How to get rid of Yahoo search on Mac

When it comes to web search biases, beauty is in the eye of the beholder. Most people prefer using Google, some like Bing, and some are more accustomed to looking up information on Yahoo. Everyone is free to specify these preferences in their browser’s settings. But what if something prevents this decision from taking effect? That’s precisely what happens when Mac malware spares its ugly fangs. One of the most common species of this nasty code overrides a user’s Internet defaults by limiting all searches to Yahoo, even if the favorite provider is completely different.

Yahoo search redirect is one of the top Mac malware schemes

To set this exploitation in motion, cybercriminals contrived a multi-pronged malware distribution scheme that may ensnare even the most vigilant Mac owners. A classic technique for spreading these shadowy applications involves tech support scams in which a specially tailored web page reports imaginary threats on the computer and urges the user to install pseudo-protection, which is a browser redirect virus in disguise. Another vector relies on pop-ups displayed on malicious or hacked sites that say critical software updates are missing and instruct the visitor to install the latest version. One more tactic is to inject a dubious app into seemingly harmless freeware installers that quietly promote bundles instead of a single program.

These different tricks have a common denominator – they all result in the installation of malware that reorganizes browser settings without permission. Counterintuitively, it doesn’t hard-code search.yahoo.com URL in the default configuration of Safari, Google Chrome, or Mozilla Firefox. Instead, it embeds an auxiliary value that ultimately forwards all hits to Yahoo search. These “helper” sites include search.safefinderformac.com, searchlee.com, searchmine.net, search.searchpulse.net, search.anysearchmanager.com, search.tapufind.com, and search.anysearchmanager.com.

The campaign is backed by a network of affiliated junk services such as Safe Finder

A particularly off-putting thing about this unwelcome tweak is that it can’t be undone by re-entering the correct settings manually. That’s because Mac malware, in general, and adware, in particular, have developed significant persistence mechanisms in the course of their evolution. The abuse of macOS configuration profiles is the pillar of this tampering. Normally, this feature allows network admins to enforce corporate policies by implementing a set of restrictions on company-issued computers. Crooks have learned to turn this usefulness upside down.

At an early infection stage, the malicious program that underlies Yahoo search redirects accesses the command line utility and uses it to create an evil device profile. This entity outlines system behavior that fits the attacker’s objectives, including the search engine, homepage, and new tab preferences in web browsers spotted on the target Mac. Therefore, any changes on the victim’s end are completely disallowed or reversed after the next system login.

How do malware makers benefit from this condition? It’s mostly about affiliate revenue. As mentioned above, the plagued web browser queries transitory domains before resolving search.yahoo.com. Their role is to intertwine the scheme with ad network APIs, which brings revenue to malware operators. This is a well-trodden path that proved to be highly lucrative. If you have found yourself in this adverse situation, the only way to disrupt the bad guys’ plan is to get rid of the malicious application and its traces left across the system. The following tips will help you out.

Remove Yahoo search redirect from your Mac

When a browser hijacking plight is ruining your online experience, there is always a malicious app to blame. It can be sneaky and obstinate, but a thorough cleanup is doable as long as you follow anti-malware best practices specified below.

  1. Click Go in the menu bar, pick Utilities in the list, and select Activity Monitor.
  1. Scroll down the active processes and pinpoint the one (or ones) that may be causing issues. A rogue executable typically has a strange icon next to it, uses more CPU than others, or has a gibberish-looking name.
  1. Hopefully you have found the culprit. If so, select it and click the X (Stop) button in the Activity Monitor’s toolbar. Proceed by hitting Quit or Force Quit in the pop-up that has appeared, as illustrated in the following screen capture.
Quit process
  1. Go to the Finder and select Applications in the sidebar. Look for an iffy program and remove it.
Move to Trash
  1. Reopen the Go menu and select Go to Folder.
Go to Folder
  1. Type or paste ~/Library/LaunchAgents as shown below and click Go.
Go to Library/LaunchAgents
  1. Sift through the list of your LaunchAgents to spot recent objects that look sketchy. Send them to the Trash.
Move to Trash LaunchAgents
  1. Stick to the same procedure to open the folders named /Library/LaunchAgents (no tilde prepended), /Library/LaunchDaemons, and ~/Library/Application Support. Likewise, root out all the malicious objects you can find in these directories.
  1. Launch the System Preferences app and select Users & Groups.
Users & Groups
  1. Select Login Items. Click the padlock symbol and type your admin password to make changes. Then, pick the application you don’t want to open as you log in and click the minus icon to delete it from the list.
Login Items
  1. Open Profiles from the System Preferences interface.
Profiles
  1. Select the unwanted item in the left-hand sidebar and use the minus button to get rid of it. You may need to provide your admin password to complete this action.
Delete malicious profile
  1. Click Finder in the Apple menu bar and select Empty Trash.
Empty Trash

Uninstalling malware that pulls the strings in the Yahoo search redirect situation is paramount. This eliminates the source of interference and foils further progress of the attack. However, your web browsers will most likely keep acting up until you tidy them up. That’s a whole separate remediation stage. Use the following steps to add the finishing touches to your anti-malware adventure.

Remove crud from your web browser

  1. Stop Yahoo search redirect on Safari
  • Open the Safari menu and pick Preferences (see image below).
Safari Preferences
  • Select Extensions and uninstall all suspicious items listed there.
Safari Extensions
  • Now head to the Privacy tab and click the Manage Website Data button.
Privacy tab
  • Use the Remove All option to wipe data stored by websites. Then, click Done.
Remove all website data
  • While on Safari’s Preferences screen, select Advanced and enable the Show Develop menu in menu bar option.
Show Develop menu
  • Open the Develop menu and click Empty Caches as shown below.
Empty Caches
  • Expand History in the Safari menu bar and select Clear History. Use on-screen prompts to delete all web surfing history.
Clear History
  • Restart Safari.
  1. Get rid of Yahoo search on Google Chrome
  • Click Customize and control Google Chrome and pick Settings.
Chrome settings
  • Expand the Advanced menu in the sidebar, click Reset settings, and select Restore settings to their original defaults. Confirm by clicking Reset settings in the dialog.
Reset Chrome settings
  • Restart Chrome.
  1. Remove Yahoo search from Mozilla Firefox
  • Click Open Application Menu at the top right, go to Help, and select More Troubleshooting Information.
More Troubleshooting Information
  • Click the Refresh Firefox button and confirm that you want to revert to the browser’s original settings.
Refresh Firefox
  • Restart Mozilla.

How to avoid Yahoo redirects on your Mac down the line

The short answer is, you have to be careful with software installers. This is especially true of applications promoted by pop-ups on suspicious websites. Also, stay away from free versions of programs that are supposed to stick with a paid subscription model. These cracked copies have gained notoriety for spreading dangerous code. If a piece of software or an online ad looks too good to be true, you’d be better off ignoring it.

Leave a Reply

Your email address will not be published.