What the hell is wrong with M$ paint?

Name: 4tran 2010-01-20 3:23

Every time I try to save something in Paint, it tries to connect to some random IP, e.g. 69.94.107.14, though the last number varies slightly (~10-50). It would be less annoying if it didn't take 5 minutes for Paint to do this. Strangely, nothing irregular happens if I pull my network cable. Any idea what's going on? That IP doesn't seem very suspicious.

Is there a default copy of mspaint.exe I can compare with?

Thanks for your thoughts,
inb4 trojan

Name: Anonymous 2010-01-20 3:24

trojan

Name: Anonymous 2010-01-20 3:32

M$
I'm going to just ignore this thread, and hope that you're a troll.

Name: 4tran 2010-01-20 3:42

>>3
I'm sorry, I'm sorry.  I thought it was a common/comical way to refer to microsoft.

I'm not trolling; this problem has been annoying me for months.  Is there anything at all that infects mspaint?

Name: Anonymous 2010-01-20 4:06

>>4
If your box is already owned by something, it's not hard for some malicious code to inject itself into any random application at runtime. Most of the time the code can reside in any application, such as services and code which runs as SYSTEM. Why it would choose MS Paint, I wouldn't know. It wouldn't be hard for me to debug such an issue if I had access to your system live, but this is hardly /prog/-related. If you have no idea what to do, you could go to /g/ which will probably tell you to delete SYSTEM32, or if you know what to do, go get a usermode debugger, attach it to MS Paint, set a few breakpoints to the network access APIs, or scan the memory for possible executable code which does not belong to any module, and investigate from there.

tl;dr: not /prog/-related
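
The last suggestion in that post, scanning a process for executable memory that no loaded module accounts for, written out as an added example in Python (not code from the thread or any poster). On a live Windows box the region list would come from VirtualQueryEx() and the module list from EnumProcessModules()/GetModuleInformation() or a debugger's memory map; both lists here are constructed by hand with illustrative XP-era addresses so the check runs offline.

```python
"""Find executable memory in a process that no loaded module accounts for.

Added example, not from the thread. The region and module lists below are
constructed by hand; on a live system they would come from VirtualQueryEx()
and EnumProcessModules()/GetModuleInformation() (or a debugger's memory map).
"""
from dataclasses import dataclass

# Constants from <winnt.h>
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE{,_READ,_READWRITE,_WRITECOPY}
PAGE_WRITE_ANY = 0x04 | 0x08 | 0x40 | 0x80     # PAGE_READWRITE/WRITECOPY and their EXECUTE forms


@dataclass(frozen=True)
class Region:          # one MEMORY_BASIC_INFORMATION entry
    base: int
    size: int
    state: int
    protect: int
    mtype: int


@dataclass(frozen=True)
class Module:          # one entry from the process's module list
    name: str
    base: int
    size: int


def owning_module(addr, modules):
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)


def orphan_executable_regions(regions, modules):
    """Committed executable regions whose base address lies in no known module.

    Returns (region, reason) pairs. Private RWX memory is the classic shape of
    injected code or shellcode; an image-backed region with no module behind it
    is what a DLL unlinked from the loader's lists looks like.
    """
    hits = []
    for r in regions:
        if r.state != MEM_COMMIT or not (r.protect & PAGE_EXECUTE_ANY):
            continue
        if owning_module(r.base, modules) is not None:
            continue
        if r.mtype == MEM_IMAGE:
            reason = 'image-mapped but absent from module list'
        elif r.protect & PAGE_WRITE_ANY:
            reason = 'private writable+executable memory'
        else:
            reason = 'private executable memory'
        hits.append((r, reason))
    return hits


# Constructed sample: plausible XP-era addresses, not real measurements.
MODULES = [
    Module('mspaint.exe', 0x01000000, 0x56000),
    Module('ntdll.dll', 0x7C900000, 0xB2000),
    Module('kernel32.dll', 0x7C800000, 0xF6000),
]
REGIONS = [
    Region(0x01001000, 0x40000, MEM_COMMIT, 0x20, MEM_IMAGE),    # mspaint .text, fine
    Region(0x7C801000, 0x80000, MEM_COMMIT, 0x20, MEM_IMAGE),    # kernel32 code, fine
    Region(0x00150000, 0x10000, MEM_COMMIT, 0x04, MEM_PRIVATE),  # heap, not executable
    Region(0x00A80000, 0x10000, MEM_COMMIT, 0x40, MEM_PRIVATE),  # RWX blob: suspicious
    Region(0x10000000, 0x08000, MEM_COMMIT, 0x20, MEM_IMAGE),    # mapped image, no module
]


def demo():
    return [(hex(r.base), why) for r, why in orphan_executable_regions(REGIONS, MODULES)]


if __name__ == '__main__':
    for base, why in demo():
        print(base, why)
```

The two hits are where you would point the debugger next: dump the region, look for a PE header or a recognisable code prologue at its start, and check which thread has a return address inside it.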

Name: 4tran 2010-01-20 4:45

>>5
I figured that they might tell me to delete sys32 or something of that nature.

Usermode debugger?  Do I need to know C to know how to use such software?

What else is /prog/ for then?  < 1/3 of the threads here actually involve code, and I doubt the rest are "derp my programming language is better than yours" (to some extent SICP dominates).

Name: Anonymous 2010-01-20 4:48

What's your OS? Have you installed MSE? Use netstat/traceroute. Google the IP.
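
How to get from netstat to a process, as an added example in Python (not any poster's code). SAMPLE is a constructed imitation of `netstat -ano` output on Windows XP, where the last column is the owning PID; the local side is RFC 1918 space, the foreign side uses the address the thread talks about (with a second last octet consistent with the poster's description) plus one RFC 5737 test address. The parser tolerates the UDP rows, which have no State column, and the `*:*` placeholders.

```python
"""Attribute 'netstat -ano' rows to processes and filter by remote network.

Added example, not from the thread. SAMPLE is a constructed imitation of
'netstat -ano' output on Windows XP (the last column is the owning PID).
"""
import ipaddress
from collections import defaultdict

SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1039       192.0.2.25:80          ESTABLISHED     1680
  TCP    192.168.1.5:1041       69.94.107.14:80        SYN_SENT        2244
  TCP    192.168.1.5:1042       69.94.107.31:80        SYN_SENT        2244
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows carry no State column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ('TCP', 'UDP'):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == 'TCP' else ''
        yield {'proto': proto, 'local': local, 'foreign': foreign,
               'state': state, 'pid': int(parts[-1])}


def host_of(endpoint):
    """'69.94.107.14:80' -> '69.94.107.14'; also handles '[::1]:80' and '*:*'."""
    host = endpoint.rpartition(':')[0]
    return host.strip('[]')


def connections_to(text, network):
    """Map PID -> [(foreign endpoint, state)] for rows inside `network` (CIDR)."""
    net = ipaddress.ip_network(network)
    by_pid = defaultdict(list)
    for row in parse_netstat(text):
        try:
            addr = ipaddress.ip_address(host_of(row['foreign']))
        except ValueError:            # '*' or a hostname (output without -n)
            continue
        if addr in net:
            by_pid[row['pid']].append((row['foreign'], row['state']))
    return dict(by_pid)


if __name__ == '__main__':
    for pid, conns in connections_to(SAMPLE, '69.94.107.0/24').items():
        print(pid, conns)
```

The PID then goes into `tasklist /fi "PID eq 2244"` (or Task Manager with the PID column enabled) to learn whether it is mspaint.exe itself or some other process. A row stuck in SYN_SENT means the remote side is not answering; a connect() that blocks in the save path until the TCP handshake gives up is one ordinary way a dialog ends up hanging for minutes.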

Name: Anonymous 2010-01-20 5:20

>>6
Usermode debugger?
Something like OllyDBG would do.
Do I need to know C to know how to use such software?
It would help, but, no, you need to know x86 asm, and the win32 api, as well as some things about NT internals.

HIBT?

Name: Anonymous 2010-01-20 6:28

>>8
He doesn't need a debugger, he needs a fucking antivirus (or what >>7 said), and someone who doesn't speak C or know what a debugger is obviously doesn't know the win32 API. Besides, why would you need to know anything about assembly or NT internals?

HIBMT?

Name: Anonymous 2010-01-20 6:38

GIVE IN!!! Let Paint do its job! FIND OUT!!! It's not like you'll die because of it !!!

Name: Anonymous 2010-01-20 6:46

>>9
Some AVs might do the job, but only if it's a known threat. I can't say much about them as I never use them myself. I just pop it up in a debugger and see what it does and if it's bad or not. Let me try and do something more newbie friendly which doesn't require knowledge of internals:
1) Run hijackthis, post log.
2) Run GMER, all settings on, post log.
3) Run Memoryze and generate a log.
4) You may also post a sample of MS Paint, if you suspect the executable has been infected (this might not be the case, if some other process injects code into MS Paint at runtime).
Or don't do any of those as this is not /prog/-related.
OP, how do you know it tries to connect some place when you use MS Paint, and how did you confirm this? Can you reproduce this unusual behaviour?
HIBMMT?

Name: Anonymous 2010-01-20 7:03

Just use GIMP.

Name: 4tran 2010-01-20 7:11

>>7
Windows XP Home. I didn't know that MS upgraded their Windows Live OneCare (which isn't free); scanning right now. Spybot/Ad-Aware didn't find anything.

Googling the IP was among the first things I did; it just goes to some random town in Connecticut.

>>8
I'll look into it, but I probably have a lot to learn.

>>9
I know some java (and basic and scheme), and I recall working with a debugger of some sort, but I didn't know we could debug in the way you're suggesting.  Could be useful when I lrn assembly one of these days...

M = much?

Name: 4tran 2010-01-20 7:25

>>10
>>12's idea sounds better to me...

>>11
I've heard of hijackthis, but not 2) or 3).  By 4) you mean I should post the entire hex contents of mspaint.exe?

Every time I try to save something (i.e. a screenshot) with mspaint, the thing grinds to a halt, and Kerio Personal Firewall whines at me. I wonder why it's whining at me - oh look, mspaint is trying to connect somewhere. For some odd reason none of this happens if the network cable is unplugged; it's as if the virus (?) knows when I'm not connected to the internet. Yes, I can reproduce it, because it happens every fucking time.

Name: Anonymous 2010-01-20 7:31

>>14
Yes, just upload the mspaint somewhere and post a link here, but it would only mean anything if the file was altered somehow, such as by a PE file infector, which is a rare occurrence these days.

If you can reproduce it, that's good, as it means it would be possible to track down exactly why it happens.

Name: 4tran 2010-01-20 7:46

Name: Anonymous 2010-01-20 7:53

>>16
Looks clean to me, doesn't seem to do anything unusual, and looks like it was compiled using the usual compiler settings MS uses.
I happen to have an older version of MS Paint, so I did a binary compare, and it was almost identical, differences were in the version number, and IAT offsets which are platform specific. It seems MS did not even change anything in the code or text/data as it all matched perfectly.
So it's probably not MS Paint's fault, however, it could be something like a shell extension that is at fault. Did you try saving other things in other applications besides MS Paint, and did you get similar results?
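
An added example (Python, not code from the thread) of the kind of static check behind "looks clean" above and the PE file infector case mentioned a few posts up: parse the PE32 headers and flag the classic appended-section infection pattern (entry point moved into a new last section that is writable and executable). The two images are constructed header-only stubs built by `build_pe()`, not real mspaint.exe; these are heuristics only, and an entry-point-obscuring infector would pass them, so the definitive test on a real file is a byte or hash comparison with a clean copy of the same version (XP keeps one under %SystemRoot%\system32\dllcache for Windows File Protection).

```python
"""Heuristic check for the appended-section pattern of classic PE infectors.

Added example, not from the thread. build_pe() constructs header-only PE32
stubs for demonstration; on a real file you'd open mspaint.exe in 'rb' mode.
Heuristics only: the definitive test is a hash comparison with a clean copy.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return entry RVA, image base and section table of a PE32 image."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature missing')
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 handled here')
    entry = struct.unpack_from('<I', data, opt + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from('<I', data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            '<8sIIIIIIHHI', data, opt + opt_size + i * 40)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'va': va, 'size': max(vsize, rawsize), 'chars': chars})
    return {'entry': entry, 'image_base': image_base, 'sections': sections}


def check_pe(pe):
    """Return human-readable findings; an empty list means nothing odd."""
    findings = []
    secs = pe['sections']
    exec_secs = [s for s in secs if s['chars'] & IMAGE_SCN_MEM_EXECUTE]
    ep = pe['entry']
    ep_sec = next((s for s in secs if s['va'] <= ep < s['va'] + s['size']), None)
    if ep_sec is None:
        findings.append('entry point 0x%x lies outside every section' % ep)
    else:
        if len(secs) > 1 and ep_sec is secs[-1]:
            findings.append('entry point is in the last section (%s)' % ep_sec['name'])
        if exec_secs and ep_sec is not exec_secs[0]:
            findings.append('entry point is not in the first executable section')
        if ep_sec['chars'] & IMAGE_SCN_MEM_WRITE:
            findings.append('entry section %s is writable' % ep_sec['name'])
    for s in secs:
        if s['chars'] & IMAGE_SCN_MEM_EXECUTE and s['chars'] & IMAGE_SCN_MEM_WRITE:
            findings.append('section %s is both writable and executable' % s['name'])
    return findings


def build_pe(sections, entry_rva, image_base=0x01000000):
    """Constructed header-only PE32 stub; sections are (name, va, size, characteristics)."""
    opt_size, e_lfanew = 0xE0, 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 16, entry_rva)
    struct.pack_into('<I', opt, 28, image_base)
    table = b''.join(struct.pack('<8sIIIIIIHHI', n, sz, va, sz, 0, 0, 0, 0, 0, ch)
                     for n, va, sz, ch in sections)
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table


CODE, DATA, RSRC = 0x60000020, 0xC0000040, 0x40000040   # typical MSVC section flags
CLEAN = build_pe([(b'.text', 0x1000, 0x20000, CODE), (b'.data', 0x21000, 0x2000, DATA),
                  (b'.rsrc', 0x23000, 0x5000, RSRC)], entry_rva=0x1234)
INFECTED = build_pe([(b'.text', 0x1000, 0x20000, CODE), (b'.data', 0x21000, 0x2000, DATA),
                     (b'.rsrc', 0x23000, 0x5000, RSRC),
                     (b'.last', 0x28000, 0x1000, CODE | IMAGE_SCN_MEM_WRITE)], entry_rva=0x28010)

if __name__ == '__main__':
    for label, img in (('clean', CLEAN), ('infected', INFECTED)):
        print(label, check_pe(parse_pe(img)) or ['no findings'])
```

The version-number and import-table differences the post above describes between two genuine builds live in the optional header and .idata/.rdata, not in the section layout, which is why a real-versus-real compare shows noise there while the checks here stay quiet.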

Name: 4tran 2010-01-20 8:25

>>17
Aw crap, that probably means there is malicious code elsewhere...

The only thing that I know of that can save/edit images is mspaint, so I haven't seen other strange behavior.  I'll try getting the GIMP the guy above recommended and see if anything strange happens.  I'll also test with notepad/wordpad just in case.

Name: Anonymous 2010-01-20 8:27

Some AVs might do the job, but only if it's a known threat. I can't say much about them as I never use them myself. I just pop it up in a debugger and see what it does and if it's bad or not.

So every time you use a new program on Windows you inspect it in a debugger? How does that even work? How could you see in the debugger that the program is made to wipe your files on Oct. 31, 2010?

Before vista I spent most of my time without AV so I know it's doable, but that was just common sense and calculated risk. I don't see a debugger improving much on that unless you like playing your games one OS call at a time.

Also, AVs/firewalls also detect unknown threats. Rootkits and keyloggers will at least pop a warning.

Name: Anonymous 2010-01-20 8:28

1) use ollydbg or similar program to dump loaded modules (libraries).
2) compare to someone else's dump and look for the ones you have that they don't

Name: Anonymous 2010-01-20 8:39

use paint.net

Name: 4tran 2010-01-20 9:00

MSE found and purged:
TrojanClicker:ASX/Wimad.gen!I is a generic detection for malicious Windows media files that are used to open a browser to certain Web sites with adult content.
It arrives in the system as a malicious Advanced Streaming Format (ASF) file, which when opened by Windows Media Player, visits the following adult Web site...

but this seems rather innocuous (given what it could have done), and doesn't solve the problem

*bang head against wall*

Name: Anonymous 2010-01-20 9:12

>>19
So every time you use a new program on Windows you inspect it in a debugger?  How does that even work? How could you see in the debugger that the program is made to wipe your files on Oct. 31, 2010?

I try to analyze it statically first by disassembly (when possible, otherwise I'll run it in a VM, and possibly unpack it if it's packed...). Debuggers are useful, but in this case it's more something you use to locate something malicious that's already running. You should never even get in this state, but if you do, a debugger is the quickest way to locate what it is.

In practice, I don't really run that much new software for which I don't have the source code (yes, even on Windows), so it's not that much effort to at least do a superficial audit. Besides that, the Windows box doesn't have direct access to the internet, so even if it ever gets compromised (it hasn't been), it wouldn't cause too much damage.

Name: Anonymous 2010-01-20 9:16

When you open the "save dialog", it's a shell dialog from another DLL which will load all the COM object/extensions/etc, so all bets are off (maybe list the linked modules and see what it loads).

This can also be used to own the system from UAC-privileged processes: all that crap runs with the same privileges of the calling application (even the thumbnail generators I think, that's a huge attack surface).
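
The module-list comparison proposed two posts up (dump the loaded modules, diff against someone else's dump) and the "list the linked modules and see what the save dialog loads" advice here, as one added example in Python that is not any poster's code. BASELINE and SUSPECT are constructed to resemble a debugger's module window (base, size, path) for mspaint.exe on XP with the save dialog open; a real baseline would be captured on a clean install at the same service pack level, and the bases and the two odd entries are illustrative only.

```python
"""Diff a process's loaded-module list against a known-good baseline.

Added example, not from the thread. BASELINE and SUSPECT are constructed to
resemble a debugger's module list (base, size, path); bases are illustrative.
"""

USER_PROFILE_ROOT = 'c:\\documents and settings\\'   # XP profile root, user-writable

BASELINE = """
Base      Size      Path
01000000  00056000  C:\\WINDOWS\\system32\\mspaint.exe
7C900000  000B2000  C:\\WINDOWS\\system32\\ntdll.dll
7C800000  000F6000  C:\\WINDOWS\\system32\\kernel32.dll
763B0000  0004A000  C:\\WINDOWS\\system32\\comdlg32.dll
7C9C0000  00817000  C:\\WINDOWS\\system32\\SHELL32.dll
77C00000  00008000  C:\\WINDOWS\\system32\\VERSION.dll
"""

SUSPECT = """
Base      Size      Path
01000000  00056000  C:\\WINDOWS\\system32\\mspaint.exe
7C900000  000B2000  C:\\WINDOWS\\system32\\ntdll.dll
7C800000  000F6000  C:\\WINDOWS\\system32\\kernel32.dll
763B0000  0004A000  C:\\WINDOWS\\system32\\comdlg32.dll
7C9C0000  00817000  C:\\WINDOWS\\system32\\SHELL32.dll
10000000  00008000  C:\\Program Files\\SomeApp\\VERSION.dll
771B0000  000AA000  C:\\WINDOWS\\system32\\WININET.dll
00D20000  00006000  C:\\Documents and Settings\\jdoe\\Application Data\\shlext.dll
"""


def parse_module_dump(text):
    """Return {basename: path} from 'base size path' lines (paths may contain spaces)."""
    mods = {}
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or fields[0].lower() == 'base':
            continue
        path = fields[2].strip().replace('/', '\\').lower()
        mods[path.rsplit('\\', 1)[-1]] = path
    return mods


def diff_modules(suspect, baseline):
    """(modules only the suspect has, modules loaded from a different path than baseline)."""
    new = {n: p for n, p in suspect.items() if n not in baseline}
    moved = {n: (p, baseline[n]) for n, p in suspect.items()
             if n in baseline and p != baseline[n]}
    return new, moved


def in_user_profile(mods):
    """Modules living under a user profile: code any user-level infection can drop."""
    return {n: p for n, p in mods.items() if p.startswith(USER_PROFILE_ROOT)}


def report():
    suspect, baseline = parse_module_dump(SUSPECT), parse_module_dump(BASELINE)
    new, moved = diff_modules(suspect, baseline)
    return {'new': sorted(new), 'moved': sorted(moved),
            'in_profile': sorted(in_user_profile(suspect))}


if __name__ == '__main__':
    print(report())
```

Three kinds of result come out: a DLL the baseline never loads (here WININET.dll, a perfectly legitimate module that still tells you where to set the network breakpoint suggested earlier), a same-named DLL loaded from somewhere other than system32 (the constructed VERSION.dll case, worth a byte compare against the system32 copy), and a module living under the user profile, which is the shape of a dropped shell extension and the first thing to open in the debugger.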

Name: Anonymous 2010-01-20 9:28

ITT: butthurt faggots

Name: Anonymous 2010-01-20 9:54

>>25
ITT: Why idiots should never be allowed to touch a computer.

FTFY

Name: Anonymous 2010-01-20 10:15

>>22
You can thank me later. And I'm a lounger.

Name: Anonymous 2010-01-20 13:17

Yet another reason why the Gimp is better than Photoshop.

Name: Anonymous 2010-01-20 13:23

>>28
non sequitir

Name: Anonymous 2010-01-20 13:30

>>29
MY ANUS

Name: Anonymous 2010-01-20 13:31

>>30
Did you mean: MY ANIS?

Name: Anonymous 2010-01-20 15:28

>>29
Photoshop prevents you from scanning Dollar bills. That's why. It's common knowledge really.

Name: Anonymous 2010-01-20 15:34

>>29
Quality Latin there, sport.

Name: Anonymous 2010-01-20 17:43

Every time I get a new program on Windows I open it in a plaintext editor with wordwrap enabled and see if there's anything suspicious. If it's packed with something nontrivial (read: not UPX or similar), then unless the software is really special, I'm just going to find an alternative.

It's surprising to a lot of people, even programmers, how much info you can get by just reading what looks like gibberish at first -- the strings, the API names that it uses, the "texture" of the code (compiler output looks different from handwritten Asm, you can even see the difference between x86, IA64, Z80, etc. if you look at enough binary, encrypted/compressed data feels really different, etc.) And of course, there are the less important but still fun things to find, such as debug symbols and source file paths (complete with username).

...I should go back to REchan now.
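
What "reading the gibberish" amounts to when you automate the first pass of it, as an added example in Python (not the poster's code): pull printable ASCII and UTF-16LE runs out of a binary, sort the interesting ones into buckets (network, injection and persistence API names, URLs and IP addresses, PDB paths with the developer's username), and measure per-window entropy to tell compressed or encrypted "texture" from ordinary code and data. SAMPLE is a constructed byte blob imitating the interesting parts of a small Windows binary, with an RFC 5737 test address; it is not a real file and the API-name lists are a starting point, not a complete catalogue.

```python
"""Strings-and-texture triage of an executable without a disassembler.

Added example, not from the thread. SAMPLE is a constructed byte blob that
imitates the interesting bits of a small Windows binary (import names, a
UTF-16 URL, a registry path, a PDB path); the address is RFC 5737 test space.
"""
import math
import re
from collections import Counter


def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs of at least min_len chars, by offset."""
    ascii_re = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    utf16_re = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    found = [(m.start(), m.group().decode('ascii')) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode('utf-16-le')) for m in utf16_re.finditer(data)]
    return sorted(found)


# Win32 API names and paths whose presence in a paint program would be odd.
INDICATORS = {
    'network': ('InternetOpen', 'InternetConnect', 'HttpSendRequest', 'URLDownloadToFile',
                'WSAStartup', 'WinHttpOpen', 'gethostbyname'),
    'injection': ('WriteProcessMemory', 'CreateRemoteThread', 'VirtualAllocEx',
                  'SetWindowsHookEx', 'NtQueueApcThread'),
    'persistence': ('CurrentVersion\\Run', 'CreateService', 'RegSetValueEx'),
}
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
PDB_RE = re.compile(r'[A-Za-z]:\\.*?\.pdb', re.I)


def triage(data):
    """Bucket the extracted strings; every value is a sorted list of strings."""
    hits = {cat: set() for cat in INDICATORS}
    hits['ioc'], hits['symbols'] = set(), set()
    for _offset, s in extract_strings(data):
        for cat, needles in INDICATORS.items():
            if any(n in s for n in needles):
                hits[cat].add(s)
        hits['ioc'].update(IP_RE.findall(s))
        hits['ioc'].update(URL_RE.findall(s))
        hits['symbols'].update(PDB_RE.findall(s))
    return {cat: sorted(v) for cat, v in hits.items()}


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty, 8.0 for uniform)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def high_entropy_fraction(data, window=256, threshold=7.0):
    """Share of windows that look compressed/encrypted; near 1.0 suggests packing."""
    chunks = [data[i:i + window] for i in range(0, len(data), window)]
    return sum(entropy(c) > threshold for c in chunks) / len(chunks)


# Constructed sample, not a real binary. The two NUL bytes before the UTF-16
# URL keep the terminator of the preceding ASCII string from being read as the
# first UTF-16 code unit (a real quirk of strings tools on real files).
SAMPLE = (
    b'MZ\x90\x00' + b'\x00' * 28 + b'.text\x00\x00\x00' + b'\x00' * 8
    + b'KERNEL32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00VirtualAllocEx\x00'
    + b'WININET.dll\x00InternetOpenA\x00InternetOpenUrlA\x00' + b'\x00\x00'
    + 'http://192.0.2.10/cgi-bin/hit.cgi'.encode('utf-16-le') + b'\x00\x00'
    + b'Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00'
    + b'C:\\Documents and Settings\\jdoe\\My Documents\\proj\\Release\\proj.pdb\x00'
    + b'\x12\x8b\xec\x55\x33\xc0' * 10
)

if __name__ == '__main__':
    for cat, items in triage(SAMPLE).items():
        print(cat, items)
    print('high-entropy fraction:', high_entropy_fraction(SAMPLE))
```

The entropy number is what decides whether the strings pass means anything: a file whose windows are almost all above 7 bits per byte is packed or encrypted and will show you nothing but the unpacking stub's imports, which is the "find an alternative" case in the post above, whereas an unpacked binary's import names and literals are sitting in plain view.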

Name: Anonymous 2010-01-20 20:28

>>34

I was about to respond to your post with something even more ludicrous, but I realized you'd pretty much whittled it down as far as it'd go.

Name: Anonymous 2010-01-20 21:12

>>34
Yes, sure, though I usually view it in some form of hex dump instead of a text viewer. If I were shown random dumps of an executable, I could probably tell apart things like x86 code, compiler mode used (release/debug depending on alignment), what compiler was used depending on sections and general layout of the file, relocations, imports, data, etc. To a skilled reverser, these patterns are easily recognizable without having to use more advanced tools, but to actually find out what it really does or confirm your guesses, you'll have to use more advanced tools.
