What To Do If Your Mac Has SafeFinder Virus
Most Mac users have gotten used to believing that macOS is invincible when it comes to malware and viruses. However, we’ve proven time and time again that macOS is just as vulnerable to viruses as Windows and other operating systems. In fact, some attackers even target Macs specifically, designing their malware to attack vulnerabilities that are unique to macOS.
One of the common Mac viruses is the browser redirect type, such as SafeFinder. This type of virus, also classified as adware, redirects all your traffic to a particular URL in a bid to generate revenue for its clients. SafeFinder can be annoying, not only because of the automatic redirects, but also because of the persistent ads delivered by the adware.
If you notice suspicious browser behavior and more ads being displayed, then it is possible that your Mac has the SafeFinder virus.
What is SafeFinder Virus on Mac?
As the name implies, the SafeFinder virus mainly redirects traffic to the SafeFinder website, which is search.safefinder.com. Aside from this URL, your traffic could also be redirected to:
- search.safefinderformac.com
- search.macsafefinder.com
- search.safefinder.biz
- search.safefinder.info
The domains listed above are also considered fake search engines. These are the serving IP addresses related to this malware:
- 72.246.56.25
- 23.62.239.11
- 13.66.51.37
SafeFinder is mainly a browser hijacker that redirects your web browser activities to any of the third-party websites listed above and presents sponsored content in your search results. For example, when you try to perform a query using your browser, you’ll be surprised to find that your default search engine has changed. Instead of getting results from Google, for example, your query will be redirected to any of the fake search engines above, but since it is not actually a search engine, it will simply pull up search results from Yahoo instead.
Aside from changing your default search engine, the virus also modifies your homepage, new custom tab page, and might also install an extension without your permission. You might also notice that when you enter a URL on your web browser, the browser doesn’t take you directly to your desired page and takes you to a random page. This means that the hijacker has also skewed the DNS settings on your Mac.
The SafeFinder virus was developed by Linkury Ltd, a company based in Israel that produces software monetization solutions. This company is known for creating and distributing dodgy Mac cleaners and browser hijackers, including the Linkury browser hijacker and SafeFinder. Safe Finder is being promoted as a useful tool to simplify the web. However, the manner of distribution Linkury employs, which includes app bundling and other sketchy installations, gives you a clue about the nature of this supposedly useful tool.
Safe Finder installs a toolbar, which is supposed to be non-intrusive and features a lot of functions, including website translation, social media sharing, and website rating.
But all these features become useless because the malware makes it impossible to visit any website other than search.macsafefinder.com or search.safefinder.com.
Earlier this year, Safe Finder evolved once again and incorporated a more notorious function. Affected victims find themselves being redirected to Akamaihd.net instead, which is another type of browser hijacker. The default search engine is replaced with something like search8952443-a.akamaihd.net. This new function involves Akamai’s cloud services and content delivery feature in the hope of keeping the adware activity afloat and allowing the malicious infrastructure to overcome all forms of restrictions and blacklisting.
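To check a homepage or search-engine URL against the hosts named above, here is an added example (not code from the original article). The setting names in SAMPLE are constructed, and treating the digits in the akamaihd.net host as variable is an assumption.

```python
import re
from urllib.parse import urlsplit

# Redirect domains listed in the article above.
SAFEFINDER_DOMAINS = (
    "search.safefinder.com", "search.safefinderformac.com",
    "search.macsafefinder.com", "search.safefinder.biz",
    "search.safefinder.info",
)
# Assumption: the digits in search8952443-a.akamaihd.net vary per install,
# so match the shape "search<digits>-a.akamaihd.net", not one literal host.
AKAMAIHD_RE = re.compile(r"^search\d+-a\.akamaihd\.net$")
AKAMAIHD_LABEL = "search<digits>-a.akamaihd.net"

def hostname_of(value):
    """Lower-cased hostname of a URL or bare host; '' if unparseable."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # make urlsplit read a bare host as netloc
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def classify(value):
    """Return the matching indicator, or None when the host is not listed."""
    host = hostname_of(value)
    for domain in SAFEFINDER_DOMAINS:
        # Exact host or a subdomain of it, never a substring match.
        if host == domain or host.endswith("." + domain):
            return domain
    return AKAMAIHD_LABEL if AKAMAIHD_RE.match(host) else None

def audit(settings):
    """Map each setting whose URL points at a listed host to its indicator."""
    found = ((name, classify(url)) for name, url in settings.items())
    return {name: hit for name, hit in found if hit}

# Constructed sample values, not read from a real browser profile.
SAMPLE = {
    "safari.homepage": "http://search.safefinder.com/?q=",
    "chrome.search_engine": "https://search8952443-a.akamaihd.net/s?q=%s",
    "chrome.startup_page": "https://www.google.com/",
    "firefox.homepage": "https://search.safefinder.com.example.org/",
    "firefox.newtab": "SEARCH.MacSafeFinder.com/home",
}

if __name__ == "__main__":
    for name, hit in audit(SAMPLE).items():
        print(f"{name}: points at {hit}")
```

Matching on the parsed hostname rather than on a substring keeps a look-alike such as search.safefinder.com.example.org, or an unrelated akamaihd.net host, from being flagged.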
How is Safe Finder Being Spread?
In most cases, the Safe Finder virus finds its way into your Mac because you yourself installed it. Hence, it is not by accident that your computer has been infected. You might not remember installing the virus or the toolbar, but maybe you remember the freeware you installed recently. You might argue that the software you installed is legitimate, and it’s probably true. But what you don’t know is that that freeware came with an additional payload: the Safe Finder virus. And because you did not check every step of the installation process or you simply chose the Quick Install option, you didn’t realize that the malware was included in the installation package.
Another common method of distribution is the fake Adobe Flash Player pop-ups. This has been a long-standing distribution strategy, but it seems there are still users who fall for this trick. Hopefully, with the end of Flash, attackers will no longer dare to use this technique to trick people into clicking the pop-up. The scheme is actually very simple: the vendor installs an automatic notification that appears when a user visits a certain website, asking the user to update his or her Flash player to be able to access the content of that website. But once the user clicks on the message, the malicious payload is downloaded to the user’s computer and creates havoc in the form of ads.
What makes Safe Finder more dangerous is when it works together with other malware or browser hijackers. For instance, Safe Finder might come from ad-injecting apps, such as SystemNotes 1.0 or AddUpgrade 1.0. And malware families coming to work together is bad news. Not only does it make it more difficult to remove the SafeFinder virus from a Mac, it also multiplies the trouble caused by the excessive number of ads. It is not actually a matter of one plus one, but a matter of exponential growth.
SafeFinder Virus Removal Instructions
When your Mac has the SafeFinder virus, you need to make sure that files and components related to it are deleted from your computer. Otherwise, the malware will just come back.
Here are the steps to completely get rid of this nuisance from your Mac:
Step 1: Remove Safe Finder From Your Mac.
How to Delete SafeFinder Virus from macOS
macOS is more secure than Windows, but it is not impossible for malware to be present on Macs. Just like other operating systems, macOS is also vulnerable to malicious software. In fact, there have been several previous malware attacks targeting Mac users.
Deleting SafeFinder Virus from a Mac is a lot easier than from other operating systems. Here’s the complete guide:
- If you suspect that recently installed software is malicious, uninstall it immediately from your Mac. In Finder, click Go > Applications. You should see a list of all the apps currently installed on your Mac.
- Find the app associated with SafeFinder Virus or other suspicious apps you want to delete. Right-click on the app, then choose Move to Trash.
To completely get rid of SafeFinder Virus, empty your Trash.
Step 2: Undo the Changes to Your Browser.
You need to uninstall the toolbar and reset the default settings of your browser. You can follow the instructions according to the browser you are using from the instructions below:
How to Get Rid of SafeFinder Virus from Safari
The computer’s browser is one of the major targets of malware — changing settings, adding new extensions, and changing the default search engine. So if you suspect your Safari to be infected with SafeFinder Virus, these are the steps you can take:
1. Delete suspicious extensions
Launch the Safari web browser and click on Safari from the top menu. Click Preferences from the drop-down menu.
Click on the Extensions tab at the top, then view the list of currently installed extensions on the left menu. Look for SafeFinder Virus or other extensions you don’t remember installing. Click the Uninstall button to remove the extension. Do this for all your suspected malicious extensions.
2. Revert changes to your homepage
Open Safari, then click Safari > Preferences. Click on General. Check out the Homepage field and see if this has been edited. If your homepage was changed by SafeFinder Virus, delete the URL and type in the homepage you want to use. Make sure to include the http:// before the address of the webpage.
3. Reset Safari
Open the Safari app and click on Safari from the menu at the upper-left of the screen. Click on Reset Safari. A dialog window will open where you can choose which elements you want to reset. Next, click the Reset button to complete the action.
How to Remove SafeFinder Virus from Google Chrome
To completely remove SafeFinder Virus from your computer, you need to reverse all of the changes on Google Chrome, uninstall suspicious extensions, plug-ins, and add-ons that were added without your permission.
Follow the instructions below to remove SafeFinder Virus from Google Chrome:
1. Delete malicious plugins.
Launch the Google Chrome app, then click on the menu icon at the upper-right corner. Choose More Tools > Extensions. Look for SafeFinder Virus and other malicious extensions. Highlight these extensions you want to uninstall, then click Remove to delete them.
2. Revert changes to your homepage and default search engine.
Click on Chrome's menu icon and select Settings. Click On Startup, then tick off Open a specific page or set of pages. You can either set up a new page or use existing pages as your homepage.
Go back to Google Chrome's menu icon and choose Settings > Search engine, then click Manage search engines. You'll see a list of default search engines that are available for Chrome. Delete any search engine that you think is suspicious. Click the three-dot menu beside the search engine and click Remove from list.
3. Reset Google Chrome.
Click on the menu icon located at the top right of your browser, and choose Settings. Scroll down to the bottom of the page, then click on Restore settings to their original defaults under Reset and clean up. Click on the Reset Settings button to confirm the action.
This step will reset your startup page, new tab, search engines, pinned tabs, and extensions. However, your bookmarks, browser history, and saved passwords will be saved.
How to Delete SafeFinder Virus from Mozilla Firefox
Just like other browsers, malware tries to change the settings of Mozilla Firefox. You need to undo these changes to remove all traces of SafeFinder Virus. Follow the steps below to completely delete SafeFinder Virus from Firefox:
1. Uninstall dangerous or unfamiliar extensions.
Check Firefox for any unfamiliar extensions that you don't remember installing. There is a huge chance that these extensions were installed by the malware. To do this, launch Mozilla Firefox, click on the menu icon at the top-right corner, then select Add-ons > Extensions.
In the Extensions window, choose SafeFinder Virus and other suspicious plugins. Click the three-dot menu beside the extension, then choose Remove to delete these extensions.
2. Change your homepage back to default if it was affected by malware.
Click on the Firefox menu at the upper-right corner of the browser, then choose Options > General. Delete the malicious homepage and type in your preferred URL. Or you can click Restore to change to the default homepage. Click OK to save the new settings.
3. Reset Mozilla Firefox.
Go to the Firefox menu, then click on the question mark (Help). Choose Troubleshooting Information. Hit the Refresh Firefox button to give your browser a fresh start.
Once you’ve completed the steps above, SafeFinder Virus will be completely gone from your Mozilla Firefox browser.
How to Get Rid of SafeFinder Virus from Internet Explorer
To ensure that the malware that hacked your browser is completely gone and that all unauthorized changes are reversed on Internet Explorer, follow the steps provided below:
1. Get rid of dangerous add-ons.
When malware hijacks your browser, one of the obvious signs is when you see add-ons or toolbars that suddenly appear on Internet Explorer without your knowledge. To uninstall these add-ons, launch Internet Explorer, click on the gear icon at the top-right corner of the browser to open the menu, then choose Manage Add-ons.
When you see the Manage Add-ons window, look for SafeFinder Virus and other suspicious plugins/add-ons. You can disable these plugins/add-ons by clicking Disable.
2. Reverse any changes to your homepage caused by the malware.
If you suddenly have a different start page or your default search engine has been changed, you can change it back through the Internet Explorer's settings. To do this, click on the gear icon at the upper-right corner of the browser, then choose Internet Options.
Under the General tab, delete the homepage URL and enter your preferred homepage. Click Apply to save the new settings.
3. Reset Internet Explorer.
From the Internet Explorer menu (gear icon at the top), choose Internet Options. Click on the Advanced tab, then select Reset.
In the Reset window, tick off Delete personal settings and click the Reset button once again to confirm the action.
Summary
Safe Finder is not just your ordinary browser hijacker. It keeps on evolving and growing in terms of sophistication and variations. So the moment you notice its presence, make sure to remove it completely from your Mac.