I have .tif files showing imbedded images (WRONG)

knc

Has anyone seen where ALL tif files display "Other" images stored on the pc? Client showed me when they open a .tif image it shows the original image PLUS other images stored on this PC... How can that be?

I ran superpc and Malware numerous times in complete mode, found a few minor bugs, but never got rid of the problem.

I don't know where to begin on this one..

Just so you know, I forwarded one of the tif files to my office pc and the only image on it was the original fax image (obviously these are faxes received in their office and then sent through email to this workstation).
 
Sounds a bit like Steganography. Only not encrypted.

TIFF/.tif
"For example, a TIFF file can be a container holding compressed (lossy) JPEG and (lossless) PackBits compressed images."
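
One way to check whether extra images are really stored inside a .tif, which the container format quoted above allows, is to walk the file's image directory (IFD) chain and list every image it holds. This is an added example, not code from anyone in the thread; it handles classic TIFF only (not BigTIFF), and `build_sample` only creates constructed test input.

```python
import struct

COMPRESSION = {1: "none", 2: "CCITT RLE", 3: "CCITT Group 3 fax", 4: "CCITT Group 4 fax",
               5: "LZW", 6: "old JPEG", 7: "JPEG", 8: "Deflate", 32773: "PackBits"}
TAGS = {256: "width", 257: "height", 259: "compression"}

def list_tiff_pages(data):
    """Walk the IFD chain of a classic TIFF; return one dict per stored image."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF file")
    bo = "<" if data[:2] == b"II" else ">"          # II = little-endian, MM = big-endian
    magic, offset = struct.unpack_from(bo + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a classic TIFF (BigTIFF is not handled here)")
    pages, seen = [], set()
    while offset:
        if offset in seen or offset + 2 > len(data):  # loop or pointer past end of file
            raise ValueError("corrupt IFD chain at offset %d" % offset)
        seen.add(offset)
        (count,) = struct.unpack_from(bo + "H", data, offset)
        end = offset + 2 + 12 * count
        if end + 4 > len(data):
            raise ValueError("truncated IFD at offset %d" % offset)
        page = {"ifd_offset": offset}
        for pos in range(offset + 2, end, 12):
            tag, typ, n = struct.unpack_from(bo + "HHI", data, pos)
            if tag in TAGS and n == 1 and typ in (3, 4):
                # SHORT (3) and LONG (4) single values are stored inline in the entry
                (val,) = struct.unpack_from(bo + ("H" if typ == 3 else "I"), data, pos + 8)
                page[TAGS[tag]] = COMPRESSION.get(val, val) if tag == 259 else val
        pages.append(page)
        (offset,) = struct.unpack_from(bo + "I", data, end)  # 0 ends the chain
    return pages

def build_sample(byte_order, dims):
    """Constructed test input: header plus one minimal IFD per (w, h, compression)."""
    out = (b"II" if byte_order == "<" else b"MM") + struct.pack(byte_order + "HI", 42, 8)
    for i, (w, h, comp) in enumerate(dims):
        nxt = len(out) + 2 + 3 * 12 + 4 if i + 1 < len(dims) else 0
        out += struct.pack(byte_order + "H", 3)
        out += struct.pack(byte_order + "HHII", 256, 4, 1, w)
        out += struct.pack(byte_order + "HHII", 257, 4, 1, h)
        out += struct.pack(byte_order + "HHIHH", 259, 3, 1, comp, 0)
        out += struct.pack(byte_order + "I", nxt)
    return out

if __name__ == "__main__":
    sample = build_sample("<", [(1728, 2200, 4), (640, 480, 7)])
    for n, page in enumerate(list_tiff_pages(sample), 1):
        print(n, page)
```

For a real file, pass its bytes, for example `list_tiff_pages(open(path, "rb").read())`. If only one entry comes back, the file holds a single page and the additional images are not pages of that file.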
 
I feel like I'm dealing with one of my customers here...

What program are they using to "open" the TIF? Is it that program that is displaying the "other" images? Are all the images in the same root folder?

More info, please.

Rick
 
The program is Microsoft Picture and Fax Viewer.. however I installed a couple other viewers (like IrfanView) and the results were the same... No, the images aren't all in the same folder... as some of the images can't be found on the pc, but some are..
 
Have you tried reassociating everything

It may help the issue but this is a strange one. In XP at least, if you save this as a reg key it will do the trick, I believe. I can't answer questions about the code as I am not 100% sure how it does it, sorry.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.tiff]
"Content Type"="image/tiff"
"PerceivedType"="image"
@="TIFImage.Document"

[HKEY_CLASSES_ROOT\.tiff\OpenWithProgids]
"TIFImage.Document"=hex(0):

[HKEY_CLASSES_ROOT\.tiff\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.tif]
"Content Type"="image/tiff"
"PerceivedType"="image"
@="TIFImage.Document"

[HKEY_CLASSES_ROOT\.tif\OpenWithProgids]
"TIFImage.Document"=hex(0):

[HKEY_CLASSES_ROOT\.tif\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\TIFImage.Document]
"EditFlags"=dword:00010000
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,73,00,68,00,69,00,6d,00,67,00,76,00,77,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,33,00,30,00,36,00,00,00
"ImageOptionFlags"=dword:00000000

[HKEY_CLASSES_ROOT\TIFImage.Document\DefaultIcon]
@="shimgvw.dll,4"

[HKEY_CLASSES_ROOT\TIFImage.Document\shell]

[HKEY_CLASSES_ROOT\TIFImage.Document\shell\open]
"MuiVerb"="@shimgvw.dll,-550"

[HKEY_CLASSES_ROOT\TIFImage.Document\shell\open\command]
@="rundll32.exe C:\\WINDOWS\\System32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\TIFImage.Document\shell\open\DropTarget]
"Clsid"="{E84FDA7C-1D6A-45F6-B725-CB260C236066}"

[HKEY_CLASSES_ROOT\TIFImage.Document\shell\printto]

[HKEY_CLASSES_ROOT\TIFImage.Document\shell\printto\command]
@="rundll32.exe C:\\WINDOWS\\System32\\shimgvw.dll,ImageView_PrintTo /pt \"%1\" \"%2\" \"%3\" \"%4\""
 
My guess at this moment is that you are looking at files in a cache or temp folder. Grab the name of one of those files, and do a search on the machine. Chances are it will show up in a temp folder somewhere, especially if they were originally attachments or off the web.

Rick
 
Well, I applied the registry patch tigertoes mentioned, and I used CCleaner to clear the temp files... my test image still has the additional image attached, but my thought is to wait for a new .tif (fax) to come in and verify at that point.

Ran ComboFix as well just for good measure and it didn't find anything.
 
I inadvertently deleted any of the files associated so I can't send a screen shot.. When they get a new fax in, if it persists I will screen shot them..
 