Spigot help

Hello all,

I was on my laptop earlier and using Firefox and noticed that when I was searching through the address bar it was using yahoo, even though it is supposed to be google. I tried on chrome and had the same issue, where when you open the browser it opens “http://search.yahoo.com/?type=714647&fr=spigot-yhp-ch” and all searches use yahoo.

I looked at my program list and noticed something installed by spigot and promptly uninstalled it. I then scanned with avast and MBAM and they said there were no infected files. However when I went to use the browsers again the same page opened and the default search was still yahoo. I did some searches and looked for the purported “searchsetting.exe” in my registry and looked for anything spigot in my program files and for any other symptoms of spigot infection and found nothing.

I am a bit concerned as I don’t know how serious this spigot thing is and I am a bit confused as to what to do next. I would really appreciate any help.

follow this guide and attach logs…not copy and paste http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

when done, malware experts will be notified and help you
when finished, all tools used will be removed

Thanks.

Attached are the logs for AdwCleaner, MBAM and OTL. Gonna post the aswMBR log in a moment.

And here is the aswMBR log.

Also how serious is this spigot malware/virus? Do I have to worry about my personal information and online accounts/passwords being compromised? Do I have to change passwords for all my important sites/accounts?

spigot is some browser / toolbar crap …

removers are notified, it may take some hours before one arrives so be patient

Oh okay so I take it it isn’t that serious? I just get kinda paranoid with every little infection. I usually try to be very vigilant with my comp security but my roommate still manages to pick some stuff up when he downloads stuff.

Thanks Pondus, I can wait a bit, I gotta catch some sleep right now anyway.

some info on one variant… and they can be a pain to remove

Widgi Toolbar by Spigot is a program that loads its gadget into your Internet browser without asking for approval. Due to this invasive process, security experts include it in the list of adware. Its origin can be a mixture of online tricks. It uses other software that will appear essential when you are viewing online videos or downloading any software. Makers of Widgi Toolbar usually embed the code to program not known to many.

i see one remover is online now… so you may get help very soon if you stay awake

With this I didn’t get any toolbar or anything, just the startup page and default search engine changing. What surprised me was even through numerous scans with Avast and MBAM it never showed up on any of them.

Thanks Pondus I will try to stay awake.

Edit: nm

Hi,

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
CHR - homepage: http://search.yahoo.com?type=714647&fr=spigot-yhp-ch
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:[b]64bit:[/b] - HKLM..\Run: []  File not found
FF - user.js - File not found

:commands
[CREATERESTOREPOINT]
[emptytemp]



[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

Please download zoek.zip from here or here and save it to your Desktop.
Unpack the archive…
[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool .
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

[*] Click on the Run Script button.
Please wait until a logreport opens (this can be after reboot)

[*]Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log”

Okay here are the logs for both of those.

I’m about to fall asleep it’s almost 4 AM here so excuse me if I don’t respond till the morning. I appreciate the help.

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool .
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

{E155CB70-AA13-46CD-BA8A-CF4735EE9A0E};c
emptyclsid;
emptyrecycle.bin;
FFdefaults;
chrdefaults;
iedefaults;
emptyalltemp;
autoclean;

[*] Click on the Run Script button.
Please wait until a logreport opens (this can be after reboot)

[*]Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log”

How long is the zoek tool supposed to run for this step? It has been running for some time now and it has not finished yet.

How long does it last?

Stop zoek.

edit:

Is spigot gone?

I stopped zoek and restarted my comp but my homepage for chrome is still "http://search.yahoo.com/?type=714647&fr=spigot-yhp-ch" and the default search is still yahoo but it seems that Firefox is no longer afflicted as my default homepage is no longer the URL above and my default search engine is google again. I am a bit unsure what to do at this point.

Re-run zoek with this script


{039DE0EC-B363-44EF-850A-71164E7383E0};c
{E155CB70-AA13-46CD-BA8A-CF4735EE9A0E};c
FFdefaults;
chrdefaults;
autoclean;

Okay I ran the Zoek Script and when I booted both chrome and firefox it went to their default pages, new tab and welcome to firefox, respectively. My Chrome extensions are gone and everything there is set to default, but my firefox add-ons are still there (which is okay because I just switched to FF anyway).

I have attached the log from the zoek script. It seems like it is gone but is there a way to be sure? I would just like to make sure before I start entering passwords for email/social sites and any CC info.

Looks good, I’ve set the default FF and Chrome but I did not touch extensions.
Now everything is fine.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
Tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

Okay did all that and removed everything, so I should be in the clear right?

Thanks Pondus and Argus for all the help, really appreciate it, that was a pain to get rid of.
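
An added example, not part of the thread or of any tool used in it: one way to answer the "is there a way to be sure?" question for the browser settings themselves is to search the text of Chrome's Preferences file and Firefox's prefs.js/user.js for the `fr=spigot` partner tag seen in the hijacked URL. The sample inputs and the function names are constructed for illustration; it walks every string value rather than a fixed list of keys.

```python
import json
import re

# Partner tag taken from the hijacked URL quoted in the thread.
MARKER = re.compile(r"[?&]fr=spigot", re.IGNORECASE)
HIJACK_URL = "http://search.yahoo.com/?type=714647&fr=spigot-yhp-ch"

def chrome_hits(preferences_text):
    """Return (json_path, value) for every string in a Chrome
    Preferences JSON document that carries the marker."""
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and MARKER.search(node):
            hits.append((path, node))
    walk(json.loads(preferences_text), "")
    return hits

# Matches string-valued lines such as: user_pref("name", "value");
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"(.*)"\);\s*$')

def firefox_hits(prefs_text):
    """Return (pref_name, value) for every string pref in prefs.js or
    user.js text whose value carries the marker."""
    hits = []
    for line in prefs_text.splitlines():
        match = PREF_LINE.match(line)
        if match and MARKER.search(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits

# Constructed sample inputs (not taken from the attached logs).
SAMPLE_CHROME = json.dumps({
    "homepage": HIJACK_URL,
    "session": {"restore_on_startup": 4,
                "startup_urls": [HIJACK_URL, "https://www.google.com/"]},
})
SAMPLE_FIREFOX = (
    f'user_pref("browser.startup.homepage", "{HIJACK_URL}");\n'
    'user_pref("browser.search.defaultenginename", "Google");\n'
)

if __name__ == "__main__":
    for where, value in chrome_hits(SAMPLE_CHROME) + firefox_hits(SAMPLE_FIREFOX):
        print(f"{where}: {value}")
```

An empty result only says these preference files no longer reference the tag; it does not cover extensions or settings stored elsewhere.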