Yahoo is many Mac users’ favorite search service, but some are literally forced to join the army of its fans without ever agreeing to it. How come? Over the years, cybercriminals who hate to play by the rules have been busy building an intricate web traffic redistribution campaign that promotes this provider in a highly intrusive way. This scheme is primarily focused on Apple laptops and desktops. If a user gets on the hook, their online activities become mostly restricted to visiting search.yahoo.com. This redirect happens whenever the victim enters keywords in the URL bar on Google Chrome, Safari, and Mozilla Firefox, even if the default search engine specified in the browser’s customizations is different (Google, DuckDuckGo, etc.)

The situation is as clear as crystal when bad actors drive traffic to a malicious site. But, it seems odd why they may want to promote a legitimate service like Yahoo. There are several theories in this regard. One of them is that crooks are involved in an affiliate scheme and get rewarded for unique leads, especially ones originating from Mac machines. If this is the case, it’s more than strange that the security teams at Yahoo have failed to rein in on that type of exploitation. Hopefully, this isn’t about the search engine turning a blind eye to the foul play.

Another theory seems more plausible. The operators of the Yahoo Search redirect virus could be mishandling the trusted resource to hide a cesspool of their shady pages in plain sight. Some evidence is the fact that the traffic rerouting workflow spans a series of interstitial URLs that only show up in the browser status area for a split second. The examples are as follows:

• Safe Finder (search.safefinderformac.com)
• Chill Tab (search.chill-tab.com)
• TapuFind (search.tapufind.com)
• SearchMine (searchmine.net)
• SearchPulse (search.searchpulse.net)
• Any Search (search.anysearchmanager.com)

These sites are in cahoots with dubious ad networks that pay for new hits, which explains the malefactors’ key motivation to take over web browsers on Macs and reorganize their defaults. Ultimately, Yahoo may be a curtain that distracts victims from the monetization fraud going on in the background.

This redirect virus strain isn’t a super-complex, fileless infection that leaves a zero footprint in the system. Instead, it is always manifested as a potentially unwanted application (PUA) that settles down on a Mac with the user’s permission. It’s not an informed decision, though. The infiltration takes place when several apps are installed in one go. There are software bundles on numerous unofficial marketplaces that may push adware alongside regular apps. The problem is that users are clueless about the extra components of the package and unknowingly authorize the attack. That said, the mantra about caution with freeware installers gets a whole lot more sense.

The Yahoo redirect virus clings to Macs firmly enough to prevent easy removal. A configuration profile trick is one of the pillars of its persistence. The underlying PUA misuses the command line utility right after contamination to create a device profile that coerces web browsers to repeatedly resolve one of the junk sites listed above. When visited, the page forwards the traffic further via associated ad platforms, with the whole process winding up at search.yahoo.com. Therefore, defeating the shifty pest is a no-go unless the profile is deleted first. To eschew the likes of this threat, the rule of thumb is to avoid application bundles that might disseminate unwelcome code.

Yahoo Search redirect Mac virus removal: manual how-to

Reining in on this infection could be a challenge, but it’s doable as long as you follow a tried-and-tested Mac adware removal procedure. Here’s how you do it.

1. Open the Go menu from the Finder area and click Utilities.

2. Open the Activity Monitor.

3. Take a close look at the running processes and try to identify the malicious one. The common
   giveaways of Mac malware are eye-catching icons or high CPU and RAM usage.
4. If you spot the potentially unwanted process, use the X button in the Activity Monitor’s top
   toolbar to force quit it. Confirm as illustrated below.

5. Open the Go menu again and select the option called Go to Folder. It provides a quick and easy
   way to navigate to specific folders.

6. Type ~/Library/Application Support/ in the “Go to Folder” popup dialog and click Go.

7. Check the Application Support folder for bad items that have been added recently. Delete
   everything suspicious you can find.

8. Now, browse to the ~/Library/LaunchAgents/ folder as shown below.

9. Look for dubious *.plist files inside the LaunchAgents folder and move them all to the Trash.

10. Open the /Library/LaunchDaemons/ directory using the same workflow.

11. Examine the LaunchDaemons folder’s contents for shady files and remove them once found.

12. Click the Finder icon in your Dock.

13. Select Applications in the sidebar. Look for the dodgy app and move it to the Trash.

14. Open up the System Preferences screen and select Users & Groups.

15. Click the Login Items tab and find the intrusive entry in the list. Before you proceed, click the
    padlock sign and type your administrator password. Select the shady app and click the “minus”
    symbol to keep it from being executed at boot time.

16. Select Profiles in the System Preferences interface.

17. Locate the unwanted user profile and click the “minus” symbol to eliminate it.

18. Empty the Trash folder.

How to prevent your browser from being redirected to Yahoo on Mac

Uninstalling the bothersome application may not be enough to stop Yahoo redirect activity in its tracks. You will probably also need to remove breadcrumbs of the infection from your web browser.

1. Remove Yahoo redirect from Safari

• Launch Safari, expand the Safari menu and select Preferences.

• Click Advanced and enable the option at the bottom saying Show Develop menu in menu bar.

• Open the just-added Develop menu and select Empty Caches.

• Now open the History menu, select Clear History, keep the pre-selected “all history” option,and click the Clear History button on the dialog.

• Return to the Safari Preferences, select Privacy, and click the Manage Website Data button.

• Click the Remove All option to obliterate all data stored by websites.

• Restart Safari.

2. Remove Yahoo redirect virus from Google Chrome

• Open Chrome, head to Settings, click Advanced, and select Reset settings.
• Select the option saying Restore settings to their original defaults and follow further prompts
  to reset the browser’s settings.

• Restart Chrome.

3. Remove Yahoo redirect virus from Mozilla Firefox

• Run Firefox, go to the Firefox menu, click Help, and pick Troubleshooting Information.
• Click Refresh Firefox and confirm the action on a popup dialog that will appear.

• Restart Firefox.

Take care

The lesson to learn from the long-running Yahoo redirect quagmire is that software installation
hygiene won’t go amiss, to put it mildly. This attack always starts with a bundle in which one
benign app works as a distraction for the infiltration of one or several malicious extras.
Also, Mac malware attacks are growingly hybrid, as they intertwine legitimate services like Yahoo with browser hijackers. So, stay vigilant and don’t put off system remediation in a scenario like this.

Enjoy! 🙂