netfilter.sys

Joshex (thread author):
Firstly, I am in China, so Google is blocked, which makes it impossible to register here or contact you because all your captchas are Google captchas. I managed to get a friend to help me make this account.

Secondly, because I am in China, if you have any questions about the log files attached please do ask; I have had to install a lot of Chinese malware just to get 'clearance' to access their internet services.

Next, I usually have no problems removing malware; in fact I've even done some manual removals and SYSTEMUSER removals of null value registry keys.

Several years ago I encountered some wifi connectivity problems with the wifi device on my computer. After exhaustive work trying to fix it, including trying and failing to remove a null value registry key associated with the problem in controlset01, I found that it was a hardware problem, where the wifi device had been fried from overheating (because I opened and closed the laptop in a rush and put it into a suitcase while it still hadn't gone to sleep). It will connect to wifi for a few seconds or minutes, but then after loading one URL it immediately goes to limited connectivity. That's when I got my USB wifi device to replace it, and that has worked fine for years.

Yesterday, I got a Java popup in Firefox from China Telecom. I could not read it because I don't know Chinese (being from the USA), but I was not happy that they could produce that ad in my browser, and recent scans with my normal antivirus software (viprerescue, tdsskiller and malwarebytes) turned up blank. So I decided to use adwcleaner (which I had never used before). It found a file called netfilter.sys in windows system32 and I thought "ah ha, that has to be it", so I went along with the removal.

But now both devices are giving me the same error, where they say there was a problem connecting to the wifi and thus have limited connectivity. I ran my normal antimalware and added in roguekiller; they found and flagged some net hooks associated with netfilter, and some registry entries for netfilter, so I got rid of them all. I still cannot connect to wifi. I am using a different computer to get online to post this.

After all that I searched for netfilter.sys and found an official microsoft.com page explaining that it may be a network SDK driver supplied with Windows 7 based on a Linux netfilter device SDK.

So it looks like I may be wrong, it wasn't a virus, but now I can't find an official installer to repair it. I've still got the netfilter.sys in system32/drivers/driverstore.

Anyway, I have never dealt with this sort of virus before, or if it isn't a virus I have never done something this stupid before as to remove a valid file or net hooks; I have no idea how to install replacement net hooks etc.

Please help.
 

Attachments

  • FRST.txt (30 KB)
  • Addition.txt (41.8 KB)
  • AdwCleaner[C1].txt (3.5 KB)
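Before removing a system driver on the strength of a single scanner hit, a defender would first establish what the file actually is: who signed it, whether a pristine copy exists in the DriverStore, and how it is registered. The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned in it; it assumes the driver is registered under the service name netfilter (the default parameter) and otherwise uses only standard Windows locations.

```powershell
# Added example, not code from the thread: checks to run on a driver file BEFORE letting a
# cleanup tool delete it. The driver name defaults to 'netfilter' because that is the file
# in question here; everything else is a standard Windows location.
# Requires Windows PowerShell 3+ (Get-CimInstance); Get-FileHash needs 4+.
param([string]$DriverName = 'netfilter')

$driverFile = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"

"== File and Authenticode signature =="
if (Test-Path $driverFile) {
    $sig = Get-AuthenticodeSignature -FilePath $driverFile
    # Status 'Valid' means a trusted signing chain; 'NotSigned' or 'HashMismatch' deserve a closer look.
    # A valid signature only tells you who built the file, not whether you want it installed.
    "{0}`n  Status : {1}`n  Signer : {2}" -f $driverFile, $sig.Status, $sig.SignerCertificate.Subject
    # Hash to compare against a vendor or Microsoft reference if you have one.
    (Get-FileHash -Algorithm SHA256 -Path $driverFile).Hash
} else {
    "$driverFile is not present on disk"
}

"== Copies in the DriverStore (the source a repair or re-install would use) =="
$store = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
Get-ChildItem -Path $store -Filter "$DriverName.sys" -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

"== Service registration (what the service control manager knows about it) =="
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path $svcKey) {
    Get-ItemProperty -Path $svcKey | Select-Object ImagePath, Start, Type, Group | Format-List
} else {
    "$svcKey does not exist: the driver is not registered, so it cannot be loaded at boot"
}

"== Loaded state right now =="
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) { $drv | Select-Object Name, State, StartMode, PathName | Format-List }
else      { "Win32_SystemDriver has no entry named $DriverName" }
```

Run it from an elevated prompt as `.\Check-Driver.ps1` (or `.\Check-Driver.ps1 -DriverName tcpip` for any other driver). The point of the DriverStore section is exactly the situation in this thread: if a copy survives there, a repair has something to restore from; if the service key is gone as well, the file alone will not load.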

TwinHeadedEagle:
Hello,


Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the reports icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

Joshex (thread author):
Zemana wants to connect to its own scan server, but the computer can't get online. I will try to see if I can connect directly via the ethernet cable, but as far as I know no one remembers the username or password for the account, and/or China Telecom may have placed a restriction on what devices can connect to their network this way.
 

TwinHeadedEagle:
Let's try this then:


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    autoclean;
    emptyclsid;
    emptyalltemp;
    ipconfig /flushdns >>"%temp%\log.txt";b
  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).

Upload it in your next reply.
 

Joshex (thread author):
OK, uploaded the results. I read through them myself too; it found more netfilter stuff, and it had a problem flushing the DNS. I went into cmd and checked: I tried ipconfig -renew and it said no device is in a state that can accept this action, but it allowed me to do ipconfig /flushdns. Whatever happened, I seem to be without TCP/IP services, which is probably why my wifi devices can't connect ("connection failed").

Anyway, thanks for your help so far, I really appreciate it. I hope we can fix this issue. Awaiting your next instruction.
 

Attachments

  • zoek-results.txt (15.3 KB)

TwinHeadedEagle:
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition.txt option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the reports to your next reply.
 

Joshex (thread author):
Some stuff is working better; I now get a popup when unmounting zip drives saying it's safe to remove them.

Logs attached.
 

Attachments

  • FRST2.txt (29.8 KB)
  • Addition2.txt (42.2 KB)

TwinHeadedEagle:
Do you know anything about these files?

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boot.vbs [2010-09-26] ()
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boot.vbs [2010-09-26] ()
Startup: C:\Users\Joshex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boot.vbs [2010-09-26] ()
Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boot.vbs [2010-09-26] ()


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt (5.9 KB)

Joshex (thread author):
I have seen those files on a few manual virus removal sweeps but always thought they were valid boot configuration files, and, as no antivirus had flagged them and I never see them running in task manager when I open it, I assumed they were clean. However, I should have searched their name as per usual: all the search results say they are a virus. Shall I save them to a zip drive and delete them manually on the machine to see if it helps or hurts anything?

Log attached. All wifi devices still can't connect; they can see all the wifi hotspots and they can try to connect, but it always ends in "taking longer than usual" then "the connection was unsuccessful, the computer currently has limited connectivity".
 

Attachments

  • Fixlog.txt (12.7 KB)

Joshex (thread author):
TwinHeadedEagle asked: Can you open one of these .vbs files in notepad and copy the content here?

Sure, they are a simple write file command followed by a delete file command.

Code:
set ws=wscript.createobject("wscript.shell")
ws.run "C:\WINDOWS\system\boot3.cmd /start", 0
ws.run "C:\WINDOWS\system\ADSL.cmd"
CreateObject("Scripting.FIleSystemObject").DeleteFile WSH.ScriptFullName, True

All files are identical. I'm a bit worried by the UpdatusUser as I never made such a user, and Default User is access denied as normal admin.

Not sure any of this would affect my wifi devices though; it may be a separate yet related issue.
 
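The boot.vbs content above is a compact example of startup-folder persistence: it launches two .cmd files (one with a hidden window), then deletes itself so the script body is gone by the time anyone looks. The PowerShell below is an added example, not from the thread or from FRST; it walks every profile's Startup folder (the same locations the "Startup:" lines listed), flags scripts that match those traits, and reports whether the paths they launch still exist. The profile root C:\Users and the indicator regexes are assumptions derived from the posted script. Nothing is modified or deleted.

```powershell
# Added example, not code from the thread: enumerate every profile's Startup folder the way the
# FRST "Startup:" lines do, and flag script files that behave like the posted boot.vbs
# (WScript.Shell .Run with a hidden window, self-deletion via WSH.ScriptFullName).
# Assumption: profiles live under C:\Users. Read-only; requires Windows PowerShell 3+.
$profileRoot = Join-Path $env:SystemDrive 'Users'
$startupRel  = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Indicator regexes derived from the script posted in the thread (-match is case-insensitive).
$indicators = [ordered]@{
    'WScript.Shell' = 'wscript\.shell'
    'hidden .Run'   = '(?m)\.run\s+.*,\s*0\s*$'          # trailing ", 0" = SW_HIDE window style
    'self-deleting' = 'DeleteFile\s+WSH\.ScriptFullName'
}

$results = foreach ($profile in Get-ChildItem -Path $profileRoot -Directory -Force -ErrorAction SilentlyContinue) {
    $startup = Join-Path $profile.FullName $startupRel
    if (-not (Test-Path $startup)) { continue }
    foreach ($file in Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue) {
        $flags = @(); $targets = @()
        if ($file.Extension -match '^\.(vbs|vbe|js|jse|wsf|cmd|bat|ps1)$') {
            $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            if ($text) {
                $flags = foreach ($k in $indicators.Keys) { if ($text -match $indicators[$k]) { $k } }
                # Absolute paths the script launches, with a note on whether each still exists on disk.
                $targets = [regex]::Matches($text, '[A-Za-z]:\\[^"\s,]+') |
                    ForEach-Object { $_.Value } | Sort-Object -Unique |
                    ForEach-Object { if (Test-Path $_) { "$_ [present]" } else { "$_ [missing]" } }
            }
        }
        [pscustomobject]@{
            Profile  = $profile.Name          # Default, Default User, UpdatusUser ... all get visited
            File     = $file.Name
            Modified = $file.LastWriteTime.ToString('yyyy-MM-dd')
            Flags    = ($flags -join '; ')
            Targets  = ($targets -join '; ')
        }
    }
}
$results | Format-Table -AutoSize -Wrap
```

Run it elevated so that the Default and Default User folders are readable. A row with all three flags set and "missing" targets matches the thread's situation (the launched .cmd files were removed by the earlier cleanup but the launcher stayed); the Targets column is what tells you whether removing the .vbs alone is enough or whether the .cmd files also need to be looked at.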

TwinHeadedEagle:
Scan with Farbar Service Scanner

Download Farbar Service Scanner by Farbar and save it to your desktop.

  • Right-click on the Farbar Service Scanner icon and select Run as Administrator to start the tool.
  • Make sure all of the options are checked!
  • Press Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run from.

Please include that log in your next reply.
 

Joshex (thread author):
One log file; not sure what to make of this one.

More in-depth information: every time I run the repair tool on my wifi adapter (or if I run it on all network adapters) it says "there may be a problem with the driver for this device", but as I said earlier I just installed a fresh driver for one device and it didn't help.

Is there an overall network driver in Windows that possibly got deleted when netfilter was caught?
 

Attachments

  • FSS.txt (2.5 KB)

TwinHeadedEagle:
Let's try this:

  • Download this archive and unpack it --> winsock.zip
  • You will find two files inside.
  • Right click on each of them and select Merge.
  • Allow merging. Restart your PC and let me know how the situation is now.
 
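Merging the two .reg files restores Winsock registry keys; when that does not help, the question the thread is circling (is a core network driver missing or unregistered?) can be answered with a read-only check rather than by guessing at adapter drivers. The PowerShell below is an added example, not from the thread; the driver names are the usual Windows 7 TCP/IP core and are an assumption for other Windows versions.

```powershell
# Added example, not code from the thread: read-only health check of the networking stack after a
# cleanup tool has removed driver or registry entries. Run from an elevated Windows PowerShell 3+ prompt.
# Assumption: this driver list is the TCP/IP core on Windows 7; adjust it for other versions.
$coreDrivers = 'tcpip', 'afd', 'netbt', 'nsi', 'tdx', 'ndis', 'ndisuio'

"== Core network drivers (expect State=Running) =="
foreach ($name in $coreDrivers) {
    $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
    if ($d) { '{0,-10} {1,-9} {2,-8} {3}' -f $d.Name, $d.State, $d.StartMode, $d.PathName }
    else    { '{0,-10} NOT REGISTERED' -f $name }   # the case the thread is worried about
}

"== Winsock registry keys (the keys a Winsock reset rebuilds) =="
'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock',
'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2' |
    ForEach-Object { '{0,-55} present={1}' -f $_, (Test-Path $_) }

"== Winsock catalog: provider descriptions and the DLLs behind them =="
# Third-party LSPs or namespace providers (the kind of hook a network filter installs) show up here;
# a catalog that references a DLL that no longer exists is one way a cleanup breaks connectivity.
netsh winsock show catalog |
    Where-Object { $_ -match '^\s*(Description|Provider Path)\s*:' } |
    ForEach-Object { $_.Trim() }

"== Physical adapters (NetConnectionStatus 2=Connected, 7=Media disconnected; ConfigManagerErrorCode 0=OK) =="
Get-CimInstance -ClassName Win32_NetworkAdapter -Filter "PhysicalAdapter=True" |
    Select-Object Name, NetEnabled, NetConnectionStatus, ConfigManagerErrorCode, ServiceName |
    Format-Table -AutoSize
```

If a core driver shows as NOT REGISTERED or Stopped, that is the layer to repair, and no amount of re-installing the wifi adapter's own driver will help; the adapter rows' ConfigManagerErrorCode separates a real adapter driver fault from a stack problem above it. Microsoft's supported way to rebuild the Winsock catalog and the TCP/IP configuration is `netsh winsock reset` followed by `netsh int ip reset` and a reboot.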

Joshex (thread author):
Merged them but nothing has changed; I'm guessing it wasn't a winsock problem.

Netfilter had a load of nethooks with it. I'm guessing these nethooks replaced valid ones and, once removed, took down my net drivers (or corrupted them). I'm guessing it's the driver for the network controller.

I'm using an HP Pavilion g4 notebook PC. I am no longer able to read the sticker that says exactly which model, and dxdiag was not any more helpful.
 

Joshex (thread author):
HP Pavilion g4-1118tx
Finally found the model number, so now I can search for drivers, but will have to do so when I get back from work in 14 hours...
 

Joshex (thread author):
OK, I'm going through drivers on HP.com but nothing is looking promising; it's all drivers for individual network devices, not the network controller.
 

Joshex (thread author):
What is a nethook? I've never heard of them before this. I suppose it might help me to know what I was dealing with.
 
