Author Topic: Malware / virus attacking Paint Shop Pro  (Read 15800 times)


normski-

  • Guest
Malware / virus attacking Paint Shop Pro
« on: December 28, 2008, 12:13:53 AM »
I have had Paint Shop Pro 7 since 2000.

In 2000 I got a virus which distorts any graphics files saved by PSP7.

No virus checkers were able to detect the virus.

I transferred some of the files to new PC & had been working on them without incident ... until I tried to open one of the old pspbrwse files which generated an unusual message. This file seems to have contained the virus which as before distorts files when they are saved. I tried uninstalling then reinstalling PSP & being careful to delete all pspbrwse files. However the virus has taken up residence & these measures were ineffective. None of this is detected by Avast. I took a note of the date the virus reappeared.

Any thoughts on how to identify & eradicate this virus?

Thanks, in anticipation.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware / virus attacking Paint Shop Pro
« Reply #1 on: December 28, 2008, 12:56:10 AM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #2 on: December 28, 2008, 11:18:13 AM »
Thanks, I'll try that

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #3 on: December 28, 2008, 11:34:46 AM »
OK I've tried it and the problem is, that Corel patch doesn't recognise the application.

There's another patch which might do the trick though.

« Last Edit: December 28, 2008, 11:51:23 AM by normski- »

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #4 on: December 30, 2008, 07:47:31 PM »
However, it doesn't.

The version I'm using was last updated in 2001.

The GDI+ patch was created in 2004 & looks for Paint Shop Pro Studio. I'm using PSP 7 which the GDI patch doesn't recognise.

There are some interesting comments on the patch screen

'As you may have become aware, a new breed of virus has been released into the public domain that affects your digital pictures, or in other words, is capable of destroying the memories you have saved on your computer. This virus attacks the GDI+ system file that ships with Microsoft Windows and is used by many programs to display JPEG images and other graphic files. While this sounds terrible, we at Jasc want to let you know that we take great measures to keep you safe while using our products. Jasc products use the GDI+ technology, but not in a way that makes you vulnerable as a user. This patch will aid in the safety of your pictures and protect against future GDI+ security breaches. While this patch solidly protects you while using Jasc products, we cannot guarantee that you are safe while using other products, so after installing this patch we suggest that you read the Jasc Knowledge Base article on this issue for further suggestions on protecting your computer and your memories.'

So even if the GDI patch works, it might not protect other programs using the GDI+ file.

I suppose one way around this is to replace the GDI+ file with the original GDI+ file at least as a temporary fix. But it's not a cure.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malware / virus attacking Paint Shop Pro
« Reply #5 on: December 30, 2008, 08:05:13 PM »
Another option, I would see if you can get a cheap legit copy of an older version of PSP (ebay, etc.) that the patch can be applied to. I know that involves a cost, but better/less than losing your images.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #6 on: January 03, 2009, 03:37:22 PM »
Thanks DavidR

The thing is, as far as I can see the images are ok until I edit them and it is the saved images which are then corrupted.

I suppose the main thing about the virus is that it lurks in a PSP file and once activated it resides somewhere in Windows, where it potentially interferes with any program using Windows graphic capabilities.

I got rid of the symptoms previously by reformatting my hard drive and then recovering all the files that weren't irretrievably deleted by that. Sadly this did not eradicate the virus.

The gdi patch only works on PSP Studio. I am still considering purchasing an up to date version of PSP, however am concerned that this might prevent the virus from acting on PSP without however removing it from Windows.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malware / virus attacking Paint Shop Pro
« Reply #7 on: January 03, 2009, 04:03:10 PM »
All I can suggest is trying more tools, to see if anything more can be detected.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #8 on: January 04, 2009, 01:11:12 PM »
OK I had a crack at those. Malwarebytes found nothing.

Superantispyware wouldn't run in safe mode and it seems it will only run when it is connected to the internet.

The other thing I thought of is, the pspbrwse file which apparently triggered the current attack is a copy of a file on the original hard drive from 2001.

So although I deleted that file immediately, I still have the original of it somewhere on the old hard drive.

It is possible that the original contains the virus.

If I could send this off to be analysed then maybe the virus could be identified.

My next question is, who would I send it to?

NB. I can confirm that the virus affects more than PSP. I tried editing and saving problem files using Paint and the same problems occur: the virus writes extra data into the saved file in one way or another.

A further effect is that the wysiwyg features are distorted so that images appear squashed or elongated, as I found out by rotating them through 90°.
« Last Edit: January 04, 2009, 01:16:52 PM by normski- »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malware / virus attacking Paint Shop Pro
« Reply #9 on: January 04, 2009, 04:48:46 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

normski-

  • Guest
« Last Edit: January 17, 2009, 02:37:19 PM by normski- »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malware / virus attacking Paint Shop Pro
« Reply #11 on: January 17, 2009, 02:56:23 PM »
Weird, so what exactly was this weird message you referred to in your original post as we really don't know much about this?

<snip>
In 2000 I got a virus which distorts any graphics files saved by PSP7.

No virus checkers were able to detect the virus.

I transferred some of the files to new PC & had been working on them without incident ... until I tried to open one of the old pspbrwse files which generated an unusual message.

What message?

This file seems to have contained the virus which as before distorts files when they are saved.

Exactly what file, presumably the PSPBRWSE.JBF you sent to VT or were there others?

I tried uninstalling then reinstalling PSP & being careful to delete all pspbrwse files. However the virus has taken up residence & these measures were ineffective. None of this is detected by Avast. I took a note of the date the virus reappeared.
<snip>

How do you know this virus is there if nothing else detects anything?

I'm really at a loss as to what else to suggest, having run multiple scans and tested against 39 scanners at VT and come up empty is a bit of a mystery. This isn't helped by my knowing nothing about PSP and how these browser cache files work or if they should/could be set to be emptied on shutdown.

Quote from: From VT Results page
TrID..: File type identification
Jasc PSP Browser Cache (100.0%)

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #12 on: January 18, 2009, 04:27:54 PM »
The 'unusual message' when trying to open the pspbrwse file was to the effect 'cannot open file, this is not a psp file'.

But I didn't take an exact note of it at the time, perhaps a mistake, with hindsight.

'How do you know this virus is there if nothing else detects anything '

I don't know if it's in that specific file. But after trying to access that file, when I save graphics files they are distorted. So suppose I have a jpg or tga file and paint a block of white pixels all the exact same colour. Then I save it. When I open the saved file, there is not a block of white pixels all the exact same colour; there is a block of white pixels some of which are off-white. Plus the rest of the image is also distorted in a similar way - edges have random pixels added to them & colour blocks have random pixels coloured a different colour to produce a mottled effect. And so on.

I'd say that is the effect of a virus.

Furthermore the virus effects occur when using other software than psp - for example, Paint.

I think the virus was triggered by the pspbrwse file but I suppose it might never have resided there. There were 4 tga files in the folder so I ran VT on them as an afterthought, but with no result.

I suppose I should run VT on the folder as well. Who knows, that might throw something up.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malware / virus attacking Paint Shop Pro
« Reply #13 on: January 18, 2009, 05:01:56 PM »
Re the message, that error could well be down to file corruption as much as actual infection.

I can't really see a virus infecting image files just to mess with the quality of the image (just my opinion), typically it will be trying to infect/hack images which can be exploited like the known jpeg exploit.

We have seen in the forums detections of .jpg files on a web page, where the user says they aren't infected, but when examined with, say, a text editor, it shows code has been injected into the image file; typically this has been an iframe tag to run code from another URL.

My problem is having scanned against VT with 39 scanners nothing is found and to my mind what is the purpose of a virus/trojan/malware but normally that is to make money.
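The text-editor check described in the reply above can be scripted. This is an added example, not part of the original thread: it walks a JPEG's markers to find the End-Of-Image marker, then reports any bytes appended after it and any iframe/script markup anywhere in the file. The function names and the sample byte strings are constructed for illustration, and the parser assumes a baseline (single-scan) JPEG.

```python
import re

# Markup of the kind the reply describes finding inside tampered image files.
MARKUP = re.compile(rb"<\s*(iframe|script)\b", re.IGNORECASE)

def find_eoi(data: bytes) -> int:
    """Return the offset just past the End-Of-Image marker, or -1 if malformed."""
    if data[:2] != b"\xff\xd8":                  # file must start with SOI
        return -1
    pos = 2
    while pos + 2 <= len(data):                  # walk the header segments
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI with no scan data
            return pos + 2
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: compressed data follows
            break
    else:
        return -1
    while True:                                  # scan the compressed data
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            return -1
        if data[pos + 1] == 0xD9:
            return pos + 2
        pos += 1                                 # FF00 stuffing, RSTn or fill byte

def inspect_jpeg(data: bytes) -> dict:
    """Summarise structural validity, appended data and embedded markup."""
    end = find_eoi(data)
    return {
        "valid_structure": end >= 0,
        "trailing_bytes": len(data) - end if end >= 0 else 0,
        "markup_offsets": [m.start() for m in MARKUP.finditer(data)],
    }

# Constructed samples: a minimal JPEG-shaped byte string, and the same bytes
# with markup appended after EOI (placeholder URL).
CLEAN = (b"\xff\xd8" b"\xff\xe0\x00\x04JF" b"\xff\xda\x00\x02"
         b"\x12\xff\x00\x34" b"\xff\xd9")
INJECTED = b'<iframe src="http://example.invalid/"></iframe>'
TAMPERED = CLEAN + INJECTED

if __name__ == "__main__":
    print(inspect_jpeg(CLEAN))
    print(inspect_jpeg(TAMPERED))
```

Trailing bytes alone are not proof of tampering, since some cameras and editors append their own data after EOI; the markup offsets are the stronger signal.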

normski-

  • Guest
Re: Malware / virus attacking Paint Shop Pro
« Reply #14 on: January 18, 2009, 09:05:42 PM »
Well to be fair, it's not really your problem as you don't have the virus screwing up your graphic files.

But, excuse my flippant response.

How do you suggest I progress this?