Windows 7 virus win32/small.CA trojan

Solved/Closed
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012 - Oct 16, 2012 at 12:21 PM
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 - Oct 23, 2012 at 04:45 AM
Hello,

Windows action center has told me to "remove the Win32/Small.CA virus from your computer".

Since then my computer has blue screened many times, usually about 2 minutes after boot.

When I try to run scans with Kaspersky 2011 and MRT they are stopped for some reason (guessing the virus).

I have used scanned with , tdsskiller, ComboFix, Malwarebytes, ESET, windows defender, HitmanPro and SuperAntiSpyware. All of these find nothing.

Seems I'm a late catcher of this virus with a few posts on this around December 2011, but haven't seen any solutions. Some talk about this being a false positive but with the amount of crashes that I'm getting.... bit dubious?

Any help/tips would be much appreciated.
Cheers

9 replies

Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 18, 2012 at 04:19 AM
Please download and install this most recent version of ZHP Diag and tell me if you get the H in ZHP Fix

https://www.commentcamarche.net/download/telecharger-34066799-zhpdiag
1
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 18, 2012 at 08:19 AM
I used that link, downloaded ZHP Diag, installed it on the computer. Opened ZHP Fix and it looks the same as it did before - no H button. Also installed it on my laptop - looks the same (no H button). Do you think I'm installing it wrong (my french isn't very good for the setup).

The peve.exe in C:\Windows has no previous versions.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 18, 2012 at 03:40 PM
Yes you are installing it correctly. It could be a 64 bit bug. I will look in to it and get back to you.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 16, 2012 at 03:43 PM
Hi

First, I would like to know what is your operating system.

Second, I would like to know the complete error message you are getting on the blue screen.

Third, To help you and precribe the remedy, I must make a diagnostic and to do so, I require a system log.
.

1. Open this link and download ZHPDiag2 :

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon allows to change the language.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step).

4. Double click on the short cut ZHPDiag on your Destktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys.

Wait for the tool to finished (maybe a long time)

7. Close ZHPDiag.

8. To transmit the report, click on this link :

https://authentification.site

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload »

12. Copy the url and post it here.

Best regards

Ambucias
Security Contributor
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 16, 2012 at 05:39 PM
Thanks for getting back to me!

1. Windows 7 Professional SP1 64bit

2. Have only just disabled automatic restarts for BSOD, but looking in event viewer I believe this was one of them:
"The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000379f620, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 101612-9204-01."
Will give you the numbers again on my next BSOD!

3.http://speedy.sh/c48DJ/ZHPDiag.txt

Hope that's everything, thank you very much.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 17, 2012 at 04:07 AM
Hi,

I have not yet looked at your log but the error code: 0x0000001e indicates that Windows has detected that the processor is attempting to process an unkown or invalid instruction. This is most often due to a hardware driver. The driver must eitheir be reinstalled or updated. It causes a memory dump.

In your case, you should check video card, sound card, and printer driver as well as any other hardware you may have connected.

Please remember that all of your drivers should be compatible with your OS.

Catch you later with more
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 17, 2012 at 05:00 AM
Thanks for the reply.
The message from windows telling me to remove the virus has gone now, but I have had 4 BSODs this morning:
1. SYSTEM_SERVICE_EXCEPTION
stop: 0x0000003B
2. BAD_POOL_HEADER
stop: 0x00000019
3. (no tittle)
stop: 0x00000024
4. (happened during a restart) IRQL_NOT_LESS_OR_EQUAL
stop: 0x0000000A

I built the computer a couple of months ago and not much has changed since installing and updating all the drivers.... but I will have a look at them. I'm 99% sure (dont want to sound to arrogant) that all my hardware is compatible and I'm 98% sure I've installed windows 7 64bit drivers! :)

Sadly my chrome and internet explorer wont connect to the internet this morning.... not sure if I'm starting to become paranoid but my laptop is connected absolutely fine....! Windows network and sharing centre says that I have internet access on the computer but my browsers just wont connect to anything (standard DNS lookup failure).

