How to get rid of SurfBuyer virus and protect your Mac

Igor Degtiarenko
Writer and blogger at MacPaw, curious just about everything.

Fake shopping services are among the most common types of malware currently plaguing computer users. These programs find their way onto your Mac by bundling themselves with seemingly legitimate apps, such as video players Nice Player and MPlayerX. Once installed on your Mac, they display intrusive adverts claiming to offer discounts and coupons. SurfBuyer is one example of this type of malware that’s currently attacking computers.

Everything you need to know about SurfBuyer virus

SurfBuyer is malicious adware that, in addition to displaying instructive and difficult-to-close adverts, steals browsing data like search queries and your IP address. It does this by installing a number of components on your Mac, such as launch agents and browser extensions.

You may be completely unaware that SurfBuyer has installed itself until you start seeing adverts for shopping coupons or discounts. That’s because SurfBuyer uses a technique called bundling, where it hides in a package that looks like a completely different app. In SurfBuyer’s case, that app is usually a video player like MPlayer X or Nice Player. Both of those apps were once popular on the Mac but seem to have been abandoned by their developers and are now used by scammers as a means of putting their malware on your Mac.

To avoid downloading and installing SurfBuyer, you should be careful about the apps you install. Stick to either the App Store or the website of the original app developer and avoid specialist download sites. If you see a warning from macOS telling you that an app you’re trying to install needs special permission because it doesn’t come from a trusted developer, don’t ignore it. Think carefully about whether you want to risk installing it.

Did you know? 

macOS includes a tool called Gatekeeper that’s designed to make it difficult to install apps that don’t come from developers trusted by Apple. If you want to install an app like that, you need to go to System Preferences and override the default settings. That’s the first sign that an app you’re trying to install may not be safe. Don’t ignore it!


If you’ve already downloaded and installed SurfBuyer, don’t panic, you can remove it.

How to remove SurfBuyer from your Mac

There are several steps to getting rid of SurfBuyer because it installs several elements.

1. Remove the host application

Remember we said that SurfBuyer is bundled with another app? Well, the first thing to do is to get rid of that app. Go to your Applications folder and look for any app that you think fits the description above. If you find it, drag it to the Trash and empty the Trash.

2. Deal with any additional files generated by SurfBuyer

These files could be in several different locations. We’ve listed them below. For each Finder location listed, click on the Go menu in the Finder, choose Go to Folder and paste the location in the box. Then look for any suspicious files that have names similar to the apps you’ve removed or names related to shopping, coupons, or discount. When you find them, drag them to the Trash.

/Library/LaunchAgents

~/Library/LaunchAgents

/Library/Application Support

/Library/LaunchDaemons

Once you’ve checked all those folders and got rid of any suspicious files, check for Login Items by following the steps below.

  1. Click on the Apple menu and choose System Preferences.
  2. Select Users & Groups.
  3. Click on your user name and choose the Login Items tab.
  4. Look for any login items that look suspicious.
  5. If you find any, press the ‘-’ button to remove them.

If all that seems like a lot of work, there is an easier way.

How to remove SurfBuyer with CleanMyMac X

CleanMyMac X can delete malware at the press of a button. It automatically removes all the files associated with the application from your Mac, so you don’t need to go searching in, for example, the Application Support folder.

  • CleanMyMac X has a free edition — download it here.
  • Launch the app and click the Malware Removal tab in the sidebar
Removing malware files

In the same app, click on the Optimization tab. You’ll find Login items and so-called Launch Agents. These are two more locations where the SurfBuyer virus may be hiding. CleanMyMac X can also remove Launch Agents and Login Items very quickly.

CleanMyMac X - Login items

3. Remove browser extensions

The next step is to remove browser extensions and reset preferences for your homepage and default search engine in each browser you use.

Safari

  1. Launch Safari, click on the Safari menu, and choose Preferences.
  2. Select the Extensions tab and look for any extensions that you haven’t chosen to install.
  3.  If you find one, select it and press Uninstall.
  4. Go to Preferences > General.
  5. In the box next to the homepage, type the URL of your preferred browser homepage, and set the default search engine to the one you want to use.
  6. Close Preferences, quit Safari, and launch it again.

Chrome

  1. Launch Chrome and type the following into the address bar: chrome://extensions
  2. Review the installed extensions and if you find any that you haven’t chosen to install, click Remove next to them.
  3. Now, type this into the address bar: chrome://settings
  4. Scroll down to “On startup” and set your preferred startup behavior (for example, your chosen homepage).
  5. Go further down the page to the Search Engines section, and if it has been altered, change it back to your preferred search engine.
  6. Quit Chrome and restart it.

Firefox

  1. Launch Firefox and click on the three horizontal lines at the right of the address bar.
  2. Choose Add-ons, then Extensions.
  3. Look for any extensions you haven’t chosen to install. If you find any, click on them and choose Remove.
  4. Press the three lines again and this time, choose Options.
  5. Set the homepage and search engine to your preferences.
  6. Quit Firefox and restart it.
Tip:

CleanMyMac X can also remove extensions from Safari with just a click.

Extensions module of CleanMyMacX


SurfBuyer isn’t a virus, but it is malware and will display intrusive adverts on your Mac, interrupting web browsing. It may also steal data, such as your IP address and search queries, so you should remove it as soon as you notice it. Fortunately, removing it isn’t too difficult. And if getting rid of it manually takes too long, you can use CleanMyMac X to help!

Did you enjoy this post?
Share it or subscribe to our newsletter
Igor Degtiarenko
Writer and blogger at MacPaw, curious just about everything.
April 19, 2019
Updated: March 03, 2023
Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.

Free Download

CleanMy® PC will not receive new features and regular updates.

What does it mean?

  • CleanMy® PC remains safe, stable, and fully functional on all PCs that meet the system requirements.
  • Windows 11 is the last operating system to be supported.
  • Only critical bugs in CleanMy® PC will be fixed in the future; no new features or improvements will be added.
Read the full information here. Download Anyway