Win32/Toolbar.Widgi

Discussion in 'ESET NOD32 Antivirus' started by Carbonyl, Feb 7, 2013.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Hello.

    This morning when I woke up, I started up my computer and ESET warned me about finding a threat - Win32/Toolbar.Widgi - which sounds like some variant of a toolbar, but Google Searching indicates being a trojan.

    I do weekly scans with ESET, MBAM, and Hitman, and my most recent scan did not turn anything up (it was about three days ago). I haven't installed any software since then, nor do I have any toolbars running that I can see, so I'm highly concerned this constitutes some kind of breach.

    What exactly am I dealing with here? Is this the remnant of some old installer, that ESET is now picking up long after the fact, and thus I shouldn't be worried? Or is this some kind of infection, and I should start wiping my drive immediately?

    The location of the file was C:\Windows\Installer\{2D8CED57-CCDB-4D86-9087-3BBCAE8F8F22} and the file was named _985D6477562748CF925EF89F3E038BD3.exe

    EDIT: After telling ESET to delete the file, this happened SEVERAL more times, with several different files in similar locations with similar names.
     
  2. JoTho

    JoTho Registered Member

    Joined:
    Sep 23, 2009
    Posts:
    5
    Same here. DEF # 7980 on several computers at work. MBAM doesn't find anything. Seems the folder in question contains icon exe's in C:\Windows\Installers. Concerned...
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    ESET couldn't delete the contents of this folder without a reboot, but after rebooting it continued to find these threats over and over again. Growing more concerned myself here.
     
  4. esiemiat

    esiemiat Registered Member

    Joined:
    Feb 7, 2013
    Posts:
    1
    Location:
    United States
    Same here. ESET is detecting the icons for various applications, including itself, as this virus. I told ESET to clean a few of these and now the shortcuts on my start menu have no icons. I am going to need to repair these application installations to get the icons back. I think these are false positives.
     
  5. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Also confirming that several shortcuts on my desktop have vanished since allowing ESET to clean, despite the fact that all the files in question were tagged as being located in C:\Windows\Installer\
     
  6. rcash

    rcash Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    56
    Same here, getting hundreds of reports from my organization.

    C:\WINDOWS\Installer\{CBCD5492-F9E0-4262-BA65-1234F4F51145}\NewShortcut8_DDD933F4FB0B4B4082C616E9FD65A59A.exe contains Win32/Toolbar.Widgi potentially unwanted application.
     
  7. no_idea

    no_idea Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    83
    Seeing the same here. Detections in Installshield-setups started with signature update 7980. I have submitted a sample to ESET and uploaded it to Virustotal too:

    https://www.virustotal.com/file/a9e...c4cb6d1a63a2585237fb1be8/analysis/1360243195/

    ESET is the only scanner detecting Win32/Toolbar.Widgi in it and it did so only after the 7980 signatures reached the scanners of Virustotal.

    My PC is scanned daily and this morning's scan with signatures 7978 was without result. A renewed scan with 7980 found 10 files containing Win32/Toolbar.Widgi. These files have been on my system for days to several weeks and scanned on a daily basis.

    So, hopefully 7981 will see them as what they are again: clean
     
  8. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Does anyone have any idea what these installer files are actually for? Is their removal in any way detrimental?
     
  9. JoTho

    JoTho Registered Member

    Joined:
    Sep 23, 2009
    Posts:
    5
    I believe they are custom icons for user-installed programs.
     
    Last edited: Feb 7, 2013
  10. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Of all the times for Wilders to go down! Glad to see we're back.

    According to ESET's Twitter, this was all a case of false positives, and the latest definitions should put everything back in order.

    Does anyone know if it's possible to restore the afflicted, false-positive files from quarantine without consequence, or is something more needed? I allowed ESET to delete these files, and now I am worried that will impact my system.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    You can either restore files manually, via ERA or wait for an update that will restore the files automatically. The update should be released shortly if it passes pre-release tests.
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks for the reply, Marcos!
    Please let us know when that update is released and its virus database number (798?). Thanks.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    The first report about the false positive was received at 15:35 CET. Updates were immediately suspended and a fix was released at 15:59 CET.
    Now we're testing an update that will restore quarantined files without user intervention.
     
  14. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks very much, Marcos. This is top notch, and I thank you and everyone else for reacting so quickly to this situation.
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    fully agreed
    +1
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Antivirus and antispyware module 1381 that restores quarantined "Win32/Toolbar.Widgi" files without user intervention has been released to the public. Should you come across any issues stemming from this false positive, please report them to samples[at]eset.com as well.
    We apologize for the inconvenience.
     
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Thanks Marcos, and I got 1381 here :thumb:

    Though I didn't get any FPs at my end because I was stuck at the 7979 update for some time, and the updates were stopped (as you mentioned) before I got the faulty one, so nice and fast reaction indeed. Great work :thumb:
     
  18. xMarkx

    xMarkx Registered Member

    Joined:
    Dec 1, 2008
    Posts:
    447
    Hello,

    I just upgraded to v6.0.308.0 from v4.2. I have all the latest modules. ESET is still detecting this Win32/Toolbar.Widgi in a lot of applications. I didn't know it was a FP at first so I let it delete something in Google Earth (so I had to reinstall Google Earth afterwards :mad: ).

    If this is a FP why hasn't ESET ceased detection of it? I've disabled detection of potentially unwanted applications as a fix... otherwise ESET is constantly bugging me every time I open a folder for a different application, making the PC unusable!

    Thanks,
    Mark

    EDIT: For some reason I wasn't using the latest modules after all. I was on 7980 (from Feb 7) as opposed to the current 7992 (from today) even though I installed v6 today. Confusing.
     
    Last edited: Feb 10, 2013
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    The FP was fixed as mentioned above. If it's still detected, then it's not FP but a normal detection of a potentially unwanted application.
     