Yes, my computer is running.
No, there is no red X over my internet icon.
My wifi devices can all see wifi networks, but attempting to connect results in "the connection was unsuccessful".
No, I have not tried a direct connection via wire, because no one knows the username or password; it's all in the router.
I have recently removed a virus called netfilter.sys, which AdwCleaner flagged as a third-party tracking program; however, after its removal I got limited connectivity to the internet.
The more I dug into it, the more it looked like netfilter had woven its way into the net drivers and devices and deleted the original net programs, replacing them completely. Looking in Device Manager I saw a slew of net device copies, even some which had not been connected to the computer in years, all listed with (netfilter device) after them, so I ended up completely eradicating the registry entries with netfilter in them. It wasn't easy, a few had been entered by the SYSTEM account, but I got rid of them and all the netfilter devices in Device Manager vanished. But still no net.
I replaced the drivers for the devices I use from the manufacturer's website but still have no net, and the Windows troubleshooter still says there's a problem with the drivers for the devices. I am 100% sure it's not the device drivers, but some internal Windows components that netfilter had its way with that are refusing to function for a clean device.
I am running Windows 7 Ultimate 32-bit. If anyone here has a clean system and knows what files, drivers and/or registry entries I need to input to get my wifi back, please help or send me a copy of yours. I need Windows net drivers, and possibly a new TCP/IP copy from what I can see, but someone here may know more.
Thank you ahead of time for any help given.
Edit: I will be willing to pay via PayPal for any help that enables me to get my net back without completely reinstalling Windows (I really don't want to have to re-find and reinstall all my software.)
The only netfilter.sys malware I'm aware of is a browser hijack malware. I don't think removing it should have hosed your networking completely, but browser hijack software has been used to install other nasty things. Maybe your antivirus software found lots of other stuff and damaged something in the process of cleaning up the mess.
I'm not sure what you mean by not having the user name or password to make ethernet connections, but if you are connecting to the internet via wifi, there are often two different wifi configuration programs you can use: one provided by the wifi adapter manufacturer and a generic one that comes with Windows itself. The only thing that comes to mind if you are having trouble after reinstalling the wifi drivers and software is that I've often had issues when my system tried to run both at the same time. Either you use the vendor one or the Windows one, but not both at the same time. If one is running, kill the other.
If it is a missing Windows component, then Windows 7 usually can fix that with the troubleshooting wizard. If it can't, it would be difficult to tell what the problem was without significant technical information. Does the WLAN see the correct SSID? Does it actually connect to that SSID? When you run ipconfig /all, do you see the wireless adapter, and does it show you acquiring IP address information?
Malwarebytes.
Pull it down onto a flash drive and load it - it will fix nearly anything.
You can try resetting the Winsock and TCPIP stack. Sometimes that straightens out issues like this.
1. Run Elevated Command Prompt:
- Click the Start button
- Type: cmd in the Start Search text box.
- Right-click and choose "Run as Administrator" (alternatively, press CTRL-SHIFT-ENTER to run it as administrator), and allow the elevation request
2. Type: 'netsh winsock reset catalog' in the shell and hit Enter
3. Type: 'netsh int ip reset reset.log' and hit Enter again. If this doesn't work, try 'netsh int ipv4 reset reset.log' to just reset ipv4.
4. Restart the computer
Thank you all for the prompt replies, I will try all of this from the top tomorrow.
@Arcana, I only mentioned ethernet because one of the typical IT questions is "have you tried connecting to the internet through a wire?" and the answer is I'd like to, but can't, because no username or password for the actual internet account is available atm.
@Ironwolf, I use Malwarebytes regularly; it can't figure out what's wrong. Still, I'll try again.
I have a list of the majority of the stuff that was removed, so that will make things easier if it comes to files. I just hope I kept the clean/scan logs and can find them.
Quote from: JoshexProxy on March 30, 2016, 02:50:14 PM
"have you tried connecting to the internet through a wire" and the answer is I'd like to, but can't because of no username or password for the actual internet account being available atm.
Wired connections do not require a password (like WiFi).
Some do. It's possible to run 802.1x over wired connections as well as wireless, but it's rare to encounter outside of locked down corporate environments.
Much more common are old ADSL setups that require establishing a PPPoE link first (which requires a username/password) in order to get an Internet IP.
Quote from: Codewalker on March 30, 2016, 04:07:36 PM
Some do. It's possible to run 802.1x over wired connections as well as wireless, but it's rare to encounter outside of locked down corporate environments.
Much more common are old ADSL setups that require establishing a PPPoE link first (which requires a username/password) in order to get an Internet IP.
The "it's all in the router" is what made me think it was something other than that, but I don't make a lot of presumptions when troubleshooting in the blind.
Quote from: Arcana on March 30, 2016, 08:53:25 AM
The only netfilter.sys malware I'm aware of is a browser hijack malware. I don't think removing it should have hosed your networking completely, but browser hijack software has been used to install other nasty things. Maybe your antivirus software found lots of other stuff and damaged something in the process of cleaning up the mess.
I'm not sure what you mean by not having the user name or password to make ethernet connections, but if you are connecting to the internet via wifi, there are often two different wifi configuration programs you can use: one provided by the wifi adapter manufacturer and a generic one that comes with Windows itself. The only thing that comes to mind if you are having trouble after reinstalling the wifi drivers and software is that I've often had issues when my system tried to run both at the same time. Either you use the vendor one or the Windows one, but not both at the same time. If one is running, kill the other.
If it is a missing Windows component, then Windows 7 usually can fix that with the troubleshooting wizard. If it can't, it would be difficult to tell what the problem was without significant technical information. Does the WLAN see the correct SSID? Does it actually connect to that SSID? When you run ipconfig /all, do you see the wireless adapter, and does it show you acquiring IP address information?
WLAN does see the correct SSIDs; it actually connects but acts like it didn't on the internet icon (no change), whilst it lists the connection to the SSID as EDIT: "limited access".
ipconfig /all does not show the device; it shows Windows IP Configuration with the host name being the computer identity,
DNS:
Node Type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No
then followed by Tunnel adapter ????*15, 6, 11, 12, 18, 19, 13, 14, 16, all with the same settings:
Media State: Media disconnected
DNS Suffix:
Description: either Microsoft 6to4 Adapter #1-10 or Microsoft Teredo Tunneling Adapter
Physical Address: 00-00-00-00-00-00-00-E0
DHCP Enabled: No
Autoconfiguration Enabled: Yes
also several entries of:
Tunnel adapter 6TO4 Adapter / Tunnel adapter reusable Microsoft 6To4 Adapter
same info.
Wifi configuration programs: I don't know what those are or where to find them if they are on my system (help here might be what I need). I reinstalled the driver for the two wifi devices I use.
Quote from: Suspicious Package on March 30, 2016, 11:54:37 AM
You can try resetting the Winsock and TCPIP stack. Sometimes that straightens out issues like this.
1. Run Elevated Command Prompt:
- Click the Start button
- Type: cmd in the Start Search text box.
- Right-click and choose "Run as Administrator" (alternatively, press CTRL-SHIFT-ENTER to run it as administrator), and allow the elevation request
2. Type: 'netsh winsock reset catalog' in the shell and hit Enter
3. Type: 'netsh int ip reset reset.log' and hit Enter again. If this doesn't work, try 'netsh int ipv4 reset reset.log' to just reset ipv4.
4. Restart the computer
Did not work. I got a fresh Winsock and Winsock 2 the other day, but that's not the problem.
I'm guessing, based purely on intuition, that something is wrong with the TCP/IP files on my computer, so resetting the stack won't help. I will need a valid IPv4 installer and IPv6 installer to test this intuition, as I will need to uninstall IPv4 and 6 on each device and then reinstall it. I'm not sure that would help though.
The problem seems to be that although Windows can see the device, the files and services that run the net connection can't see the device, hence it is missing from ipconfig; yet the device itself is operating fine and as such can see SSIDs and attempt to connect, but when that happens the net connection files and services are either not there to handle the connection operation, or though they receive the call they don't respond because they can't see the device. It should show up as ASUS EZ n-10 or something similar.
Quote from: JoshexProxy on March 31, 2016, 04:22:30 AM
WLAN does see the correct SSIDs; it actually connects but acts like it didn't on the internet icon (no change), whilst it lists the connection to the SSID as EDIT: "limited access".
ipconfig /all does not show the device; it shows Windows IP Configuration with the host name being the computer identity,
DNS:
Node Type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No
then followed by Tunnel adapter ????*15, 6, 11, 12, 18, 19, 13, 14, 16, all with the same settings:
Media State: Media disconnected
DNS Suffix:
Description: either Microsoft 6to4 Adapter #1-10 or Microsoft Teredo Tunneling Adapter
Physical Address: 00-00-00-00-00-00-00-E0
DHCP Enabled: No
Autoconfiguration Enabled: Yes
also several entries of:
Tunnel adapter 6TO4 Adapter / Tunnel adapter reusable Microsoft 6To4 Adapter
same info.
Wifi configuration programs: I don't know what those are or where to find them if they are on my system (help here might be what I need). I reinstalled the driver for the two wifi devices I use.
That's strange. If you do not see a wifi adapter listed when you did a ipconfig, then that sounds like the drivers did not install correctly. Check device manager to see if the wifi adapter driver appears to have an issue. You can get to the device manager by right-clicking on My Computer and selecting properties, then clicking on Device Manager in the upper left corner of the Control Panel system page. You should see the wifi adapter under something like "Network adapters". If you see a yellow warning triangle, then there's something wrong. If you don't see it at all, your computer isn't even detecting the wifi hardware correctly.
Quote from: Arcana on March 31, 2016, 12:49:13 PM
That's strange. If you do not see a wifi adapter listed when you did a ipconfig, then that sounds like the drivers did not install correctly. Check device manager to see if the wifi adapter driver appears to have an issue. You can get to the device manager by right-clicking on My Computer and selecting properties, then clicking on Device Manager in the upper left corner of the Control Panel system page. You should see the wifi adapter under something like "Network adapters". If you see a yellow warning triangle, then there's something wrong. If you don't see it at all, your computer isn't even detecting the wifi hardware correctly.
No yellow triangle; it is there, though, but I installed its driver before I completely killed the netfilter devices, so reinstalling that might be a good thing to try. Will try tonight.
Result: same issue, no change. The device pops up just fine in Device Manager when I plug it in.
Found this: http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/my-wireless-connection-says-limited-access-no/4536bd94-28ad-40d5-8a4e-6fe29c171039
Will attempt to try this too.
Quote from: JoshexProxy on March 31, 2016, 02:25:53 PM
Found this: http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/my-wireless-connection-says-limited-access-no/4536bd94-28ad-40d5-8a4e-6fe29c171039
Will attempt to try this too.
That article seems to be saying the same things I am: check driver, check adapter (in network connections or ipconfig), check connection (acquired address), check for competing WLAN configuration tools.
Quote from: Arcana on March 31, 2016, 03:43:43 PM
That article seems to be saying the same things I am: check driver, check adapter (in network connections or ipconfig), check connection (acquired address), check for competing WLAN configuration tools.
Indeed, if it works you get credit.
It just tells me step-by-step instructions for each.
With older versions of Windows, make sure you turn off/disable the onboard ethernet port if you're going to use wifi. Sometimes with both of them on, Windows won't log onto the net right with wifi. With your wifi stick, google the vendor info online. See if the chipset vendor for the USB dongle has newer drivers than the dongle maker. Also try Hitman Pro, it's another third-party scanner that finds stuff Malwarebytes won't. Also run msconfig and look under add/remove programs for any toolbar helpers or antivirus or anti-malware programs you did not install. A lot of trojans and new viruses use real-looking programs to reinfect your PC over and over. If the virus has damaged Windows, you may have to back up your files and reinstall it.
Quote from: microc on April 01, 2016, 11:29:26 AM
With older versions of Windows, make sure you turn off/disable the onboard ethernet port if you're going to use wifi. Sometimes with both of them on, Windows won't log onto the net right with wifi. With your wifi stick, google the vendor info online. See if the chipset vendor for the USB dongle has newer drivers than the dongle maker. Also try Hitman Pro, it's another third-party scanner that finds stuff Malwarebytes won't. Also run msconfig and look under add/remove programs for any toolbar helpers or antivirus or anti-malware programs you did not install. A lot of trojans and new viruses use real-looking programs to reinfect your PC over and over. If the virus has damaged Windows, you may have to back up your files and reinstall it.
I'll run Hitman Pro; I already do the other stuff on a regular basis.
Side note: I may have stumbled across the culprit. Under Device Manager I right-clicked one of my adapters and opened its properties window, went to Details and clicked the drop-down menu and, lo and behold, there are at least 10 entries reading {3ab22e31-8264-4b4e-9af5-a8d2d8e33e62}[1] - [10].
Suspicious, I think. Now how to test that theory? Finding their file locations is going to be a hassle if they aren't named the same; their registry entries should be easy to find. The question is: kill or don't kill?
Quote from: JoshexProxy on April 01, 2016, 01:18:08 PM
I'll run Hitman Pro; I already do the other stuff on a regular basis.
Side note: I may have stumbled across the culprit. Under Device Manager I right-clicked one of my adapters and opened its properties window, went to Details and clicked the drop-down menu and, lo and behold, there are at least 10 entries reading {3ab22e31-8264-4b4e-9af5-a8d2d8e33e62}[1] - [10].
Suspicious, I think. Now how to test that theory? Finding their file locations is going to be a hassle if they aren't named the same; their registry entries should be easy to find. The question is: kill or don't kill?
Don't mess with those. I'm pretty sure that's the PCI device root GUID. In other words, it is the place where device drivers store their PCI device properties.
Yep, here it is in the pci include file pciprop.h from the Windows SDK:
Quote:
//
// The GUID {3AB22E31-8264-4b4e-9AF5-A8D2D8E33E62} is a seed for all properties
// defined for a PCI device.
//
#define DEFINE_PCI_DEVICE_DEVPKEY(_DevPkeyName, _Pid) \
    DEFINE_DEVPROPKEY((_DevPkeyName), 0x3ab22e31, 0x8264, 0x4b4e, 0x9a, 0xf5, 0xa8, 0xd2, 0xd8, 0xe3, 0x3e, 0x62, (_Pid))
My PCI devices also have those keys: in particular my AMD Radeon and my Realtek PCIe gig ethernet. If it is a PCI(e) device under Windows Vista and higher, it will probably have those keys. There seem to be 25 sub properties listed, so you can see subs from [1] to [25] inclusive. However, not every device must implement them all: my Realtek only uses 1-17 and 25. That's normal (I guess the Realtek doesn't implement those PCI error handling options).
Quote from: Arcana on April 01, 2016, 07:02:56 PM
Don't mess with those. I'm pretty sure that's the PCI device root GUID. In other words, it is the place where device drivers store their PCI device properties.
Yep, here it is in the pci include file pciprop.h from the Windows SDK:
My PCI devices also have those keys: in particular my AMD Radeon and my Realtek PCIe gig ethernet. If it is a PCI(e) device under Windows Vista and higher, it will probably have those keys. There seem to be 25 sub properties listed, so you can see subs from [1] to [25] inclusive. However, not every device must implement them all: my Realtek only uses 1-17 and 25. That's normal (I guess the Realtek doesn't implement those PCI error handling options).
OK, so don't kill.
Hmm, it's gonna be a long few days before I have time to even get Hitman Pro and run it or try anything you said. Crap, it might be a week before I can do anything.
Sick + work + sudden train trip coming up, then followed by more work. I'm sure someone else has it worse lol.
Have you considered performing a system restore to a date earlier than when you tried to clean the virus off your system?
I must caution you that whenever I'm involved in complex repairs on a system especially when I lack complete information about the problem, I always consider making a backup first because in trying to make it better you can always make it worse.
Having said that, doing a system restore to previous version should keep all your data, and just revert windows and its drivers and subsystems to an earlier configuration. That might fix the problem. It can break apps installed after the restore point because shared libraries and registry settings get reverted, but it should keep your own files intact. If things are working correctly, Windows should also actually make a restore point before reverting to an earlier restore point, so you can jump back to the configuration you have now (broken and all) if things don't go well. Nothing is foolproof, but this might be a reasonable thing to try. It is probably the safest thing I can recommend sight unseen.
See here:
http://windows.microsoft.com/en-us/windows/system-restore-faq#1TC=windows-7
Quote from: Arcana on April 02, 2016, 09:23:26 PM
Have you considered performing a system restore to a date earlier than when you tried to clean the virus off your system?
I must caution you that whenever I'm involved in complex repairs on a system especially when I lack complete information about the problem, I always consider making a backup first because in trying to make it better you can always make it worse.
Having said that, doing a system restore to previous version should keep all your data, and just revert windows and its drivers and subsystems to an earlier configuration. That might fix the problem. It can break apps installed after the restore point because shared libraries and registry settings get reverted, but it should keep your own files intact. If things are working correctly, Windows should also actually make a restore point before reverting to an earlier restore point, so you can jump back to the configuration you have now (broken and all) if things don't go well. Nothing is foolproof, but this might be a reasonable thing to try. It is probably the safest thing I can recommend sight unseen.
See here:
http://windows.microsoft.com/en-us/windows/system-restore-faq#1TC=windows-7
I had to limit System Restore to 1 restore point because it was eating up my C drive. Problem is, this one restore point got updated after the removal.
Quote from: JoshexProxy on April 04, 2016, 03:29:26 AM
I had to limit System Restore to 1 restore point because it was eating up my C drive. Problem is, this one restore point got updated after the removal.
First rule of backups: one is none.
Quote from: Arcana on April 04, 2016, 08:54:34 AM
First rule of backups: one is none.
Found SMSvcHost running yesterday; that's Microsoft .NET. Why would it suddenly run, especially when I have no net?
I've got some time today; I'll be going through the registry backups I've made to see what had been removed that was affiliated with my net and try to restore them. It seems to me that my system may still be infected. I should also run Hitman Pro while I'm at it.
Quote from: JoshexProxy on April 05, 2016, 01:50:39 AM
Found SMSvcHost running yesterday; that's Microsoft .NET. Why would it suddenly run, especially when I have no net?
I don't think network connectivity is required for the .Net tcp port sharing service to properly start.
Quote from: Arcana on April 05, 2016, 03:44:35 AM
I don't think network connectivity is required for the .Net tcp port sharing service to properly start.
Thing is, it started out of nowhere, so I suspect whatever is left of the virus is trying to trigger an internet connection for itself.
I cannot run Hitman Pro; the old Hitman Pro I remember did not use a scan cloud, the new one does (which means you need internet to scan). That's a really stupid idea lol.
Some more info: I opened a log file for the troubleshooter and it says that "Windows couldn't automatically bind the IP protocol stack to the adapter".
That, and the netlogon service lsass.exe (which before the infection was running nearly all the time (probably because I was online all the time)) is now refusing to start; attempting to start it causes it to stop immediately. Also, it had been set to manual; I set it to automatic but still it won't start.
If there is anything you'd like me to do to get more information, just ask. I really appreciate the help.
Huge update to this issue.
I wanted to check my friend's computer before I speculated this, and I require a third out-of-China perspective as well for validation of the concern.
I got my friend's Windows 7 computer, which I bought for them in the UK; it has been operating in China as well, and it too has netfilter.sys exactly as it was on my machine. It's listed as a driver.
Searching about this driver online has turned up several things: it's based on a Linux SDK for allowing devices on a network to access your computer. It's basically a backdoor driver, a trojan horse as it would be, that is only ever installed legitimately for things like TeamViewer etc., where you let someone watch and manipulate your desktop and computer from an internet location. AdwCleaner flags it as a tracker which allows an internet-enabled location to track your browsing habits.
As Windows keeps telling me the device driver is missing when I try to connect (and I've verified my driver is the best up-to-date version for the device), I'm gathering there might be something built into Windows 7 that won't let you online if you don't have the backdoor tracking driver netfilter.sys installed.
To confirm this I need someone who has a Windows 7 machine that has never been to China to search C: for netfilter.sys. If it's there then it's a Microsoft thing; if it's not there then it's a China tracking thing. It's 31.2 KB here, and in C:\Windows\System32\drivers and System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_3841bdc6464ec488.
Does not exist on my Win 7 Home Premium desktop or Win 7 Pro laptop.
At this point, you would have saved more time and effort by just reinstalling Windows. *snerk*
I have a windows 7 64 bit alienware laptop.
It has never been to china.
When I search through c:\windows (and subfolders) for netfilter.sys there are 0 results.
Screenshots or directory contents can be provided if you desire.
My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you can't get to the registry, time to reinstall.
Good luck!
Quote from: Golden Aurora on April 05, 2016, 08:06:29 PM
My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you can't get to the registry, time to reinstall.
Good luck!
This might be simpler:
http://www.downloadcrew.com/article/27494-kernel_mode_drivers_manager
Quote from: Arcana on April 05, 2016, 09:00:05 PM
This might be simpler:
http://www.downloadcrew.com/article/27494-kernel_mode_drivers_manager
I wish it were that simple; it didn't even pick up the file as a driver on my friend's computer, but I know what happens if I delete it, so for now I'll need that net to fix my other computer.
The fact that it didn't see it at all means it is a fictitious driver, but it most likely pointed all other net drivers to itself in the registry.
Quote from: Golden Aurora on April 05, 2016, 08:06:29 PM
My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you can't get to the registry, time to reinstall.
Good luck!
Interesting: netfilter does not exist in my friend's computer's registry at all; it must be something that activates when given an impulse from the ISP to do so.
As for my computer, I already deleted all the netfilter keys, values and data manually.
I wonder what would happen if I open the driver in Notepad...
VS_VERSION_INFO *blah removed* StringFileInfo 000004B0
CompanyName: Windows (R) Win7 DDK provider
FileDescription: Sample NDIS 4.0 Intermediate Miniport Driver
FileVersion: 6.1.7600.16385 built by: WinDDK
InternalName: NETFILTER.SYS
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: NETFILTER.SYS
ProductName: Windows (R) Win7 DDK driver
ProductVersion: 6.1.7600.16385
VarFileInfo Translation *asian font upper period removed*
*unicode blocks removed*
[Certificate strings from the same file; the "*blah removed*" markers and unreadable bytes are dropped and only the legible names, validity timestamps and URLs are kept, in the order they appeared]
<<<Obsolete>>>
CN, China Telecom, China Telecom Trust Network, China Telecom Root CA
100926023324Z / 120925023324Z
CN, China Telecom, China Telecom Trust Network, China Telecommunications Corporation
http://localhost/ct.crl
US, VeriSign, Inc., VeriSign Time Stamping Services CA
070615000000Z / 120614235959Z
US, VeriSign, Inc., VeriSign Time Stamping Services Signer
http://crl.verisign.com/tss-ca.crl
ZA, Western Cape, Durbanville, Thawte, Thawte Certification, Thawte Timestamping CA
031204000000Z / 131203235959Z
US, VeriSign, Inc., VeriSign Time Stamping Services CA
http://ocsp.verisign.com
http://crl.verisign.com/ThawteTimestampingCA.crl
US, Washington, Redmond, Microsoft Corporation, Microsoft Code Verification Root
060523170129Z / 160523171129Z
US, VeriSign, Inc., Class 3 Public Primary Certification Authority
Cross CA
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl
China Telecom, China Telecom Trust Network, China Telecom Root CA
VeriSign, Inc., VeriSign Time Stamping Services CA
101015090443Z
That says a lot right there: it makes itself out to be an official Microsoft driver, claiming to be a DDK driver made by Microsoft Corporation for Windows 7; however, in the dependencies at the bottom the real developer is blatantly obvious: China Telecom etc.
This explains why every time I go out of China and wipe all my viruses off the machine, then go back, I cannot connect to China's networks for a few days.
So it's an ISP tracking virus; if you don't got it, you are forbidden from connecting to China's internet networks.
Why hasn't it wormed its way into this computer and replaced all the devices with netfilter devices? Simple:
*removed some code that was cutting off my post* d:backupwork江西天翼livendispassthrudriver_chapobjfre_win7_amd64amd64netfilter.pdb *removed some code here too*
This computer does not have a D:/ drive. It requires that drive to fully activate, whereby it creates and runs the file d:backupwork江西天翼livendispassthrudriver_chapobjfre_win7_amd64amd64netfilter.pdb; then, when finished taking complete control of your net devices, it most likely deletes said file to avoid detection.
What does it do?
*removed huge amounts of unreadable code*
\Device\netfilter
\DosDevices\netfilter
UpperBindings
NdisVersion
PtSendComplete free my packet
0123456789abcdef
Data Lenth:%d
Proxy-Connection: Keep-Alive
FilterReceive copy ChallengePAck
FilterReceive find Proxy-Connection: Keep-Alive
IP: %d.%d.%d.%d!
FilterReceivePacket in
FilterReceivePacket find Proxy-Connection: Keep-Alive
源ip: %d.%d.%d.%d!
过滤ip包,相关IP g_CurentProxyCount:%d
setdata g_nLimitCount
setdata g_LocalIP
IOCTL_SETIPLIST setdata g_LocalIP
LogLevel:%d
IOCTL_BUFFER inLen:%d outLen:%d
ProxyCount:%lu
IOCTL_SETPROXYFLAG
IOCTL_SETCHAPFLAG
IOContrl happened exception.
IOControl leave....
FilterSendPacket ADSL断线
FilterSendPacket 获取IP
FilterSendPacket chap
FilterSendPacket g_ChallengeRePack
FilterSendPacket g_ChallengeRePack after SecondMd5 v1.7
FilterReceivePacket chap
FilterReceivePacket g_ChallengePack
make proxy connection, keep it alive!!!! (don't let them disconnect no matter what till this process completes!)
upperbindings; your devices = are all mine.
then followed by a whole slew of data filtering commands for various network types based on huge masses of proxy connection requests.
I can see why adwcleaner flagged it as it did. But without it I can't connect to the internet in China. This computer is safe because it has no D:/ drive and the programmers of the virus made their virus rely on a D:/ drive to activate fully. Hence why all Chinese-made computers I've seen have drives up to F:/. I'm guessing China Telecom etc. only check to see if their driver is there on your machine and just assume it's running, but if it's not there "the connection was unsuccessful" because the ISP is sending some sort of info down the pipeline that requires an additional driver to handle the operation, hence why Windows troubleshooter says it's a device driver problem.
I'm guessing there is absolutely nothing wrong with my net; I'm guessing if I were in the UK or USA right now I'd be able to connect flawlessly.
I saw news recently that suggested that China Telecom is considering becoming an international ISP by providing services in other countries. I can now see why: so they can filter everything everyone in the world is looking at through their servers, collect data and do God knows what with it.
As for resolving the net problem on my computer, it would seem the only 'fix', if we can call it that, is to install the virus China Telecom is looking for.
there are some other files with it in the same folder, I did not delete those but I'll have a look through them and see if I can make heads or tails of what they do.
Why did it attack my machine? I was running Tor to get to Facebook, Google Maps, YouTube and all the other banned places, till I got that Java popup from China Telecom that I couldn't read (probably said: you have been flagged as performing suspicious behavior and your net is now being monitored) and everything went down quick.
The flaw here in their practice is a skilled user can remove their tracker, flush their DNS and refresh drivers etc. to get a completely new computer identity, then reinstall their virus and act like nothing happened. Aka, you can't track me, I'm now a new user unrelated to any data previously collected.
I'm going to try reintroducing the virus where it was on my computer (now that I have another copy) and see if I can get online. If I can then I'm right, if not then I messed something else up (possibly "as well"). I did uninstall a Windows TAP adapter V9 that I believe was installed by netfilter, as after searching about it I found people saying: "it must have been installed by some VPN service you were using that used it for proxy connections".
Had to remove a lot of what appears to be Chinese unicode blocks; some I labelled, others I just removed with a space, others I just removed speedily, otherwise this post was not displaying correctly.
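Opening a driver in Notepad is what produced the "Ì" noise, the spaced-out wide strings and the Chinese mojibake in the dump above. As an added example (not the poster's code, and run on a constructed byte blob rather than the real netfilter.sys), here is how an analyst would pull the same strings out cleanly: runs of 0xCC (MSVC int3 filler, shown as Ì in Latin-1) are treated as padding, ASCII, UTF-16LE and GBK runs are extracted separately, and a helper undoes the Latin-1 rendering of GBK bytes (e.g. ¶ÏÏß back to 断线).

```python
import re

# Constructed sample, NOT the real driver: 0xCC filler, an ASCII format
# string, a UTF-16LE NT device name and a GBK-encoded Chinese log string.
SAMPLE = (
    b"\xcc" * 8 + b"Data Lenth:%d\x00"
    + b"\xcc" * 4 + "\\Device\\netfilter".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 6 + "FilterSendPacket ADSL\u65ad\u7ebf".encode("gbk") + b"\x00"
    + b"\xcc" * 3 + b"IOCTL_SETPROXYFLAG\x00"
)

MIN_LEN = 4
# Heuristic: two or more 0xCC bytes are compiler padding, not text. 0xCC is
# also a legal GBK byte, so we split on it instead of excluding it outright.
PADDING = re.compile(rb"\xcc{2,}")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# GBK: printable ASCII or a lead byte 0x81-0xFE followed by 0x40-0xFE.
GBK_RUN = re.compile(rb"(?:[\x20-\x7e]|[\x81-\xfe][\x40-\xfe]){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> dict:
    """Return printable strings grouped by encoding, one padding-delimited
    segment at a time so filler never gets paired into fake GBK characters."""
    found = {"ascii": [], "utf16": [], "gbk": []}
    for seg in PADDING.split(data):
        found["ascii"] += [m.group().decode("ascii") for m in ASCII_RUN.finditer(seg)]
        found["utf16"] += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(seg)]
        for m in GBK_RUN.finditer(seg):
            try:
                text = m.group().decode("gbk")
            except UnicodeDecodeError:
                continue  # a high-byte run that is not valid GBK
            if any(ord(c) > 0x7F for c in text):  # pure ASCII is already reported
                found["gbk"].append(text)
    return found


def repair_mojibake(shown: str) -> str:
    """Undo Notepad's Latin-1 view of GBK bytes: each accented char is one raw byte."""
    return shown.encode("latin-1").decode("gbk")


if __name__ == "__main__":
    for kind, strings in extract_strings(SAMPLE).items():
        print(kind, strings)
    print(repair_mojibake("FilterSendPacket ADSL\u00b6\u00cf\u00cf\u00df"))
```

The ASCII prefix of a mixed string (FilterSendPacket ADSL) is reported twice, once by the ASCII pass and once in full by the GBK pass; that is expected and mirrors what a plain `strings` run would show.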
Quote from: JoshexProxy on April 06, 2016, 02:18:17 AM
I wonder what would happen if I open the driver in notepad..
You sure this isn't a component of some proxy something or other you loaded in China?
Quote from: Arcana on April 06, 2016, 03:45:23 AM
You sure this isn't a component of some proxy something or other you loaded in China?
100% positive. I'm trying to edit the above post, give me a minute; it explains everything, or at least I think it does.
Finished editing the code post so it will display.
The question now is if I should add the file back and if I need to perform any other actions to get China Telecom's server to see it during connection?
I'll wait for a reply before continuing as I'm hesitant that this will solve anything and hesitant whether it's a good idea.
I'd recommend you get yourself a cheap, disposable laptop for your visits to China.
Grab a good clean system image.
Then use something like Deep Freeze to prevent them from screwing up your system too hard.
Quote from: Hyperstrike on April 11, 2016, 09:43:38 PM
I'd recommend you get yourself a cheap, disposable laptop for your visits to China.
Grab a good clean system image.
Then use something like Deep Freeze to prevent them from screwing up your system too hard.
yeah.
I spent some time messing with the computer today. Adding the files won't work and the netfilter inf files don't support "right-click > install", probably because I removed all the registry keys, but that proposes the question of how this thing got on and installed itself in the first place; it must have come over the line from the ISP or installed with some Chinese software.
I'm hoping to get it online so I can use Reimage to repair any damage done. I've secured the logs of what was removed to cause the problem to a zip drive, and may upload the logs here if anyone is willing to review them.
Maybe reinstalling all the Chinese software will reinstall netfilter and get it online again.
The ZTE modem driver (for a China Telecom USB internet device) is probably the best culprit. I can't remember if it was even used on this computer though *goes to check* yes, yes it was.
This is a mess lol. I really need internet on my dev computer; I can't use this one because the left mouse button was broken and a certain someone won't let me get it repaired or buy an external mouse. That and I'd have to transfer all my files and install all my software, and that's a lot.