win32/Small.CA virus


  1. Posts : 69
    Windows 7 Home Premium 64 bit SP1
       #1

    A little background info. A few days ago I installed Easy Burner prog. from Soft Pedia in error and uninstalled it but parts of it did not uninstall. Did a few sys. restores, then PC wouldn't shut down & had to use power button to be able to restart again. Then Windows said that it detected a critical error and had to restart. I.E.'s were both not responding. Popup at bottom: MBAM successfully blocked access to a potentially malicious website 207.232.22.60 -- Type: outgoing -- Port 5328 (but always a different port number) when opening I.E. Process: Avast svc.exe. Info on I.E. page indicated network problems so tried network diagnostics that they recommended and finally it said 'no problems'. I.E. is now working.

    Google Chrome is still unresponsive with "This website page is not available" at the top and the same popup as above from MBAM & Avast as was on I.E. Google Chrome has website www.searchnu.com sitting in the address bar. Is this a rogue site as I could not find any info about it?

    Action Center reports this message: remove win32/Small.CA virus

    Windows Firewall: There have never been any entries in the 'allow programs thro' firewall', as I was told that it wasn't necessary to configure it as the firewall just did its thing. However, now there are over 30 entries of various kinds listed and some randomly checked under home/work & public. ??

    None of these browsers have proxy enabled. Scans done -- complete MBAM, SAS, Avast & boot, MSRT, MSS, spybot. Did a lot of searching but am unsure what is safe to do. Would greatly appreciate some help. Thanks in advance.


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    Download AdwCleaner to your desktop.
    1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
    2. Click on the Delete button.
    3. Confirm each time with OK.
    4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
    Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.



  3. Posts : 69
    Windows 7 Home Premium 64 bit SP1
    Thread Starter
       #3

    Thanks Jacee

    Here is the ADWcleaner log file you requested:

    # AdwCleaner v2.111 - Logfile created 02/08/2013 at 22:43:53
    # Updated 05/02/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : - xxxxxx-PC
    # Boot Mode : Normal
    # Running from : C:\Users\xxxxxx\Desktop\AdwCleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****
    File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
    Folder Deleted : C:\Program Files (x86)\search results toolbar
    Folder Deleted : C:\ProgramData\boost_interprocess
    Folder Deleted : C:\Users\xxxxxx\Documents\Inbox
    ***** [Registry] *****
    Key Deleted : HKLM\SOFTWARE\Software
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v8.0.7601.17514
    [OK] Registry is clean.
    -\\ Google Chrome v24.0.1312.57
    File : C:\Users\xxxxxx\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Deleted [l.11] : homepage = "hxxp://www.searchnu.com/421",
    Deleted [l.15] : urls_to_restore_on_startup = [ "hxxp://www.searchnu.com/421" ]
    Deleted [l.51] : keyword = "search-results.com",
    Deleted [l.54] : search_url = "hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=101&systemid=421&apn_dtid[...]
    Deleted [l.1707] : homepage = "hxxp://www.searchnu.com/421",
    Deleted [l.1860] : urls_to_restore_on_startup = [ "hxxp://www.searchnu.com/421" ]
    *************************
    AdwCleaner[S1].txt - [1376 octets] - [08/02/2013 22:43:53]
    ########## EOF - C:\AdwCleaner[S1].txt - [1436 octets] ##########
    Last edited by veegee; 11 Feb 2013 at 01:05. Reason: correction


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    veegee,

    While Jacee gets here, is Action Center still reporting: remove win32/Small.CA virus?

    Also, let's do some searching...

    Next, please download SystemLook:
    64-bit:
    http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    Save to your Desktop.
    Right-click on SystemLook.exe, and select: Run As Administrator

    At the SystemLook program console, copy the content inside the following quote box into the main textfield:

    :reg
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Click the Look button to start the scan.

    When finished, a notepad window opens with the results of the scan.

    Please post the SystemLook.txt (found on the Desktop) in your reply.
    Last edited by cottonball; 09 Feb 2013 at 23:35.


  5. Posts : 69
    Windows 7 Home Premium 64 bit SP1
    Thread Starter
       #5

    Cottonball- thanks for the reply
    Action Center is still asking to remove win32/Small.CA virus

    Here are the SystemLook results you requested:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 23:44 on 09/02/2013 by xxxxxx
    Administrator - Elevation successful
    ========== reg ==========
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    "HPADVISOR"="C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    (No values found)

    -= EOF =-
    Last edited by veegee; 11 Feb 2013 at 01:07. Reason: correction
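
An added example (not part of the original thread, and not SystemLook's own code): a Python triage of a pasted SystemLook `:reg` report like the one in post #5, flagging Run-key values whose executable sits outside the usual install directories. The trusted-directory list and the `updater` entry are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two HKCU values from post #5 plus one invented
# "updater" value (not from the thread) to show what gets flagged.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"HPADVISOR"="C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN"
"updater"="C:\Users\xxxxxx\AppData\Roaming\updater.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
(No values found)
"""

# Assumed triage policy: autostart binaries normally live under these roots.
TRUSTED_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")]

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Executable path = everything up to the first program extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr))\b", re.IGNORECASE)


def parse_run_entries(log_text):
    """Return (key, value_name, command) for each value under a [HKEY_...] header."""
    entries, key = [], None
    for line in map(str.strip, log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, m.group(1), m.group(2)))
    return entries


def flag_untrusted(entries):
    """Return (value_name, command) pairs whose executable is outside TRUSTED_ROOTS."""
    flagged = []
    for _key, name, command in entries:
        m = EXE_RE.match(command.strip('"'))
        exe = PureWindowsPath(m.group(1)) if m else None
        if exe is None or not any(exe.is_relative_to(r) for r in TRUSTED_ROOTS):
            flagged.append((name, command))
    return flagged


if __name__ == "__main__":
    for name, command in flag_untrusted(parse_run_entries(SAMPLE_LOG)):
        print(f"review autostart entry {name!r}: {command}")
```

A flagged entry is only a prompt for manual review; an entry under a trusted root can still be unwanted software.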


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    Hmmm....

    AdwCleaner got rid of the Searchnu fastidious entries.

    Let's see what your system shows with the following short scan...


    Please download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:

    Select the x64 version for your 64-bit system.
    Click the dark-blue button to download.
    Save to the Desktop.

    Close all windows and browsers.
    Right-click and select: Run as Administrator

    Allow for the prescan to run. Under Status you see: Prescan finished
    At the program console, press: SCAN

    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.


  7. Posts : 69
    Windows 7 Home Premium 64 bit SP1
    Thread Starter
       #7

    Below are the Rogue Killer reports:

    RogueKiller V8.5.0 _x64_ [Feb 9 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : xxxxxx [Admin rights]
    Mode : Scan -- Date : 02/10/2013 01:06:25
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤

    The quarantine report has nothing in the file except date & time. Hope I did this right!!
    Last edited by veegee; 11 Feb 2013 at 01:08. Reason: correction


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Please post the entire RKreport.txt

    It seems as if it was cut off.

    Thanks!


  9. Posts : 69
    Windows 7 Home Premium 64 bit SP1
    Thread Starter
       #9

    Sorry Cottonball - complete Rogue Killer report below:

    RogueKiller V8.5.0 _x64_ [Feb 9 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : xxxxxx [Admin rights]
    Mode : Scan -- Date : 02/10/2013 01:06:25
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    [...]

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST350041 8AS SCSI Disk Device +++++
    --- User ---
    [MBR] 33ac8be5a0e2011f4ed30d4da523a415
    [BSP] 7d4c6fd333c05d0f83c903ade30cb386 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 464857 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 952233984 | Size: 11981 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1]_S_02102013_02d0106.txt >>
    Last edited by veegee; 15 Feb 2013 at 13:04. Reason: questions & corrections


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    Please go back to Post #4, and run SystemLook once again.

    This time, use the following text contained in the quote box below:

    :reg
    HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /sub

    Then, post the results of the new SystemLook.txt (found on the Desktop) in your reply.

    This looks at the Registry entries for the Action Center. We need to know what is happening there.
    Last edited by cottonball; 10 Feb 2013 at 18:00.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
