UltraSearch Engine complete removal

I am loathe to use third party cleaning software that promises the early, but is not branded or endorsed by Apple.

Getting rid of adware is simple and you need nothing more than the tools you already have.

To ascertain the cause so that you can eliminate it, start by inspecting the contents of the following folder:

~/Library/LaunchAgents

To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. Make it look like this:

... and click the Go button.

A Finder window will open. Make sure all its file names are readable by selecting View > as List or other selection that shows that folder's complete contents. Then, take a screenshot of that Finder window.

• To learn how to capture a screenshot please read the Appendix in the following User Tip: Writing an effective Apple Support Communities question. It also includes instructions for posting a screenshot in a reply to this Discussion, so keep that Safari window open for now.

Often, there is nothing in that Launch Agents folder so don't be surprised to find it empty.

In the same manner as the above, navigate to this next folder:

/Library/LaunchDaemons

The Finder's Go menu > Go to Folder... field should look like this:

... and click the Go button once again.

Once again ensure all its files and their names are readable and capture a screenshot.

Then, repeat that exercise with the following folder:

/Library/LaunchAgents

Notice its pathname is different than the other two. The Finder's Go menu > Go to Folder... field should look like this:

In the end, you will have captured the contents of the following three separate folders:

~/Library/LaunchAgents

/Library/LaunchDaemons

/Library/LaunchAgents

All three will be saved to your Mac's Desktop with names "Screen Shot... " followed by the date and time they were captured. Please be sure to include or otherwise indicate the name of the folder that corresponds to each screenshot, so that you and I can keep track of which ones they are.

Post the entire contents of all three windows, one at a time, using the "picture" icon that appears below your reply text:

Thanks. This is part 1 of 2 replies so be sure to read the one that follows.

Late last year you installed adware. Whether or not you were aware of it, your Mac has not been operating properly since then. macOS's improved malware detection algorithms are only now making you aware of its presence.

Getting rid of adware is easy and doesn't require installing anything else. To fix it follow the instructions below. To learn how not to make that mistake again, please read How to install adware.

First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.

• A backup is a fundamental prerequisite regardless of whatever method you may choose uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.

Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".

The following files and / or folders need to be deleted while using your Mac in "Safe Mode":

First screenshot:

Second screenshot:

Nothing needs to be deleted from the third screenshot.

Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.

Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).

There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.

Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.

Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:

If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.

Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.

You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.

Additional information appears in my next reply.

Hello Dornfield,

It sounds like you have some malware on your Mac which shows as UltraSearch Engine. It sounds like you have taken some good steps to try and remove this malware. Let's start here:

About pop-up ads and windows in Safari

If you're still seeing evidence of the UltraSearch Engine, check out Malwarebytes to clear out unknown malware files. Once you run Malwarebytes be sure you also delete any unknown profiles and restart your Mac.

Malwarebytes - Free Download

Cheers!

You can adapt my instructions for Google Chrome, or find a way to reset it to defaults.

A flashing amber LED means the Time Capsule needs attention: If the status light flashes amber. Open AirPort Utility and click it. Just find a way to back up that Mac, unless you are willing to lose all the information on it.

1. By default Time Machine backs up everything, so if you were to restore an entire system, that restored system will resemble the exact state as it was at the time of that backup. If you were to restore a system containing "UltraSearch Engine" you would simply eradicate it in the same manner as you did. It's not difficult, besides, the backup containing that malware will eventually be erased in the normal course of events. Also, bear in mind restoring an entire system is very different than using TM as a means of transferring content to a replacement Mac, which is what you would most likely do if you needed to replace your Mac with a new one.
2. Time Machine does that automatically. Upon each automatic or manual backup, it will back up to the next available disk in its sequence. In other words if you have three backup disks A, B, C it will back up to A; the next backup will use B, the next one will use C, and the one after that will use A again. If one of them is not available TM looks for the next one, and so forth. If for whatever reason you want to preserve a backup, just disconnect it. After ten days of not backing up to a particular disk, TM will begin to complain. Or you can tell it to simply stop using that disk, and when you want to start using it again TM will pick up where it left off.

You can have as many backup disks as you want. Since any disk can fail at any time, consider having more than just one. I don't consider redundant backups a luxury. If your one and only one backup fails catastrophically, you have none, and no backups is tempting fate.

Some of my Time Capsules are really, really old. None of them have ever failed. If I had only one though it would have failed a long time ago, right?

Reply part 2 of 2 follows:

Next: that Mac appears to have had a useless "cleaning" product installed, or was installed at one time and was not completely uninstalled. Those things are toxic scams. Uninstall "CleanMyMac" in strict accordance with its instructions. After uninstalling it, repeat the instructions to examine the two folders above in which its files appear, and drag them to the Trash. It will no longer affect that Mac, but the effects of actually having used it are another story altogether. In general, completely erasing the affected Macs and rebuilding them from the ground up is often the most expedient solution.

Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:

~/Library/Application Support

It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.

Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.