You can make a difference in the Apple Support Community!
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
For 2 weeks now, search alpha has started to appear every time I open safari. I have tried to follow in the steps of some websites with the intention of solving this and nothing changes.
I hope someone can help me with this and maybe give me some advice so that it doesn't happen to me anymore.
[Re-Titled by Moderator]
MacBook Air (M2, 2022)
First make sure you have a backup, then startup in Safe Mode.
How to use safe mode on your Mac - Apple Support
In your LaunchAgents folder delete:
I don't see anything that needs deleting in the LaunchDaemons folder, but I defer to John Galt, he is the master of installed Malware in the system files. The files I listed are known Malware that should be deleted.
Also refer to John's article that you replied to and follow his excellent advice.
lks9, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
Second screenshot:
Nothing needs to be deleted from the folders in the other two screenshots for now, but I have a comment regarding the "mjrecorder" file in your first screenshot that I will address later.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: Regarding the "mjrecorder" file in your first screenshot, you may find the following Discussion of interest: How do I remove MJAudioRecorder from my Mac - Apple Community. I would not mention it if not for the fact that so many people appeared interested in removing it, and well-designed software should not be difficult to remove. I doubt it is related to the problem at hand; it's just something that stood out as unusual.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
hsnmalik, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
Third screenshot:
Fourth screenshot:
Nothing needs to be deleted from the folders in the other screenshots for now, but please read my comments regarding certain other files later.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: Are you aware of having installed some "nursing exam prep" software, and are you certain you need it? I am suspicious of that file because its presence has been a common factor affecting others experiencing identical problems. Example: why is there a random plist file on my mac?? please help!! If you know you need that software, leave that file alone. Otherwise, restart your Mac in "Safe Mode" again, and drag it to the Trash.
Next: That Mac is hosting a torrent client. Presumably, you are aware of the risks that entails. The fact that you were affected by the "Search Alpha" malware suggests that you may need to be more circumspect regarding such risks though.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
patrickyu28, please follow the instructions below. This is Part 1 of 2 replies so please be sure to read the one that follows next.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
First screenshot:
Nothing needs to be deleted from the folder in the second screenshot.
A screenshot of the third folder is missing. That folder may be empty, in which case there is no need to provide a screenshot of it. If you forgot to include it though, please review Removing "Search Marquis" / "Search Baron" / etc on your own - Apple Community again and post the missing one.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.
Reply Part 2 of 2 follows next.
masitudor, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
Second screenshot:
Nothing needs to be deleted from the folders in the other two screenshots for now, but please read my comments regarding "CleanMyMac" later.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: Like all similarly categorized "cleaning" products, "CleanMyMac" is garbage that should never be installed on any Mac. Uninstall it in strict accordance with its instructions.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
liron288, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
First screenshot:
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
LysbethKoster, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
Third screenshot:
Nothing needs to be deleted from the folders in the other two screenshots.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
dianasyrko, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
First screenshot:
Nothing needs to be deleted from the folders in the other two screenshots.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
dr.jb, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
com.gregorian.gettime.plist
com.mac.booster.agent.plist
com.pcv.hlprnmcp.plist
com.readerupdate.plist
com.systemmond.plist
com.techyutil.Utility.plist
com.update.updService.plist
Nothing needs to be deleted from the other two folders for now.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: You can see for yourself that "Malwarebytes" did nothing to prevent you from installing adware, and from what you describe it was equally ineffective at removing it. It's your decision whether to keep it installed or not, but there is nothing any product can do to prevent you from installing junk. Recognition and avoidance is the only effective defense. For more regarding that subject, read How to install adware - Apple Community.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
jklee1132, there is one folder missing from the screenshots you posted. It is either
/Library/LaunchAgents
or
~/Library/LaunchAgents
The contents of that missing folder may or may not be required though. For now please follow the instructions below. If they do not solve the problem please write back and post the missing screenshot.
This is Part 1 of 2 replies so please read the next one regarding Application Support.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
Last screenshot:
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Part 2 of 2 replies appears next.
egvinson, there is one folder missing from the screenshots you posted. It is either
/Library/LaunchAgents
or
~/Library/LaunchAgents
The contents of that missing folder may or may not be required though. For now please follow the instructions below. If they do not solve the problem please write back and post the missing screenshot.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
First screenshot:
Second screenshot:
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
teeeee4 there is one folder missing from the screenshots you posted. It is either
/Library/LaunchAgents
or
~/Library/LaunchAgents
The contents of that missing folder may or may not be required though. For now please follow the instructions below. If they do not solve the problem please write back and post the missing screenshot.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
Second screenshot:
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now. Please read my comments regarding "Disk Drill" later.
Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Launch Safari, evaluate its operation and ensure everything is working as you expect it should.
Next: Regarding "Disk Drill" please refer to the following: Am trying to remove DiskDrill … - Apple Community
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
Antho-21 wrote:
I have the same problem, I tried so many ways to get rid of it but it is still there, even i just bought my mac few months ago
Antho-21 you really should post your own question. This one is old and has grown far too lengthy and confusing for anyone to navigate.
When you post that question, please follow the instructions I posted for everyone else: Removing "Search Marquis" / "Search Baron" / etc on your own - Apple Community.
The fact you were unable to find those instructions in this overly long and convoluted thread illustrates how it's not a good idea to post "me too" replies. Posting your own question is by far the best way to get timely and accurate replies on this site, and the most effective way to get the personal attention you need.
Post those three screenshots from the User Tip in Mac Jim ID's reply and I (or anyone willing to help) will help you get rid of it, if you need help.
Preventing it from happening again is even easier. Effective defenses against malware and other threats - Apple Community describes the fundamental principles. That longwinded document can be summarized in the few words think before you click.
F.A. Assad wrote:
Hello,
I have the same problem as described. I would be grateful if experts on here could take a look.
F.A. Assad I addressed your question here: Safari on my Mac, has been affected by th… - Apple Community. Clicking that link should take you directly to the post with the instructions you need to follow.
You have got several problems there along with the Malware denoted by the fsefosian, readerupdate, and systemmond files. The AntiVirus and CleanMyMac installation should be removed using their uninstallers. I recommend you review the excellent article by John Galt along with the information in this thread and post a new thread after removing the 3 files noted using the steps in the article. You should have a backup and start up in Safe Mode as described there.
Removing "Search Marquis" / "Search Baron… - Apple Community
How can I remove Search Alpha from Safari?
