Discovery ok but sharing settings won't stick. Possible malware?


  1. Posts : 7
    Windows Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 17 Pro 64
       #1


    Windows 7 Professional SP1
    Security: Microsoft Security Essentials & Windows Firewall
    On the problem computer I can enable network discovery, but I can't turn on File and Printer Sharing or Public Folder Sharing.
    The problem is the same using either a USB wireless device or using a CAT5 to the router.

    I WAS unable to change the WORKGROUP NAME or the COMPUTER DESCRIPTION,
    or to change the network type to WORK from PUBLIC, but partly corrected this using Microsoft Fixit.
    Although I can't change the COMPUTER DESCRIPTION, I was able to change the network to "WORK",
    and change the workgroup name as I like, although in the System Properties page the Computer Description and Workgroup both remain listed as "Unavailable".
    (Workgroup name seems to not matter, as one of the computers is still using my old workgroup name, so I see two workgroups, and it does not affect file sharing etc.)
    I still cannot change the computer description, and THINK I read that it's not involved with networking issues, and have not tried the registry work on that.

    As I began to work on this computer I saw suspicious programs, and figured I'd be best working on a test copy,
    so I backed up the drive and restored to an empty one so I can feel free to make changes and use aggressive scanners etc.
    I booted to the backup and ran MBAM, which found a few malware, and I quarantined them.

    I began checking services and found that SERVER service was not running, and wouldn't start,
    as it depends on SAMSS service which would not start.
    The error window states:
    Windows could not start the SAMSS service on the Local Computer.
    Error 1053: The service did not respond to the start or control request in a timely fashion.

    I look and see that SAMSS is the Security Accounts Manager and Depends on:
    DCOM Server Process Launcher - OK STARTS on auto
    RPC endpoint mapper - OK STARTS on auto
    SAMSS uses C:\Windows\System32\lsass.exe

    I found this post:
    Services - Restore Default Services in Windows 7
    and downloaded all reg files, moving them into 3 folders, "successful", "failed" and "failed but run ok"
    as I merged each one or failed to, testing the service already installed as I went.

    All failures report this in the error window:
    Cannot import XXXXXXXXX.reg: Not all data was successfully written to the registry.
    Some keys are open by the system or other processes.

    24 services failed to merge but run ok - those I can list if needed.

    Into my "failed" folder (failed to merge AND will not start) went:
    Diagnostic_System_Host.reg
    Distributed_Link_Tracking_Client.reg
    HomeGroup_Listener.reg

    and... I found one that was NOT listed by the same name in my computer's services, and failed to get merged and will not start, but looking inside it seems that might be due to naming, but it is:
    Security_Accounts_Manager.reg

    Here is the reg branch from Shawn's tutorial:
    ===================================
    Windows Registry Editor Version 5.00

    ; Created by: Shawn Brink
    ; https://www.sevenforums.com
    ; Tutorial: Services - Restore Default Services in Windows 7


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SamSs]
    "DisplayName"="@%SystemRoot%\\system32\\samsrv.dll,-1"
    "Group"="MS_WindowsLocalValidation"
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,\
    00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00
    "Description"="@%SystemRoot%\\system32\\samsrv.dll,-2"
    "ObjectName"="LocalSystem"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "Type"=dword:00000020
    "DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SamSs\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
    05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
    20,02,00,00,00,00,14,00,8d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
    00,18,00,8d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,\
    00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    ==================================================================

    and here is that key exported from my registry:
    =============================================
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SamSs]
    "DisplayName"="SamSs"
    "Group"="1"
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,\
    00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00
    "Description"="@%SystemRoot%\\system32\\samsrv.dll,-2"
    "ObjectName"="LocalSystem"
    "ErrorControl"=dword:00000000
    "Start"=dword:00000002
    "Type"=dword:00000010
    "DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
    "Tag"=dword:0000000a
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
    00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SamSs\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
    05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
    20,02,00,00,00,00,14,00,8d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
    00,18,00,8d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,\
    00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    ===========================================================

    I am not sure if I am on the right track, and I will be doing more work on this,
    but I thought I would post this while I wait for Windows Defender Offline to scan.
    Any help is greatly appreciated!
    ...actually I already appreciate SevenForums so much for all the tutorials and help I have read for problems I don't even have!
    It's helped me tweak my own PC GUI-wise like I've only dreamed about in the past!

    EDIT: I have also looked into the firewall settings and it seems to be set to allow incoming on File and Printer Sharing, disabled the firewall and attempted to set them again via Advanced Sharing Settings, but still they won't stick. The one difference I see in this compared to a few other threads is that Discovery does work - that has never been a problem.
    Last edited by Phil Lloyd; 24 Mar 2015 at 02:36.
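
The comparison the post above makes by eye, as an added example that is not part of the original post or of the tutorial's .reg files: a small parser that decodes two exported service branches and lists only the values that differ. The sample strings are constructed from the two SamSs branches quoted in the post; the function names are this example's own.

```python
import re

# Constructed input: the two SamSs branches quoted in the post, minus the
# values that match in both (Description, ObjectName, Start) and \Security.
IMAGE_PATH = r'''"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,\
  00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00
'''
DEFAULT = IMAGE_PATH + r'''"DisplayName"="@%SystemRoot%\\system32\\samsrv.dll,-1"
"Group"="MS_WindowsLocalValidation"
"ErrorControl"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
'''
EXPORTED = IMAGE_PATH + r'''"DisplayName"="SamSs"
"Group"="1"
"ErrorControl"=dword:00000000
"Type"=dword:00000010
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"Tag"=dword:0000000a
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
'''

def parse_reg(text):
    """Map value name -> decoded value for one exported key."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join "\"-continued hex lines
    values = {}
    for name, raw in re.findall(r'^\s*"([^"]+)"=(.*)$', text, re.M):
        typed = re.match(r'hex\((2|7)\):(.*)', raw)
        if typed:  # REG_EXPAND_SZ (2) / REG_MULTI_SZ (7): UTF-16LE bytes
            s = bytes(int(b, 16) for b in typed.group(2).split(',')).decode('utf-16-le')
            values[name] = [p for p in s.split('\0') if p] if typed.group(1) == '7' else s.rstrip('\0')
        elif raw.startswith('dword:'):
            values[name] = int(raw[6:], 16)
        elif raw.startswith('"'):  # REG_SZ: unescape doubled backslashes
            values[name] = raw.strip('"').replace('\\\\', '\\')
        else:  # REG_BINARY and other types stay as their hex text
            values[name] = raw
    return values

def diff_service(default, exported):
    """Return {name: (default, exported)} for values that differ."""
    a, b = parse_reg(default), parse_reg(exported)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

if __name__ == '__main__':
    for name, (want, got) in diff_service(DEFAULT, EXPORTED).items():
        print(f'{name}: default={want!r} exported={got!r}')
```

In the service `Type` value, 0x20 is SERVICE_WIN32_SHARE_PROCESS and 0x10 is SERVICE_WIN32_OWN_PROCESS; ImagePath and DependOnService decode to the same strings in both branches, so they do not appear in the diff.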


  2. Posts : 7
    Windows Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 17 Pro 64
    Thread Starter
       #2

    Update: On this testing copy, which I switch to manually by removing cables from the working system drive and connecting this one to ensure no mistakes on the existing system.
    I have uninstalled most 3rd party programs, and continue to run scans that give user friendly results with no malware seeming to remain, and removed lots of old and seemingly unneeded registry entries and reset services, firewall, scanned system files and can't figure what has caused the problem, so I am going to do a fresh install on this drive and install only trusted 3rd party software, eventually switching over once it's all set, so I'll mark this as solved, although the problem remains:
    Discovery works always, but File and Printer Sharing, and Public Folder Sharing cannot be enabled.
    I have the nagging feeling that it is some registry entry, but I am not going to try registry fixers or going through a HJT process. I'd like to know, but it's just not worth it, considering the age of this install. I did a fresh install on my own W7 computer and it's so nice, with all the tweaks I have learned here on these forums, and want to avail myself of the Clean install tutorials. Thanks to all the people here who give their time and knowledge... I've learned a lot! (not about THIS problem, but for this overall Win7 / XP network). I will, once this new system drive is set up, do some comparing and perhaps importing policies etc, and if I DO realize what was going on I will post it!


 
