Search Baron / Search Marquis

To ascertain the cause so that you can eliminate it, start by inspecting the contents of the following folder:

~/Library/LaunchAgents

To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. Make it look like this:

... and click the Go button.

A Finder window will open. Make sure all its file names are readable by selecting View > as List or other selection that shows that folder's complete contents. Then, take a screenshot of that Finder window.

• To learn how to capture a screenshot please read the Appendix in the following User Tip: Writing an effective Apple Support Communities question. It also includes instructions for posting a screenshot in a reply to this Discussion, so keep that Safari window open for now.

Often, there is nothing in that Launch Agents folder so don't be surprised to find it empty.

In the same manner as the above, navigate to this next folder:

/Library/LaunchDaemons

The Finder's Go menu > Go to Folder... field should look like this:

... and click the Go button once again.

Once again ensure all its files and their names are readable and capture a screenshot.

Then, repeat that exercise with the following folder:

/Library/LaunchAgents

Notice its pathname is different than the other two. The Finder's Go menu > Go to Folder... field should look like this:

In the end, you will have captured the contents of the following three separate folders:

~/Library/LaunchAgents

/Library/LaunchDaemons

/Library/LaunchAgents

All three will be saved to your Mac's Desktop with names "Screen Shot... " followed by the date and time they were captured. Please be sure to include or otherwise indicate the name of the folder that corresponds to each screenshot, so that you and I can keep track of which ones they are.

Post the entire contents of all three windows, one at a time, using the "picture" icon that appears below your reply text:

Late last year you installed adware. Whether or not you were aware of it, your Mac has not been operating properly since then. macOS's improved malware detection algorithms are only now making you aware of its presence.

Getting rid of adware is easy and doesn't require installing anything else. To fix it follow the instructions below. To learn how not to make that mistake again, please read How to install adware.

First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.

• A backup is a fundamental prerequisite regardless of whatever method you may choose uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.

Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".

The following files and / or folders need to be deleted while using your Mac in "Safe Mode":

Nothing needs to be deleted from the folders in the second and third screenshots.

Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.

Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).

There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.

Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.

Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:

If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.

Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.

You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.

Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:

~/Library/Application Support

It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.

Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.

Although this Discussion contains specific instructions, general instructions for getting rid of problems like it follow below.

The subject dialog always takes this form:

Move to Trash is the correct response. When that message becomes persistent though, the cause is always the same: one or more files that spawn the process resulting in its appearance.

General instructions applicable to all similarly categorized malware are as follows:

• Back up the affected Mac with Time Machine
• Boot Safe Mode
• While in Safe Mode, identify all the files that result in creating the process that causes the dialog above, and drag them to the Trash.

The folders to be examined are these three:

~/Library/LaunchAgents

/Library/LaunchDaemons

/Library/LaunchAgents

There should only be few files, if any, in each of the above folders. You should know what they are and why you need them. If you're unsure, ask.

Legitimate products that deposit system-altering components in those folders commonly include Adobe, Dropbox, Google and Microsoft, including its product Skype. Teamviewer also, assuming you really need it. Less common but equally legitimate products include Steam (games), various non-Apple "cloud backup" products that don't work very well, and device drivers for external hardware such as printers and non-Apple input devices. You should have at least a passing familiarity with the products you installed on your Mac, and the files they deposit in those folders should never come as a surprise.

Illegitimate products notorious for causing trouble include any non-Apple product that claims to "clean", "enhance", "optimize", "protect", or "scan" your Mac. Anything in that broad category of junk should be uninstalled according to their instructions and never reinstalled, ever again.

Everything else should be regarded as suspicious. Some malware will litter those folders with hundreds of randomly named files in a pathetic attempt to obscure itself. For a particular egregious example refer to notice unysgar.app, but if you have no explanation for any particular file in those folders you need to investigate.

Among the few examples in this Discussion are files containing the following in their names:

fixer

helper

hlpr

util

scan

search

calculator

mafntask

moniter 🙄

updService

confcloud

copypaste

pcv

systemExtr

spigot

techyutil

utilty

vlm

... among a few others, but deleting those is a good place to start.

Then, reset your desired Search Engine, uninstall any strange Extensions, remove any unwanted Login Items, delete any unwanted apps, examine System Preferences for the existence of any Profiles, and finally restart your Mac.

Then, evaluate its operation. If something still isn't right re-examine those three folders and determine if you overlooked anything. If something really gets messed up you have Time Machine to fall back on, so keep that important fact in mind.

