need computer help

Started by JoshexProxy, March 30, 2016, 07:07:15 AM

Arcana

Quote from: JoshexProxy on April 04, 2016, 03:29:26 AM
I had to limit System Restore to 1 restore point, because it was eating up my C drive. Problem is this one restore point got updated after the removal.

First rule of backups: one is none.

JoshexProxy

Quote from: Arcana on April 04, 2016, 08:54:34 AM
First rule of backups: one is none.

Found SMSvcHost running yesterday; that's Microsoft .NET. Why would it suddenly run, especially when I have no net?

I've got some time today; I'll be going through the registry backups I've made to see what had been removed that was affiliated with my net and try to restore them. It seems to me that my system may still be infected. I should also run Hitman while I'm at it.

Arcana

Quote from: JoshexProxy on April 05, 2016, 01:50:39 AM
Found SMSvcHost running yesterday; that's Microsoft .NET. Why would it suddenly run, especially when I have no net?

I don't think network connectivity is required for the .NET TCP Port Sharing service to properly start.

JoshexProxy

Quote from: Arcana on April 05, 2016, 03:44:35 AM
I don't think network connectivity is required for the .NET TCP Port Sharing service to properly start.

Thing is, it started out of nowhere. So I suspect whatever is left of the virus is trying to trigger an internet connection for itself.

I cannot run Hitman Pro. The old Hitman Pro I remember did not use a scan cloud; the new one does (which means you need internet to scan). That's a really stupid idea lol.

Some more info: I opened a log file for the troubleshooter and it says that "Windows couldn't automatically bind the IP protocol stack to the adapter".

That, and the netlogon service lsass.exe (which before the infection was running nearly all the time (probably because I was online all the time)) is now refusing to start; attempting to start it causes it to stop immediately. Also it had been set to manual; I set it to automatic but still it won't start.

If there is anything you'd like me to do to get more information, just ask. I really appreciate the help.

JoshexProxy

Huge update to this issue.

I wanted to check my friend's computer before I speculated this, and I require a third out-of-China perspective as well for validation of the concern.

I got my friend's Windows 7 computer, which I bought for them in the UK. It has been operating in China as well, and it too has netfilter.sys exactly as it was on my machine; it's listed as a driver.

Searching about this driver online has turned up several things: it's based on a Linux SDK for allowing devices on a network to access your computer. It's basically a backdoor driver, a trojan horse as it would be, that is only ever installed legitimately for things like TeamViewer etc., where you let someone watch and manipulate your desktop and computer from an internet location. AdwCleaner flags it as a tracker which allows an internet-enabled location to track your browsing habits.

As Windows keeps telling me the device driver is missing when I try to connect (and I've verified my driver is the best up-to-date version for the device), I'm gathering there might be something built into Windows 7 that won't let you online if you don't have the backdoor tracking driver netfilter.sys installed.

To confirm this I need someone who has a Windows 7 machine that has never been to China to search C: for netfilter.sys. If it's there then it's a Microsoft thing; if it's not there then it's a China tracking thing. It's 31.2kb here, in C:\windows\system32\drivers and system32\driverstore\filerepository\netsf.inf_amd64_neutral_3841bdc6464ec488.

Aggelakis

Does not exist on my Win 7 Home Premium desktop or Win 7 Pro laptop.

At this point, you would have saved more time and effort by just reinstalling Windows. *snerk*

Golden Aurora

I have a Windows 7 64-bit Alienware laptop.
It has never been to China.
When I search through c:\windows (and subfolders) for netfilter.sys there are 0 results.
Screenshots or directory contents can be provided if you desire.

Golden Aurora

My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you can't get to the registry, time to reinstall.
Good luck!

Arcana

Quote from: Golden Aurora on April 05, 2016, 08:06:29 PM
My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you can't get to the registry, time to reinstall.
Good luck!

This might be simpler:

http://www.downloadcrew.com/article/27494-kernel_mode_drivers_manager

JoshexProxy

Quote from: Arcana on April 05, 2016, 09:00:05 PM
This might be simpler:

http://www.downloadcrew.com/article/27494-kernel_mode_drivers_manager

I wish it were that simple. It didn't even pick up the file as a driver on my friend's computer, but I know what happens if I delete it, so for now I'll need that net to fix my other computer.

The fact that it didn't see it at all means it is a fictitious driver, but it most likely pointed all other net drivers to itself in the registry.

JoshexProxy

Quote from: Golden Aurora on April 05, 2016, 08:06:29 PM
My advice is to troll through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services as per this http://www.installmate.com/support/im9/kb/kb50017.htm
When I look through mine, I see .sys files registered there. You might be able to delete the key hosing it up.
If you can't get to the registry, time to reinstall.
Good luck!

Interesting, netfilter does not exist in my friend's computer's registry at all; it must be something that activates when given an impulse from the ISP to do so.

As for my computer, I already deleted all the netfilter keys, values and data manually.

I wonder what would happen if I open the driver in Notepad...

JoshexProxy

VS_VERSION_INFO / StringFileInfo 000004B0 *blah removed*
  CompanyName:      Windows (R) Win 7 DDK provider
  FileDescription:  Sample NDIS 4.0 Intermediate Miniport Driver
  FileVersion:      6.1.7600.16385 built by: WinDDK
  InternalName:     NETFILTER.SYS
  LegalCopyright:   © Microsoft Corporation. All rights reserved.
  OriginalFilename: NETFILTER.SYS
  ProductName:      Windows (R) Win 7 DDK driver
  ProductVersion:   6.1.7600.16385
  VarFileInfo / Translation *asian font upper period removed*
*unicode blocks removed*
<<<Obsolete>>>

Certificates (readable strings only):
  issuer:   CN / China Telecom / China Telecom Trust Network / China Telecom Root CA
  validity: 100926023324Z to 120925023324Z (2010-09-26 to 2012-09-25)
  subject:  CN / China Telecom / China Telecom Trust Network / China Telecommunications Corporation
  CRL:      http://localhost/ct.crl

  issuer:   US / VeriSign, Inc. / VeriSign Time Stamping Services CA
  validity: 070615000000Z to 120614235959Z (2007-06-15 to 2012-06-14)
  subject:  US / VeriSign, Inc. / VeriSign Time Stamping Services Signer
  CRL:      http://crl.verisign.com/tss-ca.crl

  issuer:   ZA / Western Cape / Durbanville / Thawte / Thawte Certification / Thawte Timestamping CA
  validity: 031204000000Z to 131203235959Z (2003-12-04 to 2013-12-03)
  subject:  US / VeriSign, Inc. / VeriSign Time Stamping Services CA
  OCSP:     http://ocsp.verisign.com
  CRL:      http://crl.verisign.com/ThawteTimestampingCA.crl

  issuer:   US / Washington / Redmond / Microsoft Corporation / Microsoft Code Verification Root
  validity: 060523170129Z to 160523171129Z (2006-05-23 to 2016-05-23)
  subject:  US / VeriSign, Inc. / Class 3 Public Primary Certification Authority (CrossCA)
  CRL:      http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl

*paragraphs of blah removed*
  signer issuer:         China Telecom / China Telecom Trust Network / China Telecom Root CA
  countersigner issuer:  VeriSign, Inc. / VeriSign Time Stamping Services CA
  timestamp:             101015090443Z (2010-10-15 09:04:43Z)

That says a lot right there: it makes itself out to be an official Microsoft driver, claiming to be a DDK driver made by Microsoft Corporation for Windows 7; however, in the dependencies at the bottom the real developer is blatantly obvious: China Telecom etc.

This explains why every time I go out of China and wipe all my viruses off the machine, then go back, I cannot connect to China's networks for a few days.

So it's an ISP tracking virus; if you don't have it, you are forbidden from connecting to China's internet networks.

Why hasn't it wormed its way into this computer and replaced all the devices with netfilter devices? Simple:

*removed some code that was cutting off my post* d:backupwork江西天翼livendispassthrudriver_chapobjfre_win7_amd64amd64netfilter.pdb *removed some code here too*

This computer does not have a D:/ drive. It requires that drive to fully activate, whereby it creates and runs the file d:backupwork江西天翼livendispassthrudriver_chapobjfre_win7_amd64amd64netfilter.pdb; then, when finished taking complete control of your net devices, it most likely deletes said file to avoid detection.

What does it do?

*removed huge amounts of unreadable code*
\Device\netfilter
\DosDevices\netfilter
UpperBindings
NdisVersion
PtSendComplete free my packet
0123456789abcdef
Data Lenth:%d
Proxy-Connection: Keep-Alive
FilterReceive copy ChallengePAck
FilterReceive find Proxy-Connection: Keep-Alive
IP: %d.%d.%d.%d!
FilterReceivePacket  in
FilterReceivePacket find Proxy-Connection: Keep-Alive
源ip: %d.%d.%d.%d!
过滤ip包,相关IP g_CurentProxyCount:%d
setdata g_nLimitCount
setdata g_LocalIP
IOCTL_SETIPLIST setdata g_LocalIP
LogLevel:%d
IOCTL_BUFFER inLen:%d outLen:%d
ProxyCount:%lu
IOCTL_SETPROXYFLAG
IOCTL_SETCHAPFLAG
IOContrl happened exception.
IOControl leave....
FilterSendPacket ADSL断线
FilterSendPacket 获取IP
FilterSendPacket chap
FilterSendPacket g_ChallengeRePack
FilterSendPacket    g_ChallengeRePack after SecondMd5 v1.7
FilterReceivePacket  chap
FilterReceivePacket  g_ChallengePack

Make proxy connection, keep it alive!!!! (Don't let them disconnect no matter what till this process completes!)

UpperBindings: your devices are all mine.

Then followed by a whole slew of data filtering commands for various network types, based on huge masses of proxy connection requests.

I can see why AdwCleaner flagged it as it did, but without it I can't connect to the internet in China. This computer is safe because it has no D:/ drive and the programmers of the virus made their virus rely on a D:/ drive to activate fully, hence why all Chinese-made computers I've seen have drives up to F:/. I'm guessing China Telecom etc. only check to see if their driver is there on your machine and just assume it's running, but if it's not there "the connection was unsuccessful" because the ISP is sending some sort of info down the pipeline that requires an additional driver to handle the operation, hence why the Windows troubleshooter says it's a device driver problem.

I'm guessing there is absolutely nothing wrong with my net; I'm guessing if I were in the UK or USA right now I'd be able to connect flawlessly.

I saw news recently that suggested that China Telecom is considering becoming an international ISP by providing services in other countries. I can now see why: so they can filter everything everyone in the world is looking at through their servers, collect data and do God knows what with it.

As for resolving the net problem on my computer, it would seem the only 'fix', if we can call it that, is to install the virus China Telecom is looking for.

There are some other files with it in the same folder. I did not delete those, but I'll have a look through them and see if I can make heads or tails of what they do.

Why did it attack my machine? I was running Tor to get to Facebook, Google Maps, YouTube and all the other banned places, till I got that Java popup from China Telecom that I couldn't read (probably said: you have been flagged as performing suspicious behavior and your net is now being monitored) and everything went down quick.

The flaw here of their practice is that a skilled user can remove their tracker, flush their DNS and refresh drivers etc. to get a completely new computer identity, then reinstall their virus and act like nothing happened. AKA, you can't track me, I'm now a new user unrelated to any data previously collected.

I'm going to try reintroducing the virus where it was on my computer (now that I have another copy) and see if I can get online. If I can then I'm right; if not then I messed something else up (possibly "as well"). I did uninstall a Windows TAP adapter V9 that I believe was installed by netfilter, as after searching about it I found people saying: "it must have been installed by some VPN service you were using that used it for proxy connections".

Had to remove a lot of what appears to be Chinese unicode blocks; some I labelled, others I just removed with a space, others I just removed speedily, otherwise this post was not displaying correctly.
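The poster read the driver's embedded text by opening it in Notepad, which renders UTF-16 strings with a gap after every letter and shows GBK debug messages as Latin-1 mojibake. As an added example (not code from this thread), the Python below scans a binary for both narrow and wide strings and decodes narrow runs as ASCII or GBK; it runs on a constructed sample rather than the real driver, and the sample bytes and the treatment of 0xCC as a separator are my assumptions.

```python
import re

MIN_LEN = 4
# Narrow strings: printable ASCII plus GBK lead/trail bytes. 0xCC is excluded on
# purpose: MSVC pads code with int3 (0xCC), which Notepad shows as runs of "Ì" and
# GBK would decode as "烫烫烫". Treating it as a separator is a heuristic, not a rule.
NARROW_RUN = re.compile(rb"[\x20-\x7e\x81-\xcb\xcd-\xfe]{%d,}" % MIN_LEN)
# Wide strings (UTF-16LE, used by VS_VERSION_INFO and NT device names): every
# printable byte is followed by a zero byte, which is why Notepad rendered
# "N E T F I L T E R . S Y S" with a gap between the letters.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def decode_narrow(run):
    """Return (encoding, text): ASCII if pure ASCII, else GBK (the usual encoding
    for debug strings in a Chinese-built driver), else latin-1 mojibake."""
    for enc in ("ascii", "gbk"):
        try:
            return enc, run.decode(enc)
        except UnicodeDecodeError:
            pass
    return "latin-1", run.decode("latin-1")


def extract_strings(data):
    """Return (offset, encoding, text) for every string of >= MIN_LEN chars."""
    found = []
    for m in NARROW_RUN.finditer(data):
        enc, text = decode_narrow(m.group())
        if len(text) >= MIN_LEN:
            found.append((m.start(), enc, text))
    for m in WIDE_RUN.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


# Constructed sample (not the real driver): int3 padding around a wide file name,
# an ASCII header string, a GBK debug message and an IOCTL label.
SAMPLE = (
    b"\xcc" * 8 + "NETFILTER.SYS".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 4 + b"Proxy-Connection: Keep-Alive\x00"
    + b"\xcc" * 6 + "过滤ip包,相关IP g_CurentProxyCount:%d".encode("gbk") + b"\x00"
    + b"\xcc" * 4 + b"IOCTL_SETCHAPFLAG\x00"
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:#06x}  {enc:<8}  {text}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `extract_strings`; the wide strings carry the version-info claims and the narrow ones the debug messages the post quotes.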

Arcana

Quote from: JoshexProxy on April 06, 2016, 02:18:17 AM
I wonder what would happen if I open the driver in Notepad...

You sure this isn't a component of some proxy something or other you loaded in China?

JoshexProxy

Quote from: Arcana on April 06, 2016, 03:45:23 AM
You sure this isn't a component of some proxy something or other you loaded in China?

100% positive. I'm trying to edit the above post; give me a minute, it explains everything, or at least I think it does.

JoshexProxy

Finished editing the code post so it will display.

JoshexProxy

The question now is if I should add the file back, and if I need to perform any other actions to get China Telecom's server to see it during connection?

I'll wait for a reply before continuing, as I'm hesitant that this will solve anything and hesitant whether it's a good idea.

Hyperstrike

I'd recommend you get yourself a cheap, disposable laptop for your visits to China.
Grab a good clean system image.
Then use something like Deep Freeze to prevent them from screwing up your system too hard.

JoshexProxy

Quote from: Hyperstrike on April 11, 2016, 09:43:38 PM
I'd recommend you get yourself a cheap, disposable laptop for your visits to China.
Grab a good clean system image.
Then use something like Deep Freeze to prevent them from screwing up your system too hard.

yeah.

I spent some time messing with the computer today. Adding the files won't work, and the netfilter inf files don't support "right-click > install", probably because I removed all the registry keys, but that poses the question of how this thing got on and installed itself in the first place; it must have come over the line from the ISP or installed with some Chinese software.

I'm hoping to get it online so I can use Reimage to repair any damages done. I've secured the logs of what was removed to cause the problem to a zip drive, and may upload the logs here if anyone is willing to review them.

Maybe reinstalling all the Chinese software will reinstall netfilter and get it online again.

The ZTE modem driver (for a China Telecom USB internet device) is probably the best culprit. I can't remember if it was even used on this computer though *goes to check* yes, yes it was.

This is a mess lol. I really need internet on my dev computer; I can't use this one because the left mouse button was broken and a certain someone won't let me get it repaired or buy an external mouse. That, and I'd have to transfer all my files and install all my software, and that's a lot.