Services Disabled

[David Kelsey]

Norton AV advises me that 'some product settings have been changed, which
can indicate that an attacker or a virus is attempting to disable your
protection'. What happens is that all services are disabled, among other
things. I can manually re-enable and start the services, but this doesn't
stick, and after a restart, they are disabled again. Restore has been
switched off, and all previous restore points have been lost, leaving just
one on the current date. Again I re-enable it, and again it doesn't stick.
I have reinstalled Norton after first uninstalling the original load, and
reinstalled Office over the existing one. This was because the Office
programs had slowed to a crawl. It looks as if I have no option but to
format and reinstall XP and SP2, but I wonder if anyone has some knowledge
of this situation, and can suggest an alternative. For instance, is there
any way to lock down the services settings so they cannot be altered? Is
there an anti-virus program that is known to deal with this, as Norton
obviously can't? Even after reinstalling Norton, the program takes about
thirty seconds to open the main screen or to do anything else. Office
returns to full speed, but not for long, and then reverts to treacle. For
the purpose of understanding what is going on, I am reluctant to reinstall
XP if anyone can shed any light.

David Kelsey

 

[David Kelsey]

I should add that I have weekly Norton scans, and have done two additional
ones, all with nothing specific found, and no suggestions for recovery,
since Symantec don't support Norton AV 2003 now. When I update Norton, it
fails to update the System Integrator, in spite of repeated attempts. The
current W32 does not show up on my machine.

David Kelsey

 

[R. McCarty]

Norton/Symantec has internal monitors to watch for changes to itself.
They refer to it as Anti-Tampering. I've seen several cases of this. It
is basically a tangled mess. NAV & other Symantec products from
2003 forward are just way too problematic. Users end up spending
time just keeping them running & updated.
I wouldn't undertake a full re-install, but suggest you Image your XP
as it stands now. Then start uninstalling all Norton/Symantec products.
There are better alternatives that don't cause the level of issues you
describe. After all a computer is a tool to do what you want. Not a
constant debug platform for Symantec's convoluted software.

 

[Galen]

In David Kelsey <[email protected]> had this to say:

My reply is at the bottom of your sent message:

I should add that I have weekly Norton scans, and have done two
additional ones, all with nothing specific found, and no suggestions
for recovery, since Symantec don't support Norton AV 2003 now. When
I update Norton, it fails to update the System Integrator, in spite
of repeated attempts. The current W32 does not show up on my machine.

David Kelsey

From the sounds of things your problem isn't viral, it's Norton. AVG and
AntiVir are free for instance. Actually both are very good. If you want to
spend money then Kaspersky is what I use (and never have a problem in the 10
years or so I've used their products) and I'd also recommend NOD...
Research, downloads, and the like can all be found with a search engine
using the above names. They should, I think, support my findings. While
Norton does seem to have a great detection rate it causes too many system
problems as does McAfee. Just some insight for you.

Galen

 

[David Kelsey]

Thanks guys. I have to say I have never had any problems with Norton
Antivirus, although the more elaborate suites seem a bit problematical. My
current problem is that Norton doesn't detect the actual virus or whatever,
and Trend Micro scans seem to bog down when they meet an archived .dbx file,
so I can't find a way of removing or even identifying the culprit. I'm
resigned to doing a format and reinstall, but the backups I have may be
carrying the virus if I can't find out what and where it is.

David

 

[R. McCarty]

Try Panda ActiveScan, it tends to find & remove things that some
other Anti-Virus omits.
http://www.pandasoftware.com/activescan/
It does an excellent job on email stores. It found an old virus in a
Outlook PST that was from my wife's former work place.

 

[Guest]

Norton AV advises me that 'some product settings have been changed, which
can indicate that an attacker or a virus is attempting to disable your
protection'. What happens is that all services are disabled, among other
things. I can manually re-enable and start the services, but this doesn't
stick, and after a restart, they are disabled again. Restore has been
switched off, and all previous restore points have been lost, leaving just
one on the current date. Again I re-enable it, and again it doesn't stick.
I have reinstalled Norton after first uninstalling the original load, and
reinstalled Office over the existing one. This was because the Office
programs had slowed to a crawl. It looks as if I have no option but to
format and reinstall XP and SP2, but I wonder if anyone has some knowledge
of this situation, and can suggest an alternative. For instance, is there
any way to lock down the services settings so they cannot be altered? Is
there an anti-virus program that is known to deal with this, as Norton
obviously can't? Even after reinstalling Norton, the program takes about
thirty seconds to open the main screen or to do anything else. Office
returns to full speed, but not for long, and then reverts to treacle. For
the purpose of understanding what is going on, I am reluctant to reinstall
XP if anyone can shed any light.

