zip download/save picture as problem

Discussion in 'malware problems & news' started by dags, Oct 8, 2003.

Thread Status:
Not open for further replies.
  1. dags

    dags Registered Member

    Joined:
    Aug 6, 2003
    Posts:
    15
    Not sure if this is virus related or not.
    My apologies if I've put this in the wrong forum.
The last few days, "save picture as" through both IE & Netscape is not working. It appears to work OK, but the file doesn't save or gets corrupted. When I browse the directory, I can't find the saved file.
When I do a system search on the file name it finds it in the correct directory, but when I try to open it, it comes up with "Problem with shortcut: The name 'C:\Documents and settings\dad\My Documents\filename.jpg' specified in the target box is not valid."
    Also noticed tonight, that I can't download Zip files.
    I get the following error
    C:Docume~\dad\locals~1\variousfilenames.zip could not be saved, because the source could not be read.

    Tried downloading a few different zips from different place & all failed same on different zip files.

    Suspect there is a temp file problem causing both errors.

Ran HijackThis & got the following

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Vet\VetTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Real\RealJukebox\tsystray.exe
    C:\Documents and Settings\dad\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_ct.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://members.optusnet.com.au/sdag1"); (C:\Documents and Settings\dad\Application Data\Mozilla\Profiles\default\9dg6f2i4.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\dad\Application Data\Mozilla\Profiles\default\9dg6f2i4.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll
    O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\Program Files\Comet\Bin\csietb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Exif Initializer Ver.1.0] C:\Program Files\FUJIFILM\Exif Initializer Ver.1.0\EXIFINIT.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
    O8 - Extra context menu item: IE_Speakster - C:\Windows\IE_Speakster.htm
    O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
    O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
    O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SurfSaver (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.6168287037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B29E62-33E5-48CC-A4D8-78FD66BAC1BC}: NameServer = 198.142.0.51 203.2.75.132

    I noticed a mslhig.dll in my temp directory listed in the hijackthis log. Is this a problem? o_O
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dags,

    Let's first get you cleaned out and see if that solves your problem.
    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_ct.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/

    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll
    O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\Program Files\Comet\Bin\csietb.dll

    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe

    O16 - DPF: Win32 Classes -

Add any O8 and O9 items to that list that belong to programs you no longer use (Atomica, IE_Speakster, SurfSaver).

    Then reboot and download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
Right-click in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Let us know if that did the trick.

    Regards,

    Pieter
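A small triage script for a HijackThis log like the one posted above, added here as an example and not part of the thread. The sample lines are copied from the log in this thread; the flagging rules (a BHO loaded from a Temp directory, "(no file)" orphans, a DPF entry with no class id) are my own heuristics, not HijackThis's.

```python
import re

# Constructed sample input: seven lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\dad\LOCALS~1\Temp\mslhig.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O16 - DPF: Win32 Classes -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[RNO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Both the 8.3 short name (LOCALS~1) and the long name point at a per-user temp folder.
TEMP_PATH_RE = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)


def flag_hijackthis(log_text):
    """Return (section, reason, detail) for each suspicious O2/O3/O16 entry."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest").strip()
        target = rest.split(" - ")[-1].strip()  # file path, URL or "(no file)"
        if sec in ("O2", "O3") and target == "(no file)":
            # Still registered, but the DLL is gone: a leftover worth removing.
            findings.append((sec, "orphaned entry, registered but file missing", rest))
        elif sec == "O2" and TEMP_PATH_RE.search(target):
            # Legitimate BHOs live under Program Files or Windows, not in Temp.
            findings.append((sec, "BHO loaded from a temp directory", target))
        elif sec == "O16" and not CLSID_RE.search(rest):
            # A downloaded-program entry that names neither a class id nor a source URL.
            findings.append((sec, "DPF entry with no class id or source", rest))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in flag_hijackthis(SAMPLE_LOG):
        print(f"{sec}: {reason}: {detail}")
```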
     
  3. dags

    dags Registered Member

    Joined:
    Aug 6, 2003
    Posts:
    15
    Hi Pieter,
Cleaned up the suggested entries from HijackThis, but ran into a problem trying to download both Spybot & Ad-Aware.
Looks like I can't download exe files either.
Ad-Aware download attempts failed with

    c:/docume~1\dad\locals\temp\a8yxzkr7.exe could not be saved, because the source file could not be read.

    Spybot failed same, but different exe file.

I actually already had an old version of Ad-Aware (version 5.0) that comes back clean.

    Is it safe & worth a try to delete and reallocate that temp file?

    Thanks
    Steve
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dags,

    You were very lucky that old version of AdAware did not pick up on NewDotNet. It could have ruined your internet connection.

    Here's a trick that is being used by spyware.
Copy and paste the text below into Notepad and save the file as dlandrunSSD.vbs


' Fetch the installer over HTTP without going through the browser's download handler.
Dim BinaryData
Dim xml
set xml = CreateObject("Microsoft.XMLHTTP")
xml.Open "GET", "http://www.umich.edu/~hsw/spybotsd12.exe", False
xml.Send
BinaryData = xml.ResponseBody
' Write the raw bytes to disk with an ADODB binary stream.
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim BinaryStream
set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write BinaryData
BinaryStream.SaveToFile "spybotsd12.exe", adSaveCreateOverWrite
' Launch the saved installer (window style 0, no wait).
Dim WshShell
set WshShell = CreateObject("WScript.Shell")
WshShell.Run "spybotsd12.exe", 0, false


Then double-click the file. For some time it may seem as if nothing is happening, but (depending on the speed of your connection) you should get the start screen of the Spybot S&D installation.
The download is approximately 3,5 MB, so you can estimate how long it could take.

    Keep us posted,

    Pieter

    (Special thanks to Mosaic1)
     
  5. dags

    dags Registered Member

    Joined:
    Aug 6, 2003
    Posts:
    15
    Thanks for that. Got Spybot up and running & it found 400 or so problems, which I got it to fix. Rebooted, same problems happening.

    Formatting the C drive is looking like a good option!

    Thanks
    Steve
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi dags,

    Hang on for a while. I think I can sort this out.
    Same trick, this time name it DLExpert.vbs

    Dim BinaryData
    Dim xml
    set xml = CreateObject("Microsoft.XMLHTTP")
    xml.Open "GET", "http://www.wilders.org/HTMLobj-1088/dlexpert099.exe", False
    xml.Send
    BinaryData = xml.ResponseBody
    Const adTypeBinary = 1
    Const adSaveCreateOverWrite = 2
    Dim BinaryStream
    set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.Type = adTypeBinary
    BinaryStream.Open
    BinaryStream.Write BinaryData
    BinaryStream.SaveToFile "dlexpert099.exe", adSaveCreateOverWrite
    Dim WshShell
    set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "dlexpert099.exe", 0, false


This download is a little smaller (769 KB).

    Keep us posted,

    Pieter
     
  7. dags

    dags Registered Member

    Joined:
    Aug 6, 2003
    Posts:
    15
    Ok, got that. Looks like some fancy FTP software.
    Thanks
    Steve
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    And how are the downloads coming along?

    Pieter
     
  9. dags

    dags Registered Member

    Joined:
    Aug 6, 2003
    Posts:
    15
    Thanks, that does the trick.
    Steve
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    :cool:

    Glad I could help.

    Regards,

    Pieter
     