
CANNOT Remove Win32/Small.CA Virus--with normal tools so far...


  • This topic is locked
2 replies to this topic

#1 rexrzer727

rexrzer727

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 24 October 2013 - 12:23 AM

Good evening, as I have come to this forum upon recommendation of Mr. "boopme" in the forums here. We did the so-called "first defense/attack" method of trying to rid my office server/No.1 PC (in my stable of 4 OEM PC's) with dire and deviously frustrating results.

That topic is here:

http://www.bleepingcomputer.com/forums/t/511524/most-likely-i-have-an-infection-of-some-sortmy-first-post-here-follows/?p=3188961

If one refers to what I have done thus far it is what boopme refers to as being earnest first steps to remove this dang blasted virus from my System, but he indicated that the thing has entrenched itself deeper and harder to get at areas of my computer than the tools we used thus far could help with. Oh, I found a TON of bad stuff in the computer all right, using the tools in the above thread I assure, but it did NOT remove the Win32/Small.CA Virus.

Action Center keeps telling me that I have to "Remove the Win32/Small.CA virus", which was my first indicator approximately 4 (four) days ago--when this all started. I have no idea how the infected computer became so, not a clue as to cause and effect. I would like to post the log of the ESET Scan here if I may, which is the last thing we tried under boopme's direction, as I could not post the attachment there for some reason or other, protocols or other reasons no doubt (me being a new member?), so here's hoping that I can post it here.

I have been instructed by boopme to use a "Preparation Guide" and do steps 6, 7, 8 in this guide, and start this new topic, so off I go to do those things, whatever they may be, as I have yet to read in the topic he refers to.

Any assistance in this vein would be greatly appreciated by the gurus in this forum, as boopme indicates that a deeper, more thorough and with "other tools" scan sequence is going to be needed to deal with my particular infection. We are 100% certain the computer IS infected with the Win32 virus, it seems, at least I am, as my PC has not been the same since this all began possibly as far back as two weeks ago, even though I really started dealing with it, trying to remove it et al, in the past 3-4 days.

If I can figure out how to post this attachment I would give you all the log of ESET right now, but be it because of not knowing the tools here in this forum well enough to post a legitimate file attachment, or for whatever other reason(s), I cannot do this as yet.

Could someone please answer my question about posting a file here in this thread? HOW does one post a file here, as I have not found, though I have looked 10X or more, no "Attach File" icon or indicator, or file addendum in the formatting section of the posting directives as yet. HOW DO I ATTACH A FILE HERE?

EDIT: Here is the ESET Scan results in Notepad format (.txt)

C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll a variant of Win32/Toolbar.Visicom.B application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawaretb.dll a variant of Win32/Toolbar.Visicom.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\dtUser.exe a variant of Win32/Toolbar.Visicom.C application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents\ARO2012_tbt.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents\CrystalDiskInfo3_9_3a-en.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents\hwmonitor_1.17-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents (2)\ARO2012_tbt.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents (2)\CrystalDiskInfo3_9_3a-en.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents (2)\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents (2)\hwmonitor_1.17-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents (2)\sound-video-PC\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn1\ARO2012_tbt.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn1\CrystalDiskInfo3_9_3a-en.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn1\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn1\hwmonitor_1.17-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn1\sound-video-PC\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Temp\d5cfceba-4324-4f83-afad-1e71de1e025b.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\Documents\ARO2012_tbt.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\Documents\CrystalDiskInfo3_9_3a-en.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\poweruser\Documents\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\Documents\hwmonitor_1.17-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\poweruser\Documents\sound-video-PC\GlaryRegClnr-setup.exe multiple threats cleaned by deleting - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents\epson14039.exe a variant of Win32/Bundled.Toolbar.Ask.D application deleted - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn\Documents\Documents (2)\epson14039.exe a variant of Win32/Bundled.Toolbar.Ask.D application deleted - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Burn\Burn1\epson14039.exe a variant of Win32/Bundled.Toolbar.Ask.D application deleted - quarantined
C:\Users\poweruser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\27BS0PDU\stubinst_pkg_en-us[1].cab Win32/OpenCandy application deleted - quarantined
C:\Users\poweruser\Documents\epson14039.exe a variant of Win32/Bundled.Toolbar.Ask.D application deleted - quarantined

Edited by rexrzer727, 24 October 2013 - 12:48 AM.



#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:57 PM

Posted 24 October 2013 - 01:17 AM

Hello -

There was a bit of a mix up with your directions

Please visit the link below and follow on from Step #6 and Copy / Paste new DDS logs (as requested)

http://www.bleepingcomputer.com/forums/topic34773.html

 

Then post a new topic in => Virus, Trojan, Spyware, and Malware Removal Logs area as linked

 

You have reposted back to the same area where you started.

 

Thank You -



#3 hamluis

hamluis

  • Moderator
  • 56,266 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:57 AM

Posted 24 October 2013 - 08:24 AM

Reference:  http://www.bleepingcomputer.com/forums/t/511714/my-no1-pc-has-a-virus-infection-win32smallca-virus/#entry3189357

 

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

 

Louis






