MacKeeper Uninstaller

gskibum
Contributor III

I'm trying to make a policy to uninstall MacKeeper, but I'm not gaining full success.

I have a Smart Group for Criteria/Application Title/Is/MacKeeper.app. I use this as the scope for the policy.

Using Composer in Casper 9.4 I have created a .dmg, indexed it and checked the "Allow package to be uninstalled" box. I also checked "FEU."

I am leaving the following items in the package:

/Applications/MacKeeper.app.

/Library/Preferences/Invisible document"

~/Library/Application Support/MacKeeper Helper/NoticeEngine.plugin
~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
~/Library/Logs/MacKeeper.log
~/Library/Logs/MacKeeper.log.signed.
~/Library/Logs/SparkleUpdateLog.log
~/Library/Preferences/*another invisible document"
~/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
~/Library/Preferences/com.zeobit.MacKeeper.plist

However when the policy executes not all of the items are removed. I am left with:
1. Some items inside the MacKeeper.app bundle remain. Others are removed. I can elaborate if needed.
2. ~/Library/Application Support/MacKeeper Helper/NoticeEngine.plugin

So I am getting a partial removal of MacKeeper. Since part of the application bundle remains the devices never fall out of scope.

Has anyone had any luck creating such an uninstaller? What a I missing?

Thanks!

43 REPLIES 43

mm2270
Legendary Contributor II

Uninstallers from indexed packages can be inconsistent. I've run into similar issue as far back as Casper Suite 7.x.
I'm not certain on this, but my theory has been that if the original files get updated in any way outside of what was deployed in the package, for example, if the app was updated either through some automated process, or by the end user, then those particular pieces no longer match what was in the BOM index, and the uninstall process leaves them in place.
I've never been able to prove that is the cause, mostly because I've never spent the cycles on trying to fully figure it out.

I think your best bet would be to create and use a custom script to rm the above files. You can drop them all into an array in a bash script and have the script look for each one and if found, delete it.

TheMacGuys
New Contributor

I was snooping for something similar when I found your post. I think I might try a restricted software approach to keep MacKeeper from getting installed in the first place. This won't address the situation after the fact but may prevent some headaches.

Cheers

Tim

emily
Valued Contributor III
Valued Contributor III

You could always run a script after the "uninstaller" that cleans up those files that you know are going to be left behind from your testing.

rm -Rf /Applications/MacKeeper.app

etc.

damienbarrett
Valued Contributor

Hmm, maybe I should revisit my plan to create a "Nuke MacKeeper" program. When Tom Reed shipped Adware Medic back in September, it solved almost all of my Adware-cleanup needs and I let this project fall to the back. Currently, I block MacKeeper with a Restricted Software process set to detect, pop-up message, delete, and email. This has been working for quite awhile and I can easily do educational follow-up with any user who shows up in my email box as having installed MacKeeper.

Everything else--Geneio, Vidx, Downlite, etc. is handled by Adware Medic. I have a few EA's in place to look for the most common Adware and can pull students in or email them if JSS shows they have installed Adware.

gskibum
Contributor III

This is what I came up with:

#!/bin/sh # delete needed files to remove MacKeeper # Files Outside Home Folder rm -rf /Applications/MacKeeper.app rm- rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78 #!/bin/sh currUser=$( who | awk '/console/{ print $1 }' ) rm -rf /Users/$currUser/Library/Application Support/MacKeeper Helper rm -rf /Users/$currUser/Library/Launch Agents/com.zeobit.MacKeeper.Helper.plist rm -rf /Users/$currUser/Library/Logs/MacKeeper.log rm -rf /Users/$currUser/Library/Logs/MacKeeper.log.signed rm -rf /Users/$currUser/Library/Logs/SparkleUpdateLog.log rm -rf /Users/$currUser/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.Helper.plist rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.plist rm -rf /Users/$currUser/Library/Saved Application State/com.zeobit.MacKeeper.savedState done

So far the names of the two invisible preference files on all the tests I've done have matched the two in this script I captured in Composer. Kinda surprised they haven't changed yet. Upon first glance they seem to be randomly generated, but it doesn't seem so.

TheMacGuys
New Contributor

Are you guys running Adware Medic via some kind of script so it runs and does it's thing without the enduser's interaction?

gskibum
Contributor III

I use policies & scripts, and Restricted Software entries. Although I have used Adware Medic on a few one-off occasions. I make a donation to him for every client that I do use it for.

TheMacGuys
New Contributor

I have an entry for MacKeeper in Restricted software, which others can be managed here?

kboparai1
New Contributor II

Thanks for posting the script!

