Data corruption while downloading from the Net

neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

Recently I started noticing JPEG images that my web browser (Opera) downloads appear corrupted. For example, I viewed this page on the NY Times today and the image of the car in the web page looks completely mangled: http://www.nytimes.com/2005/01/09/busin ... 9auto.html

The same page when viewed on IE loaded OK.

Similar problems are happening in my Usenet downloads of JPG images. Images decoded by my newsreader (Xnews) come out corrupted 50% of the time. This has never happened to me before in all the years that I have used Usenet.

Could this be due to a virus on my system? Or is AVG 7.0 somehow screwing up my downloads while scanning incoming data?
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

Even IE is doing this now. The images on web pages are loading in a corrupted manner. Is this due to a virus?
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

It sounds as if it could be some type of malware. Have you already scanned with Ad-Aware, SpyBot and tried an online virus scan from F-Secure?

Also please post a HijackThis log.

:)
Dark_Regent
Regular Member
Posts: 108
Joined: Sat Jan 25, 2003 12:28 am
Location: In A NeighborHood Near YOu!

Post by Dark_Regent »

Do you happen to have XP with the SP2 update? And did you download the update called GDI? If so, get rid of it if possible. That update will cause those kinds of problems.
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

I did Ad-Aware and Spybot so far. There was something called fizzleware which I eliminated. I haven't done the F-Secure test yet.

I will post the HijackThis log when I get back from work today.

I am running Win2K PRO.
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

Logfile of HijackThis v1.98.2
Scan saved at 8:28:39 PM, on 1/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\Ati2evxx.exe
E:\Program Files\Sygate\SPF\Smc.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\system32\desk95.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\WINNT\system32\viewport.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Xnews\Xnews.exe
H:\Downloads\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] E:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: ImageFox.lnk = E:\Program Files\ACD Systems\ImageFox\ImageFox.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Edit with &XML Spy - E:\Program Files\Altova\xmlspy\spy.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINNT\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\YAHOO!\MESSENGER\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\YAHOO!\MESSENGER\yhexbmes0411.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - E:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - E:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - E:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.dvdfile.com/software/eggs/jsLib/IAIEPlay.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f9 ... xIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8192A9A1-ED50-45C4-A848-4D6628F32BAC}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{8192A9A1-ED50-45C4-A848-4D6628F32BAC}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{8192A9A1-ED50-45C4-A848-4D6628F32BAC}: NameServer = 192.168.0.1
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

Just out of curiosity, I decided to check my AVG test results as of yesterday. AVG had found an infection. Here is what it says:
Java/ByteVerify
This virus abuses the security vulnerability in Java Virtual Machine described in MS03-011, which gives posibility of runing potentially dangerous operation to java program (like working with files).

Trojan horse using this vulnerability changes Internet Explorer Home page.

The fix is available on Microsoft web pages like WindowsUpdate.Microsoft.com
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

Windows Update does not have any fix for this. I am manually zapping the files identified by AVG. Weird, AVG never warns that there is an infection. I have to manually go to the test results screen to see if there was any infection found.
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

Image corruption still continues. So it was not that virus that was creating the problem.

Edited to add: Even file downloads are sometimes getting corrupted. I tried to download the new Microsoft Anti Spyware Beta from Windows Update, but every time I get a corrupted download.

Should I reinstall my OS now? Please help! :confused:
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

I guess I would just have to reinstall the OS. The problem is getting worse day by day.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

This does sound like a virus, see if you can download the FREE 30-day trial of Kaspersky Personal 5.0 Antivirus and set it up EXACTLY as I have written HERE.

Also, have you tried using Firefox for a browser, if so does this happen with it as well?

:)
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

mnosteele52 wrote: This does sound like a virus, see if you can download the FREE 30-day trial of Kaspersky Personal 5.0 Antivirus and set it up EXACTLY as I have written HERE.

Also, have you tried using Firefox for a browser, if so does this happen with it as well?

:)

It has happened with Opera & Firefox. It also happens when I download JPEG images from Usenet using Xnews.

Funny thing is that it affects only JPG files.

I will try out the Kaspersky trial version.

Thanks for the help. :)
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

I have tried to download Kaspersky personal edition, but the data corruption prevents me from downloading it. Every time I download it and run it, I get the message that the setup file is corrupted.

So my only option is to reinstall my OS. But what is the guarantee that this virus will not wake up in my newly installed OS and wreak havoc again?
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

neo960 wrote: So my only option is to reinstall my OS. But what is the guarantee that this virus will not wake up in my newly installed OS and wreak havoc again?

Install KAV as soon as you reinstall XP.

:)
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

mnosteele52 wrote: Install KAV as soon as you reinstall XP.