That in a nutshell is how you get rid of adware, on your own, without having to even ask anyone for help. But if you would like individual attention tailored to your specific needs click the Post link at the top right of this page, and choose Discussion from its dropdown menu. You are welcome to post a link to it in this Discussion if you would like me to reply to you individually, because an email is sent whenever someone replies to a Discussion in which they've participated. Also, unanswered questions generally elicit more interest, and are more likely to result in timely replies.

This is the first of two replies so be sure to read the next one.

You installed adware. Whether or not you were aware of it, your Mac has not been operating properly since then. macOS's improved malware detection algorithms are only now making you aware of its presence.

Getting rid of adware is easy and doesn't require installing anything else. To fix it follow the instructions below. To learn how not to make that mistake again, please read How to install adware.

First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.

• A backup is a fundamental prerequisite regardless of whatever method you may choose uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.

Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".

The following files and / or folders need to be deleted while using your Mac in "Safe Mode":

First screenshot:

Second screenshot:

Nothing needs to be deleted from the third screenshot, but read my comments regarding "Avast" in my next reply.

Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.

Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).

There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.

Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.

Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:

If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.

Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.

You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.

Additional instructions follow in my next reply.

I can't help with Google Chrome because I don't use it, but if Safari is similarly affected the instructions below remain applicable.

Getting rid of adware is easy and doesn't require installing anything else. To fix it follow these instructions. To learn how not to make that mistake again, please read How to install adware.

First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.

• A backup is a fundamental prerequisite regardless of whatever method you may choose uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.

Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".

The following files and / or folders need to be deleted while using your Mac in "Safe Mode":

First screenshot:

Nothing needs to be deleted from your second or third screenshots.

Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.

Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use.

There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.

Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.

Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:

If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.

Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.

You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.

Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:

~/Library/Application Support

It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.

Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.

Remove anything related to "Avast", "calculator", "ChumSearch", "mafnw", anything with "search" or "cleaner" in their names, and "whinny.refuse". You might as well remove "Malwarebytes" also; as you can see it did not prevent you from installing adware.

Also, do you have any recommendations as to which antivirus/adware applications I should add to his computer to hopefully minimize the chances of this occurring again?

Add nothing. Read Effective defenses against malware and other threats.

Hi there - My MAC was also just (today?) infected with the Search Baron virus :(. I am running Mac OS Catalina 10.15.5. Any assistance on clean up would be much appreciated. Here are my 3 screenshots:

~/Library/LaunchAgents

/Library/LaunchDaemons

/Library/LaunchAgents

Thank you.

-AJ

I also have macOS High Sierra, version 10.13.6 and have been invaded with search Baron & Marquis. Enclosed are the contents of 3 of my folders based on your previous reply to another questioner. Following the screenshots:

1) Screenshot for "~/Library/LaunchAgents"

2) Screenshot for "/Library/LaunchDaemons"

3) Screenshot for "/Library/LaunchAgents"

Thank you beforehand for your kind input

Santo

Those are not the correct folders Santo. Compare your screenshots to those in my previous reply. Then, please create a new Discussion containing screenshots of those affected folders.

To create a new Discussion click the Post link above, then choose Discussion from the dropdown menu:

I went through the steps multiple times and was unsuccessful in removing search Baron & Marquis. Out of desperation I installed free Malwarebytes suggested by another supporter. It looks like it worked. Time will tell. Thanks for your help.

Reply 2 of 2:

Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:

~/Library/Application Support

It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.

Next: Like all non-Apple "anti-virus" products, "Avast" is worthless. You can see for yourself it did nothing to prevent you from installing adware. Uninstall it according to its instructions.

Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.

John,

Thank you very much for your help! This appears to have worked! I will attach my applicationsupport folder as well for your review. Also, do you have any recommendations as to which antivirus/adware applications I should add to his computer to hopefully minimize the chances of this occurring again? He's not technologically savvy by any means. Thank you!

Try what supportcommunities7 above did: download and run the free version of Malwarebytes. It was developed by a long time contributor to these forums and a highly respected member of the computer security community. 

I have macOS High Sierra, version 10.13.6 and have been invaded with search Baron & Marquis. Enclosed are the contents of 3 of my folders based on your previous reply to another questioner.

This is from my dad's macbook and I haven't been able to remove it. I have added the 3 screenshots below. Thank you!