Windows 7 virus win32/small.CA trojan [Solved/Closed]

virushelpme - Oct 23, 2012 at 04:45 AM
Hello,

Windows action center has told me to "remove the Win32/Small.CA virus from your computer".

Since then my computer has blue screened many times, usually about 2 minutes after boot.

When I try to run scans with Kaspersky 2011 and MRT they are stopped for some reason (guessing the virus).

I have scanned with TDSSKiller, ComboFix, Malwarebytes, ESET, Windows Defender, HitmanPro and SuperAntiSpyware. All of these find nothing.

Seems I'm a late catcher of this virus with a few posts on this around December 2011, but haven't seen any solutions. Some talk about this being a false positive but with the amount of crashes that I'm getting.... bit dubious?

Any help/tips would be much appreciated.
Cheers

9 replies

Best answer
Ambucias
Please download and install this most recent version of ZHP Diag and tell me if you get the H in ZHP Fix

http://www.commentcamarche.net/download/start/telecharger-34066799-zhpdiag


virushelpme
I used that link, downloaded ZHP Diag, installed it on the computer. Opened ZHP Fix and it looks the same as it did before - no H button. Also installed it on my laptop - looks the same (no H button). Do you think I'm installing it wrong (my French isn't very good for the setup)?

The peve.exe in C:\Windows has no previous versions.
Ambucias
Yes, you are installing it correctly. It could be a 64-bit bug. I will look into it and get back to you.
Ambucias
Hi

First, I would like to know what your operating system is.

Second, I would like to know the complete error message you are getting on the blue screen.

Third, to help you and prescribe the remedy, I must make a diagnostic, and to do so I require a system log.

1. Open this link and download ZHPDiag2 :

http://telechargement.zebulon.fr/telecharger-zhpdiag.html

(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download if you get a warning message. Once installed, clicking on the "hardhat" icon allows you to change the language.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

The tool creates three icons: ZHPDiag, MRB and ZHPFix (if necessary, we will use ZHPFix at the next step).

4. Double click on the shortcut ZHPDiag on your Desktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the magnifying glass and run the analysis.

Wait for the tool to finish (it may take a long time).

7. Close ZHPDiag.

8. To transmit the report, click on this link :

http://www.speedyshare.com/

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload".

12. Copy the url and post it here.

Best regards

Ambucias
Security Contributor
virushelpme
Thanks for getting back to me!

1. Windows 7 Professional SP1 64bit

2. Have only just disabled automatic restarts for BSOD, but looking in event viewer I believe this was one of them:
"The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000379f620, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 101612-9204-01."
Will give you the numbers again on my next BSOD!

3. http://speedy.sh/c48DJ/ZHPDiag.txt

Hope that's everything, thank you very much.
Ambucias
Hi,

I have not yet looked at your log but the error code 0x0000001e indicates that Windows has detected that the processor is attempting to process an unknown or invalid instruction. This is most often due to a hardware driver. The driver must either be reinstalled or updated. It causes a memory dump.

In your case, you should check video card, sound card, and printer driver as well as any other hardware you may have connected.

Please remember that all of your drivers should be compatible with your OS.

Catch you later with more
virushelpme
Thanks for the reply.
The message from windows telling me to remove the virus has gone now, but I have had 4 BSODs this morning:
1. SYSTEM_SERVICE_EXCEPTION
stop: 0x0000003B
2. BAD_POOL_HEADER
stop: 0x00000019
3. (no title)
stop: 0x00000024
4. (happened during a restart) IRQL_NOT_LESS_OR_EQUAL
stop: 0x0000000A

I built the computer a couple of months ago and not much has changed since installing and updating all the drivers.... but I will have a look at them. I'm 99% sure (don't want to sound too arrogant) that all my hardware is compatible and I'm 98% sure I've installed Windows 7 64-bit drivers! :)

Sadly my Chrome and Internet Explorer won't connect to the internet this morning.... not sure if I'm starting to become paranoid but my laptop is connected absolutely fine....! Windows Network and Sharing Centre says that I have internet access on the computer but my browsers just won't connect to anything (standard DNS lookup failure).

I have all my documents backed up and am tempted to just wipe my hard drives and reinstall everything..... But obviously if you find anything in the logs or want more logs just let me know!

Thanks a lot for your time
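The bugcheck event quoted earlier in this thread and the four STOP codes listed in this reply can be decoded without a debugger. The following is an added example in Python, not anything from the thread, from ZHPDiag or from Microsoft: it parses the Event ID 1001 message text the poster quoted (reproduced below as the sample), maps each STOP code to its documented name, and, for the codes whose first parameter is an exception code, decodes that too. The detail worth knowing is that on x64 the event text prints the 32-bit NTSTATUS sign-extended to 64 bits (0xffffffffc0000005 is 0xC0000005, STATUS_ACCESS_VIOLATION), so the value is masked before lookup. The code-to-name tables are small subsets; everything else is plain parsing.

```python
"""Decode Windows bugcheck (Event ID 1001) messages and STOP codes.

Added example, not from the thread. SAMPLE_EVENT is the message the poster
quoted; the name tables cover the codes seen in this thread plus a few common ones.
"""
import re

# Documented Microsoft bugcheck names (subset).
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x19: "BAD_POOL_HEADER",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x24: "NTFS_FILE_SYSTEM",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# NTSTATUS values that appear as parameter 1 of the exception-carrying bugchecks.
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}

# For these codes parameter 1 is the exception code, parameter 2 the faulting address.
EXCEPTION_CARRYING = {0x1E, 0x3B, 0x7E}

# The event text the poster quoted (Event ID 1001, source BugCheck).
SAMPLE_EVENT = (
    "The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e "
    "(0xffffffffc0000005, 0xfffff8000379f620, 0x0000000000000000, "
    "0xffffffffffffffff). A dump was saved in: C:\\Windows\\MEMORY.DMP. "
    "Report Id: 101612-9204-01."
)

_EVENT_RE = re.compile(
    r"The bugcheck was:\s*(0x[0-9a-fA-F]+)\s*\(([^)]*)\)"   # code and 4 params
    r"(?:.*?A dump was saved in:\s*(\S+?)\.?(?:\s|$))?",   # optional dump path
    re.S,
)


def parse_bugcheck_event(message):
    """Extract code, parameters and dump path from an Event ID 1001 message."""
    m = _EVENT_RE.search(message)
    if not m:
        raise ValueError("not a bugcheck event message")
    code = int(m.group(1), 16)
    params = [int(p, 16) for p in re.split(r"\s*,\s*", m.group(2).strip()) if p]
    return {"code": code, "params": params, "dump": m.group(3)}


def describe_stop_code(code, params=()):
    """Name the STOP code and, where parameter 1 is an NTSTATUS, name that too."""
    info = {"code": code, "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
            "exception": None, "address": None}
    if code in EXCEPTION_CARRYING and len(params) >= 2:
        # x64 event text sign-extends the 32-bit NTSTATUS (0xffffffffc0000005);
        # mask it back to 32 bits before the lookup.
        status = params[0] & 0xFFFFFFFF
        info["exception"] = NTSTATUS_NAMES.get(status, "0x%08X" % status)
        info["address"] = params[1]
    return info


def summarize(codes):
    """Distinct STOP codes seen, by name, for a quick look at how varied they are."""
    names = sorted({BUGCHECK_NAMES.get(c, "0x%X" % c) for c in codes})
    return {"distinct": len(names), "names": names}


if __name__ == "__main__":
    event = parse_bugcheck_event(SAMPLE_EVENT)
    print(describe_stop_code(event["code"], event["params"]), "dump:", event["dump"])
    # The five codes reported in this thread.
    print(summarize([0x1E, 0x3B, 0x19, 0x24, 0x0A]))
```

Five unrelated codes within a day (pool header, NTFS, IRQL, two kernel-mode exceptions) is the usual signature of something corrupting memory system-wide, typically a kernel-mode driver or faulty RAM, rather than of one specific component; the MEMORY.DMP the event names is what a kernel debugger needs to attribute it to a module.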
Ambucias
Hello Ross,

My first study of the log does not show obvious malware but there is a possible W32/Heuristic-210!Eldorado trojan. I wish however to go about this with prudence.

1. I would like you to go to search for this file: pev.exe and tell me what the properties are.

2. I would like you to delete all of the antivirus applications you have recently downloaded except the one you have paid for. More than one antivirus application will cause conflicts, not detect malware or cause false alerts.

3. On your desktop, ZHP Diag created ZHP Fix. Launch ZHP Fix and click on the large X.

4. Copy and paste the following lines, which are redundant and obsolete processes or orphan keys:

O4 - HKCU\..\Run: [Mobile Partner] Orphean Key
O4 - HKUS\S-1-5-21-185997528-2593348611-818886502-1003-185997528-2593348611-818886502-1000\..\Run: [Mobile Partner] Orphean Key
O4 - Global Startup: C:\Users\Ross\Desktop\Uni Documents.lnk . (...) -- \\samba.soton.ac.uk\rlh6g10 (.not file.)
[MD5.00000000000000000000000000000000] [APT] [{13B1C6CA-32C5-41B4-8DCD-DC7610E9CD8D}] (...) -- C:\Users\Ross\Documents\Computer\Drivers\Intel_Chipset_V9301019_XPWin7\Driver\Chipset\setup.exe (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Minimal\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Network\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O87 - FAEL: "TCP Query User{8028B400-2AD1-4C0C-BF7F-FD5565809251}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P6 - TRUE | .(...) -- D:\easysetupassistant\wr941n\easysetupassistant.exe (.not file.)
O87 - FAEL: "UDP Query User{5692377F-EC23-4C44-95FC-0DA3AAABC78F}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P17 - TRUE | .(...) -- D:\easysetupassistant\wr941n\easysetupassistant.exe (.not file.)

5. Click on GO

6. See if you got any improvement. If not, launch ZHP Fix again, copy and paste the following lines:

O44 - LFC:[MD5.FE52E3AB6381CF6CC34D57BD28A6B2E0] - 26/06/2011 - 06:45:56 ---A- . (...) -- C:\Windows\PEV.exe [256000]
O44 - LFC:[MD5.233566D0EE963948D3C4B6C31FD5D64F] - 07/11/2010 - 17:20:24 ---A- . (...) -- C:\Windows\MBR.exe [208896]
O64 - Services: CurCS - 25/06/2010 - C:\Windows\System32\drivers\npf.sys (NPF) .(.CACE Technologies, Inc. - npf.sys (NT5/6 AMD64) Kernel Driver.) - LEGACY

Click on GO

7. Give me feedback.
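Before deleting C:\Windows\PEV.exe on the strength of a heuristic, a practitioner would pin down what the file is. The thread itself shows a second pev.exe under C:\ComboFix with identical timestamps, and PEV.exe and MBR.exe are the names ComboFix uses for its own helper binaries, so the first check is whether the two copies are byte-for-byte identical and whether the copy on disk still matches the MD5 that ZHPDiag recorded in its O44 line. The following is an added example in Python, not part of the thread and not ZHPDiag's own code: it parses the O44 LFC line quoted above, hashes files with MD5 (to compare with the report) and SHA-256 (to submit to a reputation service), and compares copies.

```python
"""Verify a file that a ZHPDiag report flagged against the hash the report gave.

Added example; not from the thread or from ZHPDiag. SAMPLE_O44 is copied from
the report excerpt in this thread; everything else is generic hashing.
"""
import hashlib
import re

SAMPLE_O44 = ("O44 - LFC:[MD5.FE52E3AB6381CF6CC34D57BD28A6B2E0] - 26/06/2011 - "
              "06:45:56 ---A- . (...) -- C:\\Windows\\PEV.exe [256000]")

# "[MD5.<hash>] ... -- <path> [<size>]"; the greedy ".*" before " -- " skips the
# "---A-" attribute field, which would otherwise be mistaken for the separator.
_O44_RE = re.compile(r"\[MD5\.([0-9A-Fa-f]{32})\].*\s--\s+(.+?)\s*\[(\d+)\]\s*$")


def parse_o44_line(line):
    """Return (md5, path, size) from an O44 LFC report line."""
    m = _O44_RE.search(line)
    if not m:
        raise ValueError("not an O44 LFC line: %r" % line)
    return m.group(1).upper(), m.group(2), int(m.group(3))


def hash_bytes(data):
    """MD5 to match the report, SHA-256 for reputation lookups, plus the size."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_file(path, chunk=1 << 20):
    """Same as hash_bytes but streamed from disk, so large files are fine."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return {"md5": md5.hexdigest().upper(), "sha256": sha.hexdigest(), "size": size}


def verify_against_report(actual, expected_md5, expected_size):
    """True only if both the MD5 and the byte count match the report line."""
    return actual["md5"] == expected_md5.upper() and actual["size"] == expected_size


def same_binary(a, b):
    """Two hash results describe identical bytes (e.g. the two pev.exe copies)."""
    return a["sha256"] == b["sha256"] and a["size"] == b["size"]


if __name__ == "__main__":
    import sys
    md5, path, size = parse_o44_line(SAMPLE_O44)
    # Hash every path given on the command line (default: the path in the report).
    for p in sys.argv[1:] or [path]:
        try:
            h = hash_file(p)
        except OSError as err:
            print(p, "unreadable:", err)
            continue
        verdict = "matches report" if verify_against_report(h, md5, size) else "DIFFERS from report"
        print(p, h["sha256"], h["size"], verdict)
```

If the two copies hash identically and the C:\Windows copy matches the O44 MD5, the file has not changed since the report was taken and its identity can be settled by looking the SHA-256 up rather than by guessing from the name; if the C:\Windows copy differs from the C:\ComboFix one, that is the file to preserve and examine before any cleanup script removes it.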
virushelpme
Hi again,

1. I have two pev.exe both created 16 October 2012, modified 26 June 2011 and Accessed 16 October 2012 (at slightly different times).

Locations:
C:\Windows
C:\ComboFix

2. I have turned off Windows Defender real-time protection.
I have deleted all other antivirus/malware removal tools.
I have left Kaspersky Anti-Virus 2011 installed and running.

3. Not sure what big X to look for?! I have ZHPFix v1.3.04 and don't see a big X haha. Sorry!
virushelpme
3. Is it one of the tools on the right side e.g: CTFFix, HOSTFix, HiddenFix etc or am I looking in the wrong place?
Ambucias
I may be repeating myself but when you installed ZHP Diag, three icons were created on your desktop: ZHP Diag, ZHP Fix and MRB Check.

I meant to use ZHP Fix. Double click it, at the top you will see a large H which stands for helper or hospital or hip hip hip hurrah.

The pev.exe in C:\combofix is probably in a quarantine file.
The pev.exe in C:\windows is the one I am interested in and which is 80% chance of malware. I would like to know everything that is said under the tab "version".

After you have run ZHP Fix, I would like to know if the state of your machine is healthy. Delete the previous ZHP Diag log from your machine and send me a new one for verification and further instructions.

Regards

P.S. Please, don't ha ha, this is serious stuff and I'm driving...entering a tunnel... catch you later
virushelpme
Hello again Ambucias,

Here is a screenshot of my ZHP Fix v1.3: http://speedy.sh/UrCRd/ZHPFix-v1.3.jpg
This new version does not have a large x ("Launch ZHP Fix and click on the large X.") or a large H ("you will see a large H"). So I'm sorry but I still have not run the programme! I have tried to download an earlier version of ZHPDiag2 so that I could follow your instructions but could not find an earlier release of the program!

Best Regards,
Ross
Ambucias
There is a bug!

Will get back to you tomorrow morning!

Sorry for the delay.
Ambucias
The H was removed.

Just paste the lines and click on Go
virushelpme
Will get back to you with an outcome on Monday.
Cheers
virushelpme
Ok, I ran ZHP Fix twice (pasting all your lines). The blue screens have gone away (so far) and windows action centre has not found the win32/small.ca virus again after a few restarts.

Here is the latest ZHP diag and ZHP fix report: http://speedy.sh/QgFv5/ZHPDiag.txt

So I think my original problem is fixed, but I've still got no internet.....
Thanks again
Ambucias
Looks like you sent me the very same log as before. Ensure that all the logs are deleted from the machine before generating a new one.

Sorry
virushelpme
Here is the new log, sorry about that.
http://speedy.sh/pV2gc/ZHPDiag.txt
Ambucias
Greetings Ross,

Well I'm happy to report that your system is virus free, as clean as a whistle.

There are however some redundant processes that are running which you can delete or stop using ZHP Fix. They are:

[MD5.00000000000000000000000000000000] [APT] [{13B1C6CA-32C5-41B4-8DCD-DC7610E9CD8D}] (...) -- C:\Users\Ross\Documents\Computer\Drivers\Intel_Chipset_V9301019_XPWin7\Driver\Chipset\setup.exe (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Minimal\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O49 - CSB:Control Safe Boot HKLM\...\CCS\Network\55334416.sys . (...) -- C:\Windows\System32\Drivers\55334416.sys (.not file.)
O87 - FAEL: "TCP Query User{8028B400-2AD1-4C0C-BF7F-FD5565809251}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P6 - TRUE | .(...) -- D:\easysetupassistant\wr941n\easysetupassistant.exe (.not file.)
O87 - FAEL: "UDP Query User{5692377F-EC23-4C44-95FC-0DA3AAABC78F}D:\easysetupassistant\wr941n\easysetupassistant.exe" |In - Private - P17 - TRUE | .(...) -- D:\easysetupassistant\wr941

Now, you mention that you do not have Internet. I am not an Internet connection or configuration expert but a virus security contributor.

Nonetheless, I don't know what kind of Internet connection you privilege. I have noted a few items which may ring bells to you or guide you to restore it.

1. You are using a proxy. (You can stop the use of a proxy in your Internet settings)
2. Seems that you have installed Wifi.
3. Google Chrome often creates connection problems
4. Your Internet Explorer control panel has been deactivated.

Please delete ESET Online Scanner as well as any other antivirus applications you may have installed except your Kaspersky, which is an excellent antivirus suite. (None are 100% proof.)

Let me know about your internet connection. I am keeping your log on file for 3 days, in case you need my help again.

Cheerio! Chin up! See you in Tipperary!
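Two of the items in the list above, a proxy setting and a browser that fails "DNS lookup" while the adapter reports internet access, are worth checking directly rather than only through the browser's settings dialog, because both are classic places for malware to leave a redirect behind: the per-user WinINet proxy values that Internet Explorer and Chrome honour, and the hosts file. The following is an added example in Python, not from the thread or from ZHPDiag; the registry value names are the documented WinINet ones under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the registry read only runs on Windows, and the sample settings and hosts text are constructed for the example.

```python
"""Check two per-user settings that break browsing while the adapter looks fine:
the WinINet proxy (Internet Settings) and the hosts file.

Added example, not from the thread. Registry value names are the documented
WinINet ones; SAMPLE_HOSTS and the values used below are constructed.
"""
import sys

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL")
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Stock Windows hosts entries; anything else is worth a look.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: a normal file plus one line that black-holes an update host.
SAMPLE_HOSTS = """# constructed sample, not the poster's file
127.0.0.1       localhost
::1             localhost
127.0.0.1   updates.example.com www.updates.example.com   # added by something
"""


def read_proxy_settings():
    """Read the per-user WinINet proxy values (Windows only; {} elsewhere)."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # only importable on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in PROXY_VALUES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value simply not set
    return out


def assess_proxy(settings):
    """List the settings that send browser traffic somewhere other than straight
    to the site; an empty list means no proxy is in play."""
    findings = []
    # ProxyServer only takes effect when ProxyEnable (REG_DWORD) is 1.
    if settings.get("ProxyEnable") == 1 and settings.get("ProxyServer"):
        findings.append("explicit proxy %s" % settings["ProxyServer"])
    # A PAC URL is honoured regardless of ProxyEnable.
    if settings.get("AutoConfigURL"):
        findings.append("PAC script %s" % settings["AutoConfigURL"])
    return findings


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every active mapping in a hosts file."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:                 # one IP may map several names
            pairs.append((fields[0], host.lower()))
    return pairs


def suspicious_hosts(pairs):
    """Mappings that are not the stock localhost lines."""
    return [p for p in pairs if p not in STOCK_HOSTS]


def read_hosts(path=HOSTS_PATH):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    print("proxy:", assess_proxy(read_proxy_settings()) or "none")
    try:
        text = read_hosts()
    except OSError:
        text = SAMPLE_HOSTS   # not on Windows: show the constructed sample instead
    for ip, host in suspicious_hosts(parse_hosts(text)):
        print("hosts override:", host, "->", ip)
```

A hosts entry pointing a vendor's update or download domain at 127.0.0.1 produces exactly the symptom described here, a browser that cannot reach sites while the connection itself is up, and it survives a reboot and most scanners; clearing ProxyEnable and removing the extra hosts lines is the fix, after which a fresh ZHPDiag log will show the hosts and proxy sections clean.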
virushelpme
All fixed! Victory! Thanks a lot for your time and help.
Ambucias
The pleasure was all mine.