Skip to main content
How to remove Safari Redirect Virus on Mac

How to remove Safari Redirect Virus on Mac


With the Safari Redirect Virus running rampant in the macOS environment these days, the tips in this article will point affected users in the right direction.

Threat Profile
Name Mac Safari Redirect Virus
Category Mac browser hijacker, Mac adware
Related Domains search.safefinder.com, search.tapufind.com, search.anysearch.net, search.chill-tab.com, search.searchpulse.net, search.landslidesearch.com, searchmine.net, qsearch.pw, searchmarquis.com, searchbaron.com, searchsnow.com, searchitnow.info, mybrowser-search.com, onclickbright.com
Symptoms Redirects Safari to Bing, Yahoo or fake search engines via intermediate sites (ad networks), injects ads into search results, slows down the system
Distribution Techniques Freeware bundles, fake software updates, torrents, misleading popup ads
Severity Level Medium
Damage Privacy issues due to Internet activity tracking, search redirects, unauthorized modification of browsing preferences, unwanted ads
Removal Scan your Mac with Combo Cleaner to detect all files related to the browser hijacker. Use the tool to remove the infection if found.

Choosing the most suitable web browser to use on a Mac is a matter of personal taste. While Mozilla Firefox and especially Google Chrome are growingly popular among Apple fans, Safari continues to be the app conveying the true Apple-style experience. It’s also going to get a privacy boost via the Intelligent Tracking Prevention feature, a more streamlined tab design, customizable homepage, and quite a few more perks that will debut with the upcoming macOS 11 Big Sur release. These enhancements will likely contribute to a dynamic further increase in the Safari user base. What is cybercriminals’ response to this hype? Predictably, it comes down to a steady growth in attacks honing in on this browser. Out of all adware threats circulating in this area, the Safari Redirect Virus has been dominant for years, and this trend will probably persevere.

Safari being redirected due to adware activity

The generic name of this nasty speaks volumes about its behavior and adverse effects. It reroutes Safari to websites the user never intended to visit. To set this foul play in motion, the infection sneaks its way into a Mac as part of a freeware bundle and harnesses a dodgy extension that crops up in the browser without clear permission requests. This rogue helper object redefines custom settings, including the start page, preferred search engine, and new tab page. Additionally, the potentially unwanted application (PUA) at the heart of this interference often creates a configuration profile that specifies the way Safari works while causing an overarching system impact.

Bing redirect virus in Safari

The Safari Redirect Virus can manifest on contaminated Macs in several different ways. One of the things that distinguishes some scenarios from others is the landing page, that is to say, the site the victim keeps hitting because of the tampering. A good deal of culprits from this pool forward the traffic to bing.com. The screen capture below demonstrates the former type in action. The intercepted web traffic goes through a rabbit hole of interstitial URLs. The most frequently encountered ones are as follows:

  • searchbaron.com;
  • searchmarquis.com;
  • searchitnow.com;
  • searchsnow.com;
  • api.lisumanagerine.club;
  • search.surfharvest.xyz.

Bing redirect virus doing its thing in Safari

The role of these domains is to manage the hijacked web traffic according to adware operators’ current monetization strategy that’s subject to regular transformations down the road. Although the auxiliary URLs can only be seen in the address bar for a split second, they are critical elements in the infection chain utilized by this spinoff of the Mac Safari Virus. The resulting service, bing.com, is used to smokescreen the dubious activity and has nothing to do with the evil plan of malicious actors who simply piggyback on its trustworthiness.

Safari Redirect leading to Yahoo

One more mainstream persona of this unruly code follows a similar logic, except that it forces hits to search.yahoo.com. The underlying PUA surreptitiously installs a Safari extension that runs with elevated privileges and replaces the user-specified web surfing settings with a sketchy address. This way, the victim incessantly visits a knockoff search engine which, in turn, resolves Yahoo. There are quite a few junk services from this cluster in active rotation. Below is a list of pseudo-providers that fit the mold of this stratagem:

  • search.safefinder.com (see screenshot below);
  • search.tapufind.com;
  • search.anysearch.net;
  • search.chill-tab.com;
  • search.searchpulse.net;
  • search.landslidesearch.com;
  • searchmine.net.

