A separate thread asked for these screenshots to be uploaded in order to determine the issue with Chrome redirecting to bing.com or ask.com etc.
Any help to remove this malware would be helpful.
MacBook Pro (M1, 2020)
JWHansen, please follow the instructions below.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
First screenshot:
Nothing needs to be removed from the folders in the other two screenshots.
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in those folders. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Settings > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Settings > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:
If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.
Remaining in System Settings, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
Confirm Safari's chosen Search Engine:
Review Customize searching in Safari on Mac - Apple Support, under Choose a search engine.
Those instructions are for Safari, so be sure to perform the equivalent action for Google Chrome if you use it.
When I woke up and opened Chrome this morning, Search Marquis was back.
I reset the settings as you described, which eliminated Search Marquis again when I opened a new tab, but the bing redirect still happens. I have no extensions and have deleted all other search options in the settings tab for Chrome.
Do any of these apps looks suspicious? I was questioning whether Aspera or Microsoft Edge was relevant, for example.
Resetting the browser settings (chrome in my case; safari has no issues) makes the searchmarquis issue go away. So, instead of getting "searchmarquis" when I create a new tab in my browser, I get the actual homepage I want.
But, when I type something other than a specific site into the URL/Search bar, the bing redirect still occurs.
Pictures attached.
Addendum: If the problems are affecting Google Chrome, you will also need to reset it to its defaults:
https://support.google.com/chrome/answer/3296214?hl=en
This is in addition to the above instructions, and can be carried out subsequent to them.
After these steps, I see that when I open a new tab, it doesn't redirect to a new search engine now. It stays on google.com, which is correct.
However, if I type something directly into the URL bar to search, the bing redirect still occurs. Nothing is in /library/launchdaemons or /library/launchagents. There are two files in ~/library/launchagents (com.google.keystone.xpcservice and com.google.keystone.agent.plist)
WyattA15 wrote:
I'm dealing with the same issue but it doesn't occur on safari
Which browser is being affected?
For Google, it is my understanding that you need to reset it to its defaults, as described here:
I understand you reset Google Chrome to its defaults, but entering search terms in the Chrome search field results in a Bing search.
Instead of Microsoft Bing, which search engine would you like to use instead? And, did you choose that search engine in Chrome's Preferences or Settings?
The fact that Safari works normally indicates the redirect is not being caused by anything at the macOS system level. I do not use Google so I'm at a bit of a disadvantage providing more specific guidance regarding their products.
Some of those folders are associated with adware but deleting them won't accomplish anything if Google Chrome is still redirecting your search queries.
Does that occur if you use Safari?
I'm dealing with the same issue but it doesn't occur on safari
Removal of Bing Redirect or SearchMarquis etc
