This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Constantly redirected by annoying malware "Safe Finder Yahoo Search"

more options

Please help!

For the last 2 days this malware has taken over my firefox browser! First I noticed that my homepage and new user tab was changed and redirected to safe finder. Even though I was able to fix that through a Firefox refresh, my browser still redirects to this safe finder yahoo search engine, whenever I try to visit a url directly or use the search bar or even use one of Firefox settings options (e.g. add-ons and options).

I've signed out of my firefox account, refreshed firefox twice and deleted the old firefox data folders each time. I installed avast and malwarebytes (windows defender win.10 was useless) to do a scan and moved some viruses to the chest during reboot. Then I went into safe mode and uninstalled firefox, checked all my processes although I didn't see any suspicious programs in my task manager and then followed with a disk cleanup before rebooting.

I still have these problems after reinstalling firefox and even in safe mode I still get redirected. Help!??

"http://r.search.yahoo.com"

"http://r.search.yahoo.com/_ylt=A0LEVvDibglXWDwA9twXFwx./RV=2/RE=1460264803/RO=10/RU=http%3a%2f%2fwww.safefinder.net%2findex1.html/RK=0/RS=WFKZj9_uqq8LqbTzbGo6VtWbPw0-"

Please help! For the last 2 days this malware has taken over my firefox browser! First I noticed that my homepage and new user tab was changed and redirected to safe finder. Even though I was able to fix that through a Firefox refresh, my browser still redirects to this safe finder yahoo search engine, whenever I try to visit a url directly or use the search bar or even use one of Firefox settings options (e.g. add-ons and options). I've signed out of my firefox account, refreshed firefox twice and deleted the old firefox data folders each time. I installed avast and malwarebytes (windows defender win.10 was useless) to do a scan and moved some viruses to the chest during reboot. Then I went into safe mode and uninstalled firefox, checked all my processes although I didn't see any suspicious programs in my task manager and then followed with a disk cleanup before rebooting. I still have these problems after reinstalling firefox and even in safe mode I still get redirected. Help!?? "http://r.search.yahoo.com" "http://r.search.yahoo.com/_ylt=A0LEVvDibglXWDwA9twXFwx./RV=2/RE=1460264803/RO=10/RU=http%3a%2f%2fwww.safefinder.net%2findex1.html/RK=0/RS=WFKZj9_uqq8LqbTzbGo6VtWbPw0-"

Chosen solution

Hi Phoxuponyou

Thank you so much for the suggestions.

I dug deeper into the safe finder website and found that it was run by "Linkury" (contact@SafeFinder.com, http://search.safefinder.com/?st=dd&q). Still nothing came up in the registry or anywhere so I went back into malware bytes to do another scan. I noticed that it wasn't set up to act on threats so I went into all the settings and reset to "recommended settings" (not sure how they got mixed up...i just downloaded the program yesterday). Activated the upgraded trial and ran the scan again and was able to get rid of 600+ detected items - including the "linkury' malware! Yayyyy

It was mostly saved in my programdata folder under some file named "medtrax" but similar files were showing up everywhere. The crap was quarantined and then permanently deleted with a reboot. FIrefox is working perfectly again!! :) :)

If anyone is interested, I have attached screenshots of the "detected items". I'd REALLY like to know how these got into my computer...have they been dormant in my temporary folder for some time or from a recent visit to a website? Anyone have a clue?

Read this answer in context 👍 1

All Replies (3)

more options

It looks like "Safe Finder" is an external program, so no matter what you do to your browser, Safe Finder will come back if you do not root it out from your system. I am slightly surprised MBAM did not take care of it, but not all scanners catch all threats. Some may even treat these horrible add-ons, usually toolbars, as legitimate tools installed by users (as they may have been).

First, I would recommend you try the Mozilla KB instructions for malware cases: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware#w_how-do-i-get-rid-of-malware_2. That array of scanners has yielded good results in the past, although this is the first time I've come across Safe Finder.

If you'd like to try manually:

  1. Look for installed instances. Go into Apps & features in Windows 10 and uninstall any instances of Safe Finder. This is safe for anyone to do.
  2. Look for files. Go into Program Files and look for the Safe Finder folder, possibly under Yahoo. Move folder to trash bin. Riskier, but if the folder is clearly titled Safe Finder, it's a pretty safe bet that's the one.
  3. Look for registry entries. Press Win+R to open the Run prompt, type regedit and press Enter. Search for and delete "Safe Finder" entries. HIGH RISK, ONLY PERFORM IF YOU ARE FAMILIAR WITH REGISTRY OPERATIONS
  4. Restore Firefox settings. Change your homepage at about:preferences, check your search engines at about:preferences#search. Check the Extensions and Plugins tabs at about:addons for mentions of Yahoo or Safe Finder - uninstall or disable as appropriate.
  5. Finish up with a cleaner like CCleaner, http://www.piriform.com/ccleaner, and the scanners mentioned above.

Did the scanners work? Did you find the installed instance in Windows?

Modified by Phoxuponyou

more options

Suluhisho teule

Hi Phoxuponyou

Thank you so much for the suggestions.

I dug deeper into the safe finder website and found that it was run by "Linkury" (contact@SafeFinder.com, http://search.safefinder.com/?st=dd&q). Still nothing came up in the registry or anywhere so I went back into malware bytes to do another scan. I noticed that it wasn't set up to act on threats so I went into all the settings and reset to "recommended settings" (not sure how they got mixed up...i just downloaded the program yesterday). Activated the upgraded trial and ran the scan again and was able to get rid of 600+ detected items - including the "linkury' malware! Yayyyy

It was mostly saved in my programdata folder under some file named "medtrax" but similar files were showing up everywhere. The crap was quarantined and then permanently deleted with a reboot. FIrefox is working perfectly again!! :) :)

If anyone is interested, I have attached screenshots of the "detected items". I'd REALLY like to know how these got into my computer...have they been dormant in my temporary folder for some time or from a recent visit to a website? Anyone have a clue?

more options

Good to hear you got it sorted! MBAM usually takes care of business, but it is not flawless.

Searching online for the PUP IDs, they mostly point to software bundling. This is how a lot of "crap" gets installed: user wants program A, so the developer or distributor bundles malwares 1 and 2 in the installer for program A so the user installs the crap along with what they wanted.

Even mostly-reputable vendors like Adobe do it (with McAfee antivirus, Chrome, etc. "offered" as "an option" with the Flash Player plugin). The difference between the reputables and the malicious is that the latter may hide, obfuscate or plain deny the selection to opt out of the package (i.e. the crap). All share the characteristic of pushing needless software onto unsuspecting users, which may cause conflicts with existing software (existing antivirus and browsers, in the case of Adobe) and unwanted changes to their system.

IMO never install bundled stuff. At best it's just extra crap burdening your system, at worst it is malicious stuff that hijacks it!

The best way to avoid running into it is to use known-good software, download it from official sources only and always deny any additional software offered. This should only leave actual attacks and virus infections to deal with.