MacKeeper has hijacked my Safari Browser

MacKeeper (http:// mackeeperapp.zeobit.com) has hijacked my Safari browser. I have had to open Firefox, in order to get to the internet. I would rather use Safari, since that is where my bookmarks and favorite links are on the toolbar.

A MacKeeper ad was in the sidebar, of the page I was on. I clicked on a link, to go to a website (not MacKeeper), and the window opened for MacKeeper, with a pop-up to let MacKeeper clean my Mac.

The ONLY option is to click "OK", which I refuse to do, because I know almost all of these "cleaner" apps are malware, with hidden stroke counting codes.

The box says

> > > RECOMMENDED DOWNLOAD < < <

We recommend to clean your Mac with MacKeeper - award-winning system utility.

There is an "OK" button, but no way to close out of the box.

Now, there is no way to get out of the website either. When it first started, I panicked, and pushed the power button, because it froze all the tabs and Safari functions, and I didn’t want it to download to my hard drive. I thought if I shut down the computer, it would stop the app from running, which would prevent it from downloading on my hard drive.

I also thought when I turned my computer back on, The MacKeeper pop-up window would be gone, and then I could close the MacKeeper website. But it wasn't gone. I can't do anything in Safari now. I am guessing MacKeeper figures people will eventually get frustrated, and give in, clicking the button, allowing MacKeeper onto the hard drive.

All of my tabs have the rotating circle, indicating something is happening, but the websites, on those tabs, can’t be opened. I tried clicking on the black “x”, one the tabs, but there is no black “x”. I also can’t close the pop-up window, because there is no black “x” on it either.

I went to Finder, to see if MacKeeper had installed itself on my hard drive, and it is not in my /Applications folder. If I go to the application Library, it is not there either. So essentially, MacKeeper has hijacked my browser, but apparently hasn't installed itself on my hard drive.

I found a question, here on Super User, about essentially the same thing:

How can I safely close this window and forever avoid seeing similar pop-ups from Mackeeper Zeobit's malware and spyware?

That user had intentionally installed MacKeeper, and uninstalled it, but missed a file in the uninstall, and was able to delete it in the Library. That is not the case here. I did not want anything to do with MacKeeper. It came onto my browser without being invited.

On that discussion, a couple people said that clicking the “OK” button, won’t allow MacKeeper to be installed on my hard drive, but I don’t trust MacKeeper, to not do it behind the scenes. I have heard of other cleaner apps, that have done the same thing, so I don’t trust any of them.

Also on the same discussion, someone from MacKeeper answered, saying that it is totally safe, and clicking on “OK” wouldn’t do anything. How can I trust him, when others, have had problems with MacKeeper, and some experts have called it “malware”? I have a hard time trusting a company that has a reputation for selling malware.

Can anyone tell me how to get rid of the pop-up box, without clicking on the “OK” button? I can’t use my Safari, until it is gone. I really don’t want to recreate all the bookmarks and favorite links, that I have on Safari, to Firefox. I just did that last Fall, when my hard drive crashed, and it is a real pain!

Devonviolet

Posted 2012-03-02T09:46:53.747

Reputation: 101

@Claudia Vogel: It's just a standard Javascript alert that cannot do anything. It's simply trying to persuade you to buy the software and clicking the OK button is not going to make any difference. That's not to say that the site you're on won't make further attempts to persuade you to download the software. If you're really that worried then it should be possible to force quit Safari: http://www.itworld.com/software/210601/two-ways-force-quit-crashed-application-osx-lion

– James P – 2012-03-02T13:27:37.587

@slhck: Thank you for your comment. I am 100% positive I didn't click on the link, for MacKeeper and didnt click OK. My husband was standing next to my chair, when it happened. I was in Yahoo Mail, and had clicked on "sign out", so I could go to his yahoo email. As soon as I clicked on "sign out", the MacKeeper site opened with the pop-up box. I did try opening Safari, going to "Safari" -> Reset Safari. I used to be able to Force Quit for Safari, but now even that is locked up. I can't get the Safari drop down to go away and hence can't click on the black apple, to force quit. – Devonviolet – 2012-03-02T19:20:06.950

Can you look into /Library/Internet Plug-Ins or ~/Library/Internet Plug-Ins/ and see if there's anything suspicious? If Safari is crashing or behaving unexpectedly it's mostly due to third party stuff.