Safari hijacked by Safe Finder, a variant of Yahoo redirect virus

Again, this treacherous scheme parasitizes a legitimate search engine to feign trust. To take the hoax further, the crooks have created a network of online resources hinging on the Yahoo Hosted Search (YHS) service. It’s hard to say how exactly the felons have established this controversial “partnership”, but it has reached unsettling heights over the years. A mix of stubborn adware, dirty redistribution of Internet traffic, and questionable ties between malicious and regular entities makes this wave a major spot on the heat map of contemporary Mac menaces.

Other hijackers plaguing Safari

Whereas the vast majority of the Safari Mac Virus embodiments forward one’s web traffic to Yahoo or Bing, some stand out from the crowd. There are strains that promote various worthless applications or outright dangerous ones. A common trick is to drag a victim into a vicious circle of rerouting to sites that push fake updates of popular software such as Adobe Flash Player. In many scenarios, the landing page recommends the user to install an app which is supposedly required to watch streaming content. Obviously, these entities are malware in disguise that can range from browser hijackers and info-stealers to Mac ransomware and scareware.

Safari rerouted to a rogue app installation page

Another notorious ruse involves non-stop redirects to a YouTube copycat. The malicious page tells the visitor to click on the embedded “Allow” button to watch some allegedly viral video. This way, the malefactors cloak the process of enabling web push notifications in Safari. Once turned on, this feature will result in obnoxious pop-up ads deluging the right-hand part of the desktop.

No matter which abominable incarnation of the Safari Virus Redirect you may encounter on your Mac, it will make your computing experience go down the drain. If this is already happening due to a slip-up such as the installation of a dubious app bundle, the following instructions will help purge the infection. Be advised that most of these pests are cross-browser and so you may need to additionally tidy up Chrome and Firefox if these are installed on your Mac.


Safari Redirect Virus manual removal for Mac

The steps listed below will walk you through the removal of this malicious application. Be sure to follow the instructions in the specified order.

  1. Expand the Go menu in your Mac’s Finder bar and select Utilities as shown below.

    Go to Utilities

  2. Locate the Activity Monitor icon on the Utilities screen and double-click on it.

    Select the Activity Monitor

  3. In the Activity Monitor app, look for a process that appears suspicious. To narrow down your search, focus on unfamiliar resource-intensive entries on the list. Keep in mind that its name isn’t necessarily related to the way the threat is manifesting itself, so you’ll need to trust your own judgement. If you pinpoint the culprit, select it and click on the Stop icon in the upper left-hand corner of the screen.

    Stop malicious process

  4. When a follow-up dialog pops up asking if you are sure you want to quit the troublemaking process, select the Force Quit option.

    Select the Force Quit option

  5. Click on the Go menu icon in the Finder again and select Go to Folder. You can as well use the Command-Shift-G keyboard shortcut.

    Use the Go to Folder feature

  6. Type /Library/LaunchAgents in the folder search dialog and click on the Go button.

    Open /Library/LaunchAgents folder

  7. Examine the contents of the LaunchAgents folder for dubious-looking items. Be advised that the names of files spawned by malware may give no clear clues that they are malicious, so you should look for recently added entities that appear to deviate from the norm.

    As an illustration, here are several examples of LaunchAgents related to mainstream Mac infections: com.pcv.hlpramc.plist, com.updater.mcy.plist, com.avickUpd.plist, and com.msp.agent.plist. If you spot files that don’t belong on the list, go ahead and drag them to the Trash.

    Root-level LaunchAgents folder contents

  8. Use the Go to Folder lookup feature again to navigate to the folder named ~/Library/Application Support (note the tilde symbol prepended to the path).

    Open ~/Library/Application Support folder

  9. When the Application Support directory is opened, identify recently generated suspicious folders in it and send them to the Trash. A quick tip is to look for items whose names have nothing to do with Apple products or apps you knowingly installed. A few examples of known-malicious folder names are Quick Mac Booster, IdeaShared, and ProgressMatch.

