What is ONFIND?
ONFIND is a new browser extension that reroutes the users’ web browsing results to Boyu.com.tr. This piece of software, which we recently discovered, functions as a browser hijacker, diverting all queries from default search engines to others that the owners of the extension are promoting.
Unfortunately, it is not easy for the average user to uninstall this browser plugin once it gets installed. The developers use hard-code injection to make you unable to remove the ONFIND extension from the extensions tab, and that calls for more complex steps to get rid of it entirely.
What issues can ONFIND cause?
As a browser hijacking extension, ONFIND is a type of potentially unwanted software that can interfere with the normal functionality of any browser. It has questionable traits that allow it to watch what the user does when they browse, record what the user types, (and log these keywords). At worst, it even has the potential to take over the microphone and cameras whenever the user opens the affected internet browser. The most disturbing trait, however, is the ability to change the browser settings for the benefit of its authors without asking for direct approval.
Some of these modifications might include tweaks to the tabs’ appearance and—more significantly—the default search engine of the browser. It also resembles two similar extensions—Guardian Angel and NymphMiniica—that have been previously exposed on this website.
In addition, the ONFIND extension sets browser policies that make the browser operate in a “managed by an organization” state. This gives the malware creators the ability to define rules that keep the hijacker operational in the background of the system.
How does ONFIND operate?
ONFIND basically works by assigning a new search engine as the default in the browser settings. In this way, when a user enters a URL, they will be redirected to the first redirect URL (Findflarex.com), which is directly related to the extension. Then, this will ultimately lead them to Boyu.com.tr, instead of the standard Google.com search results.
These redirects allow us to assume that Boyu.com.tr, Findflarex.com, and the ONFIND extension were all created by the same author. Our further inspection indicates that the search results on the browser hijacker website are full of affiliate links and advertisements, from which the ONFIND creator gets paid when a user clicks on them. This is a common practice in which many developers use browser hijacking to make money.
Unfortunately, if you try to remove the intrusive software, you will notice that the usual “Delete” button is inoperable and there is also no “Disable” option. This makes the uninstallation process more challenging. Even if you go to the browser directory and remove ONFIND from the extensions’ folder, the next time you launch the browser, it will most probably be there again.
How does ONFIND distribute and install itself?
Similarly to other browser hijacking pieces of software, ONFIND is commonly distributed in a bundle with some other attractive-looking apps and browser add-ons.
The extension, particularly, is frequently downloaded by accidently clicking on advertisements on torrenting networks and websites that distribute pirated software or file-sharing services.
Many people easily fall for these distribution tactics because they fail to skip the numerous adverts that may appear on their screen before downloading the actual software they want. In some cases, they won’t even find the software they were searching for in the first place, but they may end up with a bunch of browser hijackers.
The image above displays a fraudulent download page from a risky file-sharing website that installs the ONFIND extension along with other dangers. If you come across this or a similar page, remember not to run any files you download from there, especially if they are just a few megabytes in size and have a generic name like Setup.exe or File.exe.
Why you should remove ONFIND ASAP?
Long-term use of the ONFIND browser extension may unintentionally expose users to dangerous online content, so it is best to remove it from the browser. For example, if you carelessly click on some of its sponsored links or advertisements, you might become infected with ransomware or a Trojan Horse (this is just an example, not a proven fact).
The same thing might occur if a redirect lands you on a compromised website. This software also provides poor search results, which could make browsing downright irritating and unpleasant. Not to mention the modifications it makes to the browser, which might be used maliciously in the future.
SUMMARY:
| Name | ONFIND |
| Type | Adware/Browser Hijacker |
| Detection Tool |
Remove ONFIND Extension Virus
To try and remove ONFIND quickly you can try this:
- Go to your browser’s settings and select More Tools (or Add-ons, depending on your browser).
- Then click on the Extensions tab.
- Look for the ONFIND extension (as well as any other unfamiliar ones).
- Remove ONFIND by clicking on the Trash Bin icon next to its name.
- Confirm and get rid of ONFIND and any other suspicious items.
If this does not work as described please follow our more detailed ONFIND removal guide below.
If you have a Windows virus, continue with the guide below.
If you have a Mac virus, please use our How to remove Ads on Mac guide.
If you have an Android virus, please use our Android Malware Removal guide.
If you have an iPhone virus, please use our iPhone Virus Removal guide.
Some of the steps may require you to exit the page. Bookmark it for later reference.
Next, Reboot in Safe Mode (use this guide if you don’t know how to do it).
Uninstall the ONFIND app and kill its processes
The first thing you must try to do is look for any sketchy installs on your computer and uninstall anything you think may come from ONFIND. After that, you’ll also need to get rid of any processes that may be related to the unwanted app by searching for them in the Task Manager.
