Sign in with
Sign up | Sign in
Your question

Windows Serices Keep Stopping

Last response: in Windows XP
Share
August 25, 2009 5:02:29 PM

Hi there! I've noticed on my computer that several windows services seems to be stopping. First I noticed the "Themes", then Windows Audio, then Firewall, and I think it was called DNS Internet service.

Anyways, I keep restarting them after they crash, however, I can't usually restart the firewall. I may fixed that one, which is critical. But whatever bug it is I'm experiencing, it's still influencing my computer.

Does this sound like a known virus. Is there any fix it tool? I get nothing when I scan with AVG and SuperAntiSpyWare.

Thanks
August 25, 2009 5:04:57 PM

Actually the windows firewall is still turning off. Definitely sounds like a virus to me. I'm sure someone has heard of this before.
August 25, 2009 5:06:00 PM

Lastly....when I try to restart the firewall service, it won't work!
Related resources
August 25, 2009 5:06:33 PM

Uh...yeah it definatly looks like a virus. AVG and SuperAntiSpyWare aren't exactly the best in the business...I recommend the freeware version of "Malwarebytes Anti-Malware" and "a-squared" ,both are very good, they pretty much demolish any infection in your computer, they dont give realtime protection, they are just scanners.
August 25, 2009 5:09:10 PM

Thanks very kindly.. I will try and find them. do you have download links?
August 25, 2009 5:09:50 PM

And here is a link to download malwarebytes:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000...

Here is a link for a-squared:
http://download.cnet.com/A-squared-Free/3000-2239_4-102...

-here is what i recommend, download them, install them, update them. Once done, go into safe mode and scan, do it one at a time, first malwarebytes and then a-squared, whichever one you want. If nothing helps, then we still have a last line of defense, but i will tell you about it later if this does not work ;) 

-best of luck
August 25, 2009 5:50:16 PM

Thanks buddy! I quite appreciate it. I downloaded zonealarm for the meantime as well, because whatever virus or malware on my computer was knocking out the windows firewall 5 minutes after loading windows. It ran through it's set up and pointed out a number of internal processes that were doing weird things!! (of course they try and scare you into buying their program). I got the first malwarebytes program going. I'll scan in safemode too at night.

I really appreciate the advice. It's a cool website.

thanks,

Jamz
August 25, 2009 7:21:33 PM

Good, make sure to scan with malwarebytes and a-squared as they are big very similar/competitive and one of them might catch something what the other might not. Make sure to update before the scan also. And again if you still feel you need to then we have TWO more solid lines of defense against the virus that we can do :)  So good luck. Message back if you need anything.

-And if this virus turns out to be a root-kit which i am thinking it might just be, but i am not sure yet until you finish the scans and give me the results, then i know some good anti-rootkit removal tools that specialize in just that :) 

-Best of luck
August 25, 2009 7:21:40 PM

The best method is to boot into safe mode with networking, download the programs, update them, and do comprehensive scans. If your computer is infected, anything you install or update in normal windows also can be infected, specially AV's.

Malwarebytes is real good. NOD32 is another good program that has a 30 day full version trial.
August 25, 2009 9:29:51 PM

Does Event Viewer say anything about what's happening?
August 27, 2009 4:06:34 AM

Hi...here's an update: I did a safemode Malwarebytes scan. It caught 15 different items and cleaned them. I rebooted to windows and yet my Windows Services (themes and firewall) continue to turn off. The firewall I can't restart either.

I will try that other scanner and virus scan as well. I've got enormous drives, though, so it takes a very long time!!

I'm not sure want the even viewer is. But I'm willing to try all things. Man...I can't believe how many cool people are on this site willing to help.
August 27, 2009 4:39:55 AM

The event viewer is a tool to see any logs and notes being logged.
Start-->control panel-->administrative tools-->event viewer-->you can view different component logs by time and date. The errors are in red.

