Removing search engines from Safari installed maliciously

Short version: where are settings/prefs of the (OS is Big Sur) Safari Search Engines located?
Long version: Got a call/email from an old contact. She is an artist/designer/teacher and started having email issues. Sent me screen shot of her Connection Doctor of Apple Mail (I didn’t ask so, I am glad she is atleast trying to resolve on her own). She could get mail on her phone and via her browsers on her mac, but not Apple Mail. And her setting were correct. So I asked, anything else weird or suspicious. And behold, she confirmed her search page kept changing from Google to marquis or baron. Asked if she uses any antivirus/antimalware and she said no. Pointed her to MBAM and asked her to try it (but buy it if it works is always my motto).
Week goes by and get email. Found 20+ things called PUPs (Potentially Unwanted Programs). And tada, email works now. So I ask if the search thing is still going on and she confirmed. Did a remote session and reset Chrome, found a suspicious login item, fixed her Firefox (tip: some people still do not know how to install apps… they incorrectly alias the app in the image download-if the download is deleted, the alias breaks. DMG mounted installers may indicate to “drag the FF icon onto the Applications Icon” in the opened download. Just drag it ontop and it will copy. Then drag the app from the application folder to spot on the dock, if you want). Firefox was 20 versions behind. Now Safari had some Capital One shopping extension, along with app in the application folder and this was likely the payloader. But MBAM didn’t flag it. I removed the extension, and the app. Made sure search engine now was Google but saw one in the Search Engines pull down (Safari/Preferences/Search) that was Ecosia?
I couldn’t figure out how to remove it. Wasn’t in ~lib or lib Internet Plugins or Extensions, nor in the Application Support, Launch agents or daemon directories. Did find some application support items of the Capital One shopping and purged. Found a suspicious Configuration Profile and removed. Cleared out cache of Safari and any extensions. But I wonder where the items of the Safari Search Engines is stored. Any ideas?
(note, after some discussion, its possible she fell for an Adobe Flash Updater trap…I cleared all traces of Flash and confirmed nothing she had would need it, and found the rogue AdobeFlàshUpdater installer in her downloads…).

Try looking in System Preferences to see if there is a Profiles tab. If there is one, I believe that a lot of search hijacks happen when a profile is installed.

I have a profile installed myself, but I put it there myself to allow the Mail app to access the Proton Mail bridge app to get my mail. Most people shouldn’t have profiles on home computers.

Oh, and also look in the network pane of System Preferences. Click the advanced button for the network interface used by that computer and then the proxies tab. See if there are any set up. I think that web and secure web proxies are used to hijack searches.

And to answer the question, Safari preferences, Search tab, is where the default search engine is set b

Ecosia wasn’t “installed maliciously”, it’s one of Safari’s standard search engine options in recent releases, you can’t remove it. It’s the same with all the search engines in the dropdown, you can’t add or remove from those options. Ecosia is a search engine that uses proceeds from your searches to fund tree planting projects in various countries.

DuckDuckGo and Ecosia are the only privacy-respecting search options built in to Safari.

Ah! I didn’t know since I am not on Big Sur (I’m on Safari on Mojave

and it doesn’t have Ecosia). So then her mac is clean. :slight_smile:

1 Like

I had cleaned the profiles (there was something there, jibberish and some code). And I checked network prefs for proxies. Thanks! All good tips.

I’m on Mojave too – if you apply the most recent updates, it includes Ecosia as a search engine (I think this was two Safari updates ago on Mojave).

1 Like

And so… I realized that my updates are turned off, and on 14.01. of Safari. So now, I did a security update and Safari update to 14.0.3 and there is Ecosia in the Search Engine options. Thanks again, Jolin! :no_mouth:

1 Like

We really do try to cover all this stuff. :slight_smile: Ecosia is mentioned in our coverage of macOS 11.1 and the other December updates.

1 Like

Many readers are not at the latest version when you report on things.

When I ever feel safe to move from Mojave (because of unresolved Mail loss reports), will I remember everything that’s been published on Catalina and Big Sur? All the tricks and gotchas that early adopters have long ago solved?

1 Like

I’m usually on the ball (but no thanks to Covid) with updates, but I too, am on Mojave, and the 11.1 mention of the Safari update was skimmed; because I don’t and cannot install Big Sur on my current Mac mini (2012).
@ace Thank you for the coverage! I missed that and made a note to the friend to “you need to sub to Tidbits!” :slight_smile:

Undoubtedly not, sadly. That’s unfortunately one of the costs of delaying upgrades. But simultaneously, I wouldn’t stress about it because there are so vastly many more details than there used to be that you can never even read them all, much less remember them. I certainly don’t. :slight_smile:

My nudge was more in the direction of “You can search TidBITS for answers before asking in TidBITS Talk.”

Or search TidBITS Talk for previous discussions:

Good info on searching Tibits!

Re moving to Big Sur - I went and had no mail loss probs. I do a lot - a lot - of email each day and have a lot stored.

I was hesitant to upgrade because of the reports - but did an pretty seamless!


For what it’s worth, the Capital One shopping extension (available for pretty much every major browser) is legit (well, if it’s the real thing), if you consider letting a financial institution know your browsing and buying habits is OK. It’s like Honey: looks for coupons for any item on any vendor page.

I found a new and exciting strain of malware on a client’s machine the other day – the giveaway was that Safari stayed on Bing even after MalwareBytes allegedly removed what it found (which, I think, was actually an earlier infection). There were two files, mmproxy and mmproxyd, saved into /Library/PreferencePanes (though they didn’t show visually in System Preferences), and an item in /Library/LaunchDaemons to kick it off. Googling those turned up nothing. MalwareBytes didn’t detect this at all, so I assume it’s new. While I usually have to do clean-up work and sometimes remove rogue Chrome extensions after running it, I don’t think I’ve ever seen it totally fail to detect something major.