I ended up using Restricted Software to manage MacKeeper, but also leveraged your script with a few changes...

One thing I really wanted to do with this script was to use this after Restricted Software removed the application. However, I wasn't able to create a smart group for MacKeeper.app b/c Restricted Software was so fast at removing this app it wasn't able to register the inventory back to casper. It appears I'll just have this run once a month.

Here are the changes I made..

#!/bin/sh

# delete MacKeeper files

# Files Outside Home Folder

rm -rf /Applications/MacKeeper.app
rm- rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm -rf /private/var/folders/mh/yprf0vxs3mx_n2lg3tjgqddm0000gn/T/MacKeeper*
rm -rf /private/tmp/MacKeeper*

# Files inside home folder
rm -rf /Users/$3/Library/Application Support/MacKeeper Helper
rm -rf /Users/$3/Library/Launch Agents/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$3/Library/Logs/MacKeeper.log
rm -rf /Users/$3/Library/Logs/MacKeeper.log.signed
rm -rf /Users/$3/Library/Logs/SparkleUpdateLog.log
rm -rf /Users/$3/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D
rm -rf /Users/$3/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$3/Library/Preferences/com.zeobit.MacKeeper.plist
rm -rf /Users/$3/Library/Saved Application State/com.zeobit.MacKeeper.savedState
rm -rf /Users/$3/Downloads/MacKeeper*
rm -rf /Users/$3/Documents/MacKeeper*

done

gskibum
Contributor III

Cool Kamal. I'll integrate your changes into my script.

You posted at the perfect time. I was just now going through all my JSSs updating & pruning scripts, extension attributes, smart groups etc.

TheMacGuys
New Contributor

Is $3 is a "set variable" of some kind could you elaborate on that for me a bit, a positional variable? I see you used sh vs. bash any reason?

Thanks for the time you have spent on this script and figuring out all the file locations.

bentoms
Honored Contributor III
Honored Contributor III

TheMacGuys
New Contributor

Thanks ! Just want the Doctor ordered.

adamcodega
Valued Contributor

@gskibum][/url and @damienbarrett][/url could you share the specifics of your scripts, or the names of the most common adware/their path locations? I'm figuring there's no reason not to have restricted policies setup for these apps.

gskibum
Contributor III

adamcodega
Valued Contributor

MacKeeper is funny to install on a VM, the MacKeeper "Senior Support Engineer" is half automated and half human.

Technically it doesn't do much to the Mac, it tells you when you have updates pending or a trash to empty. It just scares you by making it look like critical problems.

This is MacKeeper's argument now, that the software doesn't do anything bad to your computer. They say the popup ads are because of bad network affiliates. I don't really argue that I just argue that it's not needed and a waste of CPU.

You always get the same avatar when you chat with someone, and you can click on their Apple certified record but it's blank.

external image link

bentoms
Honored Contributor III
Honored Contributor III

adamcodega
Valued Contributor

"MK Haters — users who dislike our software, label it as malware and aggressively advocate against it."

That's me! Don't hate the player, hate the game.

gskibum
Contributor III

For some lulz last summer I installed MacKeeper on a just-imaged Mac and let it run its scam *ahem* scan. Of course the Mac was in was in critical condition with sirens and alarms going off.

So I decided to kick off a chat with their support engineer and asked how it is possible how an unused Mac that had nothing else but MacKeeper installed could be in such a dire condition. I asked him to explain how each of these alerts were such cause for alarm.

Oh how I wish I had saved those screen shots of that chat conversation.

I did save screen shots of a bogus clamxav.org review site they once had. A few years ago MacKeeper had the clamxav.com domain and had a glowing review of ClamXAV. However the download link would download and install MacKeeper.

external image link

They do still have a bogus onyxmac dot com review site that tricks people into installing MacKeeper.

TheMacGuys
New Contributor

The ship may have said on MK getting a good wrap. Over all we have never been happy with it, clients are still getting tricked into installing it. When we manage systems we don't we don't want EU's installing anything we don't know about...MK or other.

We are also not big fans of Norton...we don't want clients to install that either but Norton isn't on every site our clients visit trying to get them to install it so it doesn't get the hate mail MK gets.

I think they got a new PR firm, if I was them I would change the Name and interface and start over....to many bad things to over come.

Cheers...

gskibum
Contributor III

My biggest gripe with MacKeeper is with the damage it has caused to so many client systems. Several times I have received calls from people with very slow running Macs and spinning beach balls, only to discover it was caused by MacKeeper. Several times I've had to restore large amounts of data from backup because the cleaner tools deleted vast amounts of user data, including Apple Mail databases and documents in ~/Documents. A few times it had deleted system data require a reinstall.