The problem with viruses and malware is, once they've done damage, even if you clean them up, the damage can still be there.
August 27, 2009 5:01:27 AM

Conficker messes with the services. Check out the different AV sites, they have free tools to use as well.Macafee, etc
August 27, 2009 1:34:55 PM

^Yes, good points, a bad part of about viruses is that the best way to protect is to prevent them from infecting, once they have infected and been removed there could still be some damage. You said that you scanned with malwarebytes, now scan with that other program i told you "A-Squared". Then after that try Microsoft Malicious Software Removal Tool, it specifically has anti-confikerr databases in it.
-By the way, when scanning, if you open task manager, right click on the scanning application, then click go to process. After that right click on the processes, click priority and make realtime or high. This gives it more processor cycles improving speed :) 

-Best of Luck. If Still nothing then we have two options, either a system restore or something called a rescue system. This is basically a really good virus scanner. What you do is you put it onto a CD, then reboot and boot into the CD. It is kind of like reinstalling windows, you boot into it. Once there, you update it and scan it. The scan is way more thorough since windows is dormant during the scan and it can scan much more files and that can't be scanned when windows is in use. I think thats the best option if a-squared doesn't work. I will give you further instructions on which program to get and how to use it :) 
-If nothing absolutely helps, its no big deal, a system rebuild doesn't hurt once in a while.

-Best of Luck
-If you need anything just message back :) 
August 27, 2009 5:28:56 PM

Man i'm enjoying the advice here. Do you blackhawk work at this website? Or is it just made up a cool tech savvy volutenteers?

I tried the conflicker removal tool by symantic to see if it was the cause, but it said it wasn't on the computer. I"ll do a-squared.

thanks
August 27, 2009 5:59:35 PM

If you had conflicker, you wouldn't be able to access websites such as www.norton.com or www.kaspersky.com because conflicker is known to block access to antivirus websites.

"Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[44] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[45] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service."

http://en.wikipedia.org/wiki/Conficker#Self-defense
August 27, 2009 8:54:03 PM

No,i don't work here on this website. Just pretty good with computers i guess :) 
-BTW Tosh9i is right, you most likely don't have conflicker...unless you are experiencing the problems he described.

-Good Luck
August 27, 2009 11:43:55 PM

I don't want to jump the gun or anything, but I downloaded and updated Asquared and did a quick scan involving windows components and it found about 15 things I believe 3 or 4 were alleged serious trojan type items I think it said. After rebooting and quarantining, my computer services haven't failed yet. Usually they were failing within five minutes and it's been about 15 already!! So I'll update after a while.

thanks
August 28, 2009 1:33:55 AM

nice...thats a good sign, it doesn't meaning much yet but its a good sign. I would (at night) do the "Thorough Scan" of your entire system. Just incase anything happens to be lurking there.

-BTW...before you do any kind of scan with malwarebytes or A-squared always be sure to update it just incase, because they have an update at least once a day and sometimes 2-3 times a day (its what makes these two programs good). So update and do a thorough scan with a-squared. Then if you feel you want which i would recommend you, then make the bootable CD anti-virus to finish the job :) 
August 28, 2009 8:00:05 AM

Pure awsomeness. It seems its time to redownload a squared, still on their mailing list, but dumped it awhile ago, but since moving off McAfee and going free AV to AVG, looks like the plan
August 28, 2009 5:37:33 PM

Hi...just an update. I had gone out for 3 hours last night and came home and apparently the computer's services had turned off again. So it may be very deep in fact it may even be inside some of the windows system files. I'm guessing it may have overwritten a windows system file. But what the heck do I know? Hahha.

I set up a full scan with Asquared last night, but my computer is so huge, it only completed 4% in the morning and found nothing. I think I'll just do one drive at a time.

Another idea is, is it possible that there are some device conflicts on my computer and that could be causing the window services to fail? At first I was using two sound cards, one internal and the other external for music recording. I've disconnect the external and stopped using it for a long time. It used to be that the windows audio service failed, then the themes. I had reinstalled sounds drivers and uninstalled and reinstalled a number of things in case there were those IRQ Resource conflicts. Sound is working fine now. But the other services firewall, themes and who knows what else still shut down, though it does seem to be happening later than before. Mind you last night I rebooted once and the windows firewall was already disabled.

One question, if this is some malicious code on my computer, is it most likely residing in my windows folder somewhere or could just be sitting anywhere?

