out your caches, but everything else stored by the browser. Don’t worry, it won’t affect your bookmarks, but it will reset your ‘top sites’ and history.
In Firefox menubar, choose ‘Tools > Clear Recent History…’ and choose ‘Everything’. Again, it’ll clear everything out but won’t delete your bookmarks.
Obviously, if you use any other browsers like Opera or something you’ll have to find the same options for those too.
1. If you have any problems carrying out the steps, try starting your Mac up in Safe mode, and then running the procedure.
2. You can safely ignore any MacKeeper files that are in the BOM or Receipts folders.
3. If you have only downloaded the MacKeeper package but not run the installer, you only need to send the .pkg file in your Downloads folder to the Trash. That’s it!
4. If you are seeing ads on this site, we recommend that you use an adblocker!
This post has been refined and improved over time thanks to suggestions and replies made in the Comments and on Apple Support Communities. Thanks especially to Al, Lyndon and Jack.