Hi, I have once again got Safe Finder on my Macbook. All my searches are being directed through Yahoo. All the processes I went through before to get rid of it don't seem to be working. Any ideas?
MacBook Air 13", macOS 10.15
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
~/Library/LaunchAgents:
/Library/LaunchDaemons:
/Library/LaunchAgents:
Nothing needs to be deleted from /Library/LaunchAgents
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use.
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
While you're there, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents.
Remaining within System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware will bear identical names ("ExpertModuleSearch" for example). If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.
Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".
The following files and / or folders need to be deleted while using your Mac in "Safe Mode":
~/Library/LaunchAgents:
/Library/LaunchDaemons:
/Library/LaunchAgents:
Nothing needs to be deleted from /Library/LaunchAgents
Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.
Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use.
There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.
Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.
While you're there, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents.
Remaining within System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.
You can then restart your Mac and log in as usual.
Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:
~/Library/Application Support
It is normal for that folder to contain many items, but anything associated with the above adware will bear identical names ("ExpertModuleSearch" for example). If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.
Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
Describing what you did before might help.
Navigate to the following folder, and post its contents in a screenshot:
~/Library/LaunchAgents
To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. Make it look like this:
... and click the Go button.
A Finder window will open. Take a screenshot showing all that folder's contents, and post it in a reply. To learn how to do that please read the Appendix in the following User Tip: Writing an effective Apple Support Communities question.
Usually, there is nothing in that folder so don't be surprised to find it empty. The reason for starting with that folder is to eliminate other potential causes before proceeding with steps that will identify and eradicate whatever is affecting that Mac.
There will be additional instructions to follow and this is just the first step.
ExpertModuleSearch almost certainly needs to be deleted, and you're welcome to do that if you wish, but you should continue with the following to ensure no other components are present. Otherwise, it might just reappear on its own, resulting in duplication of effort.
---
In the same manner as the above, open the following folder:
/Library/LaunchDaemons
To open that folder, copy and paste it in the Finder's Go menu > Go to Folder... field. It should look like this:
Once again ensure all its files and their names are readable, take a screenshot, and post it.
Then, repeat that exercise with the following folder:
/Library/LaunchAgents
Notice its pathname is different than the other two.
In the end, you will have captured and posted the contents of the following three separate folders:
~/Library/LaunchAgents
/Library/LaunchDaemons
/Library/LaunchAgents
Please be sure to include or otherwise indicate the name of the folder that corresponds to each screenshot, so that you and I can keep track of which ones they are.
HI, here is the screen shot. When I've had the Safe Finder Adware before I have gone into Safari Preferences and reset my home page and also deleted any extensions. I have also deleted any unwanted profiles in My System Preferences.
Thank you
Looks suspicious to me, definitely not Apple. Move it to the Trash and test. (I'd also do a restart) If that gets rid of Safe Finder then you can empty the Trash.
Of course, if you revisit the website that is generating it, it will return.
What is ExpertModuleSearch?
I have no idea to be honest.
Thank you so much. I’ll give all this a go once I’ve fed the kids!!
Done it all and everything looks great and back to normal. Thank you so much. I've spent needless hours trying to sort it out without any knowledge!
Great! Thanks for the update.
With the knowledge that you now have, teach others how to do it.
Adware Safe Finder - new removal techniques?
