Got a blue screen and now I'm paranoid
So I have a kind of weird question...
I have F-secure installed. I know that Windows Defender does not work
with F-secure. But I did a full scan of my computer with Windows
Defender because I got a blue screen earlier and wanted to do a scan
with another program too just in case.
Background:
I was using Microsoft Edge (on a website that might have some suspicious
ads, but I never clicked on anything, the page has always been safe
when I don't click on any ads, and I have F-secure installed, so I have
never been worried). I had exited the "website with ads" and I was
simply typing something into the Google search box when suddenly my PC's mouse
stopped moving, the keyboard stopped working and my PC crashed to a blue
screen and gave me some kind of memory error; it was maybe Memory
Management or something else (I can't remember the exact one). I don't
know if being on that one website could be connected to this blue screen
or if it was simply an error out of nowhere (which my PC has never got
before in the over 2 years I have had it).
If my PC is fine and nothing is wrong, I'll still never visit any website
with "too" many ads again, AV installed or not.
Windows Defender keeps telling me about PUA: Win32/NetFilter
Location:
containerfile: C:\Recovery\Customizations\usmt.ppkg
file: C:\Recovery\Customizations\usmt.ppkg->\ICB\MachineSpecific\File\C$\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys
file: C:\Recovery\Customizations\usmt.ppkg->\ICB\MachineSpecific\File\C$\Windows\System32\drivers\netfilter2.sys
Now when I pressed delete it "spins around"/does the process for a long
time then it is gone and says that there are no current threats.
When I restart my computer or do another scan with Windows Defender it
gives the same PUA notification again.
F-secure scan does not find anything.
I can't find the folder where the supposed PUA is located at.
(Also, does Malwarebytes work with F-secure installed?) I did a scan
with it too and it at least didn't find anything either.
I would just want some clarification...is my PC safe? PUA is not a virus
according to Microsoft support and it is not harmful (they told me
this).
Is this true? Do I not need to worry about this notification? I just
cancelled the Windows Defender scan last time it saw the supposed PUA
again. But I'm still worried that it still exists. Is there some kind of
way to be sure that it no longer exists without needing to disable
F-secure in order for Windows Defender to maybe work properly?
This is really confusing because, like I said earlier, I know that Windows
Defender does not work with F-secure, so I can't even see the protection
history and I don't know if the delete option got rid of the program or
not. And like I said earlier, F-secure never notified me about the/any
PUAs.
I'm just really paranoid about this. Even if the other scans don't find
anything, and even if Windows Defender finds something, are my PC and
accounts safe?
I need to confirm this...otherwise I will not feel safe using my PC
anymore. I don't want to reset my whole PC and I have a lot of important
files but no back ups.
Help is greatly appreciated!
My questions in short for clarification:
1. Windows Defender full scan keeps finding a PUA but other AV scans
don't. Does this mean that I'm safe?
2. Does Windows Defender do the "delete" option even with F-secure
installed? And even if it does not, is the program still gone since
F-secure has not notified me about it?
3. Is the notification fine to ignore since the other scans don't find
it?
4. Is PUA really not harmful? Is it not a virus? Won't it do any damage
to my PC or privacy?
5. Why can't I find the location where the program is located? (I'm
not sure if I have hidden files shown or not... they should be, but I'm not
sure.)
Once again help and opinions/suggestions are greatly appreciated.
Accepted Answer
-
Hello,
Sorry for the delay with my response!
I also can't find this "recovery" folder. I have hidden files shown, so maybe it truly is just some folder that the user can't directly access.
So, besides the "hidden files shown" option, you may probably also need to modify the next option: "Hide protected operating system files". By default, it should be checked. So, you need to uncheck it and maybe the mentioned folder will be visible. A rough way to do so is ("Control Panel" - "Folder Options" - "View" tab - check the list of options for the one with wording around "Hide protected operating system files" and uncheck it). However, the "checked" state is the recommended one. Also, even if it is visible, access to it can be restricted anyway.
Is it normal that F-secure and Windows Defender never gave me a notification about the PUA? I got the notification about it after doing a full scan with Windows Defender. The F-Secure scan or a quick scan with Windows Defender found nothing.
Yes, it is normal. So, both solutions did not find it by real-time scanning, because of "no access" to the items, a "no launch" state. They are just static 'suspicious' items, even inside a "container" (kind of limited possibilities to get out). When you scanned it (full scan), Windows Defender discovered that this item looked suspicious and maybe matched a certain 'pattern' that is known to its 'signature logic base'.
Quick scans are usually about the most critical system places and paths where malware can be, mostly against "active" ones.
If F-secure never told me about the PUA, was Windows Defender able to handle the PUA, either quarantine or delete/block it, even with F-secure enabled?
If both solutions are enabled (the mentioned "periodic scanning" feature of Windows Defender) and there are no troubles (see the mentioned discussion under Microsoft Community "Windows Defender Identifies The SAME PUP As A Threat Repeatedly"), then it should be done after the scan event when the item is detected and the 'action' is adjusted.
By default (Windows 10), if F-Secure AV/IS/SAFE is enabled/active, then Windows Defender is disabled (off). And there is no 'good' way to use both of them with real-time scanning (at least, it is not recommended and may be tricky). Windows Defender can be used as an on-demand scanner, and Windows Defender can handle its own findings.
Again, PUA only means that it is a potentially unwanted application, which under some circumstances can be dangerous, or which is undesirable because of a hidden installation. That is, if the user did not install this software on their own; instead, it was "bundled" with another installation.
In this case, it is more likely "leftovers" or inactive remaining things (because it was there as the 'initial' state of your system / packaged PC applications): a pre-installed game on your PC.
For example, a certain network driver (based on its name) is needed for the game. It is located under the game files. Maybe during installation or launch, the driver is 'copied' to the System folder (System32) for its wide use. So, it can be in different places, but based on the paths you provided, it is anyway somewhat pinned to ASUS GameFirst IV.
Actually, there are some topics on their community about detections against their files / drivers:
- GameFirst IV - Flagged as malware by McAfee (asus.com)
- ASUS ROG Game First III driver detected as Adware (NetTool / NetFilter) [Archive] - ASUS Republic of Gamers [ROG] | The Choice of Champions – Overclocking, PC Gaming, PC Modding, Support, Guides, Advice
the average conclusion was that it was a false positive. Because of its 'design' (an unknown network driver), it looks like something that can interfere with the user's network (suspicious).
So basically my question is, can Windows Defender still quarantine or delete files even with F-secure, since F-secure never had a notification about detecting the PUA?
By default, no. I mean, Windows Defender should be with an option to perform a scan OR be enabled. Otherwise, Windows Defender cannot detect/handle anything.
If your concern is about whether F-Secure will prevent Windows Defender from trying to quarantine / delete the file, I think not. It should be fine. At least, if F-Secure did not think that this is a critical file OR also thinks that this is a malicious item.
In addition, F-Secure never had a notification about this item (detected as PUA by Windows Defender) because, for example, these files are not dangerous or rogue. Instead, they are legit, valid ones, which cannot be PUA because of their normal design. F-Secure basically detects something as PUA based on this policy matter: https://www.f-secure.com/v-descs/guides/classification_guide_pua.shtml
Sorry for asking so many questions again, but I just feel a bit paranoid since my PC usually never crashes and I haven't had many notifications from any AVs before
It is OK. Actually, based on the provided information, the situation is quite normal and there is nothing really to be concerned about.
The two detected items (netfilter2.sys) are placed under the Recovery directory, as part of the initial state of the PC. So, static. And perhaps they are safe files from a certain game. And only Windows Defender (of the tried scanners) thinks something about them. What is more, it looks like a false positive.
It is not removed/deleted/quarantined because it is inside a container (not possible to modify / repack it).
A good step is to somehow contact Microsoft and inform them about the situation; maybe their Labs can analyze the items (files) and either drop the detection or provide more information about the risks.
Thanks!
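As an added example (not part of the thread above, and not F-Secure's or Microsoft's own code), the following PowerShell checks address the "is there some way to be sure" question from an elevated prompt: which mode Defender is running in next to a third-party AV, its detection history (readable from PowerShell even when the Windows Security page will not show it), whether the flagged paths exist on disk, and whether a driver with that name is actually loaded. The paths are the ones reported in the question. The cmdlets are the built-in Defender module ones (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection, Get-MpThreat); the AMRunningMode value names follow Microsoft's documentation, and it is assumed here that "SxS Passive Mode" is what the periodic-scanning toggle reports on this build.

```powershell
# Added example: Defender status, detection history and on-disk checks while a
# third-party AV (F-Secure) owns real-time protection. Run as Administrator.

# 1. Is Defender's engine running, and in which mode? With a third-party AV
#    registered it is normally "Passive Mode"; with the "periodic scanning"
#    toggle it reports "SxS Passive Mode" (assumption: value name on this build).
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                  AMRunningMode, AntivirusSignatureLastUpdated,
                  FullScanStartTime, FullScanEndTime |
    Format-List

# 2. Is PUA detection switched on? 0 = off, 1 = block, 2 = audit (log only).
(Get-MpPreference).PUAProtection

# 3. Detection history. Resources lists the flagged path(s), ActionSuccess tells
#    whether the remediation actually went through.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join "`n" } } |
    Format-List

# Map ThreatID to a name and whether Defender still considers it active.
Get-MpThreat | Select-Object ThreatID, ThreatName, IsActive, SeverityID

# 4. Do the flagged locations exist? C:\Recovery is an OS-protected folder, so
#    -Force is required and the query must run elevated. The signature check
#    shows who signed the driver copy that sits outside the .ppkg container.
$paths = @(
    'C:\Recovery\Customizations\usmt.ppkg',
    'C:\Windows\System32\drivers\netfilter2.sys',
    'C:\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys'
)
foreach ($p in $paths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            SizeBytes = $item.Length
            Modified  = $item.LastWriteTime
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } else {
        "$p : not present"
    }
}

# 5. Is a driver with that name loaded at all? A file inside a .ppkg archive
#    cannot be loaded; only an installed driver service can.
Get-CimInstance Win32_SystemDriver -Filter "Name LIKE '%netfilter%'" |
    Select-Object Name, State, StartMode, PathName
```

If step 5 returns nothing and step 4 shows the file only inside usmt.ppkg, the detection is against an archived copy that never executes, which is consistent with F-Secure's real-time scanner staying silent. A detection entry whose ActionSuccess is False after every full scan is the "same PUP reported repeatedly" situation discussed in the linked Microsoft Community thread.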
Answers
-
Hello,
Sorry for my reply. I am only an F-Secure user (their home solutions).
I will try to suggest something about your worries. But it would also be nice to know which version of Windows you have. Is it Windows 10?
I have F-secure installed. I know that Windows Defender does not work with F-secure.
Yes, and actually with the latest versions, Windows Defender should be automatically disabled (turned off) when F-Secure AV/IS/SAFE is active.
But, in addition to the above, you can configure limited periodic scanning by Windows Defender; in a way, as an on-demand scanning system (no real-time protection and limited possibilities). Perhaps this is the reference to this feature: Enable the limited periodic Microsoft Defender Antivirus scanning feature - Windows security | Microsoft Docs
This is, in a sense, a "designed" way to briefly scan the system with Windows Defender, even with an active F-Secure solution.
In addition, Windows Security has a number of other options and functionality that work regardless of the AV solution used (and with Windows Defender in the off state). It is good to keep them on (although this can sometimes be inconvenient).
I was using Microsoft Edge (on a website that might have some suspicious ads..
Some (or all) Chromium-based (WebKit-, Blink-, Chrome-based) and some alternative browsers have built-in filtering for certain types of ads. This functionality can be defined and found in the following place (Microsoft Edge Chromium): Settings logo (three dots, for example) -- Settings -- Cookies / Site permissions -- there can be different options, including Pop-ups and redirects / Ads and so on. It is possible to turn it "off" (block). There may be fewer questionable advertisements as a result.
You could also try to use something like ad blockers (however, it is good to choose only trusted and good ones, but it is tricky to find such). It can be like a browser add-on / extension. Although this will be an effective solution against "advertising", it quite often affects the speed of browsing and in some ways can lead to illogical situations.
when suddenly my PC's mouse stopped moving, the keyboard stopped working and my PC crashed to a blue screen and gave me some kind of memory error; it was maybe Memory Management or something else
If there was no very long interval between the freeze and the crash (Blue Screen), then this may not be connected with something very dangerous. Instead, it could be just due to overheating of the system or too high a (multi-threaded) load on one of the layers (network, for example). In principle, this can also include the hardware point. Anyway, you can only make sure that all the latest available system / third-party drivers are installed and that things like hard drives are functioning properly.
Blue Screen situations usually create a dump file with additional information. So there is a conditional opportunity to find out the specific cause of the crash (and what was involved in it). But if the situation does not repeat itself, then you can maybe ignore this fact.
Windows Defender keeps telling me about PUA: Win32/NetFilter
However, this already sounds more suspicious.
Their reference about: PUA:Win32/NetFilter threat description - Microsoft Security Intelligence
In general, this could mean the presence of installed suspicious software or a browser extension (for example), or, in addition, some changes made in the system while the suspicious software is already absent. So, it is good to check the list of installed applications in the system and browser add-ons for ones "unknown" to you.
But based on your further information, perhaps the situation is not so critical.
C:\Recovery\Customizations\usmt.ppkg
Sounds like the Windows 'backup' place with an ability to recover your system to its initial view. For example, with all pre-installed applications on your PC. For instance, """ICB\MachineSpecific\File\C$\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys"""
Sounds like a game directory. Probably, this file and other (game) files are a famous trigger of detection by some security solutions. Maybe a false positive event. And this ".sys" (driver) just looks suspicious to them.
When I restart my computer or do another scan with Windows Defender it gives the same PUA notification again
Perhaps this discussion can be useful: Windows Defender Identifies The SAME PUP As A Threat Repeatedly - Microsoft Community
Also, does Malwarebytes work with F-secure installed?
You can try to use it, but both solutions can be with limitations or interruptions. And this is not officially supported or recommended.
Even if the other scans don't find anything and even if Windows Defender finds something, are my PC and accounts safe?
Based on the provided paths to the detected items, most likely the situation is normal.
First, it still looks like a static threat. Secondly, PUA (that is, only potentially unwanted). You could read, for example, how F-Secure identifies Potentially Unwanted Applications: https://www.f-secure.com/v-descs/guides/classification_guide_pua.shtml
All in all, Windows Defender cannot clean it because of the 'tricky' place of the detected item (inside a package under the "Recovery" part of the system partition). Probably, it is even a false positive detection (you can try to reach Microsoft Support and transfer the 'quarantined'/detected item information about a potential false positive detection). At least, because other security solutions did not find anything about it. However, I can recommend checking the F-Secure scanning settings (open the F-Secure main screen by clicking on the tray logo or double-clicking on the desktop logo - "Settings" - allow changes by the related button - switch to the "Manual scanning" settings tab and choose the option like scan inside compressed files, and uncheck scan only file types known to be dangerous).
Windows Defender full scan keeps finding a PUA but other AV scans don't. Does this mean that I'm safe?
Likely yes. At least, based on the provided information about the detected items.
Because they are located under the "C:\Recovery" folder. So, somewhat involved in the preset or 'initial' state of the system. For example, general information: https://en.wikipedia.org/wiki/Windows_Preinstallation_Environment#Windows_Recovery_Environment
Then, it is the "Customizations" subfolder. And the ".ppkg" container (a general quote about it is the next one: ""This package "provisioning package (.ppkg)", stores updates, and applications installed and even used by Windows system since a factory installation""). Then it contains "ASUS\GameFirst IV". Perhaps, if your PC is powered by ASUS, then this game was preinstalled / packaged with the PC. And the game itself contains drivers for its work, which look suspicious to Windows Defender. Others either do not scan this part of the system, or the files are considered safe (they ignore the false positive event). Anyway, the files are static (from this partition/directory/folder). So, not used.
Because of the important / critical / restricted place of the detected items, maybe there is no way to safely delete them. Thus, Windows Defender detects them after each scan. However, I provided a URL to a discussion about another possibility above.
It is also probably protected against manual access by the user.
4. Is PUA really not harmful? Is it not a virus? Won't it do any damage to my PC or privacy?
No, it can potentially be harmful. Based on the certain PUA, the result can be different. This detection looks more like a false positive. Otherwise, it can be more like adware. However, this is just speculation without any additional information.
Thanks! Sorry for the large reply and sorry if it is not about something helpful. You can ask additional things further.
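The reply above says a blue screen normally leaves a dump file and that the cause can be read from it. As an added example (not from the thread, and not F-Secure's or Microsoft's code), here is how to recover the stop code and locate the dump with PowerShell from an elevated prompt. Windows records the crash on the next boot as event ID 1001 from provider Microsoft-Windows-WER-SystemErrorReporting (shown as source "BugCheck" in Event Viewer), whose message carries the stop code; 0x0000001a is MEMORY_MANAGEMENT, the one the question half-remembers. The driver listing at the end is what to compare against the faulting module once the dump is opened in WinDbg; the "non-Microsoft signer" heuristic is this example's own choice, not a Windows feature.

```powershell
# Added example: triage a blue screen without disabling any AV. Run as Administrator.

# 1. The bug check record written at the next boot. The message reads like
#    "The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (...)".
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    Id           = 1001
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Unexpected restarts (Kernel-Power 41). One entry matching the crash time
#    and nothing recurring supports the "one-off" reading in the reply above.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Id           = 41
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id | Format-Table -AutoSize

# 3. Dump files, if crash dumps are enabled (default locations).
Get-ChildItem -Path 'C:\Windows\Minidump' -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime
Get-Item -Path 'C:\Windows\MEMORY.DMP' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# 4. Running kernel drivers not signed by Microsoft (unsigned ones included).
#    MEMORY_MANAGEMENT is usually a driver or RAM fault, so this is the short
#    list to check against the faulting module in the dump. Heuristic only.
Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" |
    ForEach-Object {
        # PathName may be "C:\...", "\??\C:\..." or "\SystemRoot\..."; normalise.
        $file = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($file -and (Test-Path -LiteralPath $file)) {
            $signer = (Get-AuthenticodeSignature -FilePath $file).SignerCertificate.Subject
            if ($signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Driver = $_.Name; Path = $file; Signer = $signer }
            }
        }
    } | Format-Table -AutoSize
```

If step 1 shows no 1001 event and step 3 finds no dump, crash dumps are disabled or the page file is too small for one, and the only remaining evidence is the Kernel-Power 41 entry. For a memory-management stop code, running the built-in Windows Memory Diagnostic (mdsched.exe) is the cheap hardware check that complements the driver list.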
-
Thank you for the reply and sorry it took me so much time to reply.
I have Windows 10.
I also can't find this "recovery" folder. I have hidden files shown, so maybe it truly is just some folder that the user can't directly access.
Is it normal that F-secure and Windows Defender never gave me a notification about the PUA? I got the notification about it after doing a full scan with Windows Defender. The F-Secure scan or a quick scan with Windows Defender found nothing.
If F-secure never told me about the PUA, was Windows Defender able to handle the PUA, either quarantine or delete/block it, even with F-secure enabled?
I also had a notification about netfilter2.sys (I'm not sure if it was the same one), but I managed to find that folder, under ASUS GameFirst IV, and the file was no longer there. But I think that was different from this notification. I might remember wrong though.
So basically my question is, can Windows Defender still quarantine or delete files even with F-secure, since F-secure never had a notification about detecting the PUA?
Sorry for asking so many questions again, but I just feel a bit paranoid since my PC usually never crashes and I haven't had many notifications from any AVs before.
-
by the way,
In any case, it is good to keep most of the important files in a backup: another (removable) hard drive or something like this. There are many ways to make a backup, with smooth flow, different designs and so on. At least, do so from time to time (better than not doing it at all).
And a general security point is to make sure that the installed applications (software) and browser add-ons are known to you and in an up-to-date state. And of course, stay vigilant while browsing.
Other than that: strong/unique passwords (securely stored), a configured security solution and occasional 'for sure' manual full scans.
// Most often, some kind of impact requires launching a suspicious file, for example an attachment to an email, or a download. It is good to avoid unnecessary ones. Furthermore, even for fraudulent schemes and similar things, the user's interaction is required. Try to keep control over things.