Note that sometimes an app, especially a rogue one, may ask you to install something else or keep some of its data (such as settings files) on your PC – never agree to that when trying to delete a potentially rogue software. You need to make sure that everything is removed from your PC to get rid of the malware. Also, if you aren’t allowed to go through with the uninstallation, proceed with the guide, and try again after you’ve completed everything else.
- Uninstalling the rogue app
- Killing any rogue processes
Type Apps & Features in the Start Menu, open the first result, sort the list of apps by date, and look for suspicious recently installed entries.
Click on anything you think could be linked to ONFIND, then select uninstall, and follow the prompts to delete the app.
Press Ctrl + Shift + Esc, click More Details (if it’s not already clicked), and look for suspicious entries that may be linked to ONFIND.
If you come across a questionable process, right-click it, click Open File Location, scan the files with the free online malware scanner shown below, and then delete anything that gets flagged as a threat.
After that, if the rogue process is still visible in the Task Manager, right-click it again and select End Process.
Undo ONFIND changes made to different system settings
It’s possible that ONFIND has affected various parts of your system, making changes to their settings. This can enable the malware to stay on the computer or automatically reinstall itself after you’ve seemingly deleted it. Therefore, you need to check the following elements by going to the Start Menu, searching for them, and pressing Enter to open them and to see if anything has been changed there without your approval. Then you must undo any unwanted changes made to these settings in the way shown below:
- DNS
- Hosts
- Startup
- Task
Scheduler - Services
- Registry
Type in Start Menu: View network connections
Right-click on your primary network, go to Properties, and do this:
Type in Start Menu: C:\Windows\System32\drivers\etc\hosts
Type in the Start Menu: Startup apps
Type in the Start Menu: Task Scheduler
Type in the Start Menu: Services
Type in the Start Menu: Registry Editor
Press Ctrl + F to open the search window
Remove ONFIND from your browsers
- Delete ONFIND from Chrome
- Delete ONFIND from Firefox
- Delete ONFIND from Edge
- Go to the Chrome menu > More tools > Extensions, and toggle off and Remove any unwanted extensions.
- Next, in the Chrome Menu, go to Settings > Privacy and security > Clear browsing data > Advanced. Tick everything except Passwords and click OK.
- Go to Privacy & Security > Site Settings > Notifications and delete any suspicious sites that are allowed to send you notifications. Do the same in Site Settings > Pop-ups and redirects.
- Go to Appearance and if there’s a suspicious URL in the Custom web address field, delete it.
- Firefox menu, go to Add-ons and themes > Extensions, toggle off any questionable extensions, click their three-dots menu, and click Remove.
- Open Settings from the Firefox menu, go to Privacy & Security > Clear Data, and click Clear.
- Scroll down to Permissions, click Settings on each permission, and delete from it any questionable sites.
- Go to the Home tab, see if there’s a suspicious URL in the Homepage and new windows field, and delete it.
- Open the browser menu, go to Extensions, click Manage Extensions, and Disable and Remove any rogue items.
- From the browser menu, click Settings > Privacy, searches, and services > Choose what to clear, check all boxes except Passwords, and click Clear now.
- Go to the Cookies and site permissions tab, check each type of permission for permitted rogue sites, and delete them.
- Open the Start, home, and new tabs section, and if there’s a rogue URL under Home button, delete it.
How to protect from browser hijackers like ONFIND in the future?
Long-term maintenance of your device will be made easier with the help of the following information and advice:
Check to see if all of your software is current.
Make sure every software on your computer is running the most recent version that the developer has made available. Malware actors often take advantage of bugs and issues that are fixed by these updates. To prevent malware from exploiting a security flaw, make sure Windows is updated as well.
Don’t download files from unidentified sources.
Third-party installations are one of the main ways that malware infects a computer system. This happens when a user downloads a particular program from sources other than the official download links. Games, cracked software, and torrent files are a few of the frequently encountered sources of malware.
Avoid visiting dubious websites.
Stay away from websites with unfiltered ads, such as those that stream illegally, platforms that offer cracked software, and links that you receive from people you don’t trust. These websites frequently have links to redirect chains that load when you click on one of the page’s advertisement elements. Following this trail frequently results in phishing pages and drive-by malware that the typical user might eventually overlook.
Use caution when opening attachments from emails.
Threat actors frequently send thousands of these infected emails to regular users and company employees worldwide in an attempt to break into their network. Most types of malware frequently poses as attachments and documents. That’s why, it is advisable to regularly verify the source of your emails. It is possible that a project attachment you received through email did not originate from a coworker.
Leave a Comment