Dad's PC infected with Dregol, etc.

  1.    #1



    My Dad's PC was infected with some sort of adware package I think was clicked on in a webpage popup. He says he knows not to do anything but close those out, but I wonder if even doing that can download them. Are they able to reprogram the exit X to download in IE11? Should we always just reboot if a dodgy ad page or popup appears while browsing?

    For Dregol, after uninstalling that and some others in Control Panel, a search suggested SpyHunter, which I ran. It seems to have found multiple adware and searchware. But when I click Fix Infections it wants us to pay, so now I'm suspicious of it. It says it found evidence of Conduit, Search Protect, Adware Helpers, which I see no evidence of, so I'm now wondering if it is illegit and maybe seeded us. I uninstalled it.

    I could not remove Dregol from IE search so reset that browser which seems OK now. There is no evidence of it in files or registry using name search.

    MBAM found PUPs, which I removed, but didn't seem to find Dregol. SAS found cookies, so I ran AdwCleaner and ESET online scanner. AdwCleaner found Conduit and Search Protect and some other things, but I'm waiting for ESET to finish before cleaning those up since it wants to Force Shut all programs.

    Anything else suggested?
    Last edited by gregrocker; 12 May 2015 at 12:01.


  2. Posts : 2,774
    Windows 7 Professional 64-bit
       #2

    Hitman Pro is one of the few that actually find Conduit and Ask, SpyHunter's probably correct on that one. I still have Malwarebytes AM & SUPERAntispyware on my system. Take heed using SpyHunter, many others have removed it.


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #3

    Greg, this adware will sneak in with some 'freeware software'. Warn your Dad about that!

    Download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    Greg,

    After running JRT as recommended by Jacee, please see if you can do the following to check a few things:

    Please download Zoek.exe:
    Download z o e k . e x e version 5.0.0.0
    Save to the Desktop.

    Please close all antivirus and anti-malware programs so they do not interfere with the download or execution of Zoek.
    Instructions how to disable security application:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

    • Next, double click zoek.exe to start the program.
    • Copy and paste the following script in the code box:

    Note: This script is written specifically for this user's computer.
    Do not use it on another computer even if its problems are similar!

    Code:
    standardsearch;
    installedprogs;
    process;
    services-list;
    srinfo;
    emptyfolderscheck;
    • Close any open browsers.
    • Click the Run script button and wait patiently.
    • When finished the logfile, zoek-results.log, is opened in Notepad.
    • If a reboot is needed the logfile is opened after rebooting.
    • The zoek-results.log is also found on your system drive (normally C:\).


    Please post the zoek-results.log in your reply.


  5. Posts : 50,642
    Thread Starter
       #5

    His performance is better than before. He's a little annoyed by the new IE11 install asking if he wants to enable Add-Ons like WMP and Quicktime plug-in, offering only to Allow but not to Disable unless he goes into IE Add-Ons. I will keep an eye on that.

    Both logs coming


  6. Posts : 2,774
    Windows 7 Professional 64-bit
       #6

    Greg, Wise Plugin Manager, just one of several good ones, might be a good tool for him. I've used it to remove some pesky plugins, extensions. Be advised that many FF add-ons have mighty unhelpful strange names listed in WPM :) However, the listing within Chrome and IE are almost always in plain language.
    Last edited by RolandJS; 13 May 2015 at 20:21.


  7. Posts : 2,470
    Windows 7 Home Premium
       #7

    Greg,

    Did not see malware in the Zoek report, and the JRT took care of an item.

    If you wish, you can also check browser plugins and see if they are up to date.
    Plugins add new capabilities to the browser, but they can also provide opportunities for malicious code to get in.


    Check Firefox > https://www.mozilla.org/en-US/plugincheck/

    To check other browsers, use: Qualys BrowserCheck
    It is a cloud service that scans your browsers and plugins to see if they are all up-to-date.

    Download > https://browsercheck.qualys.com/

    When the program opens, click on: Scan without installing plugin
    Then, click on: Scan now


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
