How to remove a nefarious web browser redirect extension
If the computer is hijacked with a warning message asking you to call a phone number and you can't get rid of it, hold the three keys Command-Option-Escape down together. (Command often has the four-leaf cloverleaf logo, or is the Windows logo key on keyboards designed to work with Microsoft Windows machines, and the Alt key is the corresponding key on Windows keyboards for Option. The Control or CTRL keys are not used in this command.)
In the Force Quit window that opens, force quit each browser (Safari, Firefox, Opera, Chrome, Mozilla, iCab and Omniweb are all web browsers, that is, programs that open .html files) and any other program you don't recognize.
If delays persist after rebooting, you may need to check the hard drive health with DriveDX.
https://binaryfruit.com/drivedx
If the hard drive shows any failure status, get it replaced. This is a key reason you need to back up your data:
https://discussions.apple.com/docs/DOC-1992
As long as the hard drive is healthy, delays can be due to malware that was installed during the browser intrusion or before, or to other unknown software you installed. Follow the steps below to find what might be affecting your computer.
If this redirect is on anything other than Chrome, use Malwarebytes to attempt to get rid of it.
If it is on Safari, use Devon Technologies' EasyFind to locate and remove all safariextz files that don't belong.
https://www.devontechnologies.com/apps/freeware
to discover if you missed some. This tip explains how to use it to post the results. In general, any extension listed on a web browser's preferences page that is not dedicated to ad blocking is not necessary, unless you are absolutely certain its source is safe.
Some programs may not be able to be removed with EasyFind, unless you boot the machine in safe mode. This means restarting the computer holding the Shift key and logging in.
On Chrome, quit Chrome first, then run Terminal (a program found in Macintosh HD-Applications-Utilities) and enter the following 6 lines:
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
Restart the computer when done, using the Apple logo menu in the upper left. If chrome://policy still looks awkward after holding the Shift key when launching Chrome, then you should reload the policies.
https://bit.ly/2zwvB4E - is Chrome Policy remover software for the Mac, recently posted to the Google Forums by a Platinum poster, which may work better than the Terminal commands.
The Shift key launch procedure also works on all other browsers to launch the browser on the home page or an empty page instead of the last page launched.
https://malwaretips.com/blogs/remove-safe-finder-virus/ - is another great resource that echoes much of what has been stated here and gives some additional tips.
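An added example, not part of the original tip: a read-only sh script that reports which of the six Chrome settings above differ from the state those commands leave behind, so you can see what was changed both before and after running them. The function names and the stub values used when the defaults command is unavailable are constructed for illustration.

```shell
#!/bin/sh
# Read-only check: compares the six Chrome settings from the tip with the
# state its commands leave behind. It only ever calls "defaults read".

# Off macOS there is no "defaults" command, so stand in a stub that returns
# CONSTRUCTED sample values (not taken from any real machine).
if ! command -v defaults >/dev/null 2>&1; then
  defaults() {  # understands only: defaults read <domain> <key>
    case "$3" in
      HomepageIsNewTabPage)      echo 0 ;;
      HomepageLocation)          echo "https://search.example.invalid/" ;;
      DefaultSearchProviderName) echo "Example Search" ;;
      *) return 1 ;;             # key not set
    esac
  }
fi

# Value each key has after the tip's commands; empty means "deleted".
expected_for() {
  case "$1" in
    HomepageIsNewTabPage)                echo 0 ;;  # -bool false reads back as 0
    NewTabPageLocation|HomepageLocation) echo "https://www.google.com/" ;;
    *)                                   echo "" ;;
  esac
}

audit_chrome_keys() {
  domain="${1:-com.google.Chrome}"
  for key in HomepageIsNewTabPage NewTabPageLocation HomepageLocation \
             DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL \
             DefaultSearchProviderName; do
    want=$(expected_for "$key")
    # A missing key makes "defaults read" fail; treat that as empty.
    got=$(defaults read "$domain" "$key" 2>/dev/null) || got=""
    if [ "$got" = "$want" ]; then
      printf 'ok      %s\n' "$key"
    else
      printf 'REVIEW  %s = %s\n' "$key" "${got:-<unset>}"
    fi
  done
}

audit_chrome_keys
```

Lines marked REVIEW are the settings the six commands above would change; keeping a copy of the output gives a record of what the redirect had set.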
LaunchDaemons from macpaw, zeobit, or any with "cleaner" names that EasyFind detects or Etrecheck finds should be removed. You will likely need to boot into safe mode to remove these.
If you need help with this, contact the author of this tip*.
Another great tip on the topic is:
https://discussions.apple.com/docs/DOC-8071
*Links to me may provide me compensation.