Windows Serices Keep Stopping

Actually the windows firewall is still turning off. Definitely sounds like a virus to me. I'm sure someone has heard of this before.

Uh...yeah it definatly looks like a virus. AVG and SuperAntiSpyWare aren't exactly the best in the business...I recommend the freeware version of "Malwarebytes Anti-Malware" and "a-squared" ,both are very good, they pretty much demolish any infection in your computer, they dont give realtime protection, they are just scanners.

And here is a link to download malwarebytes:
http://download.cnet.com/Malwareby [...] 04572.html

Here is a link for a-squared:
http://download.cnet.com/A-squared [...] 62215.html

-here is what i recommend, download them, install them, update them. Once done, go into safe mode and scan, do it one at a time, first malwarebytes and then a-squared, whichever one you want. If nothing helps, then we still have a last line of defense, but i will tell you about it later if this does not work

-best of luck

Good, make sure to scan with malwarebytes and a-squared as they are big very similar/competitive and one of them might catch something what the other might not. Make sure to update before the scan also. And again if you still feel you need to then we have TWO more solid lines of defense against the virus that we can do So good luck. Message back if you need anything.

-And if this virus turns out to be a root-kit which i am thinking it might just be, but i am not sure yet until you finish the scans and give me the results, then i know some good anti-rootkit removal tools that specialize in just that

-Best of luck

Does Event Viewer say anything about what's happening?

The event viewer is a tool to see any logs and notes being logged.
Start-->control panel-->administrative tools-->event viewer-->you can view different component logs by time and date. The errors are in red.

The problem with viruses and malware is, once they've done damage, even if you clean them up, the damage can still be there.

^Yes, good points, a bad part of about viruses is that the best way to protect is to prevent them from infecting, once they have infected and been removed there could still be some damage. You said that you scanned with malwarebytes, now scan with that other program i told you "A-Squared". Then after that try Microsoft Malicious Software Removal Tool, it specifically has anti-confikerr databases in it.
-By the way, when scanning, if you open task manager, right click on the scanning application, then click go to process. After that right click on the processes, click priority and make realtime or high. This gives it more processor cycles improving speed

-Best of Luck. If Still nothing then we have two options, either a system restore or something called a rescue system. This is basically a really good virus scanner. What you do is you put it onto a CD, then reboot and boot into the CD. It is kind of like reinstalling windows, you boot into it. Once there, you update it and scan it. The scan is way more thorough since windows is dormant during the scan and it can scan much more files and that can't be scanned when windows is in use. I think thats the best option if a-squared doesn't work. I will give you further instructions on which program to get and how to use it
-If nothing absolutely helps, its no big deal, a system rebuild doesn't hurt once in a while.

-Best of Luck
-If you need anything just message back

If you had conflicker, you wouldn't be able to access websites such as www.norton.com or www.kaspersky.com because conflicker is known to block access to antivirus websites.

"Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[44] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[45] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service."

http://en.wikipedia.org/wiki/Conficker#Self-defense

I don't want to jump the gun or anything, but I downloaded and updated Asquared and did a quick scan involving windows components and it found about 15 things I believe 3 or 4 were alleged serious trojan type items I think it said. After rebooting and quarantining, my computer services haven't failed yet. Usually they were failing within five minutes and it's been about 15 already!! So I'll update after a while.

thanks

Pure awsomeness. It seems its time to redownload a squared, still on their mailing list, but dumped it awhile ago, but since moving off McAfee and going free AV to AVG, looks like the plan

Have you checked the event viewer to see if there are some errors being logged?

Start-->control panel-->administrative tools-->event viewer-->you can view different component logs by time and date. The errors are in red.

These are some of the errors showing up. I'll copy and paste. They are all either DCOM or Services Control Manager. The first ones happened at the bottom of the list here.

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------
The IIS Admin service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------------------
Timeout (30000 milliseconds) waiting for the IIS Admin service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------
DCOM got error "The service did not respond to the start or control request in a timely fashion. " attempting to start the service IISADMIN with arguments "" in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------
The following boot-start or system-start driver(s) failed to load:
Lbd

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-------------------
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The Mhost service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------
The Java Quick Starter service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The IIS Admin service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The DS1410D service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error:
The pipe has been ended.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------
The Ati HotKey Poller service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------

Here's the most suspicion one to me. It just logged the stoppage of the windows firewall and it says can't restart because "access is denied!"

The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

yeah..I'm on a network. We have a router at our house and I connect to it through a wireless USB Thing. Install what ?? .net?

I heard someone say that these services are run on the same microsoft "thread" ...namely ....svchost, and when one fails, the all fail or something like that. Who knows.

What is .... ".net," is that something that I need to install?

A potential stroke of luck. I stopped the scanning for a few minutes, went into msconfig and analyzed the startup services. I carefully checked all Microsoft and non Microsoft and I removed a few suspicious things from the startup. So far the results seem very promising. My computer suddenly responds like it is supposed to....very fast and responsive.....like butter. So far nothing has failed either after 20 minutes. The unknown things I turned off were:

Mhost
AtiHotkey poller
##Id_String1.6844f930_1628_4223_B5CC_5BB94B879762##
InstalllDriver Table Manager
Windows CardSpace
Java Quick Starter
Microsoft Office Diagnostics Service
Office Source Engine
Messenger Sharing Folder USN Journal Reader service
StarWind AE Service
nprotect gameguard service
LexBCe Server

I'm guessing one or more of these things is illegitimate.

ahh...but if it were only this simple!! I was out again for 3 hours and found the firewall down again.....and the same issues. I'll do more scanning at night.

What does this mean here. My AVG Resident shield alert popped up saying:

c:\System Volume Information\_restore(D03B34BE.........etc23423423423\23434.exe

Threatname Runtime packed fsg
Detected on open.

process name:c\winbest\system 32\svchost.exe
process id: 3252

The only options I have from the Resident shield alert are to:

a) remove threat as power user and or "add to exceptions" and or "Ignore".

(Winbest is my windows directory by the way.)

Finally finished scanning whole computer with asquared and removed lots of stuff. Computer seems healthier except the windows firewall is still getting knocked out and some services are still failing.

My AVG Resident Shield Alert again says that
c:\System Volume Information\_restore(D03B34BE.........etc23423423423\23434.exe

Is a run packed nspack
Detected on open

but the process name is c:\windows\system32\svchost.exe


So..I think that this virus thing in the system volume directory is accessing this windows system file : svchost.exe to do it's damage.

I've tried unsuccessful to delete that file. They sort of seem like temporary files. That is if I go to that directory now. They exist, but without those windows processes running they disappear.

What website will do the hijack this thing?

www.hijackthis.de

for an automated analysis.

Reliable coupled with research.

Well here's a bit of a surprise: I reformatted my computer since it had been so long. Did a fresh install of XP SP3 and guess what? It happened again. Services stopped and firewall was down.

So what I did was install Windows 7 64 bit. And so far no problems. Hope it stays that way.

Thanks for all the advice.