sharing printer over the internet

Discussion in 'other security issues & news' started by helen321, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. helen321

    helen321 Guest

    hello, it looked like helen's computer was trying to call home somewhere, it dialled without being prompted. i downloaded Port Explorer, but i had to reboot before i could use it, so didn't see which process might be calling home.

    hijackthis shows two suspicious entries:

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    this one i think is ok, a help page for PE


    C:\WINDOWS\system32\LEXPPS.EXE

    this looks like it is letting her printer be shared over a network. the computer is a stand alone, and the printer is a lexmark, and helen also says that in the middle of the night her computer was continuously doing- dialling tone then calling, but not connecting over and over

    can i delete this entry:
    C:\WINDOWS\system32\LEXPPS.EXE


    thanks for your help : )
     
  2. TheSnowGuy

    TheSnowGuy Guest

    Just by chance is it an IJ600.....

    Lexmark has a definite "issue"....the company denies it....but it's been proven..........it does not occur with all lexmark printers...the IJ600 is one that will actually try to dial......it can be "cleaned" very quickly manually once you know what to look for in add/remove
     
  3. helen321

    helen321 Guest

    thanks for the help, TheSnowGuy. the printer is a Lexmark Z33

    do you know if i should fix C:\WINDOWS\system32\LEXPPS.EXE
    with HJT?
     
  4. TheSnowGuy

    TheSnowGuy Guest

    Isn't that an older lexmark printer ....if it's the one I am thinking of it should not be causing a problem....however, before doing anything may I suggest that if you do not have the install disk for the printer.....first go to the lexmark website and download the drivers for that particular printer....that way you will be able to re-install the printer if it's disabled after "fixing" it with HJ........
    I am not able to access the link you posted..my security keeps blocking it............
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi iceni60 incognito,

    I really hope she doesn't have a long distance dialer.
    She should check her phone bills for unauthorized long distance calls.
    That can get downright expensive and hard to dispute the charges.

    Printer sharing over the internet is risky unless it is done through a VPN type setup. The file could have been compromised by malware, it doesn't sound too good. When you reinstall windows, be sure to remove file and printer sharing, especially since it is not needed.

    This next part is only speculation:
    I do not know how or if malware can hide inside the printer itself. I know Eset recently made a deal with Canon to protect its color copier gateways.
    If it is a cheaper inkjet, it is unlikely to have a hard drive. Is it a network capable printer with web page like management?
    All printers have RAM of some amount. So you could power it down just in case to clear it. Then the only possibility is if it has some kind of firmware that could be flashed. This is really unlikely as it would require very specific customization of the firmware to the printer model and even then it might not be exploitable. Like I said, this part is total speculation.
     
  6. TheSnowGuy

    TheSnowGuy Guest

    Would also suggest that you check add/remove......there should be ONLY ONE entry for the printer.


    *note* the issue with the lexmark printer is that it will (if it can) dial a phone number..........
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    The Lexmark Z33 only has a USB port, so it can not hook into the phone line directly. However, the printer software component mentioned might try to connect to Lexmark to check for updates. It would then force the modem to dial a connection if DUN is set up that way. It could also be that this printer software component was replaced with a malware dialer.
     
  8. TheSnowGuy

    TheSnowGuy Guest

    DEVINCO


    You are nearly right on target.....only it's the PRODUCT REGISTRATION....(even if the product is registered) it will force the modem to dial a (1-800) number.....in fact, on a dial-up connection it will drop the ip connection in order to dial the (1-800)....most quickly denied by lexmark........but proven.


    This may not be the case here..but it's possible.....again, an extra entry would be in the add/remove

    Devinco, I am about to shut down.....enjoyed sharing with you.....been a pleasure........wishing you the very best........


    and good luck to the poster....hope you get this worked out real soon
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Same here SnowGuy, Cheers :)

    Ice,

    Let us know what happens.
     
  10. helen321

    helen321 Guest

    sorry for being slow to reply, i fell asleep, we just had a look in task manager and we found LEXBCES.EXE
    we looked in task manager because we found two installs (Lexmark Supplies Monitor, and Lexmark Z23-Z33) in add/remove programs
    she has the installation CD so if it comes down to it we can remove it

    also the printer is unplugged and we still have these two running processes
    Lexpps.exe
    Lexbces.exe

    thanks for your great posts TheSnowGuy and Devinco. i'll read them properly tomorrow. also i'll keep an eye on Process Explorer to see what may be calling out : )
     
  11. helen321

    helen321 Guest

    sorry if i wasn't making too much sense last time i posted in this thread, we were having a party, i fell asleep on the key-board and when i woke up the screen looked like this ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp. but LEXBCES.EXE is a running process and looks to have server rights. i don't have a printer, so do printers need server rights to work properly? thanks. also as i mentioned earlier in the thread something seemed to be calling out, could this be it? thanks for your help :)
     
  12. helen321

    helen321 Guest

    also here is a screenshot of LEXPPS.EXE. can you tell me that the 0.0.0.0 means that this is just a local address and thus not a problem? just realised you can't show screenshots as a guest. but the local address and the remote address have always been 0.0.0.0
     
  13. helen321

    helen321 Guest

    i just found this in hijackthis...
    C:\WINDOWS\system32\LEXBCES.EXE
    on a standalone computer can this be fixed? therefore leaving this other entry in HJT?
    C:\WINDOWS\system32\LEXPPS.EXE this is the one with the 0.0.0.0 address in port explorer? thanks
     
  14. Helen321

    Helen321 Guest

    i'm sorry if this thread has been a bit confusing. i seem to have started two threads on different topics, but as they've gone on i've mixed them up a bit. i'm sorry for having done this, and will be more careful in future
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
  16. Helen321

    Helen321 Guest

    if this process has been hijacked can this be solved by uninstalling then doing a few scans then reinstalling?

    or do you think that it could be the program's normal behaviour to, without prompting, dial up and try to connect home?
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    If it were me, I would uninstall those apps and see how it goes as far as dialing out goes.

    I would hope you aren't hijacked.

    If I had something dialing out on my computer, off it goes until I found out what is going on. :)
     
  18. Helen321

    Helen321 Guest

    thanks, ron. as i said we are going to do a reinstall when i have a free day (sometime in the next 2 weeks)
    i'll just check to see if she still has the install CD, then we'll take your advice and uninstall, and reinstall with the OS install.

    thanks for all the help and advice from all of you :) it's been a great help to us both.
     
  19. Helen321

    Helen321 Guest

    i'll also keep an eye on Port Explorer and see if anything turns up. if something else turns out to be the program dialling out i'll let you know. i've just had a thought- it's probably MS's V5 automatic updates
     
  20. Helen321

    Helen321 Guest

    well, so far it seems my suspicions were right. we removed the two entries from add/remove programs, rebooted twice, they have gone from the add/remove list. but they are still running processes. before removing them i *ended process* then removed. they are still there in the HJT log too. i'll try removing them with HJT in safe mode (seeing as we will reinstall the OS soon, so if i screw up it's not such a major problem, otherwise we'd take the log to a HJT forum) if that doesn't remove them as a running process do you have any ideas? helen doesn't mind me having a go, and i'd like to see if i can do it as it's rare that i get a chance like this. so any ideas. or do you think i shouldn't be doing this myself (no credit card numbers, important info. etc. on computer)

    thanks
     
  21. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Iceni60,

    I agree with Ronjor, uninstall and watch if it tries to connect. If it still wants to connect after you uninstall the lexmark software, there could be trouble there. A lot of these printer installations load you up with all kinds of unnecessary running processes. This Lexmark seems to be no exception.
    You don't need a system tray running process to print a document. The system tray process (lxsupmon.exe) is not needed as you have seen. It may present a friendlier way to adjust some of the printer's settings and maintenance utilities.

    I would guess that one or both of the other processes (lexbces.exe and lexpps.exe) were as TheSnowMan suggested just trying to dial out to register the printer. Maybe they choked during the dial up connection that's why it never actually connected.

    After uninstallation, if nothing tries to dial out, you could reinstall the drivers. If there is an advanced or customized install, select that and choose just the printer driver without all the other fluff. Unless there are some bundled programs that she needs. See if the same processes are running.

    I would terminate the 3 running processes (with task manager) and then test all standard printer driver functions including cleaning the heads (a maintenance function). If it works and prints normally, then the 3 processes are just bloat to allow background network printer sharing. If the printer doesn't work, reboot and remove just one process at a time and test.
    I still wouldn't use HJT to remove them. I would rather use regedit, personally.
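    Post 12 asks whether a local and remote address of 0.0.0.0 is harmless, and the post above recommends uninstalling and then watching whether anything still tries to connect out. The Python script below is an added example for this thread, not code from any poster, from Port Explorer or from Lexmark. It reads rows in the layout of Windows `netstat -ano` (the same per-process information Port Explorer displays) and classifies each one; the sample rows, PIDs, ports, the PID-to-name map and the placeholder process `unknown.exe` are constructed for the example.

```python
"""Reading a socket table the way a defender would: which rows are a service
bound locally, and which rows are a real connection to a remote host.

Added example for this thread, not code from any poster, from Port Explorer
or from Lexmark. The sample rows, PIDs, ports and the process-name map are
constructed to resemble Windows `netstat -ano` output.
"""
from dataclasses import dataclass

# Constructed sample in `netstat -ano` layout: Proto, Local Address,
# Foreign Address, State (TCP only), PID. LEXPPS.EXE is shown with
# 0.0.0.0 on both sides, as reported in the thread; "unknown.exe" is a
# made-up placeholder process that does have outbound connections.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:1024           0.0.0.0:0              LISTENING       1432
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.5:1031       203.0.113.10:80        ESTABLISHED     2216
  TCP    192.168.1.5:1032       198.51.100.7:443       SYN_SENT        2216
  UDP    0.0.0.0:1026           *:*                                    1432
"""

PID_NAMES = {804: "svchost.exe", 1432: "LEXPPS.EXE", 2216: "unknown.exe"}  # constructed


@dataclass
class SocketRow:
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP, which has no connection state
    pid: int


def parse_netstat(text):
    """Parse rows in netstat -ano layout; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.append(SocketRow(proto, local, remote, state, int(pid)))
    return rows


def host_of(addr):
    """'203.0.113.10:80' -> '203.0.113.10'; '*:*' -> '*'."""
    return addr.rpartition(":")[0]


def has_peer(row):
    """True only when the remote side is a real address, i.e. a connection
    exists or is being attempted. 0.0.0.0 or * as the remote means no peer."""
    return host_of(row.remote) not in ("0.0.0.0", "*", "")


def classify(row):
    """Plain-language meaning of one row."""
    lhost = host_of(row.local)
    if lhost == "0.0.0.0":
        where = "all interfaces"
    elif lhost.startswith("127."):
        where = "loopback only"
    else:
        where = "one interface"
    if row.proto == "UDP":
        return f"udp socket bound on {where} (no peer)"
    if row.state == "LISTENING":
        return f"listening on {where}"
    if row.state == "ESTABLISHED":
        return f"connected to {host_of(row.remote)}"
    if row.state == "SYN_SENT":
        return f"trying to connect to {host_of(row.remote)}"
    return f"tcp {row.state.lower()} with {host_of(row.remote)}"


def outbound_by_pid(rows):
    """PID -> remote hosts it is connected or connecting to. These are the
    rows worth investigating when a machine seems to be calling out."""
    result = {}
    for row in rows:
        if has_peer(row):
            result.setdefault(row.pid, []).append(host_of(row.remote))
    return result


def report(rows, names):
    """One line per row, with the process name a tool like Port Explorer shows."""
    return [
        f"{names.get(r.pid, '?')} (pid {r.pid}): {r.proto} {r.local} -> {classify(r)}"
        for r in rows
    ]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for line in report(rows, PID_NAMES):
        print(line)
    for pid, hosts in outbound_by_pid(rows).items():
        print(f"investigate {PID_NAMES.get(pid, '?')} (pid {pid}): peers {hosts}")
```

    Two things the output makes visible. A local address of 0.0.0.0 with state LISTENING means the process has bound a port on every interface, which is what a sharing service such as a print server does; it is reachable from the network while the dial-up link is up unless a firewall filters it, but it is not a call out. A remote address of 0.0.0.0:0 means there is no peer at all, so a row like the LEXPPS.EXE one cannot be the connection that was dialling home; an outbound attempt shows as SYN_SENT or ESTABLISHED against a real remote address, which is what `outbound_by_pid` collects. One limit to keep in mind: a program that only makes the modem dial, before any IP link exists, opens no socket and never appears in this table, so the socket view complements uninstalling and listening for the modem rather than replacing it.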

     
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Ice,

    Concentrate on damage control. Back up her data first. Emails, Favorites, My documents, Pictures, Program specific documents (located within the respective programs directories usually). Get those safe first. Also note that some malware dialers are able to disable the modem speaker so you wouldn't hear it connect (this may not be the case though). Once the important documents are safe off the computer, then you are free to diagnose, experiment, isolate the problem further safely.
     
  23. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, Devinco. i want to make one thing clear before i go on :) . just so you see i'm not taking advantage of someone else's computer. i've asked her what she wants to backup before the OS reinstall and, as she hardly ever uses her computer, and in general isn't into computers like we are, all she wants to backup is one picture. she uses Yahoo email and doesn't have an email client. i don't use yahoo but as that's web based i don't have to back that up for her, is that correct?

    in fact she only uses her computer for email, and only had 10/15 programs on her computer.

    anyway, i removed two programs relating to her printer program, lexmark, rebooted twice, then checked task manager and both LEXPPS.EXE and LEXBCES.EXE were still in running processes. that makes me think that these two processes have malware installed in them

    i left her house with TDS running, and had it configured to search for all but the eicar test virus. and installed HoverSnap's screen capture so all she has to do in the morning is press the *printscreen* button so i can see the results and post them here so you can check the results of the scan too :D . then she's going to re-enable her anti-virus

    so we'll know more tomorrow
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    iceni60


    Off topic

    I believe Uguel left you a modified avatar in the test forum.
     
  25. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, ron i think i need it. thank you :D
     