MacKeeper Uninstaller

Uninstallers from indexed packages can be inconsistent. I've run into similar issue as far back as Casper Suite 7.x.
I'm not certain on this, but my theory has been that if the original files get updated in any way outside of what was deployed in the package, for example, if the app was updated either through some automated process, or by the end user, then those particular pieces no longer match what was in the BOM index, and the uninstall process leaves them in place.
I've never been able to prove that is the cause, mostly because I've never spent the cycles on trying to fully figure it out.

I think your best bet would be to create and use a custom script to rm the above files. You can drop them all into an array in a bash script and have the script look for each one and if found, delete it.

I was snooping for something similar when I found your post. I think I might try a restricted software approach to keep MacKeeper from getting installed in the first place. This won't address the situation after the fact but may prevent some headaches.

Cheers

Tim

You could always run a script after the "uninstaller" that cleans up those files that you know are going to be left behind from your testing.

rm -Rf /Applications/MacKeeper.app

etc.

Hmm, maybe I should revisit my plan to create a "Nuke MacKeeper" program. When Tom Reed shipped Adware Medic back in September, it solved almost all of my Adware-cleanup needs and I let this project fall to the back. Currently, I block MacKeeper with a Restricted Software process set to detect, pop-up message, delete, and email. This has been working for quite awhile and I can easily do educational follow-up with any user who shows up in my email box as having installed MacKeeper.

Everything else--Geneio, Vidx, Downlite, etc. is handled by Adware Medic. I have a few EA's in place to look for the most common Adware and can pull students in or email them if JSS shows they have installed Adware.

This is what I came up with:

#!/bin/sh # delete needed files to remove MacKeeper # Files Outside Home Folder rm -rf /Applications/MacKeeper.app rm- rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78 #!/bin/sh currUser=$( who | awk '/console/{ print $1 }' ) rm -rf /Users/$currUser/Library/Application Support/MacKeeper Helper rm -rf /Users/$currUser/Library/Launch Agents/com.zeobit.MacKeeper.Helper.plist rm -rf /Users/$currUser/Library/Logs/MacKeeper.log rm -rf /Users/$currUser/Library/Logs/MacKeeper.log.signed rm -rf /Users/$currUser/Library/Logs/SparkleUpdateLog.log rm -rf /Users/$currUser/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.Helper.plist rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.plist rm -rf /Users/$currUser/Library/Saved Application State/com.zeobit.MacKeeper.savedState done

So far the names of the two invisible preference files on all the tests I've done have matched the two in this script I captured in Composer. Kinda surprised they haven't changed yet. Upon first glance they seem to be randomly generated, but it doesn't seem so.

Are you guys running Adware Medic via some kind of script so it runs and does it's thing without the enduser's interaction?

I use policies & scripts, and Restricted Software entries. Although I have used Adware Medic on a few one-off occasions. I make a donation to him for every client that I do use it for.

I have an entry for MacKeeper in Restricted software, which others can be managed here?

Thanks for posting the script!

I ended up using Restricted Software to manage MacKeeper, but also leveraged your script with a few changes...

One thing I really wanted to do with this script was to use this after Restricted Software removed the application. However, I wasn't able to create a smart group for MacKeeper.app b/c Restricted Software was so fast at removing this app it wasn't able to register the inventory back to casper. It appears I'll just have this run once a month.

Here are the changes I made..

#!/bin/sh

# delete MacKeeper files

# Files Outside Home Folder

rm -rf /Applications/MacKeeper.app
rm- rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm -rf /private/var/folders/mh/yprf0vxs3mx_n2lg3tjgqddm0000gn/T/MacKeeper*
rm -rf /private/tmp/MacKeeper*

# Files inside home folder
rm -rf /Users/$3/Library/Application Support/MacKeeper Helper
rm -rf /Users/$3/Library/Launch Agents/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$3/Library/Logs/MacKeeper.log
rm -rf /Users/$3/Library/Logs/MacKeeper.log.signed
rm -rf /Users/$3/Library/Logs/SparkleUpdateLog.log
rm -rf /Users/$3/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D
rm -rf /Users/$3/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$3/Library/Preferences/com.zeobit.MacKeeper.plist
rm -rf /Users/$3/Library/Saved Application State/com.zeobit.MacKeeper.savedState
rm -rf /Users/$3/Downloads/MacKeeper*
rm -rf /Users/$3/Documents/MacKeeper*

done

Cool Kamal. I'll integrate your changes into my script.

You posted at the perfect time. I was just now going through all my JSSs updating & pruning scripts, extension attributes, smart groups etc.

Is $3 is a "set variable" of some kind could you elaborate on that for me a bit, a positional variable? I see you used sh vs. bash any reason?

Thanks for the time you have spent on this script and figuring out all the file locations.

@TheMacGuys, see: https://jamfnation.jamfsoftware.com/article.html?id=146

Thanks ! Just want the Doctor ordered.

@gskibum][/url and @damienbarrett][/url could you share the specifics of your scripts, or the names of the most common adware/their path locations? I'm figuring there's no reason not to have restricted policies setup for these apps.

*sigh*

http://everything-pr.com/mackeeper-pr-agency/256547

MacKeeper is funny to install on a VM, the MacKeeper "Senior Support Engineer" is half automated and half human.

Technically it doesn't do much to the Mac, it tells you when you have updates pending or a trash to empty. It just scares you by making it look like critical problems.

This is MacKeeper's argument now, that the software doesn't do anything bad to your computer. They say the popup ads are because of bad network affiliates. I don't really argue that I just argue that it's not needed and a waste of CPU.

