Random Adobe update led to Microsoft SE disabled; infected?!

DustSailor · 09 Jul 2012

If you don't feel comfortable doing the repair install or don't have the right CDthen you can wait for someone else to jump in here with their own advice. Aside from what is below, I have come to my limit. You can try searching for the error you receive at this link or on google: Microsoft Fix it Solution Center: troubleshooting software issues

Make sure once again that you update antivirus software, and scan again (full) for any additional bugs. Let us know if you find any. Very sad the fix-it tool didn't work.

Also update windows! Windows update provides numerous security patches that are critical to have installed.

Can you turn on these services: 1.Security Center (Start, set to automatic[delayed start]) and 2.Windows Firewall (Start, set to automatic).

To get there, type "Services.MSC" without quotes in the start menu search bar. Click the program that pops up. Search through the alphabetized list but don't change anything else. Double-click the item to change it's properties.

DustSailor · 09 Jul 2012

*Above post updated, please re-read it if you have already.

Found some good posts for you to read up on to see if they help with your problem. Be careful, as some posts may apply specifically to a single user rather than for everyone (Start with the link in Bold, and please run that tool):

BinkerNate · 09 Jul 2012

Okay, thanks.

I think it is SP1, going by what CCleaner says. Though, I just wanted to ask if I was right and it wasn't just something CCleaner had in its window.

I always update my virus scanners, the three I have (Malwarebytes, MSE, and SUPEAntiSupyware). Malwarebytes hasn't found anything at all, and I've been doing virus scans from both that and MSE all day today. So, I guess I'm okay.

I've also checked Windows Update, and I'am up to date.

Can you turn on these services: 1.Security Center (Start, set to automatic[delayed start]) and 2.Windows Firewall (Start, set to automatic).

They don't even appear on the list at all. The only thing with Security in the name is Security Accounts Manager, and that's okay.

The first link posted, and bolded; that was the fix it I used earlier. I did it again, with no luck.

I'll check around, but if anything, I'll ask the others who helped me here and/or you if I find something and I want to ask first before I try it out. Perhaps I could call someone at Windows or Microsoft, like Microsoft Consumer Security Support Center. BTW, what do you, or anyone watching, think of using any of these?

Method 3 from this:
http://support.microsoft.com/kb/2530126
Or ESET Scanner:
ESET :: Get a FREE Online Virus Scan

Let me know. Thanks

DustSailor · 09 Jul 2012

Sure, do them both. Don't think "Method 3" will work for you though, and it is looking more and more like a repair install is your only option. Might as well try it though. If a complete reinstall is an option, consider it (for perfect cleanliness and a fresh beginning).

If you have the CD, you can tell me what it says on it and I can tell you if you can use it to reinstall or repair windows. You might have recovery disks on hand somewhere that can come in handy if you don't have a full retail disk.

Golden · 09 Jul 2012

ESET is well regarded - it won't hurt to give that a try.

Regards,
Golden

Layback Bear · 09 Jul 2012

Hit the Windows Flag key and the Pause key and Windows will tell you if SP-1 is installed

BinkerNate · 09 Jul 2012

I do have SP1, but as for the disc, I don't have it nor seem to find it.

Anyway, an important update: it seemed like ESET didn't do anything, saying that I wa cleaned, until later on when I checked services.msc again out of random, and there it is: Windows Firewall. I checked it, and it looks like it isn't on (Start type is automatic) and when I clicked "Start", it stated that it couldn't, and I should check System Event Log, if this is non-Microsoft, contact vendor on service specific error 5.

Okay, it's back (I guess thanks to ESET), but can't turn it on. What should I do now?

DustSailor · 09 Jul 2012

look through your event viewer and tell what it says. In it, go to Custom Views>Administrative Events

BinkerNate · 09 Jul 2012

Yeah, I found it and was checking it before you posted, Dustsailor.

Anyway, I was looking at System and going back to when it all started. It all started on 7/6 at 2:46am with Adobe, which I quickly stopped at the same time. Malwarebytes found Sirefef.P at 3:08am, where at the same time, the following occured: Microsoft Antimalware (Malwarebytes?) was disabled; so was Defender (I guess I already had it), IP Helper, Security Center, IP Helper then just stopped, Firewall was disabled then stopped, Security Center stopped, etc.

Then at Admins, I'm just going to list the things that happened after 3:08am when the trojan was first found by Malwarebytes. Some of what I will list might seem important, even some probably aren't, but just in case. I don't know, I can't remember what and when on that day.

3:10am:
The Computer Browser service terminated with the following error:
The specified service does not exist as an installed service.
The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891
The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
\SystemRoot\SysWow64\DRIVERS\ithsgt.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
The ithsgt service failed to start due to the following error:
This driver has been blocked from loading
\SystemRoot\SysWow64\DRIVERS\lilsgt.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
The lilsgt service failed to start due to the following error:
This driver has been blocked from loading
The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891
The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

3:24am:
Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

4:50am:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-274942078-2301801399-3379666533-1000:
Process 592 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-274942078-2301801399-3379666533-1000

That appeared again at 4:57am, and 5:00am

Again, might be nothing since we took care of alot of things since then, but just in case.

Also, I went to Security and searched Firewall, and the Firewall Driver was started successfully at 1:00pm today; that was when I turned on my computer. ??? After reading that, I went to services.msc and it's the same. There, but not on. What's stopping it from turning on?

DustSailor · 09 Jul 2012

A repair install.

But seriously, you've done an sfc scan which didn't fix anything. You might try sfc again, but without some kind of CD, you're looking at downloading an ISO and doing a complete reinstall. The virus corrupted a lot of stuff that you will need. I don't know how to fix it manually, and I doubt it is that easy. Might have to come to terms with saving your work and doing a clean install: Clean Install Windows 7 - created by Brink

Best of luck to ya though, mate. If you want to download the ISO, i need this info:
Do you have 32bit or 64 bit windows. If I had to guess, I'd think it was 64... am I right?