Remove Yahoo Search virus from Mac


What is Yahoo Search Mac virus?

Since web surfing is among the fundamentals of present-day computing regardless of the operating system, the user experience becomes half-baked if the browser doesn’t work the way it should. With people increasingly relying on the Internet, such a quandary can make a Mac feel close to unusable, too. The good news is that modern web browsers are stable and well supported enough to minimize the risk of malfunctions. The pitfall, though, is that the adverse impact may stem from malicious software such as a piece of adware or a browser hijacker. Macs aren’t safe in this context, as they are being shelled by such infections non-stop.

One of the nastiest threats of that kind is a potentially unwanted application (PUA) that takes over the main web navigation preferences in Safari, Google Chrome, or Mozilla Firefox and causes an incessant rerouting to Yahoo Search. At first sight, the whys and wherefores of this tactic seem unclear, but in-depth scrutiny reveals that the adware operators’ motivation is ultimately clear-cut. The following paragraphs will dot the i’s and cross the t’s so that you can grasp the gist of this annoying campaign.

Safari redirected to custom Yahoo Search page imposed by Safe Finder virus

The landing page, search.yahoo.com, is the tip of the iceberg in this plot. The redirect scheme is constructed in such a way that the victim may mistake the virus attack for a trivial or accidental tweak of the browser settings. Yahoo is legitimate and trustworthy, so the impression could be generally okay, except that the forwarding takes place without the user’s consent. In fact, the relatively mild damage smokescreens a multi-pronged traffic reorganization hoax. Before the browser hits the destination page, it resolves several dubious URLs that bridge the gap between the attackers and attack monetization through poor-quality advertising networks. There are several “padding” services that show in the browser’s status bar for a very short time, usually a fraction of a second. These primarily include domains from the infamous a.akamaihd.net malware family. The common URL patterns are as follows:

  • search[random numbers]-a.akamaihd.net
  • default[random numbers]-a.akamaihd.net
  • lkysearchds[random numbers]-a.akamaihd.net
  • lkysearchex[random numbers]-a.akamaihd.net
  • lumiere-a.akamaihd.net
  • spoprod-a.akamaihd.net
  • fbcdn-dragon-a.akamaihd.net
  • fbcdn-external-a.akamaihd.net
  • fbcdn-gtvideo-a.akamaihd.net.

Safari preferences twisted by adware causing Yahoo redirects

The analysis of this malicious mechanism is incomplete unless the core adware is added to the mix. There are four mainstream PUAs that invoke fraudulent redirects to search.yahoo.com without the user’s approval. These are Safe Finder, Search Mine, Search Pulse, and Any Search Manager. They override the victim’s original online navigation defaults, such as the preferred search provider and homepage, by embedding a setting of their own. The affiliated web pages are search.safefinder.com, searchmine.net, search.searchpulse.net, and search.anysearchmanager.com, respectively. The wicked logic of their functioning revolves around the exploitation of what’s called the Yahoo Hosted Search (YHS). When Safari, Chrome, or Firefox is redirected due to the hijack, the landing resource is typically a customized version of Yahoo: a logo of the corresponding shady service is shown in the upper right-hand corner of the results page, and a phrase saying “Explore with Yahoo! Search” appears next to the search bar. These characteristics might not be too eye-catching, but they are a telltale sign of the attack.
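To check an exported browser history or a proxy/DNS log for the intermediate hosts and hijacker pages named above, the URL patterns can be turned into anchored regular expressions. This is an added example, not part of the original article; the one-URL-per-line input format, the function names and the sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: match the hostnames listed in this article.
# The patterns are anchored, so other hosts under akamaihd.net are left alone.
NUMBERED='^(search|default|lkysearchds|lkysearchex)[0-9]+-a\.akamaihd\.net$'
FIXED='^(lumiere|spoprod|fbcdn-dragon|fbcdn-external|fbcdn-gtvideo)-a\.akamaihd\.net$'
HIJACK='^(search\.safefinder\.com|searchmine\.net|search\.searchpulse\.net|search\.anysearchmanager\.com)$'

# url_host: reduce a URL or bare hostname to a lowercase hostname
# (drops scheme, path/query/fragment, userinfo, port and trailing dot).
url_host() {
    printf '%s\n' "$1" |
        sed -E -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|[/?#].*$||' \
               -e 's|^[^@]*@||' -e 's|:[0-9]+$||' -e 's|\.$||' |
        tr '[:upper:]' '[:lower:]'
}

# classify_host: print redirect-hop, hijacker-page or unlisted.
classify_host() {
    host=$(url_host "$1")
    if printf '%s\n' "$host" | grep -Eq -e "$NUMBERED" -e "$FIXED"; then
        echo "redirect-hop"
    elif printf '%s\n' "$host" | grep -Eq "$HIJACK"; then
        echo "hijacker-page"
    else
        echo "unlisted"
    fi
}

# scan_urls: read URLs on stdin, print "label<TAB>host" for listed hosts only.
scan_urls() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        label=$(classify_host "$line")
        [ "$label" = "unlisted" ] || printf '%s\t%s\n' "$label" "$(url_host "$line")"
    done
}

# Constructed sample input (not real log data).
sample_urls() {
    printf '%s\n' 'https://search8952443-a.akamaihd.net/x' \
        'http://DEFAULT12-a.akamaihd.net/' 'https://search.yahoo.com/search?p=test' \
        'https://fbcdn-dragon-a.akamaihd.net./img' 'http://search.safefinder.com:80/?q=a' \
        'https://example-a.akamaihd.net/video' 'https://searchmine.net.example.org/'
}

sample_urls | scan_urls
```

A hit on a redirect-hop host next to a search.yahoo.com visit is the chain the article describes; search.yahoo.com on its own is not flagged.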

How did Yahoo Search virus infect my Mac?

The operators of this traffic redistribution wave didn’t reinvent the wheel as far as the infection vector is concerned. The underlying harmful application comes with software bundles that seem innocuous upon initial inspection but actually promote additional items in a surreptitious way. The fake Adobe Flash Player update popup is the central point of this large-scale propagation. It is triggered on numerous breached or known-malicious sites, stating that the visitor must download and install the latest version of Flash Player to continue enjoying the web browsing to the fullest.

Fake Adobe Flash Player update alert

The installer imposes the express option that will supposedly complete the process in no time and in a hassle-free manner. The goal is to prevent the user from exploring what else is on board and thereby to install the concomitant threat onto the Mac. This quirk confirms the relevance of the security mantra about taking the custom installation route in such situations, which allows the user to see the full structure of the package and easily uncheck whatever seems suspicious.

Why is search.yahoo.com hijacker so persistent?

Mac users who have bumped into the Yahoo redirect virus issue are well aware how hard it is to fix the problem. The adware may not show up in the browser extensions list or among installed applications, which complicates the cleanup, to put it mildly. The foundation of this culprit’s stubborn essence is a malicious device profile it creates on the computer without the victim’s awareness. Profiles are powerful tools to instruct the Mac to behave in a particular way.

The image above shows a sketchy user profile created by the Yahoo Search virus. Its name can vary across the board, but if you take a closer look you will see that it manages certain settings in Google Chrome. Normally, this setting is blank unless you are using a company-issued Mac and your employer has added a user profile to specify what you can and can’t do on the machine. So, going to Profiles under System Preferences is a reasonable starting point in the attack remediation.

How do I remove Yahoo redirect virus from Mac?

Although this threat manifests itself in the web browser only, it actually leaves a footprint across the system to maintain persistence. The subsection below will help you find and remove all the components of Yahoo virus manually. Keep in mind that some of its files are a no-brainer to spot, while a few may be hidden so that the cleanup is harder to complete than in a typical software uninstall situation.

  • Expand the Go menu in your Mac’s Finder and click the Utilities entry.
    Access the Utilities dashboard
  • Proceed to the Activity Monitor.
    Select the Activity Monitor
  • Explore the Activity Monitor for processes that appear dubious and use up a good deal of the CPU. Be advised that the malicious executable isn’t necessarily named Yahoo Search, Safe Finder or similar, so you’ll have to follow your intuition to an extent. If you find such a suspicious object, use the Quit Process option to terminate it. Confirm the action by clicking Force Quit on a follow-up prompt.
    Terminate the malicious executable
  • In the Finder bar, click the Go icon and select Go to Folder in the list. Alternatively, you can press the Command+Shift+G key combo.
  • Once the system search bar appears, type /Library/LaunchAgents in it and click Go.
    Go to Folder box
  • When the LaunchAgents folder is in front of you, look for suspicious files and drag them to the Trash. Note that the names of such malicious objects might appear to be unrelated to Yahoo adware. Here are a few examples of known-harmful files spawned by Mac viruses: com.mcp.agent.plist, com.pcv.herlperamc.plist, com.avickupd.plist, etc. Any items that don’t fit the mold of benign Mac files should be moved to the Trash immediately.
  • Follow the same logic (Go to Folder feature) to open the directories called ~/Library/LaunchAgents, /Library/Application Support, and /Library/LaunchDaemons in turn. Look for suspicious files (see examples above) in each one of these folders and remove them.
  • Now use the Go drop-down menu in the Finder again and choose Applications.
    Go to the Applications pane
  • Inspect the list of your applications for a potentially unwanted entity whose installation time co-occurred with the issue. It’s most likely Search Pulse, Safe Finder or some random-named piece of software you don’t recollect installing recently. Once you find the unwelcome app, drag it to the Trash. Empty the Trash folder when done.
    Uninstall the malicious app
  • Use the Apple menu to navigate to your System Preferences.
    Proceed to System Preferences from your Mac’s Finder
  • Proceed to Users & Groups and select Login Items. The system will display all the programs executed automatically whenever you turn on your computer. Use the “minus” pictogram to delete the rogue account along with the sketchy item triggered at boot time. When done, go to Profiles under System Preferences to see if the virus has created configuration profiles on your Mac. If anything dubious is there, select it and click the “minus” symbol.
    Eliminate the unwanted user account and login item
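The launch-folder checks from the steps above can also be done from Terminal. The script below is an added example, not part of the original article: it lists every .plist in the LaunchAgents and LaunchDaemons folders named in the steps, marks the three file names the article gives as known-harmful, and marks files modified recently. The function names and the 30-day review window are assumptions.

```shell
#!/bin/sh
# Added example: review launch items in the folders the article names.
# File names the article lists as known-harmful:
KNOWN_BAD="com.mcp.agent.plist com.pcv.herlperamc.plist com.avickupd.plist"

# default_dirs: the launch folders from the manual removal steps.
default_dirs() {
    printf '%s\n' "/Library/LaunchAgents" "$HOME/Library/LaunchAgents" \
                  "/Library/LaunchDaemons"
}

# audit_dir DIR [DAYS]: print "TAG<TAB>path" for each .plist directly in DIR.
#   KNOWN-BAD  name matches one of the article's examples
#   RECENT     modified within DAYS days (default 30, an assumed window)
#   ok         neither of the above; still worth reading if unfamiliar
audit_dir() {
    dir=$1
    days=${2:-30}
    [ -d "$dir" ] || return 0          # folder may not exist for this user
    find "$dir" -maxdepth 1 -type f -name '*.plist' | sort |
    while IFS= read -r f; do
        name=$(basename "$f")
        tag=ok
        if [ -n "$(find "$f" -mtime "-$days")" ]; then
            tag=RECENT
        fi
        case " $KNOWN_BAD " in
            *" $name "*) tag=KNOWN-BAD ;;
        esac
        printf '%s\t%s\n' "$tag" "$f"
    done
}

# audit_all [DAYS]: run the audit over every default folder.
audit_all() {
    default_dirs | while IFS= read -r d; do
        audit_dir "$d" "${1:-30}"
    done
}

audit_all "$@"
```

The script only reports; anything it marks is then removed by hand as described in the steps, since malicious items may use names other than the three listed.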

Uninstalling the harmful application is half the battle. It is a way to make sure that the symptoms won’t reappear after you implement the browser-level part of the repair. In the meanwhile, the Yahoo redirect nasty continues to affect your preferred web browser and therefore you need to revert to the correct Internet surfing settings. Read the subsection below to find out how.

How do I stop redirects search.yahoo.com in the web browser?

Thankfully, you needn’t reinvent the wheel in terms of invalidating the adverse tweaks caused by the Yahoo virus in your browser. A tried-and-true technique is to reset the affected browser to its original defaults. On a side note, Apple has removed the “Reset Safari” button since the release of the Mac native browser’s version 9 back in 2015, so the procedure is now a bit more complex than a one-click experience (see below). Anyway, here’s a simple way to purge the most popular web browsers of the malicious influence:

  1. Remove Yahoo Search virus from Safari browser
    • Select Preferences in the Safari menu as illustrated below.
      Go to Safari Preferences
    • Click the Advanced tab and put a checkmark next to the Show Develop menu in menu bar option.
      ‘Show Develop menu in menu bar’ option
    • Now that the Develop entry has been added to the Safari menu, expand it and click Empty Caches.
      Empty Caches in Safari
    • Check if the browser is still being forwarded to a.akamaihd.net. If it is, go back to the Safari menu bar, expand the History menu, and select the Clear History option as shown in the screenshot below.
      Clear History in Safari
    • Customize the process using a follow-up dialog that allows you to define the period of time for which you want to remove cookies and other website data. It’s recommended that you select all history. Then, go ahead and click Clear History.
      Clear all Safari history
    • If your Safari browser is being rerouted to the rogue URL regardless, go to the Preferences pane via the Safari menu bar again and hit the tab called Privacy. Find and click the Manage Website Data button.
      Manage Website Data button
    • Safari will display a list of all sites that have retained your online data. Click the Remove All button without a second thought. Once the information has been deleted, click Done at the bottom right.
      Remove all site data in Safari
  2. Get rid of Yahoo Search redirect in Google Chrome
    • Open Chrome, click the Customize and control Google Chrome icon in the upper right-hand part of the window, and select Settings in the drop-down list.
    • Look for the button called Advanced and click it to access the settings beyond the basic ones.
    • In the Reset settings area, click the button that says Restore settings to their original defaults.
      Reset Google Chrome on Mac
    • All that’s left to do is click Reset settings on the respective dialog in case you are okay with the resulting changes listed there. Restart Chrome to make sure the benign tweaks take effect.
  3. Delete Yahoo search engine in Mozilla Firefox
    • Open Firefox, click Help, and select Troubleshooting Information in the list.
    • Click the button called Refresh Firefox.
      Refresh Firefox on Mac computer
    • The browser will trigger an extra popup dialog where you should confirm the reset action. When finished, restart Firefox and enjoy your web surfing without Any Search Manager virus messing around with it.

How do I make sure that Yahoo virus is gone?

Symptoms isolated to the browser are the tip of the iceberg. Yahoo redirect virus and its associated malware can gain a foothold in the Mac beyond redirect activity alone. The drawback of manual removal is that there might be hidden leftovers of the threat that will reinstall it after what seems to be a successful cleanup. This isn’t necessarily the case, but you may want to double-check if you are in the clear.

Consider scanning your Mac with Combo Cleaner, an optimization and security app with a decent track record. It’s lightweight, and it can detect all prevalent forms of Mac malware in a snap. Here’s the how-to:

1. Download and install Combo Cleaner.

By downloading any software provided on this website you consent to the provisions listed in our Privacy Policy and Terms of Use. Be advised that Combo Cleaner scan is free, but you will have to buy its full (Premium) version to enable the virus removal feature.

2. Open the Launchpad from your Mac’s Dock and click the Combo Cleaner icon to run the app. Wait for the tool to update its database of virus definitions and click the Start Combo Scan button.

Click ‘Start Combo Scan’

3. In addition to identifying malware and privacy issues, the app will inspect your Mac for junk files, duplicates, and large files you might no longer need. Deleting these redundant objects can release a good deal of disk space.

Combo Cleaner scan in progress

4. Scrutinize the scan report. Hopefully, its results by the antivirus and privacy categories are blank and the verdict is “No Threats”, which means you are safe. If there are infections listed in the report, though, use the Remove Selected Items option to get rid of them.
