Windows 7 Forums


Windows 7: win32/Small.CA virus

08 Feb 2013   #1
veegee

Windows 7 Home Premium 64 bit SP1
 
 
win32/Small.CA virus

A little background info. A few days ago I installed Easy Burner prog. from Softpedia in error and uninstalled it but parts of it did not uninstall. Did a few sys. restores, then PC wouldn't shut down & had to use power button to be able to restart again. Then Windows said that it detected a critical error and had to restart. I.E.'s were both not responding. Popup at bottom: MBAM successfully blocked access to a potentially malicious website 207.232.22.60 -- Type: outgoing -- Port 5328 (but always a different port number) when opening I.E. Process: Avast svc.exe. Info on I.E. page indicated network problems so tried network diagnostics that they recommended and finally it said 'no problems'. I.E. is now working.

Google Chrome is still unresponsive with "This website page is not available" at the top and the same popup as above from MBAM & Avast as was on I.E. Google Chrome has website www.searchnu.com sitting in the address bar. Is this a rogue site as I could not find any info about it?

Action Center reports this message: remove win32/Small.CA virus

Windows Firewall: There have never been any entries in the 'allow programs thro' firewall', as I was told that it wasn't necessary to configure it as the firewall just did its thing. However, now there are over 30 entries of various kinds listed and some randomly checked under home/work & public. ??

None of these browsers have proxy enabled. Scans done -- complete MBAM, SAS, Avast & boot, MSRT, MSS, spybot. Did a lot of searching but am unsure what is safe to do. Would greatly appreciate some help. Thanks in advance.


08 Feb 2013   #2
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download AdwCleaner to your desktop.
1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2. Click on Delete button.
3. Confirm each time with OK.
4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

08 Feb 2013   #3
veegee

Windows 7 Home Premium 64 bit SP1
 
 

Thanks Jacee

Here is the AdwCleaner log file you requested:

# AdwCleaner v2.111 - Logfile created 02/08/2013 at 22:43:53
# Updated 05/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : - xxxxxx-PC
# Boot Mode : Normal
# Running from : C:\Users\xxxxxx\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Deleted : C:\Program Files (x86)\search results toolbar
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\xxxxxx\Documents\Inbox
***** [Registry] *****
Key Deleted : HKLM\SOFTWARE\Software
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.7601.17514
[OK] Registry is clean.
-\\ Google Chrome v24.0.1312.57
File : C:\Users\xxxxxx\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.11] : homepage = "hxxp://www.searchnu.com/421",
Deleted [l.15] : urls_to_restore_on_startup = [ "hxxp://www.searchnu.com/421" ]
Deleted [l.51] : keyword = "search-results.com",
Deleted [l.54] : search_url = "hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=101&systemid=421&apn_dtid[...]
Deleted [l.1707] : homepage = "hxxp://www.searchnu.com/421",
Deleted [l.1860] : urls_to_restore_on_startup = [ "hxxp://www.searchnu.com/421" ]
*************************
AdwCleaner[S1].txt - [1376 octets] - [08/02/2013 22:43:53]
########## EOF - C:\AdwCleaner[S1].txt - [1436 octets] ##########
09 Feb 2013   #4
cottonball

Windows 7 Home Premium
 
 

veegee,

While Jacee gets here, is Action Center still reporting: remove win32/Small.CA virus?

Also, let's do some searching...

Next, please download SystemLook:
64-bit:
http://jpshortstuff.247fixes.com/SystemLook_x64.exe
Save to your Desktop.
Right-click on SystemLook.exe, and select: Run As Administrator

At the SystemLook program console, copy the content inside the following quote box into the main textfield:

Quote:
:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Click the Look button to start the scan.

When finished, a notepad window opens with the results of the scan.

Please post the SystemLook.txt (found on the Desktop) in your reply.
10 Feb 2013   #5
veegee

Windows 7 Home Premium 64 bit SP1
 
 

Cottonball- thanks for the reply
Action Center is still asking to remove win32/Small.CA virus

Here are the SystemLook results you requested:

SystemLook 30.07.11 by jpshortstuff
Log created at 23:44 on 09/02/2013 by xxxxxx
Administrator - Elevation successful
========== reg ==========
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"HPADVISOR"="C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
(No values found)

-= EOF =-
10 Feb 2013   #6
cottonball

Windows 7 Home Premium
 
 

Hmmm....

AdwCleaner got rid of the Searchnu fastidious entries.

Let's see what your system shows with the following short scan...


Please download RogueKiller:
Télécharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the x64 version for your 64-bit system.
Click the dark-blue button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

Allow for the prescan to run. Under Status you see: Prescan finished
At the program console, press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
10 Feb 2013   #7
veegee

Windows 7 Home Premium 64 bit SP1
 
 

Below are the RogueKiller reports:

RogueKiller V8.5.0 _x64_ [Feb 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : xxxxxx [Admin rights]
Mode : Scan -- Date : 02/10/2013 01:06:25
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

The quarantine report has nothing in the file except date & time. Hope I did this right!!
10 Feb 2013   #8
cottonball

Windows 7 Home Premium
 
 

Please post the entire RKreport.txt

It seems as if it was cut off.

Thanks!
10 Feb 2013   #9
veegee

Windows 7 Home Premium 64 bit SP1
 
 

Sorry Cottonball - complete RogueKiller report below:

RogueKiller V8.5.0 _x64_ [Feb 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : xxxxxx [Admin rights]
Mode : Scan -- Date : 02/10/2013 01:06:25
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



[...]

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST350041 8AS SCSI Disk Device +++++
--- User ---
[MBR] 33ac8be5a0e2011f4ed30d4da523a415
[BSP] 7d4c6fd333c05d0f83c903ade30cb386 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 464857 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 952233984 | Size: 11981 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_02102013_02d0106.txt >>
RKreport[1]_S_02102013_02d0106.txt
10 Feb 2013   #10
cottonball

Windows 7 Home Premium
 
 

Please go back to Post #4, and run SystemLook once again.

This time, use the following text contained in the quote box below:

Quote:
:reg
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /sub

Then, post the results of the new SystemLook.txt (found on the Desktop) in your reply.

This looks at the Registry entries for the Action Center. We need to know what is happening there.
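
The two SystemLook `:reg` queries requested in posts #4 and #10 can also be run read-only from PowerShell. The script below is an added example, not something posted by anyone in the thread; the function names `Get-RunEntry` and `Get-ServiceKeyValue` are hypothetical, and the Wow6432Node Run key is an addition that assumes a 64-bit system like the one in this thread.

```powershell
# Added example, not posted by anyone in the thread. Read-only: nothing is changed.
# Assumption: the Wow6432Node Run key is added because the machine is 64-bit.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntry {
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Extract the executable: a quoted path first, otherwise up to the first ".exe".
            $exe = $null
            if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($command -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $command; ExePath = $exe
                # False means the autostart target is missing or could not be parsed.
                ExeExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

function Get-ServiceKeyValue {
    param([string]$ServiceName)
    $root = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $root)) { return }
    # The service key itself plus every readable subkey (same scope as "/sub").
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{
                Key = $k.Name; Name = $name; Value = $k.GetValue($name)
            }
        }
    }
}

Get-RunEntry -Path $runKeys | Format-List Key, Name, Command, ExePath, ExeExists
Get-ServiceKeyValue -ServiceName 'wscsvc' | Format-List Key, Name, Value
```

Run it from an elevated 64-bit PowerShell prompt so the HKLM paths are not redirected to the 32-bit registry view and protected service subkeys can be read.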