
Possible Residual Infection


2 replies to this topic

#1 enricophil

enricophil

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:15 AM

Posted 09 September 2008 - 03:11 AM

Hello, my PC's CPU is an Intel Pentium 4 - 3.06 GHz (2 Processors)
My OS is as follows:
Windows XP Professional
Version 5.1 (Build 2600.xpsp_sp2_qfe.070227-2300 : Service Pack 2)
Memory available to Windows: 1,048,044 KB

At the beginning of August, Symantec Antivirus started giving me warnings about the presence of malware, like Win32.Heur and similar. Apparently, the antivirus software was able to eliminate the problem. So, I shut down my PC and went on holiday.
When I was back at home, I updated the definitions of Symantec AV and downloaded AVG 8.0. Both programs seemed to eliminate malware like the previously noted ones.
At this point, I started getting an error warning after entering Windows: Unable to load the module wftadfi16_080828a.dll. After this I was no longer able to connect to the Internet. The connection seems to work properly, but no program (IE7.0, Outlook, FTP Explorer, upgrade utilities, etc.) seems to recognize that the PC is connected.
I opened the Registry and I found a new value in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]:
mininyust = "%System%\inf\svcocht.exe %Windows\wftadfi16_080828a.dll tanlt88"
I removed that line. Now the PC seems to work properly, but the problem with the connection continues.
Meanwhile, I discovered a file ccc.exe in C:\WINDOWS\Prefetch, which I do not consider normal.

What do you think about the matter?
Is this the proper forum to get some suggestions and/or help?

Thanks in advance for cooperation. I look forward to hearing from you.
Best regards.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:15 PM

Posted 09 September 2008 - 09:34 AM

According to Prevx, wftadfi16_080828a.dll is Cloaked malware.

It's not unusual to receive "boot up" errors after using anti-virus and other security scanning tools to remove malware infection.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads, which you have already done.

ccc.exe is the Catalyst Control Centre host application from ATI Technologies Inc., belonging to Catalyst Control Centre.

http://www.processlibrary.com/directory/files/ccc

Prefetch files usually include alpha-numerical names with a .pf extension. Did you omit the full name?

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ProcessLibrary.com

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

"I updated the definitions of Symantec AV and downloaded AVG 8.0"

Using more than one anti-virus program is not advisable. The primary concern with using more than one anti-virus program is due to conflicts that can arise when they are running in real-time mode simultaneously. However, even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active. To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of networking software or malware infestation. The next thing to do is check with your ISP and confirm if your connection is coming through. If so, the problem must be at your end.

Try resetting the IP address:
Go to Start > Run and type: cmd
Press OK or Hit Enter. A dos Window will appear.
At the command prompt type or copy/paste: ipconfig /release
Hit Enter.
When the prompt comes back, type: ipconfig /renew
Hit Enter.
Close the command box and see if that fixes the connection. No reboot needed.

If not, go to Start > Run > type: cmd
Press OK or Hit Enter.
At the command prompt, type or copy/paste: ipconfig /flushdns
Hit Enter.
You will get a confirmation that the flush was successful.
Close the command box.

If the above commands did not resolve the problem, the next thing to try is to Configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.
CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

If that still does not help and you're using Windows XP SP2, log on as an administrator.
Go to Start > Run and type: cmd
Press OK or Hit Enter. A dos Window will appear.
At the command prompt, type or copy/paste: netsh winsock reset
Hit Enter.
When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset."
Close the command box and reboot your computer.

Finally, if you continue to have connectivity problems, download WinSockFix from another computer, save to a usb stick, and transfer it to your computer.
Be sure to print out and follow the instructions for using this tool provided in the Winsock Repair Tutorial.

Also see "It's not always malware: How to fix the top 10 Internet Explorer issues", "Troubleshoot Internet Connection" and "Troubleshooting Internet Connection Problems".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

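As an added example, not part of quietman7's reply or of any tool it links to, the following PowerShell script audits the startup Run keys (including the Policies\Explorer\Run key where the poster found the entry) for the orphaned-entry condition the reply describes: a value still tells Windows to launch a program, but the program is no longer on disk. The key paths are standard Windows locations; note that the "%System%" and "%Windows" tokens in the poster's value are anti-virus report shorthand rather than real environment variables, so actual registry entries will carry real paths or real variables such as %SystemRoot%.

```powershell
# Registry locations consulted at logon; the Policies\Explorer\Run key is the one from the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Return the program path from a startup command line: the quoted first token if present,
# otherwise everything up to the first whitespace (arguments such as the DLL name are dropped).
function Get-StartupImagePath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+', 2)[0]
}

# True when the image can be found on disk: as an absolute path, or via PATH when no directory is given.
function Test-StartupImage {
    param([string]$Image)
    $expanded = [Environment]::ExpandEnvironmentVariables($Image)
    if ([IO.Path]::GetDirectoryName($expanded)) {
        return (Test-Path -LiteralPath $expanded -PathType Leaf)
    }
    return [bool](Get-Command $expanded -ErrorAction SilentlyContinue)
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata added by Get-ItemProperty
        $image = Get-StartupImagePath -CommandLine ([string]$p.Value)
        [PSCustomObject]@{
            Key     = $key
            Name    = $p.Name
            Image   = $image
            OnDisk  = Test-StartupImage -Image $image
            Command = $p.Value
        }
    }
}

# Orphaned entries (program missing) are the ones that produce "cannot find" / "could not load" errors at logon.
$results | Where-Object { -not $_.OnDisk } | Format-Table Key, Name, Image, Command -AutoSize
```

Run it from an administrator PowerShell prompt; an empty table means every startup value still points at an existing program, while any row shown is a candidate for the clean-up the reply describes, after confirming what the file was.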

#3 enricophil

enricophil
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:15 AM

Posted 11 September 2008 - 04:19 AM

Hi quietman7, thanks for your prompt reply.
I am sorry, I did not explain that I connect to the web through a USB ADSL modem, not through a LAN.
Probably for this reason, the first advice you gave me does not work.
I stopped and went no further with your subsequent advice.

Would you give me advice relevant to this new detail on my PC?

Thanks for cooperation.
Best regards.
