PC printing/deleting email automatically?

Discussion in 'Windows Applications' started by Bootsy, Sep 9, 2011.

  1. Bootsy

    Bootsy Huh?

    Hi All,
    I am truly baffled by this one. I am an admin and have an issue with a PC (I think) at a remote location. The user has told me that something is printing her emails but deleting them before they get to the inbox.

    I know it sounds very strange but at first thought it was viral. I ran scans with Symantec End-point protection 12, Trend micro house call, malwarebytes, super anti spyware, and spybot search & destroy. They found some stuff but they were "cleaned" and now the behavior continues. If I scan the machine again, it comes up clean.

    Oh, and I have tried deleting the printer but it still prints to it!

    I suspect it is this machine since this is the one she has her email client on. Where else could they be coming from?

    More info:

    Active Directory 2003 domain (very simple)
    PC has XP SP3 on it with ALL updates
    I have tried recreating her profile on the PC as well, no luck

    As I said, I am baffled and could not find anything that would behave like this through google.

    Any help is appreciated.

    Thanks in advance
     
  2. American Zombie

    American Zombie Moderator Staff Member Political User

    Both of those AVs are not very good at removing viruses/malware.

    Post a hijackthis log.
     
  3. Bootsy

    Bootsy Huh?

    Oh yeah? I thought Symantec was good. Which would you recommend?

    I will post a hijackthis log soon

    Thanks
     
  4. Bootsy

    Bootsy Huh?

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:00:36 AM, on 9/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Lantronix\Redirector\red32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Dell\PanelMgr\SSMMgr.exe
    C:\WINDOWS\twain_32\Dell\Dell2335\Scan2Pc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Redirector] C:\Program Files\Lantronix\Redirector\red32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [msnmsgupdate] msnmsgupdater.exe
    O4 - HKLM\..\Run: [Dell PanelMgr] C:\WINDOWS\Dell\PanelMgr\SSMMgr.exe /autorun
    O4 - HKLM\..\Run: [2335dn Scan2PC] "C:\WINDOWS\twain_32\Dell\Dell2335\Scan2Pc.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Scanner File Utility.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251124125437
    O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.msbce.com/reports/bin/arview2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VPCOMMONS.COM
    O17 - HKLM\Software\..\Telephony: DomainName = VPCOMMONS.COM
    O17 - HKLM\System\CCS\Services\Tcpip\..\{574D1B95-FB11-4BF9-8C9F-F16F597EB722}: NameServer = 10.8.1.5,64.80.84.108
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VPCOMMONS.COM
    O17 - HKLM\System\CS1\Services\Tcpip\..\{574D1B95-FB11-4BF9-8C9F-F16F597EB722}: NameServer = 10.8.1.5,64.80.84.108
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VPCOMMONS.COM
    O17 - HKLM\System\CS2\Services\Tcpip\..\{574D1B95-FB11-4BF9-8C9F-F16F597EB722}: NameServer = 10.8.1.5,64.80.84.108
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 7159 bytes
     
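As an added example (not from this thread and not part of HijackThis itself): a small Python parser for the O4 and O23 lines of a log like the one posted above, which flags entries whose target is not an absolute drive path so a reviewer knows which binaries to verify on disk first. The sample lines are copied from the log above; `parse_hjt` and `unresolved_targets` are names chosen here.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [msnmsgupdate] msnmsgupdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# One regex per HijackThis line type handled here: O4 Run keys, O4 startup folder, O23 services.
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<target>.*)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_hjt(text):
    """Return {'kind', 'name', 'target'} dicts for the line types this parser understands."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (('run', RUN_RE), ('startup', STARTUP_RE), ('service', SERVICE_RE)):
            m = rx.match(line)
            if m:
                entries.append({'kind': kind, 'name': m.group('name'), 'target': m.group('target')})
                break
    return entries


def unresolved_targets(entries):
    """Names of entries whose target is not an absolute drive path.

    A bare filename (resolved via the search path at logon) or an unresolved
    shortcut ('?') does not say which binary actually runs; verify those first.
    """
    flagged = []
    for e in entries:
        target = e['target'].strip().strip('"')  # drop quoting around paths with spaces
        if not ABS_PATH_RE.match(target):
            flagged.append(e['name'])
    return flagged


if __name__ == '__main__':
    for name in unresolved_targets(parse_hjt(SAMPLE_LOG)):
        print('verify on disk:', name)
```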
  5. larycom

    larycom OSNN One Post Wonder

    It was helpful information for me. Bootsy's post is quite appreciable and was very helpful for me. But I didn't understand how you scanned all this and pasted it here; I need some assistance, not much. Thanks in advance, Bootsy.
     
  6. Bootsy

    Bootsy Huh?

    The log I pasted was from HijackThis, a troubleshooting tool. It basically lists all meaningful running programs/services on your PC.

    My problem was fixed, by the way: a user had set themselves up as an email POP recipient directly on the printer... hah...