Yahoo Search redirect Mac virus removal from Safari, Chrome and Mozilla

Yahoo redirect virus is an escalating threat in the macOS environment

Yahoo is many Mac users’ favorite search service, but some are literally forced to join the army of its fans without ever agreeing to it. How come? Over the years, cybercriminals who hate to play by the rules have been busy building an intricate web traffic redistribution campaign that promotes this provider in a highly intrusive way. This scheme is primarily focused on Apple laptops and desktops. If a user gets on the hook, their online activities become mostly restricted to visiting search.yahoo.com. This redirect happens whenever the victim enters keywords in the URL bar on Google Chrome, Safari, and Mozilla Firefox, even if the default search engine specified in the browser’s settings is different (Google, DuckDuckGo, etc.).

The Safe Finder service is a common element of the Yahoo redirect chain

The situation is as clear as crystal when bad actors drive traffic to a malicious site. But it seems odd that they would want to promote a legitimate service like Yahoo. There are several theories in this regard. One of them is that crooks are involved in an affiliate scheme and get rewarded for unique leads, especially ones originating from Mac machines. If this is the case, it’s more than strange that the security teams at Yahoo have failed to rein in that type of exploitation. Hopefully, this isn’t about the search engine turning a blind eye to the foul play.

Another theory seems more plausible. The operators of the Yahoo Search redirect virus could be misusing the trusted resource to hide a cesspool of their shady pages in plain sight. One piece of evidence is that the traffic rerouting workflow spans a series of interstitial URLs that only show up in the browser status area for a split second. The examples are as follows:

  • Safe Finder (search.safefinderformac.com)
  • Chill Tab (search.chill-tab.com)
  • TapuFind (search.tapufind.com)
  • SearchMine (searchmine.net)
  • SearchPulse (search.searchpulse.net)
  • Any Search (search.anysearchmanager.com)

These sites are in cahoots with dubious ad networks that pay for new hits, which explains the malefactors’ key motivation to take over web browsers on Macs and reorganize their defaults. Ultimately, Yahoo may be a curtain that distracts victims from the monetization fraud going on in the background.

Rogue user profile complicates Yahoo redirect virus removal from Mac

This redirect virus strain isn’t a super-complex, fileless infection that leaves zero footprint in the system. Instead, it always manifests as a potentially unwanted application (PUA) that settles down on a Mac with the user’s permission. It’s not an informed decision, though. The infiltration takes place when several apps are installed in one go. There are software bundles on numerous unofficial marketplaces that may push adware alongside regular apps. The problem is that users are clueless about the extra components of the package and unknowingly authorize the attack. That said, the mantra about caution with freeware installers makes a whole lot more sense.

The Yahoo redirect virus clings to Macs firmly enough to prevent easy removal. A configuration profile trick is one of the pillars of its persistence. The underlying PUA misuses a command-line utility right after contamination to create a device profile that coerces web browsers to repeatedly resolve one of the junk sites listed above. When visited, the page forwards the traffic further via associated ad platforms, with the whole process winding up at search.yahoo.com. Therefore, defeating the shifty pest is a no-go unless the profile is deleted first. To steer clear of threats like this one, the rule of thumb is to avoid application bundles that might disseminate unwelcome code.

Yahoo Search redirect Mac virus removal: manual how-to

Reining in this infection could be a challenge, but it’s doable as long as you follow a tried-and-tested Mac adware removal procedure. Here’s how you do it.

  1. Open the Go menu from the Finder area and click Utilities.
  2. Open the Activity Monitor.
  3. Take a close look at the running processes and try to identify the malicious one. The common giveaways of Mac malware are eye-catching icons or high CPU and RAM usage.
  4. If you spot the potentially unwanted process, use the X button in the Activity Monitor’s top toolbar to force quit it. Confirm the action.
  5. Open the Go menu again and select the option called Go to Folder. It provides a quick and easy way to navigate to specific folders.
  6. Type ~/Library/Application Support/ in the “Go to Folder” popup dialog and click Go.
  7. Check the Application Support folder for bad items that have been added recently. Delete everything suspicious you can find.
  8. Now, browse to the ~/Library/LaunchAgents/ folder.
  9. Look for dubious *.plist files inside the LaunchAgents folder and move them all to the Trash.
  10. Open the /Library/LaunchDaemons/ directory using the same workflow.
  11. Examine the LaunchDaemons folder’s contents for shady files and remove them once found.
  12. Click the Finder icon in your Dock.
  13. Select Applications in the sidebar. Look for the dodgy app and move it to the Trash.
  14. Open up the System Preferences screen and select Users & Groups.
  15. Click the Login Items tab and find the intrusive entry in the list. Before you proceed, click the padlock sign and type your administrator password. Select the shady app and click the “minus” symbol to keep it from being executed at boot time.
  16. Select Profiles in the System Preferences interface.
  17. Locate the unwanted user profile and click the “minus” symbol to eliminate it.
  18. Empty the Trash folder.
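
The launch folders from the procedure above can also be triaged from Terminal. The script below is an added example, not part of the original article: it is read-only and lists *.plist files that mention one of the interstitial redirect hosts listed earlier, or that changed within the last 30 days, so they can be reviewed by hand. The function names, the 30-day window and the /Library/Managed Preferences location are assumptions of this example.

```shell
#!/bin/sh
# Added triage example (not from the original article). Read-only: it lists
# candidates for manual review and deletes nothing.

# Interstitial redirect hosts named in this article, one per line.
REDIRECT_HOSTS='safefinderformac.com
chill-tab.com
tapufind.com
searchmine.net
searchpulse.net
anysearchmanager.com'

# scan_dir DIR [DAYS]
# Prints "REDIRECT-HOST<TAB>path" for every *.plist under DIR that mentions
# one of the hosts above; otherwise "RECENT<TAB>path" if the file was
# modified within the last DAYS days (default 30).
scan_dir() {
    dir=$1
    days=${2:-30}
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.plist' 2>/dev/null | while IFS= read -r f; do
        # -a reads binary plists as text; -F matches each host as a fixed string
        if grep -a -q -i -F -e "$REDIRECT_HOSTS" "$f" 2>/dev/null; then
            printf 'REDIRECT-HOST\t%s\n' "$f"
        elif [ -n "$(find "$f" -mtime -"$days" 2>/dev/null)" ]; then
            printf 'RECENT\t%s\n' "$f"
        fi
    done
}

# scan_default_locations [DAYS]: the two launch folders from the steps above,
# plus one extra location for profile-enforced settings.
scan_default_locations() {
    scan_dir "$HOME/Library/LaunchAgents" "$1"
    scan_dir "/Library/LaunchDaemons" "$1"
    # Assumption of this example: settings pushed by a configuration profile
    # are written here on macOS.
    scan_dir "/Library/Managed Preferences" "$1"
}

scan_default_locations 30
```

A RECENT hit only means the file changed lately; check what program the plist launches before moving it to the Trash.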

How to prevent your browser from being redirected to Yahoo on Mac

Uninstalling the bothersome application may not be enough to stop Yahoo redirect activity in its tracks. You will probably also need to remove breadcrumbs of the infection from your web browser.

  1. Remove Yahoo redirect from Safari
    • Launch Safari, expand the Safari menu and select Preferences.
    • Click Advanced and enable the option at the bottom saying Show Develop menu in menu bar.
    • Open the just-added Develop menu and select Empty Caches.
    • Now open the History menu, select Clear History, keep the pre-selected “all history” option, and click the Clear History button on the dialog.
    • Return to the Safari Preferences, select Privacy, and click the Manage Website Data button.
    • Click the Remove All option to obliterate all data stored by websites.
    • Restart Safari.
  2. Remove Yahoo redirect virus from Google Chrome
    • Open Chrome, head to Settings, click Advanced, and select Reset settings.
    • Select the option saying Restore settings to their original defaults and follow further prompts to reset the browser’s settings.
    • Restart Chrome.
  3. Remove Yahoo redirect virus from Mozilla Firefox
    • Run Firefox, go to the Firefox menu, click Help, and pick Troubleshooting Information.
    • Click Refresh Firefox and confirm the action on a popup dialog that will appear.
    • Restart Firefox.

Take care

The lesson to learn from the long-running Yahoo redirect quagmire is that software installation hygiene won’t go amiss, to put it mildly. This attack always starts with a bundle in which one benign app works as a distraction for the infiltration of one or several malicious extras. Also, Mac malware attacks are increasingly hybrid, as they intertwine legitimate services like Yahoo with browser hijackers. So, stay vigilant and don’t put off system remediation in a scenario like this.

Enjoy! 🙂
