
Every time that I close Firefox, my default search changes to "Yahoo! Search Engine"!
Hi friendly people,
Title explains my current problem. Deleting that search engine is no use, it resets back on Firefox relaunch!
"MalwareBytes", "Microsoft Security Essentials" and "Zemana AntiMalware" didn't help. Last one finds the malware but is not powerful enough to delete it!
Then I launched regedit and searched for "yahoo". I found some results but according to the name of above folder, I am not sure whether to delete those keys or what!!! You can read name of that folder from below bar.
Please help me get rid of this headache.
Thanks in advance.
Chosen solution
can you boot into windows safemode with networking once and see if adwcleaner works uninterrupted there? https://support.microsoft.com/en-us/help/17419/windows-7-advanced-startup-options-safe-mode
All Replies (16)
esmetozerbezan said
Then searched for "yahoo" on my HDD. Among results, there was a folder with a name like "yahoo + +" somewhere under FireFox folders, which I deleted. Also "yahoo-lavasoft.xml" has been found, but there is no trace of its location!!! Right-click does not work upon this search result!!! Also one of the results has title of this web page and I can not right-click on it too!
Which folders did you search under? Program folders or profile (settings) folders?
This article describes how to launch your currently active profile folder in a new Windows Explorer window: Profiles - Where Firefox stores your bookmarks, passwords and other user data.
Do you still have suspicious files in these locations like posted on page 1?
You can look for a file named dsengine.js in these locations. You should only find channel-prefs.js in the "defaults\pref" location. Any file found here apart from channel-prefs.js is suspicious. You can check the content of the file in a text editor (use open with and do not double-click the file).
C:\Program Files\Mozilla Firefox\defaults\pref\
C:\Program Files (x86)\Mozilla Firefox\defaults\pref\
You can look for a file named dsengine.cfg in the main Firefox program folder.
C:\Program Files\Mozilla Firefox\
C:\Program Files (x86)\Mozilla Firefox\
Delete the dsengine.js and dsengine.cfg files when present.
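Added example, not part of the original replies: a Python script that applies the checks described above to one Firefox program folder. It reports every file in defaults\pref other than channel-prefs.js and every .cfg file in the main folder, noting whether a defaults\pref script names it through the general.config.filename preference (the setting Firefox's AutoConfig feature uses to load a .cfg file). The function name is this example's own.

```python
import re
from pathlib import Path

# Only file a stock install keeps in defaults/pref, per the reply above.
EXPECTED_PREF_FILES = {"channel-prefs.js"}
# AutoConfig is switched on by a pref naming a .cfg file in the program folder.
CONFIG_PREF = re.compile(
    r'pref\(\s*"general\.config\.filename"\s*,\s*"([^"]+)"\s*\)')


def audit_firefox_install(install_dir):
    """Return (path, reason) findings for one Firefox program folder.

    Hypothetical helper written for this example; it only reads files.
    """
    root = Path(install_dir)
    findings = []
    referenced = set()
    pref_dir = root / "defaults" / "pref"
    if pref_dir.is_dir():
        for f in sorted(pref_dir.iterdir()):
            if not f.is_file() or f.name.lower() in EXPECTED_PREF_FILES:
                continue
            findings.append((f, "unexpected file in defaults/pref"))
            text = f.read_text(encoding="utf-8", errors="replace")
            referenced.update(n.lower() for n in CONFIG_PREF.findall(text))
    if root.is_dir():
        for f in sorted(root.glob("*.cfg")):
            if f.name.lower() in referenced:
                reason = "AutoConfig file loaded by a defaults/pref script"
            else:
                reason = "config file in program folder (not referenced)"
            findings.append((f, reason))
    return findings


if __name__ == "__main__":
    # The two program folders listed in the reply above.
    for d in (r"C:\Program Files\Mozilla Firefox",
              r"C:\Program Files (x86)\Mozilla Firefox"):
        for path, reason in audit_firefox_install(d):
            print(f"{path}: {reason}")
```

Read each reported file in a text editor before deleting it; managed installations use the same AutoConfig mechanism legitimately.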
philipp said
can you boot into windows safemode with networking once and see if adwcleaner works uninterrupted there? https://support.microsoft.com/en-us/help/17419/windows-7-advanced-startup-options-safe-mode
I know how to launch windows in safe mode, but why should I try it in safe mode with "with networking"?!?!?
jscher2000 said
esmetozerbezan said
Then searched for "yahoo" on my HDD. Among results, there was a folder with a name like "yahoo + +" somewhere under FireFox folders, which I deleted. Also "yahoo-lavasoft.xml" has been found, but there is no trace of its location!!! Right-click does not work upon this search result!!! Also one of the results has title of this web page and I can not right-click on it too!
Which folders did you search under? Program folders or profile (settings) folders?
This article describes how to launch your currently active profile folder in a new Windows Explorer window: Profiles - Where Firefox stores your bookmarks, passwords and other user data.
I searched under "Computer" meaning that everywhere has been searched. I said it before that I have managed to remove that malware search engine from inside FireFox and then removed "yahoo + +" folder; well, that folder was somewhere under "FireFox" and then under "Profile" folder.
Now I just have to correct those special entries in Registry and remove those files that AdwCleaner has found.
cor-el said
Do you still have suspicious files in these locations like posted on page 1?
You can look for a file named dsengine.js in these locations. You should only find channel-prefs.js in the "defaults\pref" location. Any file found here apart from channel-prefs.js is suspicious. You can check the content of the file in a text editor (use open with and do not double-click the file).
C:\Program Files\Mozilla Firefox\defaults\pref\
C:\Program Files (x86)\Mozilla Firefox\defaults\pref\
You can look for a file named dsengine.cfg in the main Firefox program folder.
C:\Program Files\Mozilla Firefox\
C:\Program Files (x86)\Mozilla Firefox\
Delete the dsengine.js and dsengine.cfg files when present.
Hi, I found "dsengine.cfg" in the main FireFox program folder. After opening it with Notepad++, I found some programming lines that I believe are related to continuous replacement of that malware search engine with default search engine.
esmetozerbezan said
I know how to launch windows in safe mode, but why should I try it in safe mode with "with networking"?!?!?
in order to have an active network connection and so that anti-adware/malware tools can download the latest signatures before running their scan & cleanup operation.
philipp said
esmetozerbezan said
I know how to launch windows in safe mode, but why should I try it in safe mode with "with networking"?!?!?
in order to have an active network connection and so that anti-adware/malware tools can download the latest signatures before running their scan & cleanup operation.
In safe mode with networking, AdwCleaner successfully deleted those files, actually deleted them on system restart.
Now I have to correct those Registry entries to get done with it.
Also there is that file with name of yahoo-lavasoft.xml that I have mentioned already. This time right-click worked on it and I managed to click on "Properties". What and where is it? "searchplugins" folder does not exist in that partition of mine!
esmetozerbezan said
philipp said
esmetozerbezan said
I know how to launch windows in safe mode, but why should I try it in safe mode with "with networking"?!?!?
in order to have an active network connection and so that anti-adware/malware tools can download the latest signatures before running their scan & cleanup operation.
In safe mode with networking, AdwCleaner successfully deleted those files, actually deleted them on system restart.
Now I have to correct those Registry entries to get done with it.
Also there is that file with name of yahoo-lavasoft.xml that I have mentioned already. This time right-click worked on it and I managed to click on "Properties". What and where is it? "searchplugins" folder does not exist in that partition of mine!
No one knows is capable to help me in this matter?
Your screenshot is of an internet shortcut, or in other words, a Windows favorite. It points to a file on your D drive. Is the file still there, or is the shortcut just a left over?
jscher2000 said
Your screenshot is of an internet shortcut, or in other words, a Windows favorite. It points to a file on your D drive. Is the file still there, or is the shortcut just a left over?
As I said before, "searchplugins" folder does not exist in that partition of mine! So I can't find that fishy file!
esmetozerbezan said
jscher2000 said
Your screenshot is of an internet shortcut, or in other words, a Windows favorite. It points to a file on your D drive. Is the file still there, or is the shortcut just a left over?
As I said before, "searchplugins" folder does not exist in that partition of mine! So I can't find that fishy file!
In that case, the shortcut appears to be out of date and you just need to get rid of the obsolete shortcut. No?
jscher2000 said
esmetozerbezan said
jscher2000 said
Your screenshot is of an internet shortcut, or in other words, a Windows favorite. It points to a file on your D drive. Is the file still there, or is the shortcut just a left over?
As I said before, "searchplugins" folder does not exist in that partition of mine! So I can't find that fishy file!
In that case, the shortcut appears to be out of date and you just need to get rid of the obsolete shortcut. No?
Ok, I couldn't find out where it was, but I got rid of it from search window.
Now I just have to correct these special entries in Registry to fully get rid of this malware! How to correct them, without destroying windows structure?!?
Here those 4 entries are:
1.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
  4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
  38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
  64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
  00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
2.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
"YahooMusicEngine.exe"=dword:00000001
3.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
"YahooMusicEngine.exe"=dword:00000001
4.
[HKEY_USERS\S-1-5-21-1981202106-4247340770-1964091639-1000\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP]
"BackupHomePage"=hex:01,00,00,00,12,00,00,00,8f,09,24,bc,77,1c,9e,0f,f5,c6,5f,\
  4a,37,9e,c3,4a,66,b3,02,00,00,00,0e,00,00,00,68,5a,66,6b,55,5a,6f,65,63,4b,\
  38,25,33,64
"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
  64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
  00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
It should be noted that non-binary data of "DoNotAskAgain" keys is:
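Added example, not part of the original post: the hex(7) values in a .reg export such as the entries above are REG_MULTI_SZ data, that is, UTF-16LE strings separated by NUL characters. This Python function decodes every hex(7) value in an export so the listed strings can be read before deciding what to do with a key; the function name is this example's own and the sample bytes are copied from entry 1.

```python
import re

# "DoNotAskAgain" from entry 1 of the post, plus one value of another type
# to show that only hex(7) data is decoded.
REG_TEXT = r'''"ChangeNotice"=dword:00000000
"DoNotAskAgain"=hex(7):69,00,6d,00,70,00,2e,00,79,00,74,00,64,00,77,00,6c,00,\
  64,00,2e,00,63,00,6f,00,6d,00,00,00,73,00,65,00,61,00,72,00,63,00,68,00,2e,\
  00,79,00,61,00,68,00,6f,00,6f,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
'''

VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\((?P<type>[0-9a-f]+)\):(?P<data>.*)$', re.I)


def decode_multi_sz_values(reg_text):
    """Map value name -> list of strings for each hex(7) value in a .reg export."""
    # A trailing backslash continues the value on the next (indented) line.
    joined = re.sub(r"\\\s*\n\s*", "", reg_text)
    out = {}
    for line in joined.splitlines():
        m = VALUE.match(line.strip())
        if not m or int(m.group("type"), 16) != 7:  # 7 = REG_MULTI_SZ
            continue
        raw = bytes(int(b, 16) for b in m.group("data").split(",") if b.strip())
        if len(raw) % 2:
            raise ValueError(f"{m.group('name')}: odd byte count, not UTF-16LE")
        # Strings are NUL-separated; the list itself ends with an extra NUL.
        text = raw.decode("utf-16-le")
        out[m.group("name")] = [s for s in text.split("\x00") if s]
    return out


if __name__ == "__main__":
    for name, strings in decode_multi_sz_values(REG_TEXT).items():
        print(name, strings)
    # -> DoNotAskAgain ['imp.ytdwld.com', 'search.yahoo.com']
```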
esmetozerbezan said
Now I just have to correct these special entries in Registry to fully get rid of this malware! How to correct them, without destroying windows structure?!?
I have no idea what those are. Do you think they are causing a problem? You may want to ask on a forum related to Windows or malware.
Microsoft support forum:
Ok, thanks to everyone who helped or tried to help me in this matter.
In case someone likes to follow this subject:
@ esmetozerbezan :
Just curious - you started this thread with the header :
" Every time that I close Firefox, my default search changes to "Yahoo! Search Engine"! "
Does that still happen ?
Happy112 said
@ esmetozerbezan : Just curious - you started this thread with the header : " Every time that I close Firefox, my default search changes to "Yahoo! Search Engine"! " Does that still happen ?
Nope, when I cleaned those files in safe mode, this part solved.
I want to completely get rid of it. To avoid future problems.
esmetozerbezan said
Nope, when I cleaned those files in safe mode, this part solved.
Well, at least that's a relief !
I want to completely get rid of it.
To avoid future problems.
Totally understandable - wishing you good luck on the Microsoft support forum !