Services/Properties and other crap

By rmday · 8 replies
May 11, 2004
  1. Long story but it's needed so you can get an idea what is going on, help would be greatly appreciated!

    I have Windows 2000 operating system.

    The network I'm connected to kicked me off the Internet Sunday night and told me I had to get new antivirus software on my computer, put up a firewall, before they'd put me back on the Internet. My antivirus software had not been updated for about a month.

    I manage to get Symantec's installer on a CD from another computer and try to install it on my machine. My machine is running very slow at this point. It does not install the software from the CD. So a friend helps me go through the Services I have running under Administrative Tools and he disables a lot of the Automatic services he thinks are viruses or are not needed. I'll put up a list when I find the sheet of paper it was on. I went looking on google and found that two of the things listed were the Hong Kong virus and the Blaster virus, but some of the others were just stuff for my machine (DameWare, FireDaemon, System Event Notification, and a couple others). At this point, my computer is running at normal speed, so whatever was making it run really slow was disabled.

    However, I go to Services under Administrative Tools, and click on Properties so I can put back to Automatic the ones I know have nothing wrong with them, and the property pages never come up, so I can't change from Disabled to Automatic. Then, I go to close Services, and it tells me to "Close all property pages before closing Services." The only way I can close Services is by Task Manager and closing it after clicking End Process a couple times.

    I think I need to change some of the processes in Services back to Automatic so I can do the Symantec installer, but I can't get to the Property pages to change them back.

    And the Symantec installer still won't run, and my computer can't get on the internet because I was kicked off the network.
  2. Goalie

    Goalie TS Booster Posts: 616

    To be honest with you, your best idea is to reinstall Windows COMPLETELY after being infected, especially with multiple viruses- depending on what you had, you may have had extra nasty programs (keyloggers, ftp drones, etc) installed during the infection.

    After doing a reinstall, contact your local admin, tell them you have reinstalled to clear out the nastays, and would like internet access so you can update your software. And do so. Patch MS, patch AntiVirus. Then go find yourself a firewall.

    Seriously, I would not attempt to repair this installation after being infected simultaneously with 2 viruses. The chances of you picking up an extra trojan or whatever is small, but why risk it?
  3. Goalie

    Goalie TS Booster Posts: 616

    PS- Welcome to Techspot!
  4. rmday

    rmday TS Rookie Topic Starter

    Hmm, I don't think I have the disks to be honest, maybe I can get with someone else. But if anyone recognizes this problem before I do something that drastic, here's what I'd disabled if anyone recognizes anything that's the center to my flaw:

    config (???)
    DameWare Mini Remote Control
    DameWare NT Utilities 2.6
    FireDaemon Service: spool
    FireDaemon Service: vmn32
    IPSEC Policy Agent
    Print Spooler (I think this is a virus)
    Remote Procedure Call (RPC) (I think this is a virus)
    Remote Registry Service
    Removable Storage
    Routing and Remote Access
    Security Accounts Manager
    Serv-U FTP Server
    Still Image Service
    System Event Notification
    Task Scheduler
    Wi2n loahder (???)
    Windows Management Instrumentation
  5. Liquidlen

    Liquidlen TechSpot Paladin Posts: 1,094

    First, it sounds as though you are not logged on as administrator or you are on a workstation with no admin privileges. Is this true?
    Also exactly how are you connected to the internet?
    You can get more help if you can give accurate info.
    Lastly those items you think are viruses (2nd Post) are critical windows services so you need to get some real help before you proceed.
  6. Goalie

    Goalie TS Booster Posts: 616

    Well.. first of all, you'll need to boot safemode. Then go reenable the following processes as these are critical, as liquidlen says, for Windows to work. The others may be needed as well, but these are the ones I recognize as MS processes, having fought previous wars with each one of them. A few aren't critical, but for example the print spooler would be nice so you can print out our advice before restarting to safe mode. Then shoot the person who disabled them.

    IPSEC Policy Agent
    Print Spooler (I think this is a virus) Heh, no. It's what queues your print jobs.
    Remote Procedure Call (RPC) (I think this is a virus) No, it's not. But it does frequently cause viruses to work.
    Removable Storage
    Routing and Remote Access
    Security Accounts Manager
    Still Image Service
    System Event Notification
    Task Scheduler
    Windows Management Instrumentation
  7. Spike

    Spike TS Evangelist Posts: 2,168

    Whoever it was that disabled those services needs to be kept away from administrative accounts on your machine!!! A little knowledge can cause big problems. That's why you use Google, or some such to find out about something if you don't know what it is. Failing that, a good book, or ask someone who does know. You may be better off attempting to fix your machine yourself, after seeking advice elsewhere if needs be.
  8. Spike

    Spike TS Evangelist Posts: 2,168

    IPSec Policy Agent - The IPSec Policy Agent is a mechanism that resides on each Windows 2000 computer, that appears in the list of system services. The Policy Agent retrieves the active IPSec policy information, and passes it to the other IPSec mechanisms which require that information to perform security services.
    Print Spooler - Queues print jobs
    Remote Procedure Call (RPC) -

    OK, let's do a little less typing. :D
  9. Goalie

    Goalie TS Booster Posts: 616

    If you *really* wish to keep RPC from behaving badly block port 135 from outside of your network. Or even better, from every machine.

    Do note that this *might* cause MS Outlook to misbehave. I know Exchange servers need the RPC Endpoint port open, but I dunno about Outlook.
Topic Status:
Not open for further replies.