David Kelsey

The free version of process guard will prevent one process from
altering(shut down) another one without your permission.
http://www.diamondcs.com.au/processguard/

I strongly suggest that you go for the registered one for added protection
like rootkit/driver downloads not to mention it will stop "cool web search"
which is the topic of many posts in this group.

 

[MoiMeme]

If you just start a service manually, then nothing changes after next boot !
You have to select "automatic" in order to allow autostart of a service.
Have you tried this ?

Phil

 

[David Kelsey]

Thanks Phil. Yes, I set them all to automatic, and start any that will
start. This leaves the setting at auto. One small problem is that since
some services depend on others, it can be necessary to go back and start
some earlier ones. I figure if they start, they won't do any harm, but will
just stop if not required, but at least I know they have started so I can
use the ADSL etc. Unfortunately, after a boot, they all revert to disabled.
This may be because the automatic save is not working, or because some
malign force is trashing them. There is no way to save manually, and no
quick way to reset them to auto other than perhaps restore, provided that
hasn't also been trashed, since it is one of the services. Additionally,
opening Word and Excel takes much longer than usual, and Norton takes
forever. I reinstalled Office, and they went like rockets for a while, but
gradually slowed down again. All this seemed to start when I tried to open
a Word.doc attachment in Outlook Express from my son a few days ago. It was
just a copy of a letter he had written, and certainly didn't have anything
nasty in it, but it would not open beyond the blank Word page in layout
view. I subsequently opened it in safe mode. Since then, everything has
gone down hill.

David

 

[David Kelsey]

Thanks MAP. Does this prog work on processes or on services? I can't see
how it can control a service, which needs to start and stop all the time.

David

 

[MoiMeme]

If you double click on a service you have the dependencies on a
"dependencies" tab
That way you should be able to better restore.
Phil

 

[David Kelsey]

Thanks Phil. RPC seems to be the boss service, not unreasonably. I use the
double click to set the auto and start. Currently I set as many as I can to
auto and start, apart from the messenger service, which I never run, and one
or two others. I don't suppose there could be anything in the BIOS that
could have this effect, is there? It must happen either at shut down or
startup, because things work until shutdown, and things don't work from
startup!

David

 

[MoiMeme]

Nothing in BIOS can affect services.
Do you mean that when you restart the services you have set on automatic and
started are no more active when you reboot ?

Phil

 

[David Kelsey]

Yes, exactly that. Everything is 'disabled'.

David

 

[David Kelsey]

I've just done another scan, this time by Panda, so I have now had two by
Norton, one by Panda, and a partial one by Trend Micro, and nothing has come
up. I'm beginning to think this is either a brand new attack that no-one
has recognised yet, or it is a simple screw up by XP with the aid of Norton.
But I'd still like to discover the mechanism by which all services are
disabled at a stroke.

David

 

[MoiMeme]

I have no idea : neither had such problem, nor ever read about it ! this is
very strange. I doubt it is a virus however.
Phil

 

[MoiMeme]

Take a look here for info : http://www.blackviper.com/WinXP/servicecfg.htm
detailled info on services.

Try to apply the "AllServicesAutoSP1a.zip" ( contains a .reg file :
double-click it) from the bottom of the page here :
http://www.blackviper.com/WinXP/Archive/registry.htm to see if it works.

 

[David Kelsey]

That looks very interesting - thanks. I'll study it at leisure.

David

 

[David Kelsey]

Excellent site, Phil. Thanks for pointing me to it.

David

 

[David Kelsey]

Another surprise! With ADSL running, Word takes 32 seconds to open,
including a virus scan, and Excel takes 18 seconds. With ADSL stopped, Word
opens in 3.5 seconds, and Excel in 2.3 seconds. Further, the icons in the
status tray take about 20 seconds to open with ADSL running, and are
instantaneous when it is stopped.

What is happening here? Task Manager CPU usage shows 99% and 66% peaks for
Word with ADSL, and just one 99% peak immediately on clicking without ADSL.
I have e-mailed my ISP, Metronet, for their comments. I have 1.1 mbps.

David