Corrupted Installation?

  • Thread starter: Freewheeling

Freewheeling

Hi:

I appear to have a corrupted XP installation and I'm not sure what to do
about it. Lots of strange behavior, including scripting errors when I
click on "Related Topics" under "Help;" problems where it won't boot
properly, unpredictable behavior in IE6 including frequent need to refresh a
page that just won't load on an ADSL connection, and attempts by some
strange program with a list of special characters as a name to establish an
outgoing connection. (It's not a virus, because I've had the drive checked
numerous times by up to date software run from an uninfected machine.) I'm
also unable to install some software, which starts odd behavior and forgets
part of my setup (Netscape). I have none of these problems from a Linux box
on the same computer. Is there a way to fix a corrupted installation, or do
I need to reformat and reinstall? Is there a diagnostic I can run that will
check for corrupted files? If I do an "update" with the original XP Pro
installation disk, will it fix any corrupted files it encounters?

I think some stuff may have gotten corrupted after I had neglected
defragging the drive, and chkdsk has indicated that there were errors. I
defragged and ran chkdsk with the repair option, but am still having
problems. And I can't back up to a previous installation, because I think
things have been bad for quite a long time. I just thought it was normal,
until I began to get much better performance out of my Linux box. I need to
use XP-Pro for lots of reasons, so can't afford to drop it for Linux, but
this installation looks to be in a lot of trouble.

I don't know, maybe this program that tries to call "home" is a virus, but
it's apparently a virus no one has identified yet. Any ideas?
 
Did you start to notice this behavior after a recent
windows update installation? There are about 4-5 people
who have problems similar to yours after doing just that.
I am one of that group and am not a great believer in
coincidence.
 
Chuck said:
Did you start to notice this behavior after a recent
windows update installation?

To tell the truth, Chuck, a lot of these strange behaviors have been around
a long time. There appears to be some sort of spyware with a program name
of the form:

?õw©õw?Ûüwoeõ##

Where only the last two digits, marked by the # sign, change from time to
time. The program name is false. It attempts connections to Genuity.com
and some other sites identified as in the Hotmail domain, but for all I know
those are forgeries. It has recently disappeared though, so I may have done
something to get rid of it. I am also pretty sure that my installation of
IE6 is corrupted. Either that, or it's just sort of a crappy program. But
I've been unable to install Netscape, which seems to work fine in my Linux
box and seems superior to IE6. (Especially the tabbed browsing.) But I
can't seem to get Netscape to work under XP-Pro.

I have also noticed that when my browser is identified in web forums Windows
also, rather stupidly, blurts out my NET id. Wish I could figure out how to
put a stop to that nonsense.

I'm actually fairly happy with my Linux setup (Lycoris Desktop/LX), except
for a couple of things. It doesn't seem to be able to play DVDs very well
(lots of herky jerky even though I have all the right codecs) and there's no
way to get Windows Media Files to play. They're apparently working on both
issues. There are also a couple of programs that apparently will only work
under Windows, my Garmin MapSource program and some other dedicated fitness
stuff. Except for that, I could almost wave goodbye to Windows.

There's another thing I can't quite figure out. There's something called
"Generic Host Process for Win 32 Services" that's constantly listening to
UDP ports 1030 and 1031 as well as TCP port 5000. It is VERY active, and I
have no idea what the heck it's doing. However, I think that this activity
is what's interfering with and breaking my browsing and usenet connections,
so that I have to keep reloading pages that get "stuck." When I block the
process, however, Windows Media Player doesn't seem to work.

I really see no reason for this constant listening activity (or whatever
it's doing) and wish I could put a stop to it. It's all incoming activity
though. Nothing going out.
 
Jim:

Thanks. I ran that process as you suggested. When I rebooted the display
had gone all haywire, so I reinstalled my Asus video drivers and things
seemed OK. There's one sort of odd consequence though. When MSN Messenger
starts up the splash page for MSN Today results in two error messages:

Can't open kernel driver asLM75.sys, and
Can't load AsmiltwIo.dll

So I just disabled the MSN Today launch. But maybe there are broader
implications.

The browser still seems funky, so I may need to remove and do a clean
install of that. But I have no idea how. I gather it's so integral to the
Windows environment that a completely clean install may be impossible.
 
Freewheeling said:
To tell the truth, Chuck, a lot of these strange behaviors have been around
a long time. There appears to be some sort of spyware with a program name
of the form:

?õw©õw?Ûüwoeõ##

Where only the last two digits, marked by the # sign, change from time to
time. The program name is false. It attempts connections to Genuity.com
and some other sites identified as in the Hotmail domain, but for all I know
those are forgeries. It has recently disappeared though, so I may have done
something to get rid of it. I am also pretty sure that my installation of
IE6 is corrupted. Either that, or it's just sort of a crappy program. But
I've been unable to install Netscape, which seems to work fine in my Linux
box and seems superior to IE6. (Especially the tabbed browsing.) But I
can't seem to get Netscape to work under XP-Pro.

I have also noticed that when my browser is identified in web forums Windows
also, rather stupidly, blurts out my NET id. Wish I could figure out how to
put a stop to that nonsense.

(snip) I actually read through this post twice to make sure I didn't
miss something. You've identified that you've got a trojan running and
you don't think to scan with a current antivirus using updated
definitions? Get rid of the trojan!

Malke
 
Malke said:
(snip) I actually read through this post twice to make sure I didn't
miss something. You've identified that you've got a trojan running and
you don't think to scan with a current antivirus using updated
definitions? Get rid of the trojan!

OF COURSE I scanned, with a Trend Micro program (with updated virus files)
located on a different computer in the network, isolated from the infected
computer and therefore not infected (and with none of the symptoms, either).
I don't know what this thing is, but it's not a trojan that is known by any
of the conventional antivirus software.

It also seems to have disappeared, though it might be laying low. But I
recently uninstalled some stuff that I didn't want or need, and it may have
been part of that. So far no new activity, other than the Generic Process
stuff, which bugs me but may very well be legit. Aren't 1030 and 1031 the
ports used by Netmeeting?

--Scott
 
Freewheeling said:
OF COURSE I scanned, with a Trend Micro program (with updated virus files)
located on a different computer in the network, isolated from the infected
computer and therefore not infected (and with none of the symptoms, either).
I don't know what this thing is, but it's not a trojan that is known by any
of the conventional antivirus software.

It also seems to have disappeared, though it might be laying low. But I
recently uninstalled some stuff that I didn't want or need, and it may have
been part of that. So far no new activity, other than the Generic Process
stuff, which bugs me but may very well be legit. Aren't 1030 and 1031 the
ports used by Netmeeting?

--Scott

Note: if this gets posted twice, I'm sorry. Naturally there are problems
with the newsreader or the newsserver whenever I write a lengthy reply!
Anyway, no, ports 1030 and 1031 aren't used for Netmeeting. Here's the
url from Microsoft (split on two lines for the newsreader):

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/
support/kb/articles/q158/6/23.asp&NoWebContent=1

And here's an url for information on ports 1030 and 1031:

http://dspace.dial.pipex.com/regday/zportlist.htm

Here's the information from that site for ports 1030 and 1031:

1030 TCP Gibbon; 1030 TCP KWM
1031 TCP KWM; 1031 TCP Little Witch
1031 TCP Xanadu; 1031 TCP Xot; 1031 UDP Xot

So you may still have a Trojan, or the problem may have been connected
with the software you installed/uninstalled as you suspected. IMHO, the
only way to be 100% sure your box is clean is to format and reinstall
the os.

HTH and good luck,

Malke
 