Solved win32/toolbar.widgi application


nibbz

I ran a routine ESET online scan and it came up with this, which it said was probably a variant of
win32/toolbar.widgi application. I ran a full scan 2 days ago with Comodo and it found nothing. What should I do now to clean this?
 
The Widgi Toolbar is usually part of Search Settings from a company named Spigot. It is put on a system without your permission or knowledge. The Spigot home site itself is not even permitted to load on my machine, giving the warning from my Site Advisor that "this company has a bad reputation."

The Widgi Toolbar is described by Category: Controlled Applications

In the Application Control policy, applications are allowed by default. System administrators choose applications that they wish to block. If you've received an alert about a blocked application, you can choose to:
  • take no action, if you wish to continue blocking the application
  • remove the software to prevent future alerts
  • re-authorize a blocked application

While this may sound innocent, perhaps even a 'good thing', it is neither and should be removed, along with the related search entries.
==========================================
I will be glad to help find and remove the malware.

If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else.
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs, except those I give you.
Threads are closed after 5 days if there is no reply.

Please leave the logs in your next reply for me to review.
 
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.20.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16443
nibbz :: NIBBZ-PC [administrator]
4/20/2012 6:58:44 PM
mbam-log-2012-04-20 (18-58-44).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211362
Time elapsed: 2 minute(s), 47 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\nibbz\AppData\Local\Temp\50or.exe (PUP.Adware.Agent) -> Quarantined and deleted successfully.
(end)
 
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16443
Run by nibbz at 19:22:09 on 2012-04-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.5105.3764 [GMT -4:00]
.
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - C:\Program Files (x86)\WOT\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - C:\Program Files (x86)\WOT\WOT.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Akamai NetSession Interface] "C:\Users\nibbz\AppData\Local\Akamai\netsession_win.exe"
uRun: [cdloader] "C:\Users\nibbz\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
mRun: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\nibbz\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CLEANT~1.LNK - C:\Users\nibbz\Documents\cleantemp.bat
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - C:\Users\nibbz\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{07FEE089-0AB3-4836-8C6F-4FD7505E0D95} : DhcpNameServer = 192.168.1.1
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
mRun-x64: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\system32\DRIVERS\cmderd.sys --> C:\Windows\system32\DRIVERS\cmderd.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 CLPSLS;COMODO livePCsupport Service;C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
R2 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2012-4-13 409232]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-3-30 1295416]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-11 116648]
S2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-3-30 681016]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-10 253088]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-11 116648]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-04-20 22:58:03 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-20 22:58:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-20 16:24:55 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{01154ED9-E4F7-49D8-B88D-5BD976186541}\mpengine.dll
2012-04-20 01:55:18 -------- d-----w- C:\Program Files (x86)\ESET
2012-04-19 02:19:46 -------- d-----w- C:\Users\nibbz\AppData\Local\Adobe
2012-04-19 00:48:45 -------- d-----w- C:\Users\nibbz\AppData\Local\magicJack
2012-04-17 01:11:53 -------- d-----w- C:\ProgramData\magicJack
2012-04-15 00:38:25 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2012-04-15 00:38:16 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-04-15 00:37:25 -------- d-----w- C:\Users\nibbz\AppData\Roaming\OpenCandy
2012-04-15 00:35:33 -------- d-----w- C:\Users\nibbz\AppData\Roaming\DVDVideoSoft
2012-04-14 16:41:39 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-14 16:41:39 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-14 13:55:12 8766112 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-13 01:42:15 -------- d-----w- C:\Users\nibbz\AppData\Local\Diagnostics
2012-04-12 04:23:02 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2012-04-12 04:22:55 -------- d-----w- C:\Intel
2012-04-12 01:28:37 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-12 01:28:37 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-12 01:27:17 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-04-12 01:27:11 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-04-12 01:22:58 -------- d-----w- C:\Windows\pss
2012-04-12 01:18:55 -------- d-----w- C:\Users\nibbz\AppData\Local\COMODO
2012-04-12 01:17:18 -------- d-----w- C:\security software
2012-04-12 00:50:40 -------- d-----w- C:\Windows\System32\SPReview
2012-04-12 00:50:33 -------- d-----w- C:\Windows\System32\EventProviders
2012-04-12 00:50:16 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-12 00:50:16 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-12 00:50:16 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-12 00:48:46 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-12 00:48:46 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-12 00:48:46 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-12 00:48:45 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-12 00:48:45 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-12 00:48:45 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-12 00:48:45 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-12 00:45:59 94208 ----a-w- C:\Windows\SysWow64\eappgnui.dll
2012-04-12 00:41:31 -------- d-----w- C:\Windows\SysWow64\C2MP
2012-04-12 00:28:46 -------- d-----w- C:\Users\nibbz\AppData\Local\Secunia PSI (BETA)
2012-04-11 23:45:01 -------- d-----w- C:\Users\nibbz\AppData\Local\Google
2012-04-11 23:44:49 -------- d-----w- C:\Users\nibbz\AppData\Local\Apps
2012-04-11 23:44:48 -------- d-----w- C:\Users\nibbz\AppData\Local\Deployment
2012-04-11 23:39:08 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2012-04-11 23:39:08 1071088 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-04-11 23:39:08 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2012-04-11 23:35:13 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-04-11 23:02:17 -------- d-----w- C:\ProgramData\CPA_VA
2012-04-11 02:49:13 -------- d-----w- C:\Program Files\WOT
2012-04-11 02:49:13 -------- d-----w- C:\Program Files (x86)\WOT
2012-04-11 02:47:12 -------- d-----w- C:\Users\nibbz\AppData\Roaming\Malwarebytes
2012-04-11 02:47:07 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-11 02:46:30 -------- d-----w- C:\Program Files (x86)\Secunia
2012-04-11 01:17:29 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-04-11 01:17:29 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-04-11 01:17:29 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2012-04-10 22:13:11 -------- d-----w- C:\Windows\SysWow64\Wat
2012-04-10 22:13:11 -------- d-----w- C:\Windows\System32\Wat
2012-04-10 21:32:14 -------- d-sh--w- C:\Windows\Installer
2012-04-10 21:32:01 -------- d-----w- C:\ProgramData\Comodo
2012-04-10 21:31:45 -------- d-----w- C:\Program Files\COMODO
2012-04-10 21:31:28 -------- d-----w- C:\Program Files (x86)\Comodo
2012-04-10 21:31:19 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2012-04-10 21:31:19 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll
2012-04-10 21:31:19 1060864 ----a-w- C:\Windows\SysWow64\mfc71.dll
2012-04-10 21:27:11 -------- d-----r- C:\Downloads
2012-04-10 21:17:57 778752 ----a-w- C:\Windows\System32\mssvp.dll
2012-04-10 21:16:52 288640 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-04-10 21:16:52 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-04-10 21:16:36 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2012-04-10 21:16:36 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2012-04-10 21:16:28 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2012-04-10 21:16:28 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2012-04-10 21:16:28 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2012-04-10 21:16:28 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2012-04-10 21:16:00 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2012-04-10 21:16:00 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-04-10 21:16:00 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-04-10 21:16:00 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-04-10 21:16:00 100864 ----a-w- C:\Windows\System32\fontsub.dll
2012-04-10 12:41:45 605552 ----a-w- C:\Windows\System32\winload.exe
2012-04-10 12:40:59 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2012-04-10 12:36:24 77312 ----a-w- C:\Windows\System32\packager.dll
2012-04-10 12:36:24 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-04-10 12:35:14 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-04-10 07:47:32 -------- d-sh--w- C:\Boot
2012-04-10 04:06:10 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-10 04:06:09 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-04-10 04:06:09 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-04-10 04:06:09 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-10 04:06:09 20992 ----a-w- C:\Windows\System32\drivers\rdpvideominiport.sys
2012-04-10 04:06:09 162816 ----a-w- C:\Windows\System32\rdpudd.dll
2012-04-10 04:06:09 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-04-10 04:06:09 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-04-10 03:57:47 -------- d-sh--we C:\Documents and Settings
2012-04-10 03:57:47 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2012-04-12 01:04:17 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-04-12 01:04:17 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-03-13 18:10:40 4379648 ----a-w- C:\Windows\System32\ffdshow.ax
2012-03-13 18:09:44 3473408 ----a-w- C:\Windows\SysWow64\ffdshow.ax
2012-03-13 18:08:28 4477440 ----a-w- C:\Windows\System32\ffmpeg.dll
2012-03-13 18:06:30 4417024 ----a-w- C:\Windows\SysWow64\ffmpeg.dll
2012-03-12 01:13:42 577824 ----a-w- C:\Windows\System32\drivers\cmdGuard.sys
2012-03-12 01:13:42 43248 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2012-03-12 01:13:40 22696 ----a-w- C:\Windows\System32\drivers\cmderd.sys
2012-03-12 01:13:22 41200 ----a-w- C:\Windows\System32\cmdcsr.dll
2012-03-12 01:13:20 301224 ----a-w- C:\Windows\SysWow64\guard32.dll
2012-03-12 01:13:18 389840 ----a-w- C:\Windows\System32\guard64.dll
2012-03-10 13:58:00 554496 ----a-w- C:\Windows\System32\LAVSplitter.ax
2012-03-10 13:57:56 758272 ----a-w- C:\Windows\System32\LAVVideo.ax
2012-03-10 13:57:52 248320 ----a-w- C:\Windows\System32\LAVAudio.ax
2012-03-10 13:57:48 202240 ----a-w- C:\Windows\System32\libbluray.dll
2012-03-10 13:57:42 6627455 ----a-w- C:\Windows\System32\avcodec-lav-54.dll
2012-03-10 13:57:42 396615 ----a-w- C:\Windows\System32\swscale-lav-2.dll
2012-03-10 13:57:42 213246 ----a-w- C:\Windows\System32\avutil-lav-51.dll
2012-03-10 13:57:42 130825 ----a-w- C:\Windows\System32\avfilter-lav-2.dll
2012-03-10 13:57:42 1161254 ----a-w- C:\Windows\System32\avformat-lav-54.dll
2012-03-10 13:55:26 462336 ----a-w- C:\Windows\SysWow64\LAVSplitter.ax
2012-03-10 13:55:22 593920 ----a-w- C:\Windows\SysWow64\LAVVideo.ax
2012-03-10 13:55:18 216576 ----a-w- C:\Windows\SysWow64\LAVAudio.ax
2012-03-10 13:55:16 172032 ----a-w- C:\Windows\SysWow64\libbluray.dll
2012-03-10 13:55:10 6454984 ----a-w- C:\Windows\SysWow64\avcodec-lav-54.dll
2012-03-10 13:55:10 371592 ----a-w- C:\Windows\SysWow64\swscale-lav-2.dll
2012-03-10 13:55:10 206473 ----a-w- C:\Windows\SysWow64\avutil-lav-51.dll
2012-03-10 13:55:10 142473 ----a-w- C:\Windows\SysWow64\avfilter-lav-2.dll
2012-03-10 13:55:10 1146161 ----a-w- C:\Windows\SysWow64\avformat-lav-54.dll
2012-03-10 13:53:50 179200 ----a-w- C:\Windows\System32\IntelQuickSyncDecoder.dll
2012-03-10 13:53:34 144384 ----a-w- C:\Windows\SysWow64\IntelQuickSyncDecoder.dll
2012-02-26 16:52:52 474624 ----a-w- C:\Windows\System32\ff_kernelDeint.dll
2012-02-26 16:52:36 92160 ----a-w- C:\Windows\System32\ff_vfw.dll
2012-02-26 16:52:30 114688 ----a-w- C:\Windows\System32\ff_wmv9.dll
2012-02-26 16:52:04 631296 ----a-w- C:\Windows\System32\TomsMoComp_ff.dll
2012-02-26 16:51:32 156672 ----a-w- C:\Windows\System32\ff_libmad.dll
2012-02-26 16:51:30 359424 ----a-w- C:\Windows\System32\ff_libfaad2.dll
2012-02-26 16:51:30 183808 ----a-w- C:\Windows\System32\ff_unrar.dll
2012-02-26 16:51:28 222720 ----a-w- C:\Windows\System32\ff_libdts.dll
2012-02-26 16:51:28 1532928 ----a-w- C:\Windows\System32\ff_samplerate.dll
2012-02-26 16:51:28 116224 ----a-w- C:\Windows\System32\ff_liba52.dll
2012-02-26 16:51:26 190464 ----a-w- C:\Windows\System32\libmpeg2_ff.dll
2012-02-26 16:47:02 79360 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2012-02-26 16:46:18 260608 ----a-w- C:\Windows\SysWow64\TomsMoComp_ff.dll
2012-02-26 16:46:00 99840 ----a-w- C:\Windows\SysWow64\ff_wmv9.dll
2012-02-26 16:46:00 158720 ----a-w- C:\Windows\SysWow64\ff_unrar.dll
2012-02-26 16:45:58 1525248 ----a-w- C:\Windows\SysWow64\ff_samplerate.dll
2012-02-26 16:45:58 146944 ----a-w- C:\Windows\SysWow64\ff_libmad.dll
2012-02-26 16:45:56 212480 ----a-w- C:\Windows\SysWow64\ff_libdts.dll
2012-02-26 16:45:56 115200 ----a-w- C:\Windows\SysWow64\ff_liba52.dll
2012-02-26 16:45:54 328704 ----a-w- C:\Windows\SysWow64\ff_libfaad2.dll
2012-02-26 16:45:54 137728 ----a-w- C:\Windows\SysWow64\libmpeg2_ff.dll
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-15 12:09:40 1576448 ----a-w- C:\Windows\System32\VSFilter.dll
2012-02-15 12:08:52 1288192 ----a-w- C:\Windows\SysWow64\VSFilter.dll
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-30 22:30:22 424960 ----a-w- C:\Windows\System32\cdxareader.ax
2012-01-30 22:30:08 500224 ----a-w- C:\Windows\System32\FLVSplitter.ax
2012-01-30 22:29:24 381440 ----a-w- C:\Windows\SysWow64\cdxareader.ax
2012-01-30 22:29:08 445440 ----a-w- C:\Windows\SysWow64\FLVSplitter.ax
.
============= FINISH: 19:22:38.93 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2012 2:51:35 AM
System Uptime: 4/20/2012 7:08:06 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P6T SE
Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | LGA1366 | 1574/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 932 GiB total, 891.795 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 4/10/2012 12:06:10 AM - Windows Update
RP2: 4/10/2012 8:34:50 AM - Windows Update
RP3: 4/10/2012 5:35:20 PM - Device Driver Package Install: COMODO Network Service
RP4: 4/10/2012 5:37:44 PM - Windows Update
RP5: 4/10/2012 9:18:03 PM - Windows Update
RP6: 4/10/2012 10:48:57 PM - Installed WOT for Internet Explorer
RP7: 4/11/2012 7:34:46 PM - Installed Java(TM) 6 Update 31
RP8: 4/11/2012 8:48:10 PM - Windows Update
RP9: 4/11/2012 9:24:40 PM - Windows Update
RP10: 4/11/2012 9:29:36 PM - Windows Update
RP11: 4/11/2012 9:38:14 PM - Windows Update
RP12: 4/17/2012 1:20:15 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Comodo Dragon
COMODO GeekBuddy
ESET Online Scanner v3
Google Update Helper
Java Auto Updater
Java(TM) 6 Update 31
Malwarebytes Anti-Malware version 1.61.0.1400
Media Player Codec Pack 4.1.9
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Secunia PSI (3.0.0.0006)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
SpywareBlaster 4.6
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
.
==== Event Viewer Messages From Past Week ========
.
4/20/2012 6:50:10 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
4/20/2012 4:30:07 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} and APPID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user nibbz-PC\Guest SID (S-1-5-21-1243112257-1756932303-4238688702-501) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================
 
Brand new system> Install Date: 4/10/2012 2:51:35 AM?

I don't see the Spigot Search Settings but do see Open Candy. You most likely got the Widgi from the same download you got Open Candy:

Adware:Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent.

Find this file and delete it as follows:
2012-04-15 00:37:25 -------- d-----w- C:\Users\nibbz\AppData\Roaming\OpenCandy

1. Show Hidden Files and Folders in Windows Vista and Windows 7:
  • Click on the Start button and select Computer
  • Press the Alt key on your keyboard and click on Tools
  • Select Folder Options
  • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
  • Next, uncheck the box next to Hide protected operating system files (Recommended)
  • Then, uncheck the box next to Hide extensions for known filetypes
  • Click Apply then click OK

2. Right click on Start> Explore> Navigate to Application Data for nibbz> Click on + sign to expand> Right click on Open Candy> Delete.

3. Go back to Folder Options and rehide the files.
============================================
Reboot
============================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

  If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Leave the log if there is one.
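As an added example (not code from the thread, from DDS, or from any of the tools used here), the following Python script parses lines in the "Created Last 30" format of the DDS log above and flags the entries a log reviewer looks at first: paths containing one of the adware-bundler names identified in the thread (OpenCandy, Spigot/Widgi) and executables created in a user's Temp or Roaming folder. The sample section is constructed: the OpenCandy, Adobe, DVDVideoSoft and mbam.sys lines are copied from the thread's log, the 50or.exe and updater.exe lines (with their timestamps and sizes) are made up, and the bundler-name list is an assumption rather than a signature set.

```python
"""Triage the 'Created Last 30' section of a DDS log (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One timeline line: date, time, size (or eight dashes for a directory),
# eight attribute flags (e.g. "----a-w-", "d-sh--w-"), then the path.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Assumption: a short list built from the names the thread identifies
# (OpenCandy and Spigot's Widgi toolbar); it is not a signature database.
BUNDLER_NAMES = ("opencandy", "spigot", "widgi")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")


@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None for a directory entry
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a timeline line, or None for headers, dots and blanks."""
    m = DDS_LINE.match(line.strip())
    if m is None:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return Entry(created, size, m["attrs"], m["path"])


def reasons(e: Entry) -> List[str]:
    """List why a reviewer would look at this entry; empty means nothing notable."""
    p = e.path.lower()
    found: List[str] = []
    if any(name in p for name in BUNDLER_NAMES):
        found.append("known adware bundler name in path")
    if not e.is_dir and p.endswith(EXECUTABLE_EXT):
        if "\\appdata\\local\\temp\\" in p:
            found.append("executable dropped in a Temp folder")
        elif "\\appdata\\roaming\\" in p:
            found.append("executable under Roaming rather than Program Files")
    return found


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse a whole section and return the flagged entries, newest first."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            r = reasons(e)
            if r:
                flagged.append((e, r))
    flagged.sort(key=lambda item: item[0].created, reverse=True)
    return flagged


# Constructed sample: the OpenCandy, Adobe, DVDVideoSoft and mbam.sys lines
# are copied from the thread's log; the 50or.exe line (the file MBAM removed)
# and the updater.exe line, with their timestamps and sizes, are made up.
SAMPLE_CREATED_LAST_30 = r"""
=============== Created Last 30 ================
.
2012-04-20 22:58:03 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-19 02:19:46 -------- d-----w- C:\Users\nibbz\AppData\Local\Adobe
2012-04-18 21:03:12 61440 ----a-w- C:\Users\nibbz\AppData\Local\Temp\50or.exe
2012-04-15 00:37:25 -------- d-----w- C:\Users\nibbz\AppData\Roaming\OpenCandy
2012-04-15 00:35:33 -------- d-----w- C:\Users\nibbz\AppData\Roaming\DVDVideoSoft
2012-04-14 09:12:00 204800 ----a-w- C:\Users\nibbz\AppData\Roaming\example_bundle\updater.exe
.
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_CREATED_LAST_30):
        print(entry.created, entry.path, "<-", "; ".join(why))
```

Paste a real "Created Last 30" or "Find3M" section into the string to run it against an actual log; entries that are not flagged still need a human look, since the rules only encode the patterns discussed in this thread.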
 
C:\Users\nibbz\Desktop\media.player.codec.pack.v4.1.9.setup.exe probably a variant of Win32/Toolbar.Widgi application
 
There it is!

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Files 
    C:\Users\nibbz\Desktop\media.player.codec.pack.v4.1.9.setup.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================================
Run one more scan for me, okay?
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
 
All processes killed
========== FILES ==========
C:\Users\nibbz\Desktop\media.player.codec.pack.v4.1.9.setup.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 14973943 bytes
->Temporary Internet Files folder emptied: 860155892 bytes
->Java cache emptied: 233248 bytes
->Flash cache emptied: 470 bytes

User: nibbz
->Temp folder emptied: 187853116 bytes
->Temporary Internet Files folder emptied: 74687180 bytes
->Java cache emptied: 1 bytes
->Flash cache emptied: 470 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 113549136 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36338242 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,228.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04262012_173010
Files moved on Reboot...
C:\Users\nibbz\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
Registry entries deleted on Reboot...
 
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.WJLBCQ
----- EOF -----
 
If it's clean now, thanks!!! You guys here are the best and should be commended for spending so much time solving other people's problems with viruses. Thanks, and let me know if there is anything else I need to do.
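The OTM [emptytemp] log posted above lists a per-user byte count for each cache it emptied and then a single "Total Files Cleaned" figure in MB. As an added example (not part of this thread or of OldTimer's tool), this parser reads that log format and reconciles the individual counts against the reported total, which is a quick sanity check on a cleanup log before accepting it; the sample excerpt is constructed from the counts in the log above.

```python
import re

# Constructed excerpt of the OTM [emptytemp] log from the thread (lines that
# reported 0 bytes are omitted; the remaining counts are the ones posted).
SAMPLE_LOG = r"""[EMPTYTEMP]

User: Guest
->Temp folder emptied: 14973943 bytes
->Temporary Internet Files folder emptied: 860155892 bytes
->Java cache emptied: 233248 bytes
->Flash cache emptied: 470 bytes

User: nibbz
->Temp folder emptied: 187853116 bytes
->Temporary Internet Files folder emptied: 74687180 bytes
->Java cache emptied: 1 bytes
->Flash cache emptied: 470 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 113549136 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36338242 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,228.00 mb
"""

USER_RE = re.compile(r"^User: (.+)$")
BYTES_RE = re.compile(r"^(?:->)?(.+?): (\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = ([\d,]+\.\d+) mb$")


def parse_emptytemp(text):
    """Return ({scope: {item: bytes}}, reported_total_mb).

    Lines starting with '->' belong to the most recent 'User:' block; the
    system-wide lines (no arrow) are collected under the 'system' scope.
    """
    per_scope, current_user, total_mb = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            current_user = m.group(1)
            per_scope.setdefault(current_user, {})
        elif m := BYTES_RE.match(line):
            scope = current_user if line.startswith("->") else "system"
            per_scope.setdefault(scope, {})[m.group(1)] = int(m.group(2))
        elif m := TOTAL_RE.match(line):
            total_mb = float(m.group(1).replace(",", ""))
    return per_scope, total_mb


def check_total(text):
    """Sum every byte count and compare with the reported total (MiB, truncated)."""
    per_scope, total_mb = parse_emptytemp(text)
    total_bytes = sum(sum(items.values()) for items in per_scope.values())
    computed_mb = total_bytes / (1024 * 1024)
    return total_bytes, computed_mb, total_mb, int(computed_mb) == int(total_mb)
```

For the log above the per-item counts sum to 1,287,791,698 bytes, which truncates to the 1,228 MB the tool reported.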
 
Glad to help. Go ahead with the following:

Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
This runs the Disk Cleanup utility along with any other selections you have chosen. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
Images courtesy lytebyte.

Empty the Recycle Bin
 
Stay safe and enjoy computing!

You may find the following helpful: (Links are Bold Blue)
Tips for added security and safer browsing:
  1. Browser Security
    [o] Make Internet Explorer safer (http://www.bleepingcomputer.com/tutorials/tutorial102.htm)
    [o] Use a Site Advisor.
    Have layered Security:
  2. Antivirus Software (only one):
    [o] Microsoft Security Essentials
    [o] Comodo AV
    [o] Avast! Free Antivirus
    =============================
  3. Firewall (only one)
    [o] Zone Alarm Free
    [o] Comodo Firewall Free
  4. Antispyware/Security: I recommend all of the following:
    [o] Spywareblaster: Protects against bad ActiveX.
    [o] IE/Spyad: Restricts bad domains.
    [o] MVPS Hosts file: Directs the HOSTS file to 127.0.0.1, which is your local computer.
    [o] Google Toolbar Popup Stopper
  5. Stay current on updates:
    [o] Windows Updates. You should get all updates marked Critical and the current SP updates.
    [o] Adobe Reader. Uninstall old versions.
    [o] Java. Uninstall old versions.
  6. Reset Cookies to prevent Tracking Cookies:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads, banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and by websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
  7. Do regular Maintenance
    [o] Including Disk Cleanup, Defrag and Error Check.
  8. Remove Temporary Internet Files regularly:
    [o] TFC
  9. System Restore Guide: Understand Restore Points, why you need to clean and set restore points, and what information is in them.
  10. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open attachments in the email. Save them to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account on free web-based mail.

Please let me know if you find any bad links.
 