:)

I booted into the other OS that I have set up as a dual boot and downloaded Kaspersky. Then I logged into the corrupt OS and installed it. I had a hard time getting the updates for Kaspersky as every time the app tried to get updates, it aborted due to data corruption. But I persisted and kept retrying until I got all the updates successfully and then ran a full system scan.

It found a virus-infected JavaScript file but complained that it couldn't delete it and aborted. I ran it again, but this time it gave my system a clean bill of health.
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

My current XP installation is an upgrade version (I used to have ME before). To install the XP upgrade I need to install ME again and then use the upgrade disc to upgrade to XP. I also have Win2K as a dual boot option.

I want to reinstall both XP and Win2K, but when I run the setup disc for ME, it complains that another OS is already there on the HD and aborts. Is there a way I can clean up all traces of the currently installed OSs and reinstall them fresh? Will just getting rid of the WinNT & Windows directories do? Or do I have to get rid of any other files in the boot drive?

Thanks.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

You do not need to install ME in order to install XP with an upgrade CD. Just insert your XP CD and set your BIOS to boot from CD first, when it prompts you for ME just insert your ME disc and it will confirm you own ME then it will tell you to put your XP disc back in. You can then delete the entire partition and format your drive with NTFS and do a clean install of XP.

:)
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

mnosteele52 wrote: You do not need to install ME in order to install XP with an upgrade CD. Just insert your XP CD and set your BIOS to boot from CD first, when it prompts you for ME just insert your ME disc and it will confirm you own ME then it will tell you to put your XP disc back in. You can then delete the entire partition and format your drive with NTFS and do a clean install of XP.

:)

Thanks Steele! :thumb:

Formatting the partition is not an option for me as I have a lot of files there which I cannot move anywhere else. Can I remove files like boot.ini and autoexec.bat and hope that setup will not detect a pre-existing OS?
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

I formatted the C: drive and then realized that my XP CD is not bootable. I tried to install ME and it went on scan disk for 1 and a half hours and finally aborted saying that I have a newer version of Windows already installed. I do not know how it can detect an OS after I had formatted my C drive. Do I have to erase the entire contents of both my hard drives? I have more than 110 GB of files on my HD which I don't have backups for.

I prefer Win2K to XP anyway. Even though I have XP, I have always been using w2kPRO. I made the 4 boot floppies from the makeboot command and tried to boot my PC with it. But every time the PC says "Disk I/O Error" upon reading the floppy and exits! I have tried with different floppies and get the same error. Now my PC is just a non-bootable piece of junk in which I cannot install any OS anymore and I cannot boot anymore as I have formatted the C: drive.

I am now using my 9-year-old Pentium Pro 200MHz PC to type this message. What do I do now? Please help!
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Is this one hard drive that is partitioned or 2 separate drives?

:)
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

mnosteele52 wrote: Is this one hard drive that is partitioned or 2 separate drives?

:)

Hiya Steele! I am happy to find you here at this time of night! :thumb:

I have 2 HDs with multiple partitions on each of them.

My PC came with Win2K Server CD also which I never used because I did not need it. Luckily it is bootable and I am installing W2K server right now with minimal services. Once it is installed, I will run the W2K PRO setup CD from within it and install it. Is there any way I can get rid of W2K server after I install W2kPRO? Can I just delete the Winnt dir where I installed the W2K server?
neo960
Advanced Member
Posts: 612
Joined: Sun Nov 03, 2002 9:02 pm

Post by neo960 »

neo960 wrote: Hiya Steele! I am happy to find you here at this time of night! :thumb:

I have 2 HDs with multiple partitions on each of them.

My PC came with Win2K Server CD also which I never used because I did not need it. Luckily it is bootable and I am installing W2K server right now with minimal services. Once it is installed, I will run the W2K PRO setup CD from within it and install it. Is there any way I can get rid of W2K server after I install W2kPRO? Can I just delete the Winnt dir where I installed the W2K server?

I have finally finished installing W2K PRO from the W2k Server installation.

Few points:

1. The trial version of Kaspersky never found the virus that was causing my data corruption problem. So I am not going to buy it.

2. AVG did not find the virus either. But it is free. So I will keep it.

3. Is there a better anti-virus program than Kaspersky?

4. The data corruption problem that started as a minor annoyance that garbled only the image files on web pages steadily became worse and corrupted even the HTML pages until I reached the point where my browser started complaining "Cannot display the page as the data is corrupted".

5. I had also downloaded anti-trojan software trial versions (TDS3, Trojan Hunter etc), Ad-Aware, Spybot. None of them were able to find anything.

6. Could this have been a hardware problem?