Printer port hacked

Discussion in 'Security and Privacy' started by dbltrbl, 2002/07/30.

Thread Status:
Not open for further replies.
  1. 2002/07/30
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    After eliminating all other possibilities as to why I couldn't print; I found my culprit in properties of LPT1 printer port. An "interrupt request" is logged on the port. I created a report with the IRQ settings that need to be fixed - (code after interrupt request is 07, with 05 as the only other choice from the drop-down menu) -
    Dirty dog hack doesn't allow report to be opened.

    Is the path of least resistance creating another port and putting my printer there?
     
  2. 2002/07/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dbl - I haven't the faintest idea what you are asking about. From the lack of response, I may not be the only one.

    Maybe if you could restate what the problem is and what you want to do??
     
    Newt,
    #2

  4. 2002/07/30
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    Newt; thanks for asking for clarification. I've been hacked. Printer is disabled due to an "interrupt request" followed by "07", listed under LPT1 Properties in Device Manager. I am blocked from changing the setting. Uninstalling everything Lexmark, and reinstalling, shows the same block.

    When I tried to remove it, I apparently used the wrong setting "00"...I used the option to create a system report with the IRQ settings. The dirty dog won't allow me to open the report.

    When I asked about a new printer port, I was making a bad joke about another way out of this dilemma. All drives, except floppy, also blocked for download. (Dialogue box to choose destination drive shows a "rectangle" box symbol after the drive letter.)


    Or, I could get a bigger hammer.
     
  5. 2002/07/31
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    My LPT1 is on IRQ 7.
    Here is a reach. Maybe some system policies were put into effect. Is there a possibility of getting into the registry?
    Click on the Start button then click on Run. Type in Regedit then hit Enter. If Regedit opens, navigate to this key in the left pane.
    Hkey_Current_User\Software\Microsoft\Windows\Current Version\Policies\Explorer . Then look in the right pane and look for a value named: NoSetFolders, if the value is set to Dword 0x00000001 (1). If it is, right click then select modify and change it to 0x00000000 (0). This disables changes to printer and control panel settings if set to (1), the same for the other values listed there. A couple more to look at would be NoAddPrinter, NoPrinterTab (hides General and Details tabs in Printer Properties), and NoDeletePrinter.
    Hope this helps.
     
  6. 2002/07/31
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    Besides "Default", the only listing is "No Drive Type Auto", with a value of "95 00 00 00" following it. (Default listed as "No Value Set".)

    Thanks for your response!
     
    Last edited: 2002/07/31
  7. 2002/07/31
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The problem is definitely not there, then. Sorry, but this has got me stumped right now. Maybe something will come to me later.

    BTW, if I was a contributing member, you would be seeing a particular 5 point star under my name, heh heh.
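The registry check from the exchange above, written as an added example that is not part of the original posts. It reads a regedit text export of the Policies\Explorer key, lists restriction values that are switched on, and decodes the reported "95 00 00 00" on the assumption that "No Drive Type Auto" is the NoDriveTypeAutoRun value; the function names and both sample exports are constructed for illustration.

```python
import re

# Key named in the post above; an export writes CurrentVersion as one word.
EXPLORER_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# NoDriveTypeAutoRun is a bit mask: a set bit turns AutoRun off for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown type", 0x04: "removable", 0x08: "fixed disk",
                   0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "reserved"}

def parse_reg_export(text):
    """Map key path -> {value name: int} for dword and binary (hex) values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"([^"]+)"=(dword|hex):([0-9A-Fa-f,]+)$', line)
        if current is None or not m:
            continue
        name, kind, body = m.groups()
        if kind == "dword":
            current[name] = int(body, 16)
        else:  # binary data is stored little-endian, e.g. hex:95,00,00,00
            octets = bytes(int(b, 16) for b in body.split(",") if b)
            current[name] = int.from_bytes(octets, "little")
    return keys

def audit_explorer_policies(text):
    """Return (restrictions that are switched on, drive types with AutoRun off)."""
    values = parse_reg_export(text).get(EXPLORER_POLICIES, {})
    active = sorted(n for n, v in values.items() if n != "NoDriveTypeAutoRun" and v != 0)
    mask = values.get("NoDriveTypeAutoRun", 0)
    return active, [d for bit, d in DRIVE_TYPE_BITS.items() if mask & bit]

# Constructed export matching what the thread starter reported seeing.
SAMPLE_REPORTED = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
'''
# Constructed export with two of the restrictions named in the post switched on.
SAMPLE_RESTRICTED = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetFolders"=dword:00000001
"NoAddPrinter"=dword:00000000
"NoDeletePrinter"=dword:00000001
'''
if __name__ == "__main__":
    print(audit_explorer_policies(SAMPLE_REPORTED))
```

On the reported export the list of active restrictions comes back empty and the mask decodes to AutoRun settings only, which matches the conclusion in the post above that the problem is not in this key.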
     
  8. 2002/07/31
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dbl - I can't think of a for-sure cause or fix either. Some ideas though.

    First a question - you say you've been hacked. Might be helpful to know why you think that.

    1. Have you picked up a virus of some sort? There are so many out there these days including (I think) a variation of the old CHF that would mess up BIOS firmware. I'd do not only a scan from the GUI but one from a DOS boot as well.

    2. Have you tried removing the ports themselves both from device manager in safe mode and then from the BIOS and adding everything back in afterwards?

    The behavior of the Hd makes me really curious as well.

    I am going now to place a thread in the hardware section pointing to this one and asking folks to take a look. I think some of the hardware regulars never look in this section.
     
    Newt,
    #7
  9. 2002/07/31
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    The setup of the printer actually sounds perfectly normal (IRQ5 and IRQ7 will often be the only selectable options).

    What model of printer is it?

    Are there any conflicts showing in the Device Manager?

    Are you running Win 98 as per your sig (I only ask as I've noticed prior posts from you relating to XP)?

    As suggested by Newt, have you run an anti-virus scan?

    What exactly is the "report" which you are unable to open?
     
  10. 2002/08/09
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    What a headache!

    Just this afternoon back online. Took H/D to "computer shop"; erased and reformatted. Win98SE reloaded with all applicable updates. Got my box home only to find the same curious files on record - again!

    The money spent was wasted; the computer shop claims I'm smoking wacky backy; and my intruder is laughing his ass off! After dealing with this for this long (7/22/02); I have no embarrassment asking what may sound like stupid questions. I did go back to WIN98SE after getting tired of fighting with XP.

    My Computer Associates anti-virus has never detected a problem. Updates were loaded every other day, on average. The "computer shop" loaded the free firewall Zone Alarm that does report attempts to enter. Now the stupid questions:

    Can my "unfriend" have loaded files with triggers to renew themselves on deletion? After deleting specific printer files; on reboot, they reappear.

    Staying online, ignoring prompts to restart, (having deleted what printer files I could see) I reloaded Lexmark Z22 software from scratch - staying online went to Lex website and got latest driver. It's a zip file and attempted to install immediately. No Can Do.
    This intruder has to have commands to override what I attempt.

    (Found files that netbios supersedes TCPIP - AT&T senior technician SWEARS their broadband overrides any other command.) Well any ideas short of a molotov ****tail, bigger hammer....if my BIOS has been gone into; I'm SOL to make any effective change or to ask for additional f-disk/reformat by "computer shop professional." One last stupid ???

    Can this intruder put up false screens? While going online at the computer shop, the offending files DID NOT SHOW; but show when online at home w/my IP logged. Please don't laugh!!!
    Thanks for any ideas.
     
  11. 2002/08/09
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    This problem is NOT related to hacking!

    What files?

    If the shop "erased and reformatted" your HD then whatever may have been on it before is there no longer!

    How did you go about removing these files? Did you uninstall the printer software via Add/Remove Programs or simply delete the files?

    Why not? What happened? Was there an error message? If so, what did it say?

    Eh? I don't have the foggiest as to what you might mean? Have you made some changes? If so, what were those changes? Did you disable NetBIOS Over TCP/IP?

    If there was an "intruder", probably; but there is no intruder!

    Also, per my previous post, are there any conflicts showing in the Device Manager and what exactly was the "report" which you were unable to open?
     
    Last edited: 2002/08/09
  12. 2002/08/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Got my box home only to find the same curious files on record - again!
    What files exactly?

    Can my "unfriend" have loaded files with triggers to renew themselves on deletion? After deleting specific printer files; on reboot, they reappear.
    What files exactly?

    ... staying online went to Lex website and got latest driver. It's a zip file and attempted to install immediately. No Can Do.
    Lots of time you have to unzip the printer files to a known location and then tell the printer install routine where to look for them.

    (Found files that netbios supersedes TCPIP - AT&T senior technician SWEARS their broadband overrides any other command.)
    If you are referring to Netbios over TCP/IP (or NetBT or NBT which are all 3 the same thing) this is a normal Microsoft thing to allow for WINS (windows internet naming service) which was common on NT networks up thru NT4 and is still around on many. It is being superseded by DNS which the internet and now many local networks use to resolve names. If that wasn't what you meant, please explain.

    ... when online at home w/my IP logged. ...
    Only place I normally see that term is with this sort of bbs where a record of your IP address is kept for use by admins/moderators. When did you mean and how is this a problem?
     
  13. 2002/08/09
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Good questions, Newt ;)
     
  14. 2002/08/09
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    At the risk of continuing to sound like an idiot; most of the files were copied into a "file".doc and saved in my documents. On returning; it's blank with the file name gone and the heading reading "document.doc". On "select all" - there were over 1,000 files recorded and viewed as "details."

    Many, many identified as "share" files.

    They reloaded standard Win98, which included NetMeeting. Before trying to load any software, I deleted it. On reboot, it was back as "NeMeet.~1" along with a phone dialing program for "remote telephone access." Deleted both, I have no reason for remote access; reboot, both there.

    Misc. file names "Show Desktop.scf", an archive file in WIN/SYS directory, "(unknown)" for creation date, "4/23/99 10:22 PM" modified date (standard WIN date entry but were NOT on the H/D on first boot from "computer shop" because I checked). Many, many "lx....." "lex...." .dll files in SYSTEM, but before installing Lexmark install disk or new driver from their website.

    Many, many alerts from Zone Alarm attempting to access TCP port.
    But blocked.

    I did unzip the driver files and directed to install in a folder I had created. It did; but all the extensions had a "_" (underscore) which means they are extra, or unneeded files.

    If only I could copy and forward the complete list of system files;
    after deleting the "netbios" file, it was there again on reboot as "vnetbios". Other file PROPERTIES identify the file as "Windows Explorer Command File". Others:
    SIMPDATA.TLB, created&modified 8/17/01
    SPLITTER.VXD
    SETUPAPI.DLL (400 KB size)
    RSVP.EXE
    RPCSS.EXE
    HANDLER.REG
    SUCATREG.EXE
    Executable (exe) files listed as archives, but in WIN/SYS directory.

    Thank you.
     
  15. 2002/08/09
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    The NETBIOS term became known when viewed "greyed-out" and checked, relative to the adapter settings. If I recall the statement is "I prefer to use netbios settings over TCP/IP settings". I couldn't find a way to uncheck it.

    Still more Zone Alarm alerts trying to access TCP random search, now at "Port #1092" from a numbered address; can that number be cross-referenced to a user?
     
    Last edited: 2002/08/09
  16. 2002/08/10
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    All of the files which you have listed are files which you would expect to see on any system.

    Please answer the questions contained in the previous posts.

    BTW - "hits" on your firewall are nothing to worry about.
     
    Last edited: 2002/08/10
  17. 2002/08/10
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    Thanx all for your input; paranoiawilldestroyya as they say, but I'm apparently unable to articulate, beyond my frustration, the problem. There is a solution and, since it does not require programming experience, I think it's time to take it. Have a great weekend!
     
  18. 2002/08/15
    Rockster2U

    Rockster2U Geek Member

    Joined:
    2002/04/01
    Messages:
    3,181
    Likes Received:
    9
    Am in agreement with Brett - call me stupid or dense but what's the issue here? Most parallel port printers grab 07 IRQ - so what's the deal? What's not working?

    Also don't quite understand your comments on your network settings. Remove Netbios if this disturbs you - can't complain about it if it's gone.

    Nothing here makes much sense.

    ;)
     
  19. 2002/08/17
    dbltrbl

    dbltrbl Inactive Thread Starter

    Joined:
    2002/01/27
    Messages:
    61
    Likes Received:
    0
    Break-in confirmed by MS tech support (re: system files/registry)
    and after having a shop wipe/reload OS/install ZoneAlarm. ATT, it turns out, has little background or desire to play "cop" when it comes to malicious tampering w/systems. Lesson: don't take security lightly. Now looking beyond Zone Alarm Pro to Computer Associates for additional software, in addition to limiting time spent online. Had ethernet hardwired inside, swapped traceable MAC hardware and after just getting up and running again; it's sweet!

    The villain turned out to be another ATT customer.
     
  20. 2002/08/17
    Profgab101

    Profgab101 Inactive

    Joined:
    2002/05/10
    Messages:
    239
    Likes Received:
    0
    Back to basics

    Has anyone tried hardware tests?

    1. Ensure printer is on and cable connected properly.
    2. Enter BIOS setup and ensure LPT1 is set to ECP, and the COM ports are enabled.
    3. Boot to Command Prompt Only.
    4. Type DEBUG .
    5. Type D 40:0 .
    6. The top line of the displayed info should be similar to: 0040:0000 F8 03 F8 02 E8 03 E8 02 - 78 03 78 02 00 00 00 00 00
    The F8 03 is the memory address for COM1.
    The F8 02 is the memory address for COM2.
    The E8 03 is the memory address for COM3.
    The E8 02 is the memory address for COM4.
    The 78 03 is the memory address for LPT1.
    The 78 02 is the memory address for LPT1.
    7. If the 78 03 is not present and reads 00 00, the motherboard is most likely bad.
    8. Type Q to exit Debug.
    9. If 78 03 is present, type COPY CONFIG.SYS LPT1: (this assumes that the file config.sys exists and has some content.)
    10. If One File Copied is displayed, and the printer doesn't print, the printer is most likely bad.
    11. If Write Fault Error is displayed, the cable is most likely bad.

    -- OR --

    Go to a C:\> prompt.
    Once you get to the prompt,
    Type in MODE LPT1 COLS=80
    If you get:

    LPT1 Not Rerouted.
    Printer Error.
    No Retry on Parallel Printer Time Out.

    The Parallel port is functioning fine.
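The DEBUG check from the post above, as an added example that is not part of the original post: it decodes the first line of a `D 40:0` dump into the base port of each serial and parallel slot, using the BIOS data area layout (four COM words, then three LPT words, each little-endian). The function names and the second sample line are constructed for illustration; the first sample is the line quoted in the post.

```python
import re

# BIOS data area at 0040:0000: 16-bit little-endian base I/O port per slot,
# 0000 meaning the BIOS did not detect a port for that slot.
BDA_PORT_SLOTS = ["COM1", "COM2", "COM3", "COM4", "LPT1", "LPT2", "LPT3"]

def parse_debug_line(line):
    """Return (segment, offset, data bytes) from one line of DEBUG 'D' output."""
    m = re.match(r"\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+(.*)", line)
    if not m:
        raise ValueError("not a DEBUG dump line: %r" % line)
    seg, off = int(m.group(1), 16), int(m.group(2), 16)
    data = []
    # DEBUG puts '-' between the two 8-byte halves; treat it as whitespace.
    for tok in m.group(3).replace("-", " ").split():
        if len(data) == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break  # a dump line holds 16 bytes; anything after is the ASCII column
        data.append(int(tok, 16))
    return seg, off, bytes(data)

def decode_ports(line):
    """Map each COM/LPT slot to its base I/O port (0 = not detected)."""
    seg, off, data = parse_debug_line(line)
    if (seg, off) != (0x0040, 0x0000):
        raise ValueError("expected the line for 0040:0000")
    if len(data) < 2 * len(BDA_PORT_SLOTS):
        raise ValueError("dump line too short to hold the port table")
    return {name: int.from_bytes(data[2 * i:2 * i + 2], "little")
            for i, name in enumerate(BDA_PORT_SLOTS)}

def missing_ports(line):
    """Slots the BIOS reports as absent, e.g. LPT1 when its word reads 00 00."""
    return [name for name, base in decode_ports(line).items() if base == 0]

# Line quoted in the post above.
SAMPLE_FROM_POST = "0040:0000 F8 03 F8 02 E8 03 E8 02 - 78 03 78 02 00 00 00 00 00"
# Constructed line in DEBUG's own spacing, with no parallel port detected.
SAMPLE_NO_LPT = "0040:0000  F8 03 F8 02 00 00 00 00-00 00 00 00 00 00 00 00   ................"

if __name__ == "__main__":
    for name, base in decode_ports(SAMPLE_FROM_POST).items():
        print(name, "not detected" if base == 0 else "base port %03Xh" % base)
```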
     
  21. 2002/08/17
    Profgab101

    Profgab101 Inactive

    Joined:
    2002/05/10
    Messages:
    239
    Likes Received:
    0
    Oops - that will teach me not to write out a reply and not post it for an hour...
     