And seriously, there's no point in deleting language files, with using their backup tool instead of Time Machine, using their secure delete, and so many other things that are built right into OS X.

And with only a couple of exceptions (who actually sought it out), the users had no idea how MacKeeper even got on their systems.

If they make the product not delete user data, not use deceit, trickery and slime to get installed on systems, and tout bullet point features that are already built into OS X, I might give it a pass. Until then it's high on my search and destroy list. :-)

damienbarrett
Valued Contributor

I've said it before, but it's worth repeating:

If your business plan for expansion requires tricking an end-user into installing your software on their computers, then it's not software I will tolerate on my managed systems.

There are many other OS X "cleaner" programs out there (Cocktail, OnyX, Tinkertool, CacheCleaner, etc.) managing to exist without the wholesale trickery of the end-user that MacKeeper relies upon for its existence. Never mind that it's also not very good or functional software. Until they change their MO for expansion/installation, I will continue to block its execution on my systems and educate my users about MacKeeper's worthlessness and untrustworthy nature. It remains categorized with other Adware scourges like Geneio, VidX, and Buca.

mm2270
Legendary Contributor II

Yeah, agreed all around. The only possible way MacKeeper can change around their image is to scrap everything they have done to this point, and start over with a legitimate product. But that takes work; a lot of work actually, to build a good reputation. it doesn't take much to garner a bad reputation and they've got enough of a bad rep to go around the block several times over. They've chosen the easy and sleazy road and they will have to sleep in the bed they laid.
If they think for a minute that hiring a PR firm is going to somehow magically erase all the deceit, trickery and scare tactics they've done so far, they've got another thing coming. If anything, the mere notion that they want to somehow convince everyone they are legitimate without actually becoming legitimate, makes me want to campaign even harder against them. Their plan will only backfire if you ask me.
As Mac admins its our job to do what we can to keep the fire at the feet of these clowns until they either shut down and fade away, or change around their operation.

gskibum
Contributor III

Interesting turn of events.

http://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html

marklamont
Contributor III

I've had to look into this having discovered a few lingering instances.
Did my investigation and came up with this modified script that can kill the processes and remove the file, a lot of the names have changed.

#!/bin/sh

currUser=$( who | awk '/console/{ print $1 }' )
# delete needed files to remove MacKeeper

rm -rf /Users/$currUser/Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$currUser/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist

launchctl unload /Users/$currUser/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist 

sleep 5
# Kill mackeeper processes
killall "MacKeeper Helper"
killall MKCleanService
killall MacKeeper

# Files Outside Home Folder

rm -rf /Applications/MacKeeper.app
rm -rf /Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78

# Files inside Home Folder

rm -rf /Users/$currUser/Library/Application Support/MacKeeper Helper
rm -rf /Users/$currUser/Library/Logs/MacKeeper.log
rm -rf /Users/$currUser/Library/Logs/MacKeeper.log.signed
rm -rf /Users/$currUser/Library/Logs/SparkleUpdateLog.log
rm -rf /Users/$currUser/Library/Preferences/.3246584E-0CF8-4153-835D-C7D952862F9D
rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
rm -rf /Users/$currUser/Library/Preferences/com.zeobit.MacKeeper.plist
rm -rf /Users/$currUser/Library/Saved Application State/com.zeobit.MacKeeper.savedState
rm -rf /Users/$currUser/Library/Application Support/MacKeeper
rm -rf /Users/$currUser/Library/Application Support/com.mackeeper.MacKeeper
rm -rf /Users/$currUser/Library/Application Support/com.mackeeper.MacKeeper.Helper
rm -rf /Users/$currUser/Library/Application Support/com.mackeeper.MacKeeper.MKCleanService
rm -rf /Users/$currUser/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
rm -rf /Users/$currUser/Library/Preferences/com.mackeeper.MacKeeper.Helper.plist
rm -rf /Users/$currUser/Library/Preferences/com.mackeeper.MacKeeper.plist
rm -rf /Users/$currUser/Library/Saved Application State/com.mackeeper.MacKeeper.savedState

tferguson
New Contributor

Can anyone explain to me why that when I request support for various new issues (account creation hang ups, QuickAdd failures, reboot loops, and many other issues that are totally unrelated according to JAMF), I am asked why I restrict Mackeeper and clean only to find this in my logs? Why on earth do they need access to Mackeeper and MKCleanService to communicate with Casper?

