Some malware has violated Windows Policy by modifying special registry entries!

Hi Microsoft staff

Recently, some malware that seems to be new has infested my computer.

I tried to get rid of it with the help of the friendly Firefox support staff; now I am just one step away from completely getting rid of it.

More information about this malware can be found here: https://support.mozilla.org/en-US/questions/1207901

Now I just want to know how to correct some registry entries without destroying the Windows structure. Please help.

Here are those 4 entries:

1.


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
  4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
  38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
  64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
  00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00

2.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
"YahooMusicEngine.exe"=dword:00000001

3.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
"YahooMusicEngine.exe"=dword:00000001

4.

[HKEY_USERS\S-1-5-21-1981202106-4247340770-1964091639-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
  4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
  38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
  64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
  00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00

It should be noted that the non-binary data of the "DoNotAskAgain" keys is:

imp.ytdwld.com
search.yahoo.com

Please help me get rid of this headache.

Last updated October 10, 2018
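As an added example (not part of the original thread, and not a Microsoft tool), this Python sketch parses a regedit export, joins the backslash-continued hex lines, and decodes each value by type, so the `hex(7)` (REG_MULTI_SZ) data in `DoNotAskAgain` can be read without hand-converting bytes. The sample input is entry 1 copied from the question above; the function names `decode` and `parse_reg` are illustrative.

```python
import re

# Entry 1 copied from the question above (a regedit export); not constructed data.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
  4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
  38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
  64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
  00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
'''

VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"=(?P<kind>dword|hex)(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$')

def decode(kind, hextype, data):
    """Turn one exported value into (type_label, decoded_value)."""
    if kind == 'dword':
        return ('REG_DWORD', int(data, 16))
    raw = bytes(int(b, 16) for b in data.split(',') if b.strip())
    if hextype is None:                  # plain "hex:" is REG_BINARY
        return ('REG_BINARY', raw)
    t = int(hextype, 16)
    if t == 7:   # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, extra NUL at the end
        text = raw.decode('utf-16-le', errors='replace')
        return ('REG_MULTI_SZ', [s for s in text.split('\x00') if s])
    if t == 2:   # REG_EXPAND_SZ: a single UTF-16LE string
        return ('REG_EXPAND_SZ', raw.decode('utf-16-le', errors='replace').rstrip('\x00'))
    return (f'type 0x{t:x}', raw)        # other types are left as raw bytes

def parse_reg(text):
    """Return {key_path: {value_name: (type_label, decoded_value)}}."""
    # A trailing backslash means the hex data continues on the next line.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m['name']] = decode(m['kind'], m['type'], m['data'])
    return keys

if __name__ == '__main__':
    for key, values in parse_reg(SAMPLE).items():
        for name, (label, value) in values.items():
            print(f'{name}: {label} = {value!r}')
```

Running it on an export taken before any deletion gives a readable record of what each value held, alongside the .reg backup itself.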

Have you checked Control Panel > Programs and Features for imp.ytdwld.com (or similar), search.yahoo.com, or any other program you don't remember installing that might be causing this problem?

Most users report that Malwarebytes and Zemana remove a Yahoo search redirect. Curious that they didn't work for you.

https://malwaretips.com/blogs/yahoo-toolbar-removal/

About those Registry keys...

With a stock Windows 7 installation, and no hijack or redirect or Yahoo problems, I have the same keys/values in #2 and #3 that you have. I don't think you need to change those.

In #1 and #4 I don't have the DoNotAskAgain DWORD Values at all.

You know how to backup/export the Registry, right?

I would backup the Registry then delete those DoNotAskAgain DWORD values.

If there's a problem after deleting those DWORD values, restore that Registry backup.

Don


I have tested several malware scanners; it was AdwCleaner that removed it in safe mode (after restart).

As I said in the first post, I have solved other parts of this infection with the help of friendly people at the Firefox forum. (You can read about the process in the link to the Firefox support forum.)

Currently, Yahoo traces can only be found in those 4 registry entries.

I knew how to export registry keys, so I did; then I copied what was inside those 4 .reg files and pasted the information in the first post.

I have never installed any Yahoo app in my current Windows, and that "YahooMusicEngine.exe" file is nowhere to be found, so #2 and #3 are fishy.

Anyway, I said to myself that probably deleting #2 and #3 wouldn't cause any harm, but #1 and #4 bear a warning message from Microsoft, so I came here.

You mean that I can safely delete the DoNotAskAgain DWORD values and, if a problem appeared, double-clicking on those .reg files would solve the matter?!? (those keys are protected)


Let's back up. Are you seeing any signs of a hijack? Has Yahoo taken over in some visible way? Are you able to select the default Search Provider for any browsers you're using and have those selections stick?

You may be trying to solve a non-problem.

Don


Just run a scan with UnHackMe in safe mode.

2 people were helped by this reply
