Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: normski- on December 28, 2008, 12:13:53 AM

Title: Malware / virus attacking Paint Shop Pro
Post by: normski- on December 28, 2008, 12:13:53 AM
I have had Paint Shop Pro 7 since 2000.

In 2000 I got a virus which distorts any graphics files saved by PSP7.

No virus checkers were able to detect the virus.

I transferred some of the files to new PC & had been working on them without incident ... until I tried to open one of the old pspbrwse files which generated an unusual message. This file seems to have contained the virus which as before distorts files when they are saved. I tried uninstalling then reinstalling PSP & being careful to delete all pspbrwse files. However the virus has taken up residence & these measures were ineffective. None of this is detected by Avast. I took a note of the date the virus reappeared.

Any thoughts on how to identify & eradicate this virus?

Thanks, in anticipation.

Title: Re: Malware / virus attacking Paint Shop Pro
Post by: polonus on December 28, 2008, 12:56:10 AM
Hi normski-,

There is a patch for this: http://www.corel.com/servlet/Satellite/us/en/Content/1157481830100?pid=1153321346184

polonus
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on December 28, 2008, 11:18:13 AM
Thanks, I'll try that
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on December 28, 2008, 11:34:46 AM
OK I've tried it and the problem is, that Corel patch doesn't recognise the application.

There's another patch which might do the trick though.

Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on December 30, 2008, 07:47:31 PM
However, it doesn't.

The version I'm using was last updated in 2001.

The GDI+ patch was created in 2004 & looks for Paint Shop Pro Studio. I'm using PSP 7 which the GDI patch doesn't recognise.

There are some interesting comments on the patch screen

'As you may have become aware, a new breed of virus has been released into the public domain that affects your digital pictures, or in other words, is capable of destroying the memories you have saved on your computer. This virus attacks the GDI+ system file that ships with Microsoft Windows and is used by many programs to display JPEG images and other graphic files. While this sounds terrible, we at Jasc want to let you know that we take great measures to keep you safe while using our products. Jasc products use the GDI+ technology, but not in a way that makes you vulnerable as a user. This patch will aid in the safety of your pictures and protect against future GDI+ security breeches. While this patch solidly protects you while using Jasc products, we cannot guarantee that you are safe while using other products, so after installing this patch we suggest that you read the Jasc Knowledge Base article on this issue for further suggestions on protecting your computer and your memories.'

So even if the GDI patch works, it might not protect other programs using the GDI+ file.

I suppose one way around this is to replace the GDI+ file with the original GDI+ file at least as a temporary fix. But it's not a cure.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on December 30, 2008, 08:05:13 PM
Another option, I would see if you can get a cheap legit copy of an older version of PSP (ebay, etc.) that the patch can be applied to. I know that involves a cost, but better/less than losing your images.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 03, 2009, 03:37:22 PM
Thanks DavidR

The thing is, as far as I can see the images are ok until I edit them and it is the saved images which are then corrupted.

I suppose the main thing about the virus is that it lurks in a PSP file and once activated it resides somewhere in Windows, where it potentially interferes with any program using Windows graphic capabilities.

I got rid of the symptoms previously by reformatting my hard drive and then recovering all the files that weren't irretrievably deleted by that. Sadly this did not eradicate the virus.

The gdi patch only works on PSP Studio. I am still considering purchasing an up to date version of PSP, however am concerned that this might prevent the virus from acting on PSP without however removing it from Windows.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 03, 2009, 04:03:10 PM
All I can suggest is trying more tools, to see if anything more can be detected.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
1. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 04, 2009, 01:11:12 PM
OK I had a crack at those. Malwarebytes found nothing.

Superantispyware wouldn't run in safe mode and it seems it will only run when it is connected to the internet.

The other thing I thought of is, the pspbrwse file which apparently triggered the current attack is a copy of a file on the original hard drive from 2001.

So although I deleted that file immediately, I still have the original of it somewhere on the old hard drive.

It is possible that the original contains the virus.

If I could send this off to be analysed then maybe the virus could be identified.

My next question is, who would I send it to?

NB. I can confirm that the virus affects more than PSP. I tried editing and saving problem files using Paint and the same problems occur: the virus writes extra data into the saved file in one way or another.

A further effect is that the wysiwyg features are distorted so that images appear squashed or elongated, as I found out by rotating them through 90°.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 04, 2009, 04:48:46 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 17, 2009, 10:59:21 AM
I sent the suspect pspbrwse file to VT which found nothing.

https://www.virustotal.com/analisis/9ed0b1e64396b1b696a045cc51779cc8

Ho hum

The folder had 4 tga images in it which I also sent to VT.

Found nothing.

https://www.virustotal.com/analisis/c83656439e7b505e6febbd940ffd1f10

https://www.virustotal.com/analisis/6005b6e8afdaed606fafa1a25df94b0a

https://www.virustotal.com/analisis/a30b4177202c1a0d6e518b733df766de

https://www.virustotal.com/analisis/f62de1fd696eb0a0811d20bb18e53be8
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 17, 2009, 02:56:23 PM
Weird, so what exactly was this weird message you referred to in your original post as we really don't know much about this ?

<snip>
In 2000 I got a virus which distorts any graphics files saved by PSP7.

No virus checkers were able to detect the virus.

I transferred some of the files to new PC & had been working on them without incident ... until I tried to open one of the old pspbrwse files which generated an unusual message.

What message ?

This file seems to have contained the virus which as before distorts files when they are saved.

Exactly what file, presumably the PSPBRWSE.JBF you sent to VT or were there others ?

I tried uninstalling then reinstalling PSP & being careful to delete all pspbrwse files. However the virus has taken up residence & these measures were ineffective. None of this is detected by Avast. I took a note of the date the virus reappeared.
<snip>

How do you know this virus is there if nothing else detects anything ?

I'm really at a loss as to what else to suggest, having run multiple scans and tested against 39 scanners at VT and come up empty is a bit of a mystery. This isn't helped by my knowing nothing about PSP and how these browser cache files work or if they should/could be set to be emptied on shutdown.

Quote from: From VT Results page
TrID..: File type identification
Jasc PSP Browser Cache (100.0%)
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 18, 2009, 04:27:54 PM
The 'unusual message' when trying to open the pspbrwse file was to the effect 'cannot open file, this is not a psp file'.

But I didn't take an exact note of it at the time, perhaps a mistake, with hindsight.

'How do you know this virus is there if nothing else detects anything '

I don't know if it's in that specific file. But after trying to access that file, when I save graphics files they are distorted. So suppose I have a jpg or tga file and paint a block of white pixels all the exact same colour. Then I save it. When I open the saved file, there is not a block of white pixels all the exact same colour; there is a block of white pixels some of which are off-white. Plus the rest of the image is also distorted in a similar way - edges have random pixels added to them & colour blocks have random pixels coloured a different colour to produce a mottled effect. And so on.

I'd say that is the effect of a virus.

Furthermore the virus effects occur when using other software than psp - for example, Paint.

I think the virus was triggered by the pspbrwse file but I suppose it might never have resided there. There were 4 tga files in the folder so I ran VT on them as an afterthought, but with no result.

I suppose I should run VT on the folder as well. Who knows, that might throw something up.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 18, 2009, 05:01:56 PM
Re the message, that error could well be down to file corruption as much as actual infection.

I can't really see a virus infecting image files just to mess with the quality of the image (just my opinion), typically it will be trying to infect/hack images which can be exploited like the known jpeg exploit.

We have seen in the forums detections of .jpg files on a web page, where the user says they aren't infected, but when examined with say a text editor shows code has been injected into the image file, typically this has been an iframe tag to run code from another URL.

My problem is having scanned against VT with 39 scanners nothing is found and to my mind what is the purpose of a virus/trojan/malware but normally that is to make money.
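The text-editor check described in the post above (looking for markup such as an iframe tag injected into a .jpg) can be automated. The following is an added example, not part of any forum post: it walks the JPEG segment structure and reports bytes appended after the end-of-image marker and markup found in comment/APPn segments. The function names and the sample bytes are constructed for illustration, and the walker assumes a baseline, single-scan JPEG.

```python
import re
import struct

# Markup that has no business inside image metadata or after the image data.
MARKUP = re.compile(rb"<\s*(iframe|script)\b", re.IGNORECASE)

def inspect_jpeg(data: bytes) -> dict:
    """Report trailing bytes after EOI and markup in COM/APPn segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    markup, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected segment marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        # COM (0xFE) and APP0..APP15 (0xE0..0xEF) carry free-form metadata.
        if (marker == 0xFE or 0xE0 <= marker <= 0xEF) and MARKUP.search(payload):
            markup.append(f"segment 0xFF{marker:02X}")
        pos += 2 + length
        if marker == 0xDA:          # SOS: entropy-coded scan data follows
            break
    else:
        raise ValueError("no SOS segment found")
    # Inside scan data 0xFF is always followed by 0x00 or RSTn, so the first
    # FF D9 after the SOS header is the real end-of-image marker.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi == -1:
        raise ValueError("no EOI marker (truncated file)")
    trailing = data[eoi + 2:]
    if MARKUP.search(trailing):
        markup.append("trailing data")
    return {"trailing_bytes": len(trailing), "markup": markup}

def build_sample(comment: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed JPEG-shaped byte string (not a decodable picture)."""
    seg = lambda m, p: b"\xff" + bytes([m]) + struct.pack(">H", len(p) + 2) + p
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + seg(0xE0, jfif) + seg(0xFE, comment)
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56" + b"\xff\xd9" + trailing)

if __name__ == "__main__":
    injected = b'<iframe src="http://example.invalid/x"></iframe>'
    print(inspect_jpeg(build_sample(b"constructed test image")))
    print(inspect_jpeg(build_sample(trailing=injected)))
```

A clean result here only means the file carries no appended or embedded markup; it says nothing about whether the pixel data has been altered.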
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 18, 2009, 09:05:42 PM
Well to be fair, it's not really your problem as you don't have the virus screwing up your graphic files.

But, excuse my flippant response.

How do you suggest I progress this?
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 18, 2009, 10:49:41 PM
I know it isn't my problem, but I'm just expressing it is a strange action for malware to do and it isn't one that I have heard of before.

You mentioned "In 2000 I got a virus which distorts any graphics files saved by PSP7."
Was this the same effect as you are now describing ?
What was that virus called ?
And how did you deal with it back then if you can recall.

Other than the above I honestly don't know what you can do if there are no detections with these files, it would effectively have to be whatever file that is responsible for the creation or modification of the image that could be the one you need to find.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 19, 2009, 08:46:23 AM
'You mentioned "In 2000 I got a virus which distorts any graphics files saved by PSP7."
Was this the same effect as you are now describing ?'

Yes.

'What was that virus called ?'

No idea. None of the virus checkers I used at that time could detect it.

'And how did you deal with it back then if you can recall.'

I reformatted the hard drive.

Then used a data recovery program to retrieve whatever was left after that.

Then left it alone for several years until I got a new system & new virus checker.

Btw I transferred the virus to a laptop recently. It survives system restore.

I am probably going to nuke the laptop but am holding off doing that, as would prefer to have the virus detected and dealt with.

I could attach images here (after VT-ing them) to display what it does but it wouldn't really add anything to my previous description. Plus for all I know the images themselves may be infected.

Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 19, 2009, 02:57:44 PM
Well the end result, if only (I know, it isn't affecting me) messing with the physical image quality that is saved as you are seeing, then it wouldn't show any sign of virus infection. Which is why I suggested checking some of the files at VT (to basically confirm this) or as I suggested later to view the file with a text editor to see if there is anything, say a text string, to open and execute a file, etc.

However, I don't think that is likely as that hacking of an image file would certainly ring alarm bells in avast and probably several other AVs. It is this lack of a payload that I find very strange, whilst in the old days (2000) perhaps there were people who only wanted to see just how widely they could spread a piece of malware or announce their so called abilities. Again if that were the case why target paint shop pro with a restricted audience.

So we keep getting back to the how is it determined to be a virus if nothing found it then and nothing finds it now, with none of the usual malware symptoms other than this graphic quality issue (which no doubt makes having that version of PSP worth very little).

So I honestly don't know what else to suggest, perhaps it is time to try a later version of PSP.

System restore is far from perfect and it isn't something I would pin any hopes on as it doesn't monitor all files nor is it a backup tool. I prefer using drive imaging software, that makes an exact copy of the partition, which you can restore.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: normski- on January 19, 2009, 06:14:08 PM
'Well the end result, if only (I know, it isn't affecting me) messing with the physical image quality that is saved as you are seeing, then it wouldn't show any sign of virus infection. '

Evidently not.

'in the old days (2000) perhaps there were people who only wanted to see just how widely they could spread a piece of malware or announce their so called abilities.'

Well it is an old problem dating back to 2001.

'Again if that were the case why target paint shop pro with a restricted audience.' It's just a bit of vandalism as far as I can see, for someone's amusement.

'how is it determined to be a virus if nothing found it then and nothing finds it now'
By its behaviour.
That the diagnostic tools don't know what to look for or where or how to look for it is annoying but irrelevant to its definition as a piece of malware.

'perhaps it is time to try a later version of PSP.'
That's on my list.

Your comments about system restore and drive imaging are appreciated & will be explored.

I'm no expert in this but was hoping I could just send some boffin a series of files which probably contain the virus so they could enjoy cracking it.
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: DavidR on January 19, 2009, 07:27:36 PM
I'm sorry to drag this out as it really isn't going anywhere positive, we could talk about this for a long time, but the action of distorting images isn't a symptom of anything that I have come across.

So I'm sorry but there is no clear indication this is malware.

When you are manipulating or creating an image in PSP you could try to see what files are active (task manager cpu%, etc.) as 'if and I think it a big if' this were a virus then it would be that file which needs to be checked out (as I mentioned earlier).

Other tools: FileMonitor (filemon.exe) from MS (http://technet.microsoft.com/en-us/sysinternals/bb545046.aspx).
Title: Re: Malware / virus attacking Paint Shop Pro
Post by: Lisandro on January 19, 2009, 09:28:25 PM
Sorry to jump in such a long thread now... but did you run on-line scanning?

Kaspersky (http://www.kaspersky.com/virusscanner) (very good detection rates)
ESET NOD32 (http://www.eset.com/onlinescan/)
Trendmicro housecall (http://www.trendmicro.com/hc_intro/default.asp)
F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
BitDefender (http://www.bitdefender.com/scan8/ie.html)