Just run scan with Unhack me in safe mode.
Some malware has violated Windows Policy by modifying special registry entries!
Hi Microsoft staff,
Recently, some malware that seems to be new has infested my computer.
I tried to get rid of it with the help of friendly Firefox support staff; now I am just one step away from completely getting rid of it.
More information about this malware could be found here: https://support.mozilla.org/en-US/questions/1207901
Now I just want to know how to correct some registry entries without destroying the Windows structure. Please help.
Here are those 4 entries:
1.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
2.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
"YahooMusicEngine.exe"=dword:00000001
3.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
"YahooMusicEngine.exe"=dword:00000001
4.
[HKEY_USERS\S-1-5-21-1981202106-4247340770-1964091639-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
It should be noted that the non-binary data of the "DoNotAskAgain" keys is:
imp.ytdwld.com
search.yahoo.com
Please help me get rid of this headache.
Locked Question. This question was migrated from the Microsoft Support Community.
9 answers
-
Anonymous
2018-03-17T19:38:19+00:00
-
Anonymous
2018-03-17T19:13:02+00:00
I have tested several malware scanners; it was AdwCleaner that removed it in safe mode (after restart).
As I said in the first post, I have solved other parts of this infection with the help of friendly people at the Firefox forum. (You can read about the process in the link to the Firefox support forum.)
Currently, Yahoo traces can only be found in those 4 registry entries.
I knew how to export registry keys, so I did; then I copied what was inside those 4 .reg files and pasted the information in the first post.
I have never installed any Yahoo app in my current Windows, and that "YahooMusicEngine.exe" file is nowhere to be found, so #2 and #3 are fishy.
Anyway, I said to myself that probably deleting #2 and #3 wouldn't cause any harm, but #1 and #4 bear a warning message from Microsoft, so I came here.
You mean that I can safely delete DoNotAskAgain DWORD values and if a problem appeared, double-clicking on those .reg files solves the matter?!? (those keys are protected)
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.