sharing printer over the internet

Discussion in 'other security issues & news' started by helen321, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Ice,

    I did not mean that you are taking advantage in any way, shape, or form. You are helping her solve a difficult problem, and that is a very nice thing to do. :)

    As for the Web based email, how does she check her email and write her emails?
    Does she only log in to the website? Or does she use Outlook Express or another email client? IMAP (web based email) can be used either way. If she only checks and writes mail from the Yahoo web page, then all her mail is most likely online (unless Yahoo lets you download emails for backup).
    If she uses an email client, then that client connects to Yahoo and downloads the email to her computer. In that case the email is on her computer and should be backed up (unless she told you she really doesn't care).
     
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Ice. :)

    To make a long story short, there is no need for any printer service to be running in TM unless it's actually being used, certainly not on Windows general start-up, and most certainly not trying to call out or run as a server. [Not unless you specifically want to check for any driver updates, if that's possible]

    I just tested mine... it starts CNMSM47.exe in TM [Canon i330 Printer] and once it finished printing, the process stopped and exited from TM.

    Now, seeing as you know the filenames, and path I presume, why don't you simply upload each .exe to JOTTI'S ONLINE MALWARE SCAN as it's scanned by 10 AVs, including KAV [with lots of trojan/malware defs] and it should be enough for verification of each file.

    See what you can find. :)

    Cheers, TAS
     
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    the reason i said i wasnt taking advantage wasnt because of you. it was mainly because that's just the way i felt, she has no knowledge of what i'm doing, thats why the other night i asked wilders' members to agree with me that she needs to do a reinstall. i just know how much a computer means to me and i feel she deserves the best for her, but because it involves my taking all the decisions i just feel im taking over :rolleyes:

    she has no idea what an email client is. her home page is yahoo, and thats the only way she knows how to use it, no email client, all online. so i suppose there's no worries there?

    tomorrow im going to use all my limited knowledge to search for rootkits
    rkrootdetector
    lots of auto runs type things
    autostarter
    filemon
    process explorer
    taskinfo2003
    regdatxp
    etc. etc.
    do you know of something which shows which dlls are used by each program? and might be able to show if a dll looks out of place?
    well anyway i'm going to take the opportunity to see if i can learn something, so any ideas will be appreciated. thanks
    :) i'll let you know
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    No worries. All her email is online. Just make sure she has all the passwords she needs to access all her favorite websites (that require passwords).

    By autostarter, do you mean DCS autostart viewer? That would be good.
    Process Explorer is the best thing I know to check which dlls are used by each program. As for which dll is out of place, your guess is as good as mine.
    Haven't had much experience actually having to root out a rootkit (fortunately). From what I have read, regdatXP looks VERY promising in this regard. I haven't used it though.
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, Tassie and Devinco :)

    Tassie i uninstalled the printer software and the printer's exe's were still in TM so if i find them i'll use that file scanner :)

    Devinco, we looked for hidden processes and found none, however after i left the house with TDS running it dialled out again, but she doesnt know how to use port explorer so we're still none the wiser, however i went over yesterday and windowsupdate was connected but that was after we were already connected to the internet, it didnt call out, dial, without being prompted, which is the thing we are trying to find. oh well, if i wasnt such a newbie it probably would have been sorted out by now

    we also had a look at some dlls being used by some programs, but we were all as blank-faced as each other regarding which dlls are used for what o_O

    we'll just do a reinstall. i'll make sure we have all the passwords first :cool:

    thanks for the help :D :) :D
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    also, all TDS found was cwshredder's dual extension.
    and i checked and net/bios are off, dont know how relevant that is
    maybe i'll download that french bloke's wwc thingy.
     
  7. helen321

    helen321 Guest

    if you are interested, im losing interest because its above my knowledge skills.
    but i uploaded these files into Jotti's file scanner and they came back clean.
    the file path is windows/system32/LEXBCES.EXE and LEXPPS.EXE is in the same place. should i try and delete them? looks dodgy to me. thanks
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I would get rid of them.

    I would find out where they are being launched from in the registry and delete those entries.
     
  9. helen321

    helen321 Guest

    thanks, Devinco they were also found in system32 in a spool folder. i'll try and sign in as iceni and try to post a screenshot of all the places where they were found, thinking back now i dont think they were .exes but i'll show you what i find.
    a couple of minutes ago i just used ccleaner and JV16 to clean out the registry, but after i show you where they are in system32 i'll do a manual search for them.

    thanks, Devinco for sticking with me and helping helen and i out with this hugs from me and kisses from helen :)
     
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    these are the search results for lexpps.exe;lexbces.exe what should i do. remember that i uninstalled lexmark, which lexpps and lexbces are associated with. so they shouldnt be on the computer, i think. also something keeps on dialling up the internet then calling out, which i think are to do with lexpps.exe;lexbces.exe
     

    Attached Files:

  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Are they running in memory after you reboot?
    Check in Task Manager.
    If they are, first locate where they are being launched from in the registry.
    DCS autostart viewer could help. Probably HJT as well, however I am not familiar with it. I would use regedit (as I am more familiar with it), back up the registry, and then find all the entries relating to the processes.

    Once the registry entries are gone, then delete the programs on disk.
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i just rebooted after running NTREGOPT (off topic, but recommended after installing SP2) and they are there in TM. we're going out for a bit so i'll let you know when we get back :) thanks
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,902
    Location:
    Texas
    I wonder if you could tack .old on those files to have windows lose them?
    They would still be there if needed.

    lexpps.exe.old lexbces.exe.old
     
  14. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    they are a running process. i've checked with DCS autostart viewer and spybot to see where they are starting up in the registry and they're not there. i did a search of the registry (see screenshot) and nothing came up. i searched for LEXBCES;LEXBCES.EXE;LEXPPS;LEXPPS.EXE;lexmark

    when i opened regedit it was open at...
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Rating
    helen has never used regedit, but she says her brother has used the computer to defrag. so maybe its possible he had a look in the registry o_O


    do you think this will stop them from loading up? or should i try to delete the entries from system32 first?

    i'll post a screenie of the system32 folder with the dlls.
    HJT has a way of showing dll dependencies, but i dont know how to save it to show as a screenshot
    there is a program called dependency walker which shows dll dependencies, i might download that and check out the dlls being used
     

    Attached Files:
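
Added example, not part of any post in the thread: the Run keys are not the only place Windows starts programs from at boot, and services registered under HKLM\SYSTEM\CurrentControlSet\Services start without any Run entry. This PowerShell sketch looks for the two file names from the thread in the Run/RunOnce keys, in service image paths and among running processes; everything other than the two file names is generic Windows.

```powershell
# Added example. Only the two file names come from the thread.
$names   = 'lexbces.exe', 'lexpps.exe'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Run/RunOnce values for the machine and for the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -match $pattern) {          # -match is case-insensitive
            [pscustomobject]@{ Source = $key; Name = $valueName; Command = $data }
        }
    }
}

# 2. Services whose image path points at one of the files.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = "Service ($($_.StartMode))"
            Name    = $_.Name
            Command = $_.PathName
        }
    }

# 3. Running instances and their parent process. A parent of
#    services.exe means the process was started as a service.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        [pscustomobject]@{
            Source  = 'Process'
            Name    = $_.Name
            Command = "parent: $($parent.Name) (PID $($_.ParentProcessId))"
        }
    }
```

A hit in step 2 gives the service name to disable before renaming or deleting the file on disk.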

  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,902
    Location:
    Texas
    If it were me and I was having this problem, I would try renaming them first.
    See what complains. They will still be there if you need them.

    If they show to be running in Task Manager, terminate them and rename if possible.
     
  16. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    oh, OK i understand now. thanks for putting it in simpler terms for me :) , sorry for being a bit slow :rolleyes:
     
  17. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    That's a good idea ronjor.
    But what happens when the registry tries to launch the process and can't find it? Would it throw an error or just ignore it and continue?
     
  18. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, ron. i stopped them in TM then renamed them, like you said, rebooted and they havent loaded up. hopefully that will be the end of whatever was trying to call out. what would you do next? wait a few days then delete them, and even try to delete the dlls? i renamed to .exe.old

    if this is my last post in this thread, id like to thank Devinco and ron and everyone else who helped us. sounds like i just won an oscar :'(
     

    Attached Files:

  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    should i reboot and see what happens?
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,902
    Location:
    Texas
    They shouldn't load up if windows can't see them. Just leave as is for awhile and see how it goes.
     