– slhck – 2012-03-02T19:45:19.993

@James. Thank you for your comment. I hear what you are saying about Javascripts, but am so worried about allowing my computer to be hacked. I have a lot of personal info on it, and can't afford to have anyone get at it. I know that %&!# hackers and producers of malware have gotten extremely sophisticated, and can do a lot of nasty things in the background, where you aren't even aware they are lurking. As I mentioned in my previous comment, all of my Safari functions are locked up, so doing a Force Quit isn't possible. – Devonviolet – 2012-03-02T20:49:33.093

Hi @slhck, Thanks for the suggestion. I did look in that location, and the most recent posting to the Plug-Ins is: JavaAppletPlugin.plugin on Feb 28, 2012, 80 Bytes Type: Alias. Since I don't know much about plugin's does this look suspicious? There are six others, but they go back to 2011, and they all seem to be legit. I finally was able to speak with my daughter, who designs websites and is my webmaster, for my Blog. She thought MacKeeper, probably already put codes on my computer. She said, if they can lock up your Safari, they had some kind of access to your computer. – Devonviolet – 2012-03-03T05:30:27.057

Cont.: She suggested I download AVAST, and run it to clean out any hidden codes, and protect my computer, from malware apps like MacKeeper. When my hard drive crashed last Nov. I lost all the antivirus/hacker, etc. software, that my SIL put on my computer before they moved out of state. Since I am not very computer literate, I didn't know what to install. AVAST tells me my computer is protected, so I clicked on OK, and closed the MacKeeper window. Then I went into Safari -> Preferences -> Privacy -> Remove all Website Data -> Details. – Devonviolet – 2012-03-03T05:42:45.420

Cont: I found about ten websites, that I didn't recognize, and that looked suspicious, so I removed them, only leaving ones that I know I use, like Yahoo, apple, superuser, etc. and made sure I had the highest security coverage in that box. I also emptied my cache and reset Safari. Is there anything else I should do to protect my computer from malware like MacKeeper and other apps that could hijack the computer or browser? One (?): B4 I could close MK, it put a weird web address up, like it was trying something bad. Shld I do anything about that? Once again, thank you so much for your help. – Devonviolet – 2012-03-03T05:45:03.247

JavaAppletPlugin.plugin is legit. I'm not aware of any major browser hijack for Mac OS X yet, so it's questionable whether MacKeeper came through one website or possibly with something else. In any case, JavaScript doesn't do any harm, and you will need it for 90% of all websites. Java on the contrary isn't used that much anymore and can cause security problems. If you want, you can disable it by going to Applications/Utilities/Java Preferences.app, and unchecking the boxes on the first tab. – slhck – 2012-03-03T08:50:02.513

So I take it your Safari works fine now? Maybe you can post your own answer below so it's easier for others with the same problem to try what you did. – slhck – 2012-03-03T08:51:19.387

Clearing your browser history and emptying your cache every day or two usually keeps MACKEEPER away. I wouldn't trust any company who force markets their product in the fashion that these guys do. – None – 2012-05-19T20:31:52.500

Answers

Per slhck's request, I will try to explain what I did.

As several people suggested, I tried to "Force Quit", to get out of Safari, and get the MacKeeper tab to close that way, but was not able to do that, because Force Quit was grayed out, and unclickable, while MacKeeper had the JavaScript requiring me to click OK was on the screen.

After asking questions on two forums, I decided to install an antivirus (AV) app on my computer. Prior to that I had not done so, because I had read that Apples were safe from viruses. Well, now I am not so sure, since MacKeeper was able to hijack my Safari browser, after it opened a tab, without my permission.

The AV that was recommended to me was AVAST. Once I had installed the most current version, of AVAST, there was a message, on the confirmation page, that my computer was now protected. Given my recent experience, I am not sure I can believe any of that type of app, but decided I had to take a chance, since my Safari was unusable, unless I went ahead and clicked on OK, in the JavaScript box.

I checked my app list in Finder, and there wasn't anything for MacKeeper listed. Someone had suggested to click on the hard drive in Finder, and then open the Library, to see if there were any MacKeeper files there. I checked and there were none.

I ran the virus scan. and it didn't appear to have found any viruses, so I finally clicked on OK, with the intention of closing the MacKeeper tab immediately. When I clicked OK, it was like it had a mind of it's own. It all happened so fast, it was a bit confusing. The appearance of the website page change, but I was so shocked by what I saw in the address box, I didn't really see what it looked like. What I saw in the address box, was that mackeeper. ziobit. com/ instantly changed to a long string of numbers and letters and symbols. I panicked and immediately tried to close the tab, by clicking on the black "x" in the left corner of the tab. It took three tries to finally get the tab to close the page.

