Browser Hijacker - Gone as far as I can go

Hello!
I am trying to help clean my sister in law's computer. The problem started about a month and a half ago. She could not connect to the internet then I believe she did a windows update where the computer screen went black and she could not boot up. I got into safe mode, did a system restore, then noticed the extra tool bars on her browser which made me think virus/trojan/etc. Had a lot of trouble running online scans as they were being blocked from running but finally managed over time to clean a significant amount of items off the system. I believe she had Sardu, Yontoo, and a host of other unwanteds. Now, the final annoyance (there may still be more stuff) is a browser hijacker that will not go away. A Searchqu/search.fantastigames.com popup message keeps popping up when first opening IE. It says "The original search engine Fantastigames.com was changed from being the default and will change back." You close out the popup and it takes you to the manage add ons window but you can not delete the searchqu selection which is in third position. Tried to clean remnants of searchqu in registry from all the "known" items I could find from internet searches but problem still exists. Any help you can provide would greatly be appreciated. I hope I followed all directions correctly. All logs requested are attached below.

Thanks in advance, Mimi

 

Hi Tim,
Thanks for helping me. I got a successful message in updating the registry but the problem remains. I rebooted to see if that would help and it did not. Upon opening IE, I get a popup that tells me "a program on the computer corrupted my default search provider setting for IE, changing back to default (search.fantastigames.com). When I close or "x" out of it, it procedes to open the manage add ons window but I can't change or delete the default from search.fantastigames.com.

Also, not sure if this is related but I could not find the accessories folder on this computer from clicking Start/All programs? I found notepad and wordpad in a c:\program files\win NT\accessories folder and in c:\windows\winsxs\amd64_microsoftwindows folder (duplicates)? But other tools are just missing altogether like calculator. The laptop is Lenovo with Windows 64bit. Is it possible it is just set up differently? I have not done anything to the computer since uploading my log files as requested but weeks ago I tried to do a partial restore where you look for just the folder you want and move it over but it was not there? My sister-in-law did not even know it was missing so she could not tell me how far back this goes. I am trying to avoid a complete restore for her but do not want to waste your time if I have to do that in the end?

Please let me know next steps.

Thanks,
Mimi

 

Re-ran the MG tools as requested. Here you go. Thanks.

 

Hi Tim,

Got a successful message when updating the registry. Ran MGTools again as requested. Pop up still showing up and redirection still occurs. In the middle of the scan, by the way, I got a message that Steelwerx stopped working. Once I closed out it continued and gave me the log file. See Attached.

Thanks,
Mimi

 

I am very comfortable with deleting out of the registry in fact I had to manually delete the parts of this virus/trojan from the registry as no scan was picking it up and I ran so many of them (eset, f-secure, spybot, malwarebytes, to name a few). I deleted the items requested but not sure if you wanted me to delete the whole searchscopes folder (there were 3 subfolders with a long string of numbers) as there were other items in there? I rebooted and checked and it is still popping up and redirecting after the first search. When I went back into the registry those keys you asked me to delete are populated with new entries (if I am saying it correctly).

Thanks,
Mimi

 

Hello!

I edited the registry as instructed and got a successful message. Attached is the log file requested. FYI, The pesky little buggar still popped up when I opened IE.

Thanks Tim,
Mimi

 

Hello,

The registry was edited instructed and I got a successful message. Attached is the log file requested. No change in IE.

Thanks,
Mimi

 

Hi Tim,

I edited the registry as instructed. Did not run MGtools as you did not request this last time. Please let me know if you need an updated log. I wish I had good news but the stupid thing is still in there.....hijacking!! :confused

Thanks,
Mimi

 

Hello. I reset IE as instructed then opened IE and the popup still came up. Searchqu is still in there as a search option unable to delete. I then downloaded the System Repair and followed your directions. Once Sys. Repair was done (I did not have any issues) I rebooted and the popup stil remained. Under the browser add-on tab, I did not delete anything as none of the selections said searchqu or search.fantistigames.com or datamanager. I did see an activex for Unity webplayer control (which I am not sure what this is) I think was something downloaded by my sister-in-law's 11yr old. Could the virus be attached to that? I also noticed activeX controls that had a CLSID number in the registry but no name associated. Attached is the log file from System Repair.