Should I do one of those "system loading capture" things that I see people do a lot..which I kinda show what's happening on the computer. I think Hijack this does something like that. I don't know what all the files are related to and what are natural and which are malicious.
August 28, 2009 5:40:36 PM

Have you checked the event viewer to see if there are some errors being logged?
August 28, 2009 5:44:41 PM

Tell me how to do the even viewer and I will do it!
August 28, 2009 5:48:18 PM

Start-->control panel-->administrative tools-->event viewer-->you can view different component logs by time and date. The errors are in red.
August 28, 2009 6:03:04 PM

Yes..I'm seeing quite a few errors in the system category. Still i'm not sure what to do about it.
August 28, 2009 6:12:56 PM

These are some of the errors showing up. I'll copy and paste. They are all either DCOM or Services Control Manager. The first ones happened at the bottom of the list here.

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------
The IIS Admin service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------
Timeout (30000 milliseconds) waiting for the IIS Admin service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------
DCOM got error "The service did not respond to the start or control request in a timely fashion. " attempting to start the service IISADMIN with arguments "" in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------
The following boot-start or system-start driver(s) failed to load:
Lbd

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The Mhost service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------
The Java Quick Starter service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The IIS Admin service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The DS1410D service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------
The Ati HotKey Poller service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------
August 28, 2009 6:29:01 PM

Well I would first use A-Squared to scan your Windows Folder on your local C drive. Then I would do a full scan. And are you scanning in safe mode? A-squared scans horrible slow in safe mode, do it in normal mode, it scans processes anyway so it should be fine. Normal mode way faster.

-Next you can also (i forgot) do a system repair. Its basically you take your operating system installation disk and boot into it and instead of hitting reinstall windows, you can do a system repair, it doesn't erase data but it fixes your registry and OS which can fix your problem. But you will have to redo windows updates and some drivers I think! (its really easy)

-Here is what you should next though, before system repair, Do the Rescue System!
-Here is what to do:

-Go to this link http://www.avira.com/en/support/support_downloads.html
-Next Download the File
"Avira AntiVir Rescue System"
There are two rescue systems, download the ISO file!!
-Click on it and it will start download.
-After download, burn it onto a CD
-Put the CD into your cd/dvd drive and reboot
-Boot into the CD
-It will give you instructions on how to get it going.
-Next once you are inside the actual application, you will see a nice looking gooey interface.
-It will give self explanatory options for your scan, choose which ones you feel you want, I would make sure it gives the most thorough scan possible.
-Then update it
-Then launch your scan, it could take a while, but I would wait as it could "rescue" your system."

-Best of luck
-If you have any questions, post em :) 
August 28, 2009 6:32:58 PM

Here's the most suspicion one to me. It just logged the stoppage of the windows firewall and it says can't restart because "access is denied!"

The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
August 28, 2009 6:35:52 PM

Are you on a network?

You may need to install .net
August 28, 2009 6:38:33 PM

yeah..I'm on a network. We have a router at our house and I connect to it through a wireless USB Thing. Install what ?? .net?
August 28, 2009 6:44:09 PM

Ya, I saw that SMTP is failing and ended the pipe. Looks like it cascaded to other services. They are timing out.
August 28, 2009 7:10:28 PM

I heard someone say that these services are run on the same microsoft "thread" ...namely ....svchost, and when one fails, the all fail or something like that. Who knows.

What is .... ".net," is that something that I need to install?
August 28, 2009 7:22:49 PM

http://en.wikipedia.org/wiki/.NET_Framework
.net is usually found on business networks, which is why I asked. I should've specified the business part.

It has tools to promote network communications. You shouldn't need it on a home network. You can give it a try to see if it resolves the connection issues. If it doesn't, it can be uninstalled.
August 28, 2009 10:01:07 PM

A potential stroke of luck. I stopped the scanning for a few minutes, went into msconfig and analyzed the startup services. I carefully checked all Microsoft and non Microsoft and I removed a few suspicious things from the startup. So far the results seem very promising. My computer suddenly responds like it is supposed to....very fast and responsive.....like butter. So far nothing has failed either after 20 minutes. The unknown things I turned off were:

Mhost
AtiHotkey poller
##Id_String1.6844f930_1628_4223_B5CC_5BB94B879762##
InstalllDriver Table Manager
Windows CardSpace
Java Quick Starter
Microsoft Office Diagnostics Service
Office Source Engine
Messenger Sharing Folder USN Journal Reader service
StarWind AE Service
nprotect gameguard service
LexBCe Server

I'm guessing one or more of these things is illegitimate.