Once I had calmed down, I went back to Finder and checked for MacKeeper again, both in my App folder and in the hard drive Library, but didn't find it.

After I had done all that, I was told that ClamXAV was better than AVAST. So, I did some research and decided it wouldn't hurt to double check AVAST by running another AV app. Well, ClamXAV actually found about 50 Trojan Horses and other viruses, that AVAST had not found. Since I am not well versed in the different types of viruses, I don't remember which ones now. Interestingly enough, a split second after ClamXAV found the Trojan Horses and other viruses, AVAST found them, and alerted with a pop-up. I figured if ClamXAV had found all those viruses, and AVAST didn't find them until ClamXAV had already found them, I didn't need AVAST. So, I uninstalled it.

I was finally able to spend some time on the phone with my daughter, who said she hasn't used Safari, for about eight months. And here I was using it, because she said she was using it and liked it better than Firefox. She said she changed because she found that Chrome worked better for her, with her web design other technical web applications. She said I probably didn't need Chrome, but that Opera might work better for me, and she thought it might be a bit more secure than Safari. She was thinking that since Safari is the official Apple browser, hackers might be working a little harder to crack that nut. So, I downloaded Opera, and have been learning all the ins and outs. It seems to be a good browser, and in some ways it is better. For instance: On Safari, I haven't been able to find a way to have sub-folders to folders in my bookmarks. Opera is a bit different in the way you set up your bookmarks, but I like the way you can set up sub-folders within sub-folders. That is important to me, since I do a lot of medical research, and need to be able to finely delineate modalities.

All in all this has been a nightmarish experience. I know Apple sells MacKeeper on their App Store, but for the life of me, I can't understand why they would sell an app, that has such a wide reputation for being malware. Given my experience with MacKeeper attaching itself to my browser, when I never wanted anything to do with "cleaner apps", and never clicked on anything, to even look at it, it is just devious. Besides, from what I have read it doesn't do anything that Apple hasn't already installed on the OSX.

Before I go, I would like to give a shout out to the IT geeks that tried to help me with my problem (especially slhck). I wouldn't have had the courage to go ahead and try to work through this without their help. Thanks Guys!!!

Devonviolet

Posted 2012-03-02T09:46:53.747

Reputation: 101

1Thank you for the writeup! I'm sure this helps others with the same problem! – slhck – 2012-03-07T09:26:29.043

You're welcome @slhck. I too hope it will help someone avoid what I had to go through. Thank you for your help. – Devonviolet – 2012-03-08T03:22:28.707

As the other sources (and comments here) have said, clicking OK isn't enough to cause trouble. Even if they get you to download the MacKeeper installer, you still cannot be forced to actually install the software. But if you really don't want to even click OK, there are a few ways out. Here's one:

Quit (or force quit if necessary) Safari
In the Finder, hold Option while pulling down the Go menu and select Library. (Note that the Library choice only appears while Option is held down.) This opens your user Library folder, which contains all sorts of settings and config files.
In the your Library folder, open the Saved Application State subfolder.
Inside Saved Application State, find the com.apple.Safari.savedState subfolder. This folder contains information about open windows and tabs, to allow Safari to reopen them automatically.
Move the com.apple.Safari.savedState folder (and only that folder) to the trash.
Reopen Safari. It should come up with a single window, showing your default start page (if any). Your bookmarks etc should be intact, just the open windows and tabs (including the obnoxious MacKeeper one) should be gone.

Gordon Davisson

Posted 2012-03-02T09:46:53.747

Reputation: 28 538

That makes sense – I thought the OP had already reset, but reopening the same site that could cause the problem again and again seems like a possible issue. – slhck – 2012-03-02T19:50:21.890

@Gordon Davisson. I'm sorry. Since I am so new to this site, I am having trouble singling out each comment (i.e. the box below this one talking about mini-Markdown formatting, confuses me.) So, I didn't see your comment above until just now. It sounds like what you suggested would have worked for me. I just hope MacKeeper didn't get a chance to imbed any codes, before I could close the tab. I believe it did try to install itself. – Devonviolet – 2012-03-03T07:54:32.060

Fun fact: when killing a com.apple.WebKit.WebContent process in Terminal, Safari reloads the abusive page on the fly possibly even making two popups show as a result...