2017-09-02 13:00:36,237 [ERROR] [duledPool-4] [VppCommService ] - Error managing licenses. ErrorNumber: 9628 , ErrorMessage:License not eligible for device assignment.
2017-09-02 13:00:36,238 [INFO ] [Tomcat-45 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 6184):
ID: 59
Process: clean
Owner: root
PID: 22773
2017-09-02 13:00:36,378 [INFO ] [Tomcat-51 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 8435):
ID: 59
Process: clean
Owner: root
PID: 61529
PID: 4918
2017-09-02 13:57:58,131 [INFO ] [Tomcat-25 ] [BlacklistNotification ] - The following blacklisted process was killed on device machinename (ID - 4949):
ID: 41
Process: MacKeeper
Owner: root
PID: 18376

Raven_D
New Contributor III

This is why it's on my blocked software list to save it going ON in the first place.

micah002
New Contributor

I cannot get any of these scripts to work. They all fail - I started with the most recent and worked backwards. Any suggestions on what I'm doing wrong?

Thank you.

adamcodega
Valued Contributor

What's the policy result in your JSS when it fails? What's failing?

Nowadays you can just run Malwarebytes for Mac but you have to be on the computer, not from the JSS, unless you bought the business edition which includes a command line remediation for malware.

marklamont
Contributor III

My script worked at the time I posted it however I had had to do some digging by installing it to see what changes they had made. Blocking prevents it being installed in the first place

micah002
New Contributor

It just says "Failed."

micah002
New Contributor

What processes do you block to keep it from installing? Blocked software has never worked like that for me - it's always allowed the software to install, just not run.

marklamont
Contributor III

you have to block the installer to stop it being installed. download it, find the installer name and block that

marklamont
Contributor III

@micah002 Look at the policy logs next to the failed button. a failed policy could just be one command failed and the rest worked which will happen with a catch all script because some bits will never work.

mschroder
Valued Contributor

I like to check whether a file or directory exists before I attempt to remove it. A long list of commands to remove files or directories without any prior checks for their existence always triggers a thumbs down in me.

jnice22
New Contributor II

I've had a look at the scripts listed above and noticed something that may have been missed. A lot of companies do not allow admin access but Mackeeper will still install.

./Users/$USER/Applications/MacKeeper.app

Might want to do a find / -iname mackeeper just to see what gets left behind by the script. You could also use this to generate the files to delete.

howie_isaacks
Valued Contributor

I downloaded MacKeeper and fired up Composer as I installed it on a Mac VM. I then looked at where it installed all of its crapware, and I wrote a script to remove it. I have had some success with it. Also, Malwarebytes will remove MacKeeper, and a lot of other crapware.

#!/bin/sh

currentuser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
echo $currentuser

killall "MacKeeper Helper";
rm -rf /Applications/MacKeeper.app;
rm /Library/LaunchDaemons/com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper.plist;
rm /Library/LaunchDaemons/com.mackeeper.MacKeeper.MacKeeperPrivilegedHelper.plist;
rm /Library/PrivilegedHelperTools/com.mackeeper.AdwareAnalyzer.AdwareAnalyzerPrivilegedHelper;
rm /Library/PrivilegedHelperTools/com.mackeeper.MacKeeper.MacKeeperPrivilegedHelper;
rm -rf $currentuser $HOME/Library/Application Support/com.mackeeper.AdwareAnalyzer;
rm -rf $currentuser $HOME/Library/Application Support/com.mackeeper.MacKeeper;
rm -rf $currentuser $HOME/Library/Application Support/com.mackeeper.MacKeeper.Helper;
rm -rf $currentuser $HOME/Library/Application Support/com.mackeeper.MacKeeper.MKCleanService;
rm -rf $currentuser $HOME/Library/Application Support/MacKeeper;
rm -rf $currentuser $HOME/Library/Application Support/MacKeeper 3;
rm -rf $currentuser $HOME/Library/LaunchAgents/com.mackeeper.AdwareAnalyzer.plist;
rm -rf $currentuser $HOME/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist;
rm -rf $currentuser $HOME/"MacKeeper Backups";

zimou13
New Contributor

I have tried everything you suggested to clean out my computer from MacKeeper but it keeps coming back the virus What should I do? Thanks ShowBox Lucky Patcher Kodi

jared_f
Valued Contributor

@zimou13 I ran Malware Bytes (free for 14 days) and it removed it. Also ran a free software called Maintenance.

https://www.titanium-software.fr/en/maintenance.html
https://www.malwarebytes.com