Solved Random Adobe update led to Microsoft SE disabled; infected?!

[Layback Bear]

Start/Help and Support and type in remove restore point and it will guide you through it. You could also use Ccleaner to do it under Tools. Using Ccleaner you can also wipe free space for a little more insurance.

 

[DustSailor]

Can you enable the firewall now? You are able to remove java (uninstall), most people don't even use it anymore.

 

[BinkerNate]

Start/Help and Support and type in remove restore point and it will guide you through it. You could also use Ccleaner to do it under Tools. Using Ccleaner you can also wipe free space for a little more insurance.

I have Ccleaner; got it from a previous situation.

Can you enable the firewall now? You are able to remove java (uninstall), most people don't even use it anymore.

I got rid of Java; good idea just in case. I don't even know what exactly I use it for. It can't be for flash.


As for my firewall; it's all confusion. Nothing that I'm seeing is telling me if it's on or off, and even if I wanted to change it, it does tell me that I can and how, without showing me what it's telling me. For example, if I wanted to allow something through firewall:

It's the same for recommended settings, or to turn it off, etc. And this is what it shows if I click advanced settings:

See what I mean? What does it mean? Does it look like my firewall is in trouble and needs to be fixed?

 

[DustSailor]

Yes, have you clicked "use recommended settings"?

Run this fix: http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us

 

[BinkerNate]

I did. The first image is exactly ehat it shows.

 

[DustSailor]

I added a bit to my last post. Run that tool to try to fix it

 

[BinkerNate]

Okay, I did it. It said the problem was that it didn't allow me to change its settings, which I already knew, and while it said it was repaired, it really didn't. It's still the same with the same error messages, and confusing screens like the ones I posted before.

 

[DustSailor]

Annnnnnd we're back to the repair install....

 

[BinkerNate]

Yeah, and I looked at that page you linked, and it looks dangerous, right? There were alot of warnings. And the type of Windows 7 with or without SP1, I don't know which I have, or if I have the DVD it mentions.

But, if I were to ask a dumb question: when you're on your computer, internet or not, and something wants to access your computer, and it asks if you want it to do so, isn't that the firewall?

 

[DustSailor]

No, the firewall prevents potentially malicious stuff/devices from going/loading to your computer. What you are talking about is built into your web browser, such as IE9, that warns you not to go to a website or that a download is potentially dangerous. Many types of different built in security for windows that we take advantage of every day.

The repair install should tell you how to find out if you have sp1 installed, and also how to remove it if you do. You will need to install all the updates again, but at least the computer will be fixed. Do make sure you have the right CD before you begin, however.

 

[DustSailor]

If you don't feel comfortable doing the repair install or don't have the right CDthen you can wait for someone else to jump in here with their own advice. Aside from what is below, I have come to my limit. You can try searching for the error you receive at this link or on google: Microsoft Fix it Solution Center: troubleshooting software issues

Make sure once again that you update antivirus software, and scan again (full) for any additional bugs. Let us know if you find any. Very sad the fix-it tool didn't work.

Also update windows! Windows update provides numerous security patches that are critical to have installed.

Can you turn on these services: 1.Security Center (Start, set to automatic[delayed start]) and 2.Windows Firewall (Start, set to automatic).

To get there, type "Services.MSC" without quotes in the start menu search bar. Click the program that pops up. Search through the alphabetized list but don't change anything else. Double-click the item to change it's properties.

 

[DustSailor]

*Above post updated, please re-read it if you have already.

Found some good posts for you to read up on to see if they help with your problem. Be careful, as some posts may apply specifically to a single user rather than for everyone (Start with the link in Bold, and please run that tool):

• http://support.microsoft.com/kb/968002
• http://www.sevenforums.com/system-s...l-missing-services-menu-error-0x80070424.html
• http://www.sevenforums.com/system-security/200214-window-7-firewall-error-code-0x80070424.html
• http://answers.microsoft.com/en-us/...80070424/dcbc15a4-fe0e-4d4f-865e-f9e706fce687
• http://answers.microsoft.com/en-us/...firewall/ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee

 

[BinkerNate]

Okay, thanks.

I think it is SP1, going by what CCleaner says. Though, I just wanted to ask if I was right and it wasn't just something CCleaner had in its window.

I always update my virus scanners, the three I have (Malwarebytes, MSE, and SUPEAntiSupyware). Malwarebytes hasn't found anything at all, and I've been doing virus scans from both that and MSE all day today. So, I guess I'm okay.

