Blog Archives

how to remove “Plugins Button” from Chrome





Update: DetectX v2.75+ now deals correctly with the Plugins Button adware and the instructions below are now redundant.  Just ‘Search’ and ‘Trash All…’ should be sufficient.



 

If you’re having trouble trying to remove the “Plugins Button” from Chrome because it’s ‘managed and cannot be removed or disabled’, then follow this procedure.

1. Launch DetectX and do a search. You should see at least 5 items. Do NOT click the Trash button yet.

2. Quit Chrome

3. In Terminal, execute this command* (you’ll need admin privileges)

sudo /usr/bin/profiles -P; sudo -K

If you see a single configuration profile installed with the profileIdentifier ‘org.superduper.extension’, then execute

sudo /usr/bin/profiles -D; sudo -K

to remove it.

Type ‘y’ when prompted.

4. Read the caveats below, and then if appropriate, in DetectX, now click the ‘Trash All…’ button.

5. Relaunch Chrome and check that all is well.

Caveats
* If you or the machine’s administrator are using ‘Managed Preferences’ and have profiles other than the one mentioned above installed, then do NOT use the ‘-D’ switch in step 3. You’ll need to identify the correct profiles. Use the -P switch to list the installed profiles and only delete the one with ‘org.superduper.extension’ identifier. Likewise, do NOT use the Trash All… feature in DetectX, which will remove the Managed Preferences folder***. Instead, double-click the items in DetectX’s window to open them in Finder and remove them manually that way.

** You’ll need to authorise the deletions when macOS asks you as DetectX doesn’t have the permissions to do that (a safety feature).

*** Note that the ‘Managed Preferences’ folder is a perfectly legitimate folder for server admins that have knowingly installed managed preferences for their users, or for those using Parental Controls. An application update for DetectX will be released shortly to more accurately target this issue rather than flagging the entire Managed Preferences folder.
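
The check described in step 3 and the first caveat, as an added example (not part of the original post or of DetectX): it classifies a `profiles -P` listing and prints the removal command that fits. The sample listings are constructed, and the targeted form `profiles -R -p <identifier>` is taken from the profiles man page of the same macOS generation rather than from the post, so confirm it with `man profiles` on your release.

```shell
#!/bin/sh
# Added example: choose between removing ALL profiles (-D) and removing only
# the adware profile, based on the output of `sudo /usr/bin/profiles -P`.

ADWARE_ID='org.superduper.extension'   # identifier given in the post

# Constructed samples, modelled on the listing format of `profiles -P`.
SAMPLE_ONLY='_computerlevel[1] attribute: profileIdentifier: org.superduper.extension
There are 1 configuration profiles installed'
SAMPLE_MIXED='_computerlevel[1] attribute: profileIdentifier: com.example.corp.wifi
_computerlevel[2] attribute: profileIdentifier: org.superduper.extension
There are 2 configuration profiles installed'
SAMPLE_CLEAN='There are no configuration profiles installed'

# Print every profileIdentifier found in a listing read from stdin.
list_profile_ids() {
    sed -n 's/.*profileIdentifier:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Classify a listing read from stdin:
#   absent       the adware profile is not installed
#   only-adware  it is the only profile, so -D removes nothing else
#   mixed        other profiles exist, so -D would remove them as well
classify_profiles() {
    list_profile_ids | awk -v bad="$ADWARE_ID" '
        { total++ }
        $0 == bad { hits++ }
        END {
            if (hits == 0)          print "absent"
            else if (hits == total) print "only-adware"
            else                    print "mixed"
        }'
}

# Print the removal command that fits a classification (empty if none needed).
removal_command() {
    case $1 in
        only-adware) echo "sudo /usr/bin/profiles -D; sudo -K" ;;
        mixed)       echo "sudo /usr/bin/profiles -R -p $ADWARE_ID; sudo -K" ;;
        *)           echo "" ;;
    esac
}

# Dry run over the constructed samples. On a Mac, pipe the real listing in:
#   sudo /usr/bin/profiles -P | classify_profiles
for s in "$SAMPLE_ONLY" "$SAMPLE_MIXED" "$SAMPLE_CLEAN"; do
    verdict=$(printf '%s\n' "$s" | classify_profiles)
    printf '%s -> %s\n' "$verdict" "$(removal_command "$verdict")"
done
```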

how to remove adware from your mac




Despite removing MacKeeper, I occasionally get reports from DetectX users who find that when they open their browser, MacKeeper is still haunting them. If your browser is popping open with images like the ones above, then like those users, you’ve got an adware infection.

It sounds nasty, but it’s more annoying and intrusive. It also may signal that your mac has been compromised in other ways by malware such as Pirrit, which has the capability to do more than just harass you through your browser.

The easy solution to adware is to run my free app DetectX. If you find the problem isn’t solved, you can also send me the DetectX report and I’ll solve it for you, for free.

If you like rolling your sleeves up yourself, then follow this procedure:



1. Preparation
As you should always be running with a recent backup anyway (right, folks?) be sure to do a TM backup or clone before you start in case anything goes wrong. Do not ignore the necessity for a backup. If you don’t have one, stop now and get one.

You’re going to want to hunt down the adware in a few places. Be careful not to delete anything, but instead move suspicious items to a folder on your Desktop so that you can return them to where they came from if they are innocent. Create a new folder on your Desktop called ‘Quarantine’ for this purpose.

You’re going to want to keep a note of what you find and where you found it, so have a text editor like BBEdit or TextEdit open while you work. Save this file in your Quarantine folder, too.

When you find a suspicious item, an easy trick is to drag the suspect first into the editor to copy its path, and then drag it into your makeshift ‘Quarantine’ folder to move it. To copy the path in this way, use a plain text format in TextEdit. If you’re using BBEdit, command-drag the item. For moving to your Quarantine folder, you’re going to need to use ‘Command’-drag and supply an Admin password for the move if the item is outside of your Home folder.



2. Local and User Domain Libraries
Note these are two different libraries, but I’m assuming that if you’ve elected to follow this “roll your sleeves up” procedure, you already knew that. If you didn’t, I strongly suggest you reconsider trying to do this yourself. Messing under the hood requires a certain minimum level of experience and knowledge to avoid borking your entire system.

Assuming that all warnings and caveats so far have been heeded, you’re ready to inspect the /Library and ~/Library folders. Treat as suspicious anything at the root of /Library that begins with a lower case letter, particularly if it is an executable. Aside from the hidden .localized file, Apple don’t put anything at the root of /Library that begins with a lower case letter, and responsible 3rd party developers don’t either. If you find anything like that and you don’t know what it is, make a note of it (don’t move it yet).

At this point I’d love to be able to give you a list of file names to look out for, but I’m afraid we’re talking in the thousands if not more. A lot of this adware creates its own unique names on install by randomly choosing words from the /usr/share/dict/words file. Some of them disguise themselves as Apple files, like com.apple.morkim.plist and others disguise themselves by hiding themselves from the Finder (so ideally you want to be doing this on the command line, or at the very least use the Finder with invisible files showing).

The good news is that a lot of this adware is fairly obvious when you look at it. Move into the local (not user) Library’s LaunchAgents and LaunchDaemons folders and inspect the items in there. Move items that have random dictionary word names like ‘Bolshevik-remindful’ or gibberish concatenations of consonants and vowels like ‘com.xpbbptejonfy.plist’. If you’re not sure, open the plist (you can cat or sudo cat it if you’re in the Terminal) and see what executable it refers to. If that refers to a path to some similarly named binary you’ve never heard of, go check it out and see what it is. If in doubt, use your favourite search engine to search for that name on the web and see if it’s legit. Anything legitimate will be easy to find a reference to on the web. Anything that fails these tests should be moved to your Quarantine folder. If you find anything that refers to a folder or file you made a note of earlier in the root of /Library, then move both to your Quarantine folder.

After that, you’ll want to move on to your ~/Library/LaunchAgents folder, and follow the same procedure. Any items in here should refer to an app that you recognize and regularly use. Items with names that misspell words like ‘update’ and ‘download’ are dead giveaways as adware.

Adware plist files in here will typically refer to something funny sounding in your ~/Library/Application Support/ folder. Any apps found in the Application Support folder or subfolders should be treated as suspicious. Again, check the name through an internet search if you’re in any doubt, but since this is stuff in your user domain, really anything you don’t recognize shouldn’t be there anyway.



3. Browser Extensions
While you’re in the user Library, go check on what is in Safari/Extensions folder. You should see an Extensions.plist and only the safariextz files that refer to Extensions you use, if any. Fire up Safari, and check in the Preferences’ Extensions tab to uninstall any that you don’t use. If you use other browsers, use the Tools menu to inspect Extension or Add-ons, again removing any that you don’t use.



4. Restart and test
It’s time to restart your mac. After restarting, you’ll need to reset your browser to its default state. First, hold down the shift key while launching the browser from the Dock.

If you get redirected to an adware page or still get a pop up, clear your browser’s default settings. Although adware can no longer easily alter Safari’s defaults, you can check that your home page is correct in Safari’s Preferences. You can empty history and caches from the Safari menu and the Develop menu, respectively. For the latter, click ‘Advanced’ in Safari’s Preferences and check the ‘Show Develop menu in menu bar’ box at the bottom to enable the menu.

To reset Chrome and chromium based browsers to default settings, see:

https://support.google.com/chrome/answer/3296214

For Firefox, see

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
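
The command-line side of steps 1 and 2, as an added example (not code from the original post or from DetectX): it lists lower-case items at a Library root, shows which executable each launchd plist points at, flags names of the kind described above, and moves a suspect into a Quarantine folder while noting its original path. The name heuristics, the function names and the sample tree are assumptions constructed for illustration; a REVIEW verdict means "look at this", not "this is adware".

```shell
#!/bin/sh
# Added example: review launchd plists and quarantine (never delete) suspects.
# The heuristics are assumptions modelled on the post's descriptions.

# Entries at the root of DIR (e.g. /Library) starting with a lower-case letter.
lowercase_root_items() {
    for p in "$1"/[abcdefghijklmnopqrstuvwxyz]*; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# Executable a launchd job points at: the first <string> after the Program or
# ProgramArguments key. Expects XML; on macOS convert a binary plist first
# with `plutil -convert xml1 -o - FILE`.
plist_program() {
    awk '
        /<key>Program(Arguments)?<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }' "$1"
}

# Name patterns the post describes: long consonant runs (com.xpbbptejonfy.plist)
# or two hyphenated words with no reverse-DNS dots (Bolshevik-remindful).
name_looks_generated() {
    printf '%s\n' "$1" | grep -Eq \
        '[bcdfghjklmnpqrstvwxz]{5,}|^[A-Za-z]+-[a-z]+(\.plist)?$'
}

# One line per plist in DIR, hidden ones included: verdict, file, program.
# REVIEW = generated-looking name, or a target under "Application Support".
triage_dir() {
    for f in "$1"/*.plist "$1"/.*.plist; do
        [ -f "$f" ] || continue
        prog=$(plist_program "$f")
        verdict=ok
        if name_looks_generated "$(basename "$f")"; then verdict=REVIEW; fi
        case $prog in */Application\ Support/*) verdict=REVIEW ;; esac
        printf '%s\t%s\t%s\n' "$verdict" "$f" "$prog"
    done
}

# Note where ITEM came from, then move it into QDIR (the Quarantine folder).
quarantine() {
    mkdir -p "$2" || return 1
    if [ -e "$2/$(basename "$1")" ]; then return 1; fi  # keep earlier evidence
    printf '%s\n' "$1" >> "$2/notes.txt"
    mv "$1" "$2/"
}

# Constructed sample tree (harmless files, invented names) for a dry run.
write_plist() {  # FILE PROGRAM
    cat > "$1" <<EOF
<plist version="1.0"><dict>
  <key>Label</key><string>sample</string>
  <key>ProgramArguments</key>
  <array><string>$2</string></array>
</dict></plist>
EOF
}
make_sample() {
    mkdir -p "$1/LaunchAgents"
    : > "$1/bolshevikd"
    write_plist "$1/LaunchAgents/com.xpbbptejonfy.plist" "$1/bolshevikd"
    write_plist "$1/LaunchAgents/.com.example.updater.plist" \
        "/Users/me/Library/Application Support/Updater/helper"
    write_plist "$1/LaunchAgents/com.example.backup.plist" \
        "/Applications/Backup.app/Contents/MacOS/agent"
}

demo=$(mktemp -d) && make_sample "$demo"
lowercase_root_items "$demo"
triage_dir "$demo/LaunchAgents"
rm -rf "$demo"
```

On a real system, point `lowercase_root_items` at /Library and `triage_dir` at each LaunchAgents and LaunchDaemons folder in turn; moving items out of /Library needs sudo.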



Fixed it or not?
If you correctly identified and moved the adware, you should be all good. Depending on what you moved and from where, you might want to hang on to the items in your ‘Quarantine’ folder until you’re sure everything is working correctly. If you accidentally moved something you shouldn’t have, you’ll likely soon notice something isn’t working like it used to. Use your notes or your backup to undo the damage. When you’re sufficiently confident that everything in your Quarantine folder is definitely badware, move your notes to somewhere else if you wish to keep them for reference (I’d appreciate a copy of them, too :)) and delete your Quarantine folder.

If things didn’t work out, don’t despair or feel bad. Adware is complex, and the simple DIY guide above won’t cover all the cases. There are other places adware can hide, but it takes a lot of experience to track it all down. If you can’t solve the problem yourself, you can always check your mac with DetectX or contact me through DetectX’s Help menu item ‘Report a Problem to Sqwarq’ and have me do it for you (and no, I don’t charge for this service).



Good luck! 🙂

Related posts: Terminal tricks for defeating adware


FastTasks – a utility for ten common terminal tasks


Update: I’ve since written a nice GUI version in AppleScript-ObjectiveC which you can download for free here»

If you find you only ever go into Terminal to perform a small number of tasks that can’t be done (easily or at all) in the OS X graphical user interface, this little utility could be for you. It allows you to run a number of common tasks such as

reveal and hide hidden folders
batch change the extension on multiple files
purge system free memory
flush the DNS cache
restore system preferences to defaults

without having to bother looking up the commands. You will, however, have to do a little Terminal ‘dirty work’ to initially get the utility up and running (it’s a shell script which you need to turn into an executable file), but step by step instructions are all provided. 😉

Here’s what you do:

1. Copy or download the entire script from here FastTasks code and paste it into a text editor (TextEdit or Tincta, my favourite, will do).

2. Save the file as plain text onto your desktop with the name ‘FastTasks’

3. Open Terminal.app and paste this command:

sudo chmod 755 ~/Desktop/FastTasks

and press ‘return’ on your keyboard. You’ll be asked for your Admin password, which will be invisible when you type it. If you’re wondering what you’ve just done, you’ve just changed that plain text file into an executable program.

4. Paste the next line into Terminal.app

cp ~/Desktop/FastTasks /etc/bin/FastTasks

then press ‘return’ on your keyboard.

As a result of that last command, you can now use the script by typing ‘FastTasks’ in a Terminal window or by double-clicking ‘FastTasks’ in Finder or on the Desktop.

5. By the way, if the Terminal window remains open after FastTasks has completed, change the following settings in Terminal’s Preferences:

Preferences > Settings > Shell > When the shell exits…

and change the dropdown menu from ‘Don’t close the window’ to ‘Close if the shell exited cleanly’.

And that’s it. You can now run any of the tasks in the menu without having to know the commands! 🙂

Fast tips for using FastTasks

1. FastTasks is actually quickest to run by using Spotlight and Terminal.
If you have the Spotlight hotkey set up (usually cmd-space by default), simply open Spotlight, and type ‘Term’ and hit ‘return’ on the keyboard. At the Terminal prompt type ‘fasttasks’ and hit ‘return’.

2. Running it this way has another benefit. If you want to run FastTasks again after performing one task, just hit the ‘up’ arrow on the keyboard (hitting the ‘up’ arrow repeatedly will take you through previous commands entered at the Terminal prompt. Use the ‘down’ arrow to go forward), then ‘return’ when you see ‘fasttasks’ on the command line.

how to empty caches in Safari 6

Since the old ‘Empty Cache…’ item has gone missing in the main menu in Safari 6.0, you might be thinking this function has been removed. Actually, it’s still there, but is somewhat hidden.

Go to

Safari > Preferences > Advanced

and check the Show Develop menu in menubar button at the bottom.

In Safari’s menu bar, choose Develop > Empty Caches.

Alternatively, you can just use the keyboard shortcut

option-command-E

Don’t forget you also have quite a lot of flexibility by unchecking or checking different options in

Safari > Reset Safari

For example, you can clear just the cookie cache by unselecting everything except ‘Remove website data’ (this can also be achieved in the Privacy tab in Safari Preferences, too). 🙂

Related Posts
FastTasks – a free utility from Applehelpwriter

uninstall flashback trojan

Among all the confusing posts and scare stories on offer this week about the flashback trojan, a lot of people seem to have missed the instructions for dealing with it.

Here’s F-Secure’s removal procedure:

uninstall trojan downloader

Here’s Rich Mogull’s general advice for securing your mac in light of this new threat:

What you need to know about the flashback trojan

It’s also worth emphasizing that, for technical reasons, if your mac has Microsoft Office 2008 or 2011 or Apple’s XCode installed, this particular trojan will not have been able to infect your computer.

how to remove ‘Top Sites’ in Safari


If you are fed up with the ‘Top Sites’ feature in Safari 5, here’s how to remove it.

1. In Safari > Preferences > General, change ‘New windows open with’ and ‘New tabs open with’ to either ‘Homepage’ or ‘Empty page’ (as you prefer).



2. In Safari > Preferences > Bookmarks, uncheck ‘Include Top Sites’.





Now you also need to get rid of the caches, and to stop Safari from continually storing images of your web page history (Tip: Safari will still track your History in the normal way, but here we are going to prevent it from downloading the image files that are used in Top Sites), so:

3. In Safari > Reset Safari…, check ‘Reset Top Sites’ and ‘Remove all webpage preview images’.



Click ‘Reset’.

4. Go to your home folder Library (~/Library) by clicking on the Folder icon in the dock, pressing ‘shift-command-g’, and typing ~/Library in the box.

Navigate to Caches > com.apple.Safari.

5. Click once on the Cache.db file. Hit ‘command-i’ on the keyboard. In the Get Info panel that opens, check the ‘Locked’ box. Close the panel.

6. Click on the Webpage Previews folder in com.apple.Safari and press ‘command-i’. Check the ‘Locked’ box. Close the panel.



7. Navigate back to Caches > Metadata > Safari > Bookmarks. Go into the Bookmarks folder, hit ‘command-a’ and then ‘command-delete’ to send all the selected files to the Trash.

8. With the Bookmarks folder selected in Finder, press ‘command-i’ and check the ‘Locked’ box. Close the panel.



That’s it. No more ‘Top Sites’, and no more wasted time or space downloading and storing webpage previews! :- )


And what about later versions of Safari? There’s no way to remove Top Sites in Safari 7 that I know of (if you know different, please leave a comment below). However, there’s no reason to suffer in silence! Let Apple’s Safari dev team know how much you dislike it:

http://www.apple.com/feedback/safari.html

Safari feedback

Related Posts
How to Troubleshoot Your Mac with FT2
how to clear Safari’s cookies on quit (Safari 7)
FastTasks – download the free OS X utility app from Applehelpwriter

how to remove Lion Recovery disk



If you have reverted your mac to Snow Leopard from Lion, it’s important that you also remove the Recovery HD, as it can compromise the security of your Snow Leopard installation (for security issues with Lion, see here). Reverting to SL via Time Machine or restoring from a clone will leave the Recovery partition in place, meaning anyone can boot into it and reset your Snow Leopard passwords merely by restarting your mac while holding down the ‘option’ key.

To remove the Recovery disk follow this procedure:

1. Revert back to Snow Leopard using Time Machine or a clone.

2. Once you’re up and running and have confirmed everything is good, go to Terminal (Applications > Utilities > Terminal) and paste/type this command to confirm the presence of the Recovery HD:

diskutil list

then press ‘Return’. If you see a partition labelled something like this

Apple_Boot Recovery HD (see image above)

then you will need to continue with the rest of the procedure. If the Recovery HD is not listed here, you do not have the Recovery partition and need not worry further.

3. If you find the Recovery HD in the list, paste the following command into Terminal:

defaults write com.apple.DiskUtility DUDebugMenuEnabled 1

Press ‘Return’.

Now open Disk Utility (Applications > Utilities > Disk Utility). In the menubar at the top, choose Debug > ‘Show every partition’

On the left in the main Disk Utility window, you’ll be able to see ‘Recovery HD’ (it’ll be greyed out). You can click ‘Mount’ in the taskbar to make it active, and you can now delete it using control-click/right click – erase or by using the ‘erase’ tab in DU’s window.

If you want to confirm that the Recovery disk is no longer present, go back to Terminal and type the command from step 2.


Related posts:
how to secure your mac (OS X Lion)

how to uninstall MacKeeper – updated


Last updated: Dec 30, 2016

If you’re unfamiliar with the reputation of MacKeeper but have come here because you downloaded it – or it downloaded itself after you were inadvertently redirected to some unwanted website – and are now wondering whether you made a mistake, let me present you with a few facts.

MacKeeper is one of the most infamous pieces of software on the macOS platform. This post itself was first published in September 2011, and has since received over 2 million hits from people wishing to uninstall MacKeeper from their computers.

When I ran MacKeeper’s free trial version on a brand new clean install of macOS, it told me that my system was in ‘serious’ condition and that I needed to buy MacKeeper in order to solve all my problems.

MacKeeper on Mavericks

It seems, then, that MacKeeper thinks macOS, freshly installed, is a poor piece of software engineering, but the feeling is mutual. macOS doesn’t like MacKeeper much either. macOS provides the following warning about MacKeeper:

MESSAGE FROM CONSOLE
12/05/2015 17:48:00.946 com.apple.xpc.launchd[1]: (com.mackeeper.MacKeeper.Helper) This service is defined to be constantly running and is inherently inefficient.

If you have installed MacKeeper and wish to remove it, read on.

Preparation:
i. If you have used MacKeeper’s encryption feature, be sure to unencrypt before you uninstall MacKeeper. You should also check whether any of your personal files are stored in /Documents/MacKeeper Backups.

Backups & other disks
ii. If you have any disks connected to your mac, including Time Machine, eject them before you start the uninstall procedure.

Trash
iii. If you have anything in the Trash, empty it now before you start.

You are now ready to uninstall MacKeeper.


The Easy Way

As I’ve been involved in helping people uninstall MacKeeper for over 5 years, I eventually got round to the task of automating the process so that folks who were not that technically proficient with computers could take advantage of the information on this page.

If that sounds like you, then the easiest way to uninstall MacKeeper is to use my app DetectX or FastTasks 2. Both are shareware and can be used for free. 😀 You do not need to sign up to anything, subscribe to anything or give anyone your email address. Just download the app, run it, remove MacKeeper and be on your way.

After several years of testing and refining my app’s removal procedure, I now recommend using them even for proficient users as it is simply faster, more reliable and less prone to error than doing it any other way. The only people who should really consider the manual option are those that are running versions of macOS that are too old to run DetectX. Currently, there are versions of DetectX available for macOS 10.6.8 (Intel only) thru to 10.12. FastTasks 2 requires 10.10.5 or higher.


The Manual Way

If you need to remove MacKeeper manually then follow these instructions carefully. They’ve been refined over the years by many people who contributed in the hundreds of comments that follow this post and have been proven to work without exception. However, bear in mind that the onus is on you to follow the instructions to the letter. For that reason, go slow, read carefully and don’t do anything if you’re not sure what you’re doing. If you have any doubts, post a question in the comments.

Here we go!

1. If MacKeeper is running, quit it. From the sidebar in any Finder window, choose your hard disk icon and go to your Library folder. Look in the Application Support folder for the folder inside it called ‘MacKeeper’:

/Library/Application Support/MacKeeper

Drag this folder to the Trash.

2. Still in Library, look for and trash any of these you find in the same way:

/Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus

/Library/LaunchDaemons/com.zeobit.MacKeeper.plugin.AntiTheft.daemon

3. If you are using OS X Lion 10.7 or later, use the ‘Go’ menu in Finder’s menubar and hold down the ‘option’ key. Choose ‘Library’ from the menu (yes, this is a different Library folder from the one you were just in). If you are using Snow Leopard or Leopard, just click on the little ‘Home‘ icon in the Finder sidebar and navigate to the Library. Then trash any and all of these that you find:

~/Library/Caches/com.zeobit.MacKeeper

~/Library/Caches/com.zeobit.MacKeeper.Helper

~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper

~/Library/LaunchAgents/com.zeobit.MacKeeper.plugin.Backup.agent

~/Library/Preferences/com.zeobit.MacKeeper.plist

~/Library/Preferences/com.zeobit.MacKeeper.Helper.plist

Be careful not to delete the wrong files: only those that have got the words ‘zeobit’, ‘MacKeeper’, ‘911’ or ‘911bundle’ should be trashed.

Update May 2015:

Due to recent changes in MacKeeper, the following files should also be searched for and removed:

~/Library/Application Support/MacKeeper Helper

~/Library/Caches/com.mackeeper.MacKeeper

~/Library/Caches/com.mackeeper.MacKeeper.Helper

~/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist

~/Library/Preferences/com.mackeeper.MacKeeper.Helper.plist

~/Library/Preferences/com.mackeeper.MacKeeper.plist

~/Documents/MacKeeper Backups

~/Library/Logs/MacKeeper.log

~/Library/Logs/MacKeeper.log.signed

/private/tmp/com.mackeeper.MacKeeper.Installer.config

/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78

The last item above will require removal in Terminal or turning on of invisible files in the GUI (various 3rd party apps can do this, including my own DetectX and FastTasks 2).

4. Go to Applications > Utilities > Keychain Access.app and double click on it. Notice the padlock in the window is up there on the left, rather than down the bottom. Click on it and enter your admin password. Now go through all the items in the ‘Keychains‘ list (such as Login, System, Root) with ‘All items’ selected in the ‘Category’ list. Anything you find related to ‘MacKeeper’ or ‘zeobit’, click on it, then choose Edit > Delete from the menu.
(Thanks to Al for also mentioning this point in the Comments below! 🙂 ).

5. Open the Activity Monitor utility (Applications>Utilities>Activity Monitor.app). In 10.10 Yosemite or later, select the View menu and choose ‘All Processes’. For earlier versions of macOS, select ‘All Processes’ from the drop down menu just over on the right of the dialogue box. Next, scroll down the list of items shown and see if any processes called ‘MacKeeper’, ‘zeobit’ or ‘911 bundle’ are still running. Older versions of MacKeeper may have a ‘WINE’ process running, so also look for ‘wine’. Anything you find, click on it and hit the ‘Quit Process’ or ‘X’ button (Yosemite) in the top left corner.

6. Go to your Applications folder from a Finder window and select MacKeeper. Then, hold down ‘command’ and press ‘delete’ once. If you assigned MacKeeper to be pinned in the Dock, be sure to also drag the icon off the Dock and release it anywhere over the desktop. It will, satisfyingly, disappear in the ‘poof’ of a cloud. 😀

7. When you’re done filling up your trash can with all this junk, click on the Finder> Empty Trash.

8. Go to

Apple menu > System Preferences > Users & Groups (or ‘Accounts’ for Snow Leopard) | Login Items

If you see anything to do with MacKeeper in the list of items there, highlight it, then click the little minus ‘-‘ button near the bottom of the list.

9. Restart your Mac. Everything should be back to normal, but check the Activity Monitor one last time to be sure.
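
A read-only check for the file-system part of the steps above (steps 1 to 3 and 6), as an added example that is not part of the original post or of DetectX: it lists anything left in the folders the procedure visits whose name contains ‘zeobit’, ‘MacKeeper’ or ‘911bundle’, plus the hidden preferences file from the May 2015 update. The function names, the ROOT argument and the sample tree are constructed for illustration; the bare word ‘911’ is left out of the match to avoid unrelated hits, and keychain entries, login items and running processes are not covered.

```shell
#!/bin/sh
# Added example: list MacKeeper leftovers without deleting anything.
# ROOT lets the check run against a test tree; pass "" for the live system.

# Folders the post's manual steps visit, relative to / and to the home folder.
SYSTEM_DIRS='Applications
Library/Application Support
Library/LaunchDaemons
private/tmp'
USER_DIRS='Documents
Library/Application Support
Library/Caches
Library/LaunchAgents
Library/Logs
Library/Preferences'
# Hidden file named in the post's May 2015 update.
HIDDEN_PREF='Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78'

# Print direct children of DIR whose names contain the post's marker words.
scan_dir() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -iname '*zeobit*' -o -iname '*mackeeper*' -o -iname '*911bundle*' \)
}

# mackeeper_leftovers ROOT HOME  ->  one leftover path per line, sorted.
mackeeper_leftovers() {
    root=${1%/}
    home=$root/${2#/}
    {
        printf '%s\n' "$SYSTEM_DIRS" |
            while IFS= read -r d; do scan_dir "$root/$d"; done
        printf '%s\n' "$USER_DIRS" |
            while IFS= read -r d; do scan_dir "$home/$d"; done
        if [ -e "$root/$HIDDEN_PREF" ]; then
            printf '%s\n' "$root/$HIDDEN_PREF"
        fi
    } | sort
}

# Constructed sample tree (empty files) so the check can be tried anywhere.
make_mk_sample() {
    mkdir -p "$1/Library/LaunchDaemons" "$1/Library/Preferences" \
             "$1/Users/me/Library/Caches/com.mackeeper.MacKeeper" \
             "$1/Users/me/Library/Preferences"
    : > "$1/Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus"
    : > "$1/$HIDDEN_PREF"
    : > "$1/Users/me/Library/Preferences/com.apple.Safari.plist"
}

demo=$(mktemp -d) && make_mk_sample "$demo"
mackeeper_leftovers "$demo" /Users/me
rm -rf "$demo"
```

On the Mac itself, `mackeeper_leftovers "" "$HOME"` should print nothing once the procedure is complete.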

Supplementary: If you have a problem with MacKeeper pop-ups while using your browser, try clearing out the caches, like this:

In Safari menubar, choose ‘Safari > Reset Safari’. Make sure all the options are checked.
This will not only clear out your caches, but everything else stored by the browser. Don’t worry, it won’t affect your bookmarks, but it will reset your ‘top sites’ and history.

In Firefox menubar, choose ‘Tools > Clear Recent History…’ and choose ‘Everything’. Again, it’ll clear everything out but won’t delete your bookmarks.

Obviously, if you use any other browsers like Opera or something you’ll have to find the same options for those too.

Related Posts
Terminal tricks for defeating adware
block MacKeeper and other browser ads
protect your mac from malware viruses and other threats
FastTasks 2 – get Applehelpwriter’s free utility app from Sqwarq.com

NOTES
1. If you have any problems carrying out the steps, try starting your Mac up in Safe mode, and then running the procedure.
2. You can safely ignore any MacKeeper files that are in the BOM or Receipts folders.
3. If you have only downloaded the MacKeeper package but not run the installer, you only need to send the .pkg file in your Downloads folder to the Trash. That’s it!

4. If you are seeing ads on this site, we recommend that you use an adblocker!

Acknowledgements
This post has been refined and improved over time thanks to suggestions and replies made in the Comments and on Apple Support Communities. Thanks especially to Al, Lyndon and Jack.

how to stop Versions in its tracks

This post has been superseded by this one
