Win32/small.ca [Solved/Closed]

win32/small.ca - 4 Posts - Registration date: Sunday January 6, 2013 - Last seen: January 13, 2013 - Jan 6, 2013 at 12:14 AM
Latest reply: Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 13, 2013 at 05:33 AM
Hello,

Windows Action Center has told me to "remove the Win32/Small.CA virus from your computer". I have McAfee antivirus but it is unable to detect it. The virus has changed some of my antivirus settings on its own, and the changes made by the virus are not reverting back. The system has become slow and my browser, Chrome, is either crashing or hanging up again and again. But there has been no blue screen while booting.


12 replies

Best answer
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 6, 2013 at 04:33 PM
1
Thank you
Greetings again,

Please bear in mind that Kioskea is a mutual aid community; all answers on the forum are provided by volunteers who give their time free to help solve issues.

Therefore, Kioskea forum users are specifically requested to correspond showing mutual respect: when requesting assistance, to be courteous and to use polite expressions, as elsewhere in similar circumstances.

Win32/small CA, if it's not the Win 7 bug, is a generic name for a virus; the virus must be located and identified for proper removal.

To help you and prescribe the remedy, I must make a diagnosis, and to do so I require a system log. Before you follow the steps described below, please remove any cracked software you may have, if any.

1. Open this link and download ZHPDiag2 :

http://telechargement.zebulon.fr/telecharger-zhpdiag.html

(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, which allows you to change the language.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

The tool creates three icons: ZHPDiag, MRB, and ZHPFix (if necessary, we will use ZHPFix at the next step).

4. Double click on the ZHPDiag shortcut on your Desktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the magnifying glass and run the analysis.

Wait for the tool to finish (this may take a long time).

7. Close ZHPDiag.

8. To transmit the report, click on this link :

http://www.speedyshare.com/

9. Click on Parcourir (Browse) and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload".

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor


Zohaib R - 2421 Posts - Registration date: Sunday September 23, 2012 - Last seen: July 16, 2018 - Jan 6, 2013 at 02:12 AM
0
Thank you
Hi,

Check the link below. It has steps on how to manually remove Win32/small.ca:

http://guides.yoosecurity.com/how-to-remove-win32small-ca-virus-from-your-computer/

Do reply with results.
win32/small.ca - 4 Posts - Registration date: Sunday January 6, 2013 - Last seen: January 13, 2013 - Jan 6, 2013 at 03:14 AM
0
Thank you
The files are not deleting and the video is not at all clear.
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 6, 2013 at 06:30 AM
0
Thank you
Greetings,

With all due respect to Zohaib R, there is no virus, and the solutions given at that link never work; they want you to call and pay.

This is a typical bug with Win 7 action center.

Go to the Action Center (by clicking Control Panel | System and Security | Action Center) and select to Change Action Center Settings. This allows you to disable specific types of messages, including messages about Windows Update, Internet security settings, User Account Control, Windows Backup, and more.

Uncheck virus notification.

Regards
win32/small.ca - 4 Posts - Registration date: Sunday January 6, 2013 - Last seen: January 13, 2013 - Jan 6, 2013 at 01:57 PM
0
Thank you
Then what about the fact that my antivirus automatic scanning status is changing by itself, the browser is crashing regularly, and the system has become a lot slower? And without a connection to the internet the system works fine, but as soon as I connect it to the internet it starts slowing down and sometimes hangs.
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 7, 2013 at 06:13 AM
0
Thank you
Thanks for the log. Please stand by for results.
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 7, 2013 at 06:54 AM
0
Thank you
Hi

There are several malware, including a rootkit, which probably came from BitTorrent.

I noticed that you have installed several antivirus tools (Avast, SuperAntiSpyware, Kaspersky, etc.) along with your main McAfee. This is dangerous, as all the scanning engines will create conflicts. You must delete all antivirus software and keep only one.

You have a toolbar which is called SweetIM, it is a virus. You must remove it.

Please follow the procedure below:

1. On your desktop, ZHP created an icon, ZHP Fix, which looks like a syringe; double click to open it.

2. Copy the following lines:

[MD5.45945F39F2F6D08A0FAEC275E68FFC5A] - (.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe [295728] [PID.3448] => Infection PUP (PUP.SweetIM)
[MD5.982C048CF2B5828F93592BA7C07593EC] - (.SweetIM Technologies Ltd. - SweetIM Instant Messenger Enhancer.) -- C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe [114992] [PID.3456] => Infection PUP (PUP.SweetIM)
R0 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com => Infection PUP (PUP.SweetIM)
O2 - BHO: PriceGong [64Bits] - {1631550F-191D-4826-B069-D9439253D926} . (.PriceGong - PriceGong Comparative Shopping Tool.) -- C:\Program Files (x86)\PriceGong\2.6.3\PriceGongIE.dll => Infection BT (Adware.PriceGong)
O2 - BHO: StartNow Toolbar Helper [64Bits] - {6E13D095-45C3-4271-9475-F3B48227DD9F} . (.Unknown owner - Toolbar.) -- C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll => Infection PUP (Adware.Zugo)
O2 - BHO: SWEETIE [64Bits] - {EEE6C35C-6118-11DC-9C72-001320C79847} . (.SweetIM Technologies Ltd. - SweetPacks Toolbar module for Internet Expl.) -- C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll => Infection PUP (PUP.SweetIM)
O4 - HKLM\..\Wow6432Node\Run: [Sweetpacks Communicator] . (.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe => Infection PUP (PUP.SweetIM)
O4 - HKLM\..\Wow6432Node\Run: [SweetIM] . (.SweetIM Technologies Ltd. - SweetIM Instant Messenger Enhancer.) -- C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe => Infection PUP (PUP.SweetIM)
O23 - Service: Updater Service for StartNow Toolbar (Updater Service for StartNow Toolbar) . (...) - C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe => Infection PUP (Adware.Zugo)
O42 - Logiciel: PriceGong 2.6.3 - (.PriceGong.) [HKLM][64Bits] -- PriceGong => Infection BT (Adware.PriceGong)
O42 - Logiciel: StartNow Toolbar - (.StartNow.com.) [HKLM][64Bits] -- StartNow Toolbar => Infection PUP (Adware.Zugo)
[HKCU\Software\AppDataLow\Software\PriceGong] => Infection BT (Adware.PriceGong)
[HKLM\Software\Wow6432Node\SweetIM] => Infection PUP (PUP.SweetIM)
O43 - CFD: 4/6/2012 - 7:40:19 PM - [3.124] ----D C:\Program Files (x86)\PriceGong => Infection BT (Adware.PriceGong)
O43 - CFD: 7/14/2012 - 1:01:13 AM - [1.875] ----D C:\Program Files (x86)\StartNow Toolbar => Infection PUP (Adware.Zugo)
O43 - CFD: 4/6/2012 - 7:42:17 PM - [10.990] ----D C:\Program Files (x86)\SweetIM => Infection PUP (PUP.SweetIM)
O43 - CFD: 4/6/2012 - 7:42:17 PM - [0.426] ----D C:\ProgramData\SweetIM => Infection PUP (PUP.SweetIM)
O61 - LFC:Last File Created 1/5/2013 - 1:56:34 AM ---A- C:\Users\p\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_cmap.uac.ace.advertising.com_0.localstorage [3072]
O61 - LFC:Last File Created 1/5/2013 - 1:56:34 AM ---A- C:\Users\p\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_cmap.uac.ace.advertising.com_0.localstorage-journal [3608] => Infection Rootkit (Rootkit.Agent)
O87 - FAEL: "{0DD67595-5CF1-4F0A-909C-A4AC06C4B41F}" | In - Public - P6 - TRUE | .(.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
O87 - FAEL: "{2A90940A-C107-42CB-B098-FEA87F701990}" | In - Public - P17 - TRUE | .(.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1631550F-191D-4826-B069-D9439253D926}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1631550F-191D-4826-B069-D9439253D926}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}]
[HKCU\Software\AppDataLow\Software\PriceGong]
[HKLM\Software\Classes\SWEETIE.IEToolbar]
[HKLM\Software\Classes\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[HKLM\Software\Classes\Toolbar3.SWEETIE]
[HKLM\Software\Wow6432Node\Classes\SWEETIE.IEToolbar]
[HKLM\Software\Wow6432Node\Classes\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[HKLM\Software\Wow6432Node\Classes\Toolbar3.SWEETIE] =
C:\Program Files (x86)\PriceGong
C:\Program Files (x86)\StartNow Toolbar
C:\Program Files (x86)\SweetIM
C:\ProgramData\SweetIM
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PriceGong
C:\Users\p\AppData\LocalLow\PriceGong
C:\Users\p\AppData\LocalLow\SweetIM
C:\Users\p\AppData\LocalLow\Toolbar4
SR - | Auto 265952 | (Updater Service for StartNow Toolbar) . (...) - C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe

3. Click on the clipboard button at the top; this will paste the lines you copied and a Go button will appear.

4. Click on Go and close ZHP Fix.

5. Download the following to your desktop:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

6. Close all running applications, including this one.

7. Unzip the folder and run the tool.

8. Once the scan is finished, check all the items found and delete.

9. Close the tool

10. Download, install and run Malwarebytes, which you can find on this site:

http://ccm.net/download/download-105-malwarebytes-anti-malware

Ensure you make an update.

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere, no matter how long it takes. The creators of Malwarebytes recommend that while the tool is running you go do something else, such as watching a rerun of Gone with the Wind or reading Tolstoy's War and Peace.

If Malwarebytes restarts your system, launch it again to finish the full scan.

When the scan is completed, delete all items found.

11. Reboot your machine

12. Delete the ZHP Diag log, produce a new one and upload it on Speedyshare.

Good luck
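The ZHPFix script in the post above is a list of ZHPDiag report lines, and the prefix of each line tells you what class of artifact it is: `O2` is a browser helper object, `O4` a Run-key autostart, `O23`/`SR` a service, `R0` a hijacked start page, `O43` a created folder, `O87` a firewall allow rule, and a bare `[HK...]` or `C:\...` line is a registry key or path to remove. As an added example (my own code, not part of the thread and not ZHPDiag's or ZHPFix's own logic), the Python below parses a handful of lines copied from that post, extracts the path, registry key, GUID and detection family from each, and separates the persistence entries (the ones that relaunch the unwanted code after a reboot or browser start) from plain folder and file entries. The section meanings and the regular expressions are my assumptions about the format as it appears in this thread, not a documented ZHPDiag grammar.

```python
import re
from collections import Counter

# Constructed sample: eight lines copied from the ZHPDiag excerpt quoted in this thread.
SAMPLE_LOG = r"""
[MD5.45945F39F2F6D08A0FAEC275E68FFC5A] - (.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe [295728] [PID.3448] => Infection PUP (PUP.SweetIM)
R0 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com => Infection PUP (PUP.SweetIM)
O2 - BHO: PriceGong [64Bits] - {1631550F-191D-4826-B069-D9439253D926} . (.PriceGong - PriceGong Comparative Shopping Tool.) -- C:\Program Files (x86)\PriceGong\2.6.3\PriceGongIE.dll => Infection BT (Adware.PriceGong)
O4 - HKLM\..\Wow6432Node\Run: [SweetIM] . (.SweetIM Technologies Ltd. - SweetIM Instant Messenger Enhancer.) -- C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe => Infection PUP (PUP.SweetIM)
O23 - Service: Updater Service for StartNow Toolbar (Updater Service for StartNow Toolbar) . (...) - C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe => Infection PUP (Adware.Zugo)
O43 - CFD: 4/6/2012 - 7:40:19 PM - [3.124] ----D C:\Program Files (x86)\PriceGong => Infection BT (Adware.PriceGong)
[HKCU\Software\AppDataLow\Software\PriceGong] => Infection BT (Adware.PriceGong)
O87 - FAEL: "{0DD67595-5CF1-4F0A-909C-A4AC06C4B41F}" | In - Public - P6 - TRUE | .(.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
"""

# Assumed meaning of each ZHPDiag section code, inferred from this thread ("Logiciel" is French for software).
SECTION_KIND = {
    "MD5": "running process",
    "R0": "browser start page",
    "O2": "browser helper object (BHO)",
    "O4": "Run-key autostart",
    "O23": "Windows service",
    "SR": "Windows service",
    "O42": "installed software",
    "O43": "created folder",
    "O61": "recently created file",
    "O87": "firewall allow rule",
    "REG": "registry key",
    "PATH": "file or folder",
}

# Entry classes that give the code a way to run again after a reboot or browser start.
PERSISTENCE_SECTIONS = {"R0", "O2", "O4", "O23", "SR"}

SECTION_RE = re.compile(r"^(O\d+|R\d+|SR)\b")
MD5_RE = re.compile(r"^\[MD5\.([0-9A-Fa-f]{32})\]")
VERDICT_RE = re.compile(r"=> Infection (\w+) \(([^)]+)\)")
# A drive-letter path runs until a " [size]" field, the " =>" verdict, or end of line.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?= \[| =>|$)")
# A registry key runs until a closing bracket, "=", "," or ":" (the O4 "Run:" form).
REGKEY_RE = re.compile(r"(HK(?:LM|CU|CR|U)\\[^\]=,:]+)")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_line(line):
    """Turn one ZHPDiag line into a finding dict, or None for lines we do not recognise."""
    line = line.strip()
    if not line:
        return None
    md5 = MD5_RE.match(line)
    sec = SECTION_RE.match(line)
    if md5:
        section = "MD5"
    elif sec:
        section = sec.group(1)
    elif line.startswith("[HK"):
        section = "REG"
    elif re.match(r"^[A-Za-z]:\\", line):
        section = "PATH"
    else:
        return None
    verdict = VERDICT_RE.search(line)
    path = PATH_RE.search(line)
    key = REGKEY_RE.search(line)
    guid = GUID_RE.search(line)
    return {
        "section": section,
        "kind": SECTION_KIND.get(section, "other"),
        "md5": md5.group(1).upper() if md5 else None,
        "path": path.group(1).rstrip() if path else None,
        "regkey": key.group(1).rstrip() if key else None,
        "guid": guid.group(0).upper() if guid else None,
        "verdict": verdict.group(1) if verdict else None,  # e.g. PUP, BT, Rootkit
        "family": verdict.group(2) if verdict else None,   # e.g. PUP.SweetIM
        "persistence": section in PERSISTENCE_SECTIONS,
    }


def parse_log(text):
    """Parse every recognised line of a ZHPDiag excerpt, in order."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def family_counts(findings):
    """How many flagged entries each detection family accounts for."""
    return Counter(f["family"] for f in findings if f["family"])


def persistence_entries(findings):
    """Entries that would relaunch the unwanted code; these are the ones to remove first."""
    return [f for f in findings if f["persistence"]]


def cleanup_targets(findings):
    """Unique paths and registry keys from flagged entries, to re-check after the cleanup ran."""
    paths = sorted({f["path"] for f in findings if f["family"] and f["path"]})
    keys = sorted({f["regkey"] for f in findings if f["family"] and f["regkey"]})
    return {"paths": paths, "keys": keys}


if __name__ == "__main__":
    findings = parse_log(SAMPLE_LOG)
    for f in persistence_entries(findings):
        print(f"{f['section']:<4} {f['kind']:<28} {f['family']!s:<20} {f['path'] or f['regkey']}")
    print(dict(family_counts(findings)))
```

Run as a script it lists the four persistence entries (start page, BHO, Run key, service) with their family, then the per-family counts; the O87 firewall rule carries no verdict in the log and is kept as context rather than counted as an infection. After a ZHPFix or Malwarebytes pass, `cleanup_targets` gives the list of paths and keys whose absence you would verify in a fresh ZHPDiag log.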
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 8, 2013 at 05:33 PM
0
Thank you
Please stand by.
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 8, 2013 at 06:00 PM
0
Thank you
The rootkit is gone, but there is still some malware.

Your McAfee should work, except that the remaining malware, in the form of toolbars, is creating obstructions.

This is very important: after the following final steps, delete Malwarebytes from your system. If your McAfee still does not respond, you may need to either update or reinstall it.

Now...

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

http://www.bleepingcomputer.com/download/combofix/

(click on the download @ bleeping computer button)

2. Close all open windows, including this one.

Close or disable all running Antivirus, and Firewall as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal, and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen stating that the program is almost finished and telling you that the program's log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

Good luck
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 11, 2013 at 06:37 AM
0
Thank you
Please,

1. I would like to see the Combofix log.

2. Remove Avast from your system.

3. Open ZHP Fix.

4. Copy the following lines:

[HKCU\Software\AppDataLow\Software\PriceGong]
[HKLM\Software\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}]
[HKLM\Software\Wow6432Node\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}]
[HKLM\Software\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}]
[HKLM\Software\Wow6432Node\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}]
[HKLM\Software\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}]
[HKLM\Software\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}]
[HKLM\Software\Wow6432Node\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}]
[HKLM\Software\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}]
[HKLM\Software\Wow6432Node\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}]
[HKLM\Software\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}]
[HKLM\Software\Wow6432Node\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}]
[HKLM\Software\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}]
[HKLM\Software\Wow6432Node\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}]
[HKLM\Software\Wow6432Node\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}] => Infection BT (Adware.PriceGong)
[HKLM\Software\Wow6432Node\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}]
[HKLM\Software\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}]
[HKLM\Software\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}] => Infection BT (Hijacker.Seeearch)
[HKLM\Software\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}] => Infection BT (Hijacker.Seeearch)
[HKLM\Software\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}] => Infection BT (Adware. BullseyeToolbar)
[HKLM\Software\Wow6432Node\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}] => Infection BT (Adware. BullseyeToolbar)
[HKLM\Software\Classes\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKLM\Software\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}] => Infection BT (Adware.SocialSkinz)
[HKLM\Software\Wow6432Node\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}]
[HKLM\Software\Classes\AppID\PriceGongIE.DLL]
[HKCU\Software\AppDataLow\Software\PriceGong]
C:\Users\p\AppData\LocalLow\PriceGong => Infection BT (Adware.PriceGong)
C:\Users\p\AppData\LocalLow\Toolbar4

5. Click on the clipboard button at the top, which will paste the copied lines.

6. Click on the Go button at the bottom.
win32/small.ca - 4 Posts - Registration date: Sunday January 6, 2013 - Last seen: January 13, 2013 - Jan 13, 2013 at 12:52 AM
0
Thank you
Thanks for the help again.
Combofix log:

Download Link:http://speedy.sh/2Udaa/comboflog.txt
Forum Link:[code]http://speedy.sh/2Udaa/comboflog.txt[/code]
HTML Link:<a href="http://speedy.sh/2Udaa/comboflog.txt">Download at SpeedyShare</a>
Ambucias - 55435 Posts - Registration date: Monday February 1, 2010 - Status: Moderator - Last seen: October 12, 2018 - Jan 13, 2013 at 05:33 AM
0
Thank you
You are most welcome.

Is your system still hanging? When? For how long? Do you use a password?