I've also checked Windows Update, and I'am up to date.

Can you turn on these services: 1.Security Center (Start, set to automatic[delayed start]) and 2.Windows Firewall (Start, set to automatic).

They don't even appear on the list at all. The only thing with Security in the name is Security Accounts Manager, and that's okay.

The first link posted, and bolded; that was the fix it I used earlier. I did it again, with no luck.

I'll check around, but if anything, I'll ask the others who helped me here and/or you if I find something and I want to ask first before I try it out. Perhaps I could call someone at Windows or Microsoft, like Microsoft Consumer Security Support Center. BTW, what do you, or anyone watching, think of using any of these?

Method 3 from this:
http://support.microsoft.com/kb/2530126
Or ESET Scanner:
ESET :: Get a FREE Online Virus Scan

Let me know. Thanks

 

[DustSailor]

Sure, do them both. Don't think "Method 3" will work for you though, and it is looking more and more like a repair install is your only option. Might as well try it though. If a complete reinstall is an option, consider it (for perfect cleanliness and a fresh beginning).

If you have the CD, you can tell me what it says on it and I can tell you if you can use it to reinstall or repair windows. You might have recovery disks on hand somewhere that can come in handy if you don't have a full retail disk.

 

[Golden]

ESET is well regarded - it won't hurt to give that a try.

Regards,
Golden

 

[Layback Bear]

Hit the Windows Flag key and the Pause key and Windows will tell you if SP-1 is installed

 

[BinkerNate]

I do have SP1, but as for the disc, I don't have it nor seem to find it.

Anyway, an important update: it seemed like ESET didn't do anything, saying that I wa cleaned, until later on when I checked services.msc again out of random, and there it is: Windows Firewall. I checked it, and it looks like it isn't on (Start type is automatic) and when I clicked "Start", it stated that it couldn't, and I should check System Event Log, if this is non-Microsoft, contact vendor on service specific error 5.

Okay, it's back (I guess thanks to ESET), but can't turn it on. What should I do now?

 

[DustSailor]

look through your event viewer and tell what it says. In it, go to Custom Views>Administrative Events

 

[BinkerNate]

Yeah, I found it and was checking it before you posted, Dustsailor.

Anyway, I was looking at System and going back to when it all started. It all started on 7/6 at 2:46am with Adobe, which I quickly stopped at the same time. Malwarebytes found Sirefef.P at 3:08am, where at the same time, the following occured: Microsoft Antimalware (Malwarebytes?) was disabled; so was Defender (I guess I already had it), IP Helper, Security Center, IP Helper then just stopped, Firewall was disabled then stopped, Security Center stopped, etc.

Then at Admins, I'm just going to list the things that happened after 3:08am when the trojan was first found by Malwarebytes. Some of what I will list might seem important, even some probably aren't, but just in case. I don't know, I can't remember what and when on that day.

3:10am:
The Computer Browser service terminated with the following error:
The specified service does not exist as an installed service.
The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891
The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
\SystemRoot\SysWow64\DRIVERS\ithsgt.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
The ithsgt service failed to start due to the following error:
This driver has been blocked from loading
\SystemRoot\SysWow64\DRIVERS\lilsgt.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
The lilsgt service failed to start due to the following error:
This driver has been blocked from loading
The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891
The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

3:24am:
Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

4:50am:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-274942078-2301801399-3379666533-1000:
Process 592 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-274942078-2301801399-3379666533-1000

That appeared again at 4:57am, and 5:00am

Again, might be nothing since we took care of alot of things since then, but just in case.

Also, I went to Security and searched Firewall, and the Firewall Driver was started successfully at 1:00pm today; that was when I turned on my computer. ??? After reading that, I went to services.msc and it's the same. There, but not on. What's stopping it from turning on?

 

[DustSailor]

A repair install.


But seriously, you've done an sfc scan which didn't fix anything. You might try sfc again, but without some kind of CD, you're looking at downloading an ISO and doing a complete reinstall. The virus corrupted a lot of stuff that you will need. I don't know how to fix it manually, and I doubt it is that easy. Might have to come to terms with saving your work and doing a clean install: http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html - created by Brink

Best of luck to ya though, mate. If you want to download the ISO, i need this info:
Do you have 32bit or 64 bit windows. If I had to guess, I'd think it was 64... am I right?