– Arjan – 2014-02-08T11:20:19.383

After you Force Quit, when you reopen Safari hold down alt when clicking on Safari — this stops any previous sessions from loading up. You will start a brand new session.

Once back into safari you can go into your Preferences to ensure home pages etc. are all intact. I have contacted Apple about this and provided them with sites that are causing this, like MacKeeper etc.

Lee

Posted 2012-03-02T09:46:53.747

Reputation: 21

As the other sources (and comments here) have said, clicking OK isn't enough to cause trouble. Even if they get you to download the MacKeeper installer, you still cannot be forced to actually install the software.

This is potentialy false.

THe current revision of this particular peice of malware attempts to install itself, and only AFTER failing to do so automatically prompts the user for help, if you hava Java installed you can be automatically infected.

It sounds like the author is infected despite what they might think happen.

Ramhound

Posted 2012-03-02T09:46:53.747

Reputation: 28 517

… any idea on how to get rid of it or check how it's running? – slhck – 2012-03-02T20:34:03.427

I hadn't heard of MacKeeper doing this. Are you thinking of Flashback?

– Gordon Davisson – 2012-03-02T21:24:02.290

@Ramhound, Thanks for your input. If you read my previous comments, you will see I think I DID get infected, and would like any suggestions, other than the AVAST, that I installed, and the other actions, I took. I looked at my Apps and don't see Java, but typed Java into search bx, it showed up at JavaPreferences (App). When I clicked on it, it asked if I wanted to install it, so I declined. Is that good? – Devonviolet – 2012-03-03T05:55:39.897

Thanks for your suggestion, @Gordon Davisson, Yes, I am sure it was MacKeeper. I have never used or heard of Flashback, and it is not on my App List. This is the second time, I have had an app automatically run itself on my computer, w/out my permission. The last time was back in early 2000, when I was on AOL, and they charged by the minute. I closed AOL, but left my computer on, before I left the house. The time log showed that it turned itself back on about an hour after I left the house, and ran until I got home 3 hrs later. :( GRRR! AOL wouldn't take the charges ($123) off. Dbl GRRR! – Devonviolet – 2012-03-03T06:01:39.250

I was wrong about JavaScripts. A while ago, I was looking at Safari Preferences again, and realized "enable JavaScripts" was checked. So, I unchecked it, but then the first time I tried to open Yahoo mail, it told me I had to enable JavaScripts. I think there is a conspiracy going on her, between all these big web app companies. :( – Devonviolet – 2012-03-03T07:56:59.780

On another forum, I saw a suggestion for a program (Gissel? Shissel? Gellser? or something like that), that is good for stopping malware from getting it's hooks on your system. Since I had to clear my web history, I can't find it now, and don't remember which forum it was. Is anyone familiar with an app that does that? – Devonviolet – 2012-03-03T08:01:19.340

I think you are able to use a little workaround for this - simply deny any one (or all) of your applications access to the »mackeeperapp.zeobit.com« domain.

I've just made this rule myself and it seems to work though I can't be fully sure whether I've encountered the particular javascript that triggers the alert or not.

johan_ii

Posted 2012-03-02T09:46:53.747

Reputation: 11

The dialog that is shown is simply a JavaScript alert. This is not an answer on how to close an abusive page on Safari, but for Chrome there are some ways. As they're not obvious at all and might work in other browsers too, here goes:

Click the browser window to give it focus (rather than the popup dialog) and use Chrome's File menu. (One cannot close the tab using the mouse, nor using any keyboard shortcuts. But once the browser window has focus, its File menu does work. As long as the dialog has focus, all menu items are grayed-out.)
Or: type a different URL in the abusive tab to simply go to another page.
Or: focus the browser window and use the Chrome task manager (menu Window, Task Manager) to kill the tab. After that, the dialog will still be visible, but clicking OK won't do anything.

Try for yourself here.

(As an aside: Firefox shows that with an overlay on the source page only, and then shows that page with full control. Firefox itself does not take focus, nor makes its dock icon bounce though. Internet Explorer shows a close icon, which is effectively the same as clicking OK. And I very much agree that there's no security issue with such dialogs—anything that can be done after the dialog was shown, could be done without it as well. So: simply clicking OK might be easiest, maybe quickly followed by pressing Esc to stop loading whatever page is loaded next.)

Arjan

Posted 2012-03-02T09:46:53.747

Reputation: 29 084