Fake shopping services are among the most common types of malware currently plaguing computer users. These programs find their way onto your Mac by bundling themselves with seemingly legitimate apps, such as video players Nice Player and MPlayerX. Once installed on your Mac, they display intrusive adverts claiming to offer discounts and coupons. SurfBuyer is one example of this type of malware that’s currently attacking computers.
Everything you need to know about SurfBuyer virus
SurfBuyer is malicious adware that, in addition to displaying instructive and difficult-to-close adverts, steals browsing data like search queries and your IP address. It does this by installing a number of components on your Mac, such as launch agents and browser extensions.
You may be completely unaware that SurfBuyer has installed itself until you start seeing adverts for shopping coupons or discounts. That’s because SurfBuyer uses a technique called bundling, where it hides in a package that looks like a completely different app. In SurfBuyer’s case, that app is usually a video player like MPlayer X or Nice Player. Both of those apps were once popular on the Mac but seem to have been abandoned by their developers and are now used by scammers as a means of putting their malware on your Mac.
To avoid downloading and installing SurfBuyer, you should be careful about the apps you install. Stick to either the App Store or the website of the original app developer and avoid specialist download sites. If you see a warning from macOS telling you that an app you’re trying to install needs special permission because it doesn’t come from a trusted developer, don’t ignore it. Think carefully about whether you want to risk installing it.
If you’ve already downloaded and installed SurfBuyer, don’t panic, you can remove it.
How to remove SurfBuyer from your Mac
There are several steps to getting rid of SurfBuyer because it installs several elements.
1. Remove the host application
Remember we said that SurfBuyer is bundled with another app? Well, the first thing to do is to get rid of that app. Go to your Applications folder and look for any app that you think fits the description above. If you find it, drag it to the Trash and empty the Trash.
2. Deal with any additional files generated by SurfBuyer
These files could be in several different locations. We’ve listed them below. For each Finder location listed, click on the Go menu in the Finder, choose Go to Folder and paste the location in the box. Then look for any suspicious files that have names similar to the apps you’ve removed or names related to shopping, coupons, or discount. When you find them, drag them to the Trash.
/Library/LaunchAgents
~/Library/LaunchAgents
/Library/Application Support
/Library/LaunchDaemons
Once you’ve checked all those folders and got rid of any suspicious files, check for Login Items by following the steps below.
- Click on the Apple menu and choose System Preferences.
- Select Users & Groups.
- Click on your user name and choose the Login Items tab.
- Look for any login items that look suspicious.
- If you find any, press the ‘-’ button to remove them.
If all that seems like a lot of work, there is an easier way.
How to remove SurfBuyer with CleanMyMac X
CleanMyMac X can delete malware at the press of a button. It automatically removes all the files associated with the application from your Mac, so you don’t need to go searching in, for example, the Application Support folder.
- CleanMyMac X has a free edition — download it here.
- Launch the app and click the Malware Removal tab in the sidebar
In the same app, click on the Optimization tab. You’ll find Login items and so-called Launch Agents. These are two more locations where the SurfBuyer virus may be hiding. CleanMyMac X can also remove Launch Agents and Login Items very quickly.
3. Remove browser extensions
The next step is to remove browser extensions and reset preferences for your homepage and default search engine in each browser you use.
Safari
- Launch Safari, click on the Safari menu, and choose Preferences.
- Select the Extensions tab and look for any extensions that you haven’t chosen to install.
- If you find one, select it and press Uninstall.
- Go to Preferences > General.
- In the box next to the homepage, type the URL of your preferred browser homepage, and set the default search engine to the one you want to use.
- Close Preferences, quit Safari, and launch it again.
Chrome
- Launch Chrome and type the following into the address bar:
chrome://extensions
- Review the installed extensions and if you find any that you haven’t chosen to install, click Remove next to them.
- Now, type this into the address bar:
chrome://settings
- Scroll down to “On startup” and set your preferred startup behavior (for example, your chosen homepage).
- Go further down the page to the Search Engines section, and if it has been altered, change it back to your preferred search engine.
- Quit Chrome and restart it.
Firefox
- Launch Firefox and click on the three horizontal lines at the right of the address bar.
- Choose Add-ons, then Extensions.
- Look for any extensions you haven’t chosen to install. If you find any, click on them and choose Remove.
- Press the three lines again and this time, choose Options.
- Set the homepage and search engine to your preferences.
- Quit Firefox and restart it.
SurfBuyer isn’t a virus, but it is malware and will display intrusive adverts on your Mac, interrupting web browsing. It may also steal data, such as your IP address and search queries, so you should remove it as soon as you notice it. Fortunately, removing it isn’t too difficult. And if getting rid of it manually takes too long, you can use CleanMyMac X to help!