You always get the same avatar when you chat with someone, and you can click on their Apple certified record but it's blank.

external image link

@adamcodega, http://everything-pr.com/mackeeper-pr-agency/256547/

Haha

"MK Haters — users who dislike our software, label it as malware and aggressively advocate against it."

That's me! Don't hate the player, hate the game.

For some lulz last summer I installed MacKeeper on a just-imaged Mac and let it run its scam *ahem* scan. Of course the Mac was in was in critical condition with sirens and alarms going off.

So I decided to kick off a chat with their support engineer and asked how it is possible how an unused Mac that had nothing else but MacKeeper installed could be in such a dire condition. I asked him to explain how each of these alerts were such cause for alarm.

Oh how I wish I had saved those screen shots of that chat conversation.

I did save screen shots of a bogus clamxav.org review site they once had. A few years ago MacKeeper had the clamxav.com domain and had a glowing review of ClamXAV. However the download link would download and install MacKeeper.

external image link

They do still have a bogus onyxmac dot com review site that tricks people into installing MacKeeper.

The ship may have said on MK getting a good wrap. Over all we have never been happy with it, clients are still getting tricked into installing it. When we manage systems we don't we don't want EU's installing anything we don't know about...MK or other.

We are also not big fans of Norton...we don't want clients to install that either but Norton isn't on every site our clients visit trying to get them to install it so it doesn't get the hate mail MK gets.

I think they got a new PR firm, if I was them I would change the Name and interface and start over....to many bad things to over come.

Cheers...

My biggest gripe with MacKeeper is with the damage it has caused to so many client systems. Several times I have received calls from people with very slow running Macs and spinning beach balls, only to discover it was caused by MacKeeper. Several times I've had to restore large amounts of data from backup because the cleaner tools deleted vast amounts of user data, including Apple Mail databases and documents in ~/Documents. A few times it had deleted system data require a reinstall.

And seriously, there's no point in deleting language files, with using their backup tool instead of Time Machine, using their secure delete, and so many other things that are built right into OS X.

And with only a couple of exceptions (who actually sought it out), the users had no idea how MacKeeper even got on their systems.

If they make the product not delete user data, not use deceit, trickery and slime to get installed on systems, and tout bullet point features that are already built into OS X, I might give it a pass. Until then it's high on my search and destroy list. :-)

I've said it before, but it's worth repeating:

If your business plan for expansion requires tricking an end-user into installing your software on their computers, then it's not software I will tolerate on my managed systems.

There are many other OS X "cleaner" programs out there (Cocktail, OnyX, Tinkertool, CacheCleaner, etc.) managing to exist without the wholesale trickery of the end-user that MacKeeper relies upon for its existence. Never mind that it's also not very good or functional software. Until they change their MO for expansion/installation, I will continue to block its execution on my systems and educate my users about MacKeeper's worthlessness and untrustworthy nature. It remains categorized with other Adware scourges like Geneio, VidX, and Buca.

Yeah, agreed all around. The only possible way MacKeeper can change around their image is to scrap everything they have done to this point, and start over with a legitimate product. But that takes work; a lot of work actually, to build a good reputation. it doesn't take much to garner a bad reputation and they've got enough of a bad rep to go around the block several times over. They've chosen the easy and sleazy road and they will have to sleep in the bed they laid.
If they think for a minute that hiring a PR firm is going to somehow magically erase all the deceit, trickery and scare tactics they've done so far, they've got another thing coming. If anything, the mere notion that they want to somehow convince everyone they are legitimate without actually becoming legitimate, makes me want to campaign even harder against them. Their plan will only backfire if you ask me.
As Mac admins its our job to do what we can to keep the fire at the feet of these clowns until they either shut down and fade away, or change around their operation.

Interesting turn of events.

http://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

I've had to look into this having discovered a few lingering instances.
Did my investigation and came up with this modified script that can kill the processes and remove the file, a lot of the names have changed.

#!/bin/sh

currUser=$( who | awk '/console/{ print $1 }' )
# delete needed files to remove MacKeeper

rm -rf /Users/$currUser/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$currUser/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist

launchctl unload /Users/$currUser/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist 

sleep 5
# Kill mackeeper processes
killall "MacKeeper Helper"
killall MKCleanService
killall MacKeeper

# Files Outside Home Folder

rm -rf /Applications/MacKeeper.app
rm -rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78

# Files inside Home Folder

rm -rf /Users/$currUser/Library/Application Support/MacKeeper Helper
rm -rf /Users/$currUser/Library/Logs/MacKeeper.log
rm -rf /Users/$currUser/Library/Logs/MacKeeper.log.signed
rm -rf /Users/$currUser/Library/Logs/SparkleUpdateLog.log
rm -rf /Users/$currUser/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D
rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.plist
rm -rf /Users/$currUser/Library/Saved Application State/com.zeobit.MacKeeper.savedState
rm -rf /Users/$currUser/Library/Application Support/MacKeeper
rm -rf /Users/$currUser/Library/Application Support/com.mackeeper.MacKeeper
rm -rf /Users/$currUser/Library/Application Support/com.mackeeper.MacKeeper.Helper
rm -rf /Users/$currUser/Library/Application Support/com.mackeeper.MacKeeper.MKCleanService
rm -rf /Users/$currUser/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm -rf /Users/$currUser/Library/Preferences/com.mackeeper.MacKeeper.Helper.plist
rm -rf /Users/$currUser/Library/Preferences/com.mackeeper.MacKeeper.plist
rm -rf /Users/$currUser/Library/Saved Application State/com.mackeeper.MacKeeper.savedState