Browser hijackers are among the most common types of malware on both Mac and PC. They present themselves as a better way to surf the web or even ‘the perfect way to surf the web’ but in reality harvest your browsing data, redirect your browser, and display adverts for questionable products and services. SafeFinder is one such browser hijacker.


What is SafeFinder?

Just like real viruses, computer viruses also mutate. The creators behind SafeFinder may soon change certain details about this virus to evade detection. So technically, it doesn't matter if the virus is called "Safefinder", "EasySearch", or has any other fake name. What we deal with is the whole category of malware that overtakes your browser search. 

Name

SafeFinder search redirect

CategorymacOS browser hijacker, adware redirect
Also known as

SafeFinder for Mac, SafeFinder.biz

SymptomsOverrides the default search engine, displays ads
Infection method

Flash Player updater, pirated apps

System damageInstalls malicious profiles, hijacks Safari preferences
RemovalCleanMyMac X anti-virus, Malwarebytes

The SafeFinder virus is a category of malware known as a ‘potentially unwanted program’ or PUP for short. PUPs can take many forms but the one thing they have in common is that they are usually downloaded inadvertently because they are bundled with apparently legitimate software. 

SafeFinder virus

In SafeFinder’s case, once downloaded and installed, it hijacks your web browser, in much the same way as Chumsearch and Any Search. When you launch your web browser after SafeFinder has installed itself, your homepage will have changed to search.safefinderformac.com, search.macsafefinder.com, or search.safefinder.com. When you type a search query into the box, the search is eventually redirected to Yahoo, but in the meantime, SafeFinder may have gathered information from your browser and forwarded it to a central server. It may also display adverts and slow down your browser. So how to get rid of SafeFinder? First, we’ll perform some diagnostics.

How to tell if SafeFinder has infected your Mac

The most noticeable change will be what you see as soon as you launch a web browser, its homepage has been changed to a web address that includes the term ‘safefinder’.

The most common way that browser hijackers are downloaded is by bundling with other apps or tools. In SafeFinder’s case, it appears like it is bundled in media apps named NicePlayer or MPlayerX. The latter used to be one of the best media players on the Mac for playing files directly from a high-definition digital video camera and is still in the Mac App Store. However, it hasn’t been updated in several years and it appears that hackers now use it to bundle malware. So you shouldn’t download it from anywhere other than the Mac App Store.

The last few versions of macOS have a tool called GateKeeper which allows you to only download apps from either the Mac App Store alone or the Mac App Store and developers whom Apple trusts. However, it is possible to override GateKeeper on a case-by-case basis, and if you’re running an older version of macOS, you won’t be protected at all.

How to remove SafeFinder from your Mac

Step 1: Remove SafeFinder from your Applications folder

  1. Go to your Applications folder and look for any apps that you don’t recognize or that look suspicious. In particular, look out for apps with SafeFinder in their name, as well as NicePlayer, and if you haven’t downloaded it from the Mac App Store, MPlayerX. 
  2. If you find any apps in step 1, drag them to the Trash and empty it. 
  3. Launch System Preferences from the Apple menu. 
  4. Look in the bottom row for a pane called Profiles. If it’s there, click on it. 
  5. Click on the profile called ‘AdminPrefs’ and press the ‘-‘ at the bottom of the window to remove it.

Step 2: Check your Login Items

Some PUPs add themselves to your Login Items so that they launch at startup. Although you’ve now removed SafeFinder, for completeness you should also remove its Login Item.

  1. Go to System Preferences and choose Users & Groups.
  2. Click on your username and then the padlock, and type in your password.
  3. Choose the Login Items tab, check the box next to the SafeFinder Login Item and then press ‘-‘

Step 3: How to remove SafeFinder from your browsers 

What we'll do is reset the homepage to its default state. 

Remove SafeFinder from Safari

  1. Launch Safari, click on the Safari menu, and choose Preferences.
  2. Select the General tab and next to ‘Homepage’ type the URL of the site you want to use as your homepage.
  3. Select the Search tab, and choose the search engine you want to set as the default. 

Also, you need to remove Safari preferences. This is a special logbook that's located in Library on your Mac. Don't worry: if you delete the infected Preference file, it will be auto-created without virus entries in it.

Click on the Finder and choose Go in the top menu.
Choose Go to Folder...
Paste in: 

~/Library/Preferences/com.apple.Safari.plist

Delete the file  — if it's there. Restart your Safari browser.

Step 4: Remove SafeFinder from Chrome

  1. Launch Chrome. 
  2. Choose the Settings icon in the left of the window (it looks like three horizontal lines stacked on top of each other), or type “chrome://settings” into the address bar.
  3. Select “on startup” and check the button next to Open a specific page or set of pages.”
  4. Press the “More” button (three dots, one above the other).
  5. Choose “edit” and type or paste the address of the homepage you want to use into the text box. 
  6. Click Save. 
  7. Choose Settings again and select “search engine.” 
  8. Click on “manage search engines” and press the “more” button next to SafeFinder and choose “remove from list.”
  9. Select the dropdown menu next to “Search engine used in the address bar” and choose the search engine you want to use.

How to remove SafeFinder in a click 

If all that seems like a long process, there is another option. CleanMyMac X has a malware removal tool that can remove SafeFinder at the click of a couple of buttons. It works like this:

  1. Download the free version of CleanMyMac X (Apple-notarized edition).
  2. Choose Malware Removal and press Scan.
  3. When it finds SafeFinder, press Remove.

And that’s it, gone. The malware removal tool uses a regularly updated database to check whether what it finds on your Mac is malware. If it finds it, you can remove it quickly and easily. If it finds nothing, it will give your Mac a clean bill of health, and you can relax. 

Other ideas to try

  • Uninstall your browsers and download them again.
  • Create a new user profile on your Mac.
  • Roll back your Mac to the past state using Time Machine.

SafeFinder is a browser hijacker that takes the form of a PUP. It’s most often bundled with seemingly legitimate software and installed without the user even noticing. The only sign that you have the SafeFinder virus is that the homepage of your web browser will redirect to a SafeFinder search page. Fortunately, it’s not too difficult to remove it, though if you use several different browsers, you’ll have to remove it from each one. The easiest way to remove it, however, is to use the malware utility in CleanMyMac X, which will identify it and allow you to remove it quickly.