    Application Support folder contents

  10. Enter ~/Library/LaunchAgents string (don’t forget to include the tilde character) in the Go to Folder search area.

    Open ~/Library/LaunchAgents directory

  11. The system will display LaunchAgents residing in the current user’s Home directory. Look for dodgy items related to Safari Redirect Virus (see logic highlighted in subsections above) and drag the suspects to the Trash.

    Contents of LaunchAgents folder in user’s home directory

  12. Type /Library/LaunchDaemons in the Go to Folder search field.

    Go to /Library/LaunchDaemons

  13. In the LaunchDaemons path, try to pinpoint the files the malware is using for persistence. Several examples of such items cropped by Mac infections are com.pplauncher.plist, com.startup.plist, and com.ExpertModuleSearchDaemon.plist. Delete the sketchy files immediately.

    LaunchDaemons folder contents

  14. Click on the Go menu icon in your Mac’s Finder and select Applications on the list.

    Go to Applications screen on Mac

  15. Find the entry for an app that clearly doesn’t belong there and move it to the Trash. If this action requires your admin password for confirmation, go ahead and enter it.

    Drag malicious app to the Trash

  16. Expand the Apple menu and select System Preferences.

    Select System Preferences

    Open System Preferences

  17. Proceed to Users & Groups and click on the Login Items tab.

    Proceed to Users & Groups

    The system will display the list of items launched when the computer is starting up. Locate the potentially unwanted app there and click on the “-” (minus) button.

    Delete unwanted login item

  18. Now select Profiles under System Preferences. Look for a malicious item in the left-hand sidebar. Several examples of configuration profiles created by Mac adware include TechSignalSearch, MainSearchPlatform, AdminPrefs, and Chrome Settings. Select the offending entity and click on the minus sign at the bottom to eliminate it.

    Select Profiles under System Preferences

    Remove malicious configuration profile from Mac

    If your Mac has been infiltrated by adware, the infection will most likely continue to hold sway over your default web browser even after you remove the underlying application along with its components sprinkled around the system. Use the browser cleanup instructions below to address the remaining consequences of this attack.

Get rid of redirect virus in Safari and other browsers on Mac

To begin with, the web browser settings taken over by Safari Redirect Virus should be restored to their default values. Although this will clear most of your customizations, web surfing history, and all temporary data stored by websites, the malicious interference should be terminated likewise. The overview of the steps for completing this procedure is as follows:

  1. Remove redirect virus in Safari
    • Open the browser and go to Safari menu. Select Preferences in the drop-down list

      Go to Preferences in Safari

    • Once the Preferences screen appears, click on the Advanced tab and enable the option saying “Show Develop menu in menu bar”.

      Advanced tab under Safari Preferences

    • Now that the Develop entry has been added to the Safari menu, expand it and click on Empty Caches.

      Empty Caches in Safari

    • Now select History in the Safari menu and click on Clear History in the drop-down list.

      Clear history in Safari

    • Safari will display a dialog asking you to specify the period of time this action will apply to. Select all history to ensure a maximum effect. Click on the Clear History button to confirm and exit.

      Select all history to clear

    • Go back to the Safari Preferences and hit the Privacy tab at the top. Find the option that says Manage Website Data and click on it.

      Manage Website Data option under Privacy tab

    • The browser will display a follow-up screen listing the websites that have stored data about your Internet activities. This dialog additionally includes a brief description of what the removal does: you may be logged out of some services and encounter other changes of website behavior after the procedure. If you’re okay with that, go ahead and click on the Remove All button.

      Confirmation dialog

    • Restart Safari
  2. Get rid of redirect virus in Google Chrome
    • Open Chrome, click the Customize and control Google Chrome (⁝) icon in the top right-hand part of the window, and select Settings in the drop-down

      Chrome Settings

    • When on the Settings pane, select Advanced
    • Scroll down to the Reset settings section.

      Reset settings in Chrome on Mac

    • Confirm the Chrome reset on a dialog that will pop up. When the procedure is completed, relaunch the browser and check it for malware activity.