August 29, 2009 12:47:28 AM

I guessing also. There are websites online that have a entire dictionary of services from all programs, you type in the name of the service and it tells you what it is, does, author, and if its good or if its malware.
August 29, 2009 3:01:14 AM

ahh...but if it were only this simple!! I was out again for 3 hours and found the firewall down again.....and the same issues. I'll do more scanning at night.

What does this mean here. My AVG Resident shield alert popped up saying:

c:\System Volume Information\_restore(D03B34BE.........etc23423423423\23434.exe

Threatname Runtime packed fsg
Detected on open.

process name:c\winbest\system 32\svchost.exe
process id: 3252

The only options I have from the Resident shield alert are to:

a) remove threat as power user and or "add to exceptions" and or "Ignore".

(Winbest is my windows directory by the way.)
August 29, 2009 3:06:40 AM

svchost.exe is a common virus, it basically mimics the real svchost.exe and is harmful, I would try to remove it as a power user. I hope it isn't a false detection but looks pretty real to me.
August 30, 2009 7:17:02 PM

Finally finished scanning whole computer with asquared and removed lots of stuff. Computer seems healthier except the windows firewall is still getting knocked out and some services are still failing.

My AVG Resident Shield Alert again says that
c:\System Volume Information\_restore(D03B34BE.........etc23423423423\23434.exe

Is a run packed nspack
Detected on open

but the process name is c:\windows\system32\svchost.exe


So..I think that this virus thing in the system volume directory is accessing this windows system file : svchost.exe to do it's damage.

I've tried unsuccessful to delete that file. They sort of seem like temporary files. That is if I go to that directory now. They exist, but without those windows processes running they disappear.

August 30, 2009 8:26:05 PM

I really think its time to use hijackthis and find a suitable site thatll have someone there to walk you thru it all.
May be your best option at this point. Download hijackthis, and go to one of those sites
September 2, 2009 7:34:22 PM

What website will do the hijack this thing?
September 2, 2009 11:23:40 PM

www.hijackthis.de

for an automated analysis.

Reliable coupled with research.
September 2, 2009 11:27:36 PM

The infection in your system restore is calling svchost to perform its mischief.

You can do one pass with combofix to see if it sorts out 23434.exe (likely a randomly named malware), but only one pass is adviseable.
September 6, 2009 10:30:53 PM

Well here's a bit of a surprise: I reformatted my computer since it had been so long. Did a fresh install of XP SP3 and guess what? It happened again. Services stopped and firewall was down.

So what I did was install Windows 7 64 bit. And so far no problems. Hope it stays that way.

Thanks for all the advice.
September 7, 2009 1:35:17 PM

The infection in your system restore is calling svchost to perform its mischief.

You can do one pass with combofix to see if it sorts out 23434.exe (likely a randomly named malware), but only one pass is adviseable.

....
January 9, 2013 9:16:35 PM

blackhawk1928 said:
^Yes, good points, a bad part of about viruses is that the best way to protect is to prevent them from infecting, once they have infected and been removed there could still be some damage. You said that you scanned with malwarebytes, now scan with that other program i told you "A-Squared". Then after that try Microsoft Malicious Software Removal Tool, it specifically has anti-confikerr databases in it.
-By the way, when scanning, if you open task manager, right click on the scanning application, then click go to process. After that right click on the processes, click priority and make realtime or high. This gives it more processor cycles improving speed :) 

-Best of Luck. If Still nothing then we have two options, either a system restore or something called a rescue system. This is basically a really good virus scanner. What you do is you put it onto a CD, then reboot and boot into the CD. It is kind of like reinstalling windows, you boot into it. Once there, you update it and scan it. The scan is way more thorough since windows is dormant during the scan and it can scan much more files and that can't be scanned when windows is in use. I think thats the best option if a-squared doesn't work. I will give you further instructions on which program to get and how to use it :) 
-If nothing absolutely helps, its no big deal, a system rebuild doesn't hurt once in a while.

-Best of Luck
-If you need anything just message back :) 



ok so you said speed up my processing power for my antivirus correct ???? well when i try to do that it blocks me and says access denied what do i do ?
!