need computer help

[Arcana]

I had to limit system restore to 1 restore point, because it was eating up my c drive. problem is this one restore point got updated after the removal.

First rule of backups: one is none.

[JoshexProxy]

First rule of backups: one is none.

found SMsvchost running yesterday, that's microsoft .net, why would it suddenly run? especially when I have no net.

I've got some time today, I'll be going through the registry backups I've made to see what had been removed that was affiliated with my net and try to restore them. it seems to me that my system may still be infected. I should also run hitman while I'm at it.

[Arcana]

found SMsvchost running yesterday, that's microsoft .net, why would it suddenly run? especially when I have no net.

I don't think network connectivity is required for the .Net tcp port sharing service to properly start.

[JoshexProxy]

I don't think network connectivity is required for the .Net tcp port sharing service to properly start.

thing is it started out of nowhere. so I suspect whatever is left of the virus is trying to trigger an internet connection for itself.

I cannot run hitman pro, the old hitman pro I remember did not use a scan cloud, the new one does (which means you need internet to scan) that's a really stupid idea lol.

Some more info I opened a log file for the troubleshooter and it says that "windows couldn't automatically bind the IP protocol stack to the adapter"

that and the netlogon service lsass.exe (which before the infection was running nearly all the time (probably because I was online all the time)) is now refusing to start, attempting to start it causes it to stop immediately, also it had been set to manual, I set it to automatic but still it wont start.

if there is anything you'd like me to do to get more information just ask, I really appreciate the help.

[JoshexProxy]

Huge update to this issue.

I wanted to check my friend's computer before I speculated this and I require a third out-of-china perspective as well for validation of the concern.

I got my friend's windows 7 computer which I bought for them in the UK, it has been operating in china as well and it too has netfilter.sys exactly as it was on my machine, it's listed as a driver.

searching about this driver online has turned up several things, it's based on a linux SDK for allowing devices on a network to access your computer, it basically a backdoor driver, a trojan horse as it would be that is only ever installed legitimately for things like teamviewer etc. where you let someone watch and manipulate your desktop and computer from an internet location. adwcleaner flags it as a tracker which allows an internet enabled location to track your browsing habits.

as windows keeps telling me the device driver is missing when I try to connect (and I've verified my driver is the best uptodate version for the device) I'm gathering there might be something built into windows 7 that wont let you online if you don't have the backdoor tracking driver netfilter.sys installed.

to confirm this I need someone who has a windows 7 machine that has never been to china to search C: for netfilter.sys if it's there then it's a microsoft thing. if it's not there then it's a china tracking thing. it's 31.2kb here and in C:windowssystem32drivers and system32driverstorefilerepositorynetsf.inf_amd64_neutral_3841bdc6464ec488.

[Aggelakis]

Does not exist on my Win 7 Home Premium desktop or Win 7 Pro laptop.

At this point, you would have saved more time and effort by just reinstalling Windows. *snerk*

[Golden Aurora]

I have a windows 7 64 bit alienware laptop.
It has never been to china.
When I search through c:\windows (and subfolders) for netfilter.sys there are 0 results.
Screenshots or directory contents can be provided if you desire.

[Golden Aurora]

My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you cant get to the registry, time to reinstall.
Good luck!

[Arcana]

My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you cant get to the registry, time to reinstall.
Good luck!

This might be simpler:

http://www.downloadcrew.com/article/27494-kernel_mode_drivers_manager

[JoshexProxy]

This might be simpler:

http://www.downloadcrew.com/article/27494-kernel_mode_drivers_manager

I wish it were that simple, it didn't even pick up the file as a driver on my friends computer, but I know what happens if I delete it, so for now I'll need that net to fix my other computer.

the fact that it didn't see it at all means it is a fictitious driver but it most likely pointed all other net drivers to itself in the registry.

[JoshexProxy]

My advice is to troll through HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservices as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you cant get to the registry, time to reinstall.
Good luck!

interesting, netfilter does not exist in my friend's computer's registry at all, it must be something that activates when given an impulse from the ISP to do so.

as for my computer I already deleted all the netfilter keys, values and data manually.

I wonder what would happen if I open the driver in notepad..

[JoshexProxy]

[Arcana]

I wonder what would happen if I open the driver in notepad..

You sure this isn't a component of some proxy something or other you loaded in China?

[JoshexProxy]

You sure this isn't a component of some proxy something or other you loaded in China?

100% positive. I'm trying to edit the above post give me a minute it explains everything or at least I think it does.

[JoshexProxy]

finished editing the code post so it will display.

[JoshexProxy]

the question now is if I should add the file back and if I need to perform any other actions to get china telecom's server to see it during connection?

I'll wait for a reply before continuing as I'm hesitant that this will solve anything and hesitant whether it's a good idea.

[Hyperstrike]

I'd recommend you get yourself a cheap, disposable laptop for your visits to China.
Grab a good clean system image.
Then use something like Deep Freeze to prevent them from screwing up your system too hard.

[JoshexProxy]

I'd recommend you get yourself a cheap, disposable laptop for your visits to China.
Grab a good clean system image.
Then use something like Deep Freeze to prevent them from screwing up your system too hard.

yeah.

I spent some time messing with the computer today, adding the files wont work and the netfilter inf files don't support "right-click > install" probably because I removed all the registry keys, but that proposes the question of how did this thing get on and install itself in the first place, it must have come over the line from the ISP or installed with some chinese software.

I'm hoping to get it online so I can use reimage to repair any damages done. I've secured the logs of what was removed to cause the problem to a zip drive. and may upload the logs here if anyone is willing to review them.

maybe reinstalling all the chinese software will reinstall netfilter and get it online again.

the ZTE modem driver (for a china telecom USB internet device) is probably the best culprit, I can't remember if it was even used on this computer though *goes to check* yes, yes it was.

this is a mess lol. I really need internet on my dev computer, I can't use this one because the left mouse button was broken and certain someone wont let me get it repaired or buy an external mouse. that and I'd have to transfer all my files and install all my software, and that's a lot.