Thank,
Mimi

 

Sorry it took a while to respond. Was not able to do a screen capture as her accessories folder is missing. So no snipping tool, no paint program. Think this issue is from a windows update but that is for another forum. :eek So I tried resetting IE again since you thought maybe I didn't do it right and the third time it took!! So after resetting, now bing is the only search provider listed and Lenovo (what the system is) is the homepage. Upon opening IE though, I get the manage addons window popup every time. I rebooted and opened IE and still get the manage addons window popping up after the homepage loads (see attached afterresett.jpg). That makes me nervous that it is not entirely clean. I followed the reset by a system repair and will attach that new log just in case you need it. For the heck of it, I am attaching the other screen captures that happened previous to show you what I saw. Maybe it will help? Also, to answer your questions as to what was happening, I was getting a popup after homepage loaded, then the manageaddon window, then after doing a search or two from the URL field, I got the fantastigames metacrawler search. I try to keep it short so I may not have explained myself clearly. Hope that explains everything.

Thanks, Mimi

 

Well, not exactly. I don't get the manage add-on notification popup at the bottom of the screen as in the example you provided from worldstart but I still followed their directions on creating a new shortcut since I was gettting "a" manage add-on dialog box window popping up. I deleted IE off the start menu and from the desktop and created a new shortcut for both. The popup is occuring. In this case, it is an actual dialog box window for the manage addons selections. The same one you would see if you were in IE and clicked from the drop down menu "Manage Add-ons". What leads me to believe there may still be something going on, is because one it keeps popping up upon opening IE and two because it will now not let me delete bing as the search provider and use google or use google as the default provider. Look at the two attachments I provided. The first attachment called searchselection (posted yesterday, having trouble reattaching to this message) where the manage addon window popped up to show 3 choices. Searchqu/search.fantastigames was not an intentionally installed choice and when you look at the bottom, "Set as default" and "Remove" is grayed out, will not let me change. Since resetting IE, this selection is no longer there so we are getting better, but now bing is acting in the same manner, grayed out will not let me delete. See my second attachment (called managepopup) where I highlighted the bottom buttons? They are unavailable where previous I could delete Bing. When I select Google, I can remove but when I try to set as default (which is not grayed out by the way) it will not work, Bing remains the default.

If you no longer see traces of any virus, could a .dll, .ocx, or other IE file be corrupted? Should I try to reinstall IE9? Will that help? If so, do I need to entirely remove traces of IE from the system? or just install over?

Thanks,Mimi

 

Hi Tim,

I have been running explorer without addons. I get the notification window that lets me know plus when the manage addon window pops up you can see they are all disabled. I tried so many different things. However, I never disabled the way described below in your link provided. So, I followed their suggestions and when I opened IE using the method below, the popup still came up. Please don't give up on me.

 

Hi,

I copied and pasted the text as instructed. When I ran it this way, IE did open and the popup still opened up too.

Thanks,
Mimi

 

Hi,

It may no longer be a malware problem but it started out as one. This system had Strong Vault, Yontoo and a host of others. When I do a google search for search.fantastigames.com it comes up that this thing completely messes with your browser. That is why I think this popup will not go away. In message #21 I also mention that I can not select google as my default. It appears as if I can because it is not grayed out but when I press it nothing happens. Bing stays in first position and cannot be deleted. When the search.fantastigames.com selection was there it behaved the same way. Whatever is in that box should allow you to remove, set as default, move up or down. If it does not something is wrong. That is what is going on in addition to this box opening as soon as I open the browser. No matter how many times I close the browser and re-open, the manage add-on window keeps opening.

Hope that helps to clarify a bit more.
Mimi

 

I wanted to thank you guys for helping me with my sister-in-law's computer. You definitely helped me remove all remnants of the virus. Unfortunately she needed the system back as her other one got infected with a virus as well! LOL I was able to clean that one fairly quickly though. Before giving her back the laptop, I did do the final steps below and the pop-up remains but she is okay with just closing it out for now. If it continues to be a nuisance for her I might have to revisit the issue and maybe in different forum as there is no more virus but just wanted to let you know so you can close this out.

Thanks,
Mimi