I have all my documents backed up and am tempted to just wipe my hard drives and reinstall everything..... But obviously if you find anything in the logs or want more logs just let me know!

Thanks a lot for your time
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 17, 2012 at 05:14 AM
Hello Ross,

My first study of the log does not show obvious malware but there is a possible W32/Heuristic-210!Eldorado trojan. I wish however to go about this with prudence.

1. I would like you to go to search for this file: pev.exe and tell me what the properties are.

2. I would like you to delete all of the antivirus applications you have recently downloaded except the one you have paid for. More than one antivirus application will cause conflicts, not detect malware or cause false alerts.

3. On your desktop, ZHP Diag created ZHP Fix. Launch ZHP Fix and click on the large X.

4. Copy and paste the following lines which are redundant and obsolete processes or orphean keys:

O4 - HKCU\..\Run: [Mobile Partner] Orphean Key
O4 - HKUS\S-1-5-21-185997528-2593348611-818886502-1003-185997528-2593348611-818886502-1000\..\Run: [Mobile Partner] Orphean Key
O4 - Global Startup: C:\Users\Ross\Desktop\Uni Documents.lnk . (...) -- \\samba.soton.ac.uk\rlh6g10 (.not file.) [MD5.00000000000000000000000000000000] [APT] [{13B1C6CA-32C5-41B4-8DCD-DC7610E9CD8D}] (...) -- C:\Users\Ross\Documents\Computer\Drivers\Intel_Chipset_V9301019_XPWin7\Driver\Chipset\setup.exe (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Minimal\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Network\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O87 - FAEL: "TCP Query User{8028B400-2AD1-4C0C-BF7F-FD5565809251}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P6 - TRUE | .(...) -- D:\easysetupassistant\wr941n\easysetupassistant.exe (.not file.)O87 - FAEL: "UDP Query User{5692377F-EC23-4C44-95FC-0DA3AAABC78F}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P17 - TRUE | .(...) -- D:\easysetupassistant\wr941n\easysetupassistant.exe (.not file.)

5. Click on GO

6. See if you got any improvement. If not, launch ZHP Fix again, copy and paste the following lines:

O44 - LFC:[MD5.FE52E3AB6381CF6CC34D57BD28A6B2E0] - 26/06/2011 - 06:45:56 ---A- . (...) -- C:\Windows\PEV.exe [256000]
O44 - LFC:[MD5.233566D0EE963948D3C4B6C31FD5D64F] - 07/11/2010 - 17:20:24 ---A- . (...) -- C:\Windows\MBR.exe [208896]
O64 - Services: CurCS - 25/06/2010 - C:\Windows\System32\drivers\npf.sys (NPF) .(.CACE Technologies, Inc. - npf.sys (NT5/6 AMD64) Kernel Driver.) - LEGACY

Click on GO

7. Give me feed back
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 17, 2012 at 06:21 AM
Hi again,

1. I have two pev.exe both created 16 October 2012, modified 26 June 2011 and Accessed 16 October 2012 (at slightly different times).

Locations:
C;\Windows
C:\ComboFix

2. I have turned off Windows Defender real-time protection.
I have deleted all other antivirus/malware removal tools.
I have left Kaspersky Anti-Virus 2011 installed and running.

3. Not sure what big X to look for?! I have ZHPFix v1.3.04 and don't see a big X haha. Sorry!
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 17, 2012 at 11:34 AM
3. Is it one of the tools on the right side e.g: CTFFix, HOSTFix, HiddenFix etc or am I looking in the wrong place?
0

Didn't find the answer you are looking for?

Ask a question
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 17, 2012 at 04:33 PM
I may be repeating myself but when you installed ZHP Diag, three icons were created on your desktop: ZHP Diag, ZHP Fix and MRB Check.

I meant to use ZHP Fix. Double click it, at the top you will see a large H which stands for helper or hospital or hip hip hip hurrah.