      Here’s how to reset settings in Chrome on Mac

  3. Remove redirect virus from Mozilla Firefox
    • Open Firefox and go to Help – Troubleshooting Information (or type about:support in the URL bar and press Enter).

      Open Firefox and go to Help

      Select Troubleshooting Information

    • When on the Troubleshooting Information screen, click on the Refresh Firefox button.

      Refresh Firefox on Mac

    • Confirm the intended changes and restart Firefox.

Get rid of Mac Safari Virus using Combo Cleaner removal tool

The Mac maintenance and security app called Combo Cleaner is a one-stop tool to detect and remove Safari Redirect virus. This technique has substantial benefits over manual cleanup, because the utility gets hourly virus definition updates and can accurately spot even the newest Mac infections.

Furthermore, the automatic solution will find the core files of the malware deep down the system structure, which might otherwise be a challenge to locate. Here’s a walkthrough to sort out the Safari Redirect issue using Combo Cleaner:

  1. Download Combo Cleaner installer. When done, double-click the combocleaner.dmg file and follow the prompts to install the tool onto your Mac.

    Download Combo Cleaner

    By downloading any applications recommended on this website you agree to our Terms and Conditions and Privacy Policy. The free scanner checks whether your Mac is infected. To get rid of malware, you need to purchase the Premium version of Combo Cleaner.

  2. Open the app from your Launchpad and let it run the update of malware signature database to make sure it can identify the latest threats.
  3. Click the Start Combo Scan button to check your Mac for malicious activity as well as performance issues.

    Combo Cleaner Mac scan progress

  4. Examine the scan results. If the report says “No Threats”, then you are on the right track with the manual cleaning and can safely proceed to tidy up the web browser that may continue to act up due to the after-effects of the malware attack (see instructions above).

    Combo Cleaner scan report – no threats found

  5. In case Combo Cleaner has detected malicious code, click the Remove Selected Items button and have the utility remove Safari Redirect threat along with any other viruses, PUPs (potentially unwanted programs), or junk files that don’t belong on your Mac.

    Combo Cleaner – threats found

  6. Once you have made doubly sure that the malicious app is uninstalled, the browser-level troubleshooting might still be on your to-do list. If your preferred browser is affected, resort to the previous section of this tutorial to revert to hassle-free web surfing.

FAQ

As emphasized in the previous answer, this isn’t a Safari-only problem. Therefore, before getting down to the browser part of the repair, focus on the removal of adware that impacts the system far beyond wrecking the web surfing experience.

So, it’s recommended to scour the Activity Monitor, Profiles, Login Items, Applications, LaunchAgents, LaunchDaemons, and Application Support directory for items you don’t recognize. Because Mac browser hijackers tend to use random filenames, this is a shot in the dark to a big extent. It’s worth a try, though.

As soon as you have spotted and removed the core adware, open Safari and scrutinize the list of installed extensions. Anything that doesn’t look benign or familiar should be eradicated without a second thought. Do some testing browsing when done: if the issue is still there, you will need to clear Safari’s caches and delete all history. This will wipe all customizations and therefore cause some inconveniences, but you may have to give it a go if nothing else works.

Yes, they can. In fact, this is exactly what’s happening on a large scale these days. Safari is fairly handy and secure, but it has flaws that allow threat actors to bypass the defenses and deposit PUAs onto systems. With that said, it’s worth placing emphasis on the user’s role in this process. There are hardly any Mac viruses currently at large that exploit Safari in a zero-click way. Instead, these pests infiltrate systems after the users unwittingly allow them to.

The classic plot involves a bundle of several applications downloaded via Safari. The front app in this package is harmless or even useful but the extras can be malicious, let alone the fact that the user may not even know that something else is tailgating into the Mac. If this infection chain is going on via Safari, the browser won’t alert the user unless the source download page is blacklisted. This isn’t really a Safari loophole, after all. These attacks stem from a lack of vigilance on the user’s end.

1

Was this article helpful? Please, rate this.

There are no comments yet.
Authentication required

You must log in to post a comment.

Log in