'safefinder' malware cannot be removed

Yesterday my MacBook Pro was infected with the 'safefinder' malware. I have followed all instructions to remove it, run Malwarebytes and found and deleted relevant files, and STILL the browsers automatically redirect to the "Safefinder" yahoo search engine. I've deleted history, cookies, caches, all my bookmarks, and more. I no longer have the option to change my preferred browser window in Preferences. It is grayed out.

Posted on Aug 8, 2020 4:29 PM

Question marked as Top-ranking reply

Posted on Aug 9, 2020 7:38 AM

Those folder contents are ok.


First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.


  • A backup is a fundamental prerequisite regardless of whatever method you may choose to uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.


The following step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".


Then: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).


There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.


Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.


Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:



If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.


Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.


You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.

Aug 8, 2020 6:42 PM in response to ArizonaG810

To ascertain the cause so that you can eliminate it, start by inspecting the contents of the following folder:


~/Library/LaunchAgents


To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. Make it look like this:



... and click the Go button.


A Finder window will open. Make sure all its file names are readable by selecting View > as List or other selection that shows that folder's complete contents. Then, take a screenshot of that Finder window.



Often, there is nothing in that Launch Agents folder so don't be surprised to find it empty.


In the same manner as the above, navigate to this next folder:


/Library/LaunchDaemons


The Finder's Go menu > Go to Folder... field should look like this:



... and click the Go button once again.


Once again ensure all its files and their names are readable and capture a screenshot.


Then, repeat that exercise with the following folder:


/Library/LaunchAgents


Notice its pathname is different than the other two. The Finder's Go menu > Go to Folder... field should look like this:



In the end, you will have captured the contents of the following three separate folders:


~/Library/LaunchAgents

/Library/LaunchDaemons

/Library/LaunchAgents


All three will be saved to your Mac's Desktop with names "Screen Shot... " followed by the date and time they were captured. Please be sure to include or otherwise indicate the name of the folder that corresponds to each screenshot, so that you and I can keep track of which ones they are.


Post the entire contents of all three windows, one at a time, using the "picture" icon that appears below your reply text:
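The three-folder check described in the reply above can also be done as a script that lists each launchd job, the program it starts, and whether that program still exists. This is an added example, not part of the original thread; the `com.example.helper` job and the temporary folder in `constructed_sample()` are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# The three folders the reply above asks the poster to inspect.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchDaemons", "/Library/LaunchAgents"]

def inventory(dirs=LAUNCH_DIRS):
    """Return one record per .plist file: folder, file, Label, program, notes."""
    records = []
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():                  # an empty or absent folder is normal
            continue
        for path in sorted(folder.glob("*.plist")):
            rec = {"folder": str(folder), "file": path.name,
                   "label": None, "program": None, "notes": []}
            records.append(rec)
            try:
                with path.open("rb") as fh:      # plistlib reads XML and binary plists
                    job = plistlib.load(fh)
            except Exception as exc:             # unreadable or malformed file
                rec["notes"].append("unparseable: " + type(exc).__name__)
                continue
            if not isinstance(job, dict):
                rec["notes"].append("not a launchd job dictionary")
                continue
            args = job.get("ProgramArguments")
            args = args if isinstance(args, list) else []
            prog = job.get("Program") or (args[0] if args else None)
            rec["label"] = job.get("Label")
            rec["program"] = str(prog) if prog else None
            if rec["program"] and not Path(rec["program"]).exists():
                rec["notes"].append("program missing on disk")  # leftover of a partial removal
            if job.get("RunAtLoad") or job.get("KeepAlive"):
                rec["notes"].append("starts automatically")
    return records

def constructed_sample():
    """Build a throwaway folder with constructed plists (hypothetical names) and scan it."""
    tmp = Path(tempfile.mkdtemp())
    job = {"Label": "com.example.helper", "RunAtLoad": True,
           "ProgramArguments": [str(tmp / "gone" / "helper"), "--daemon"]}
    (tmp / "com.example.helper.plist").write_bytes(plistlib.dumps(job))
    (tmp / "damaged.plist").write_bytes(b"not a property list")
    return inventory([str(tmp)])

if __name__ == "__main__":
    for r in inventory():
        print(r["folder"], r["file"], r["label"], r["program"], "; ".join(r["notes"]))
```

The output is a list for review, not a verdict: legitimate third-party software also installs launch agents and daemons, so an unfamiliar entry is something to ask about rather than delete.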


Aug 9, 2020 8:47 AM in response to ArizonaG810


Manual method to remove malware.

To locate the path of the malware, open Activity Monitor through Spotlight, select a process, click on the I icon and click on Open Files and Ports. You can copy the file and paste it in the search bar of Activity Monitor to find the path in the folder, say in the system Library and user Library.



Open System Preferences and click on Users and Groups, open the padlock by entering the admin name and password (in case it is an admin account), and select Login Items. If you see an unknown app, select it and click on the subtract sign to get it deleted.


In System Preferences itself click on Security and Privacy, click on Accessibility then Privacy, select the unknown app and click on the subtract sign to get it deleted.


Click on Finder and search in Applications and the download folder.


The next step would be to enter the System Library.

Click on Finder, take the cursor to the top menu bar and click on Go - Computer - Macintosh HD - Library.

You have to manually search for malware in some folders where it resides.

1. Application Support
2. Caches
3. LaunchAgents
4. LaunchDaemons
5. Logs
6. PrivilegedHelperTools
7. StartupItems
8. Receipts
9. Preferences - the plist of the malware is to be removed. If there is com.apple.xxxx.plist.lockfile or com.apple.xxx.plistlockfile, it's an indication (xxx denotes the malware .plist), and the small folder before it will turn black and it's a symptom of the malware. It could also be com.apple.xxx.plist.
10. Extensions
11. Frameworks
12. Internet Plug-Ins
13. Input Methods
14. ScriptingAdditions


Then enter the User Library: click on Finder > Go > hold the Option key > Library.

Search for malware in these folders:

1. Application Support
2. Caches
3. Cookies
4. Safari
5. Logs
6. Saved Application State
7. LaunchAgents
8. Internet Plug-Ins
9. Input Methods
10. Preferences - com.apple.xxx.plist (xxx denotes the malware .plist)
11. Containers are also to be checked.


Then again click on Finder - Go - Macintosh HD - System - Library - Frameworks and search for the malware in the Frameworks folder.


Right-click on the malware in the above folders and move it to the Trash, restart the computer and empty the Trash.


Malwarebytes will remove the malware from the system Library and user Library, but will not delete the complete folder for an unidentified app installed, or the malware that is inside the folder, or the .plist of the malware from the user Library.

You will see the folder name of the app in the last column.


The second method is to click on Finder in the Dock, click on New Finder Window, enter the name of the app, Safe Finder, in its Spotlight search, and click on Search This Mac. You will find the residues of the app; click on the cross sign to delete them.


Take suggestions from senior AppleCare advisors before following the steps mentioned: https://support.apple.com/en-in/HT201232

If there are leftovers of malware on the Mac, even creating a new test user account will not help; it will remain on the Mac. Deleting com.apple.safari.plist is done when Safari is corrupted.


Aug 8, 2020 5:08 PM in response to FoxFifth

The "fix" that someone suggested doesn't work any better now than when I tried it several hours ago. The malware has, according to everything I have done, been removed. However, the malicious homepage remains. It cannot be removed regardless of the numerous times I have gone through all the steps to remove it. As soon as I restart the computer, it is there again. I have even deleted and reinstalled browsers. It still comes back.

Aug 9, 2020 6:13 AM in response to TheLittles

Yes, I did. Everything is looking clean, but the "Safefinder" search homepage is still there and can't be taken off. My ability to choose my own homepage is now grayed out and inaccessible. I have done everything people are suggesting, including cleaning out Library files, and even opening up the Terminal and entering a long list of code that my son in NY suggested. Nothing works.