The pev.exe in C:\combofix is probably in a quarantine file.
The pev.exe in C:\windows is the one I am interested in and which is 80% chance of malware. I would like to know everything that is said under the tab "version".

After you have run ZHP Fix, I would like to know if the state of your machine is healthy. Delete the previous ZHP Diag log from your machine and send me a new one for verification and further instructions.

Regards

P.S. Please, don't ha ha, this is serious stuff and I'm driving...entering a tunnel... catch you later
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 17, 2012 at 05:11 PM
Hello again Ambucias,

Here is a screenshot of my ZHP Fix v1.3: http://speedy.sh/UrCRd/ZHPFix-v1.3.jpg
This new version does not have a large x ("Launch ZHP Fix and click on the large X.") or a large H ("you will see a large H"). So I'm sorry but I still have not run the programme! I have tried to download an earlier version of ZHPDiag2 so that I could follow your instructions but could not find an earlier release of the program!

Best Regards,
Ross
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 17, 2012 at 05:30 PM
There is a bug!

Will get back to you tomorrow morning!

Sorry for the delay.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 19, 2012 at 05:01 AM
The H was removed.

Just paste the lines and click on Go
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 19, 2012 at 07:04 AM
Will get back to you with an outcome on Monday.
Cheers
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 22, 2012 at 03:31 AM
Ok, I ran ZHP Fix twice (pasting all your lines). The blue screens have gone away (so far) and windows action centre has not found the win32/small.ca virus again after a few restarts.

Here is the latest ZHP diag and ZHP fix report: http://speedy.sh/QgFv5/ZHPDiag.txt

So I think my original problem is fixed, but I've still got no internet.....
Thanks again
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 22, 2012 at 05:30 AM
Looks like you sent me the very same log as before. Ensure that all the logs are deleted from the machine before generating a new one.

Sorry
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 22, 2012 at 06:27 AM
Here is the new log, sorry about that.
http://speedy.sh/pV2gc/ZHPDiag.txt
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 22, 2012 at 04:46 PM
Greetings Ross,

Well I'm happy to report that your system is virus free, as clean as a whistle.

There are however some redundant processes that are running which you can delete or stop using ZHP Fix. They are:

[MD5.00000000000000000000000000000000] [APT] [{13B1C6CA-32C5-41B4-8DCD-DC7610E9CD8D}] (...) -- C:\Users\Ross\Documents\Computer\Drivers\Intel_Chipset_V9301019_XPWin7\Driver\Chipset\setup.exe (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Minimal\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Network\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O87 - FAEL: "TCP Query User{8028B400-2AD1-4C0C-BF7F-FD5565809251}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P6 - TRUE | .(...) -- D:\easysetupassistant\wr941n\easysetupassistant.exe (.not file.)
O87 - FAEL: "UDP Query User{5692377F-EC23-4C44-95FC-0DA3AAABC78F}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P17 - TRUE | .(...) -- D:\easysetupassistant\wr941

Now, you mention that you do not have Internet. I am not an Internet connection or configuration expert but a virus security contributor.

Nonetheless, I don't know what kind of Internet connection you priviledge. I have noted a few items which may ring bells to you or guide you to restore it.

1. You are using a proxy. (You can stop the use of a proxy in your Internet settings)
2. Seems that you have installed Wifi.
3. Google Chrome often creates connection problems
4. You Internet Explorer control panel has been deactivated.

Please delete Eset Online scanner as well as any other antivirus applications you may have installed except your Kaspersky which an excellent antivirus suite. (None are 100% proof)

Let me know about your internet connection. I am keeping your log on file for 3 days, in case you need my help again.

Cherio! Chin up! See you in Tipperary!
0
virushelpme Posts 11 Registration date Tuesday October 16, 2012 Status Member Last seen October 23, 2012
Oct 23, 2012 at 04:33 AM
All fixed! Victory! Thanks a lot for your time and help.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,253
Oct 23, 2012 at 04:45 AM
The pleasure was all mine.
0