Network printer printing garbage - Please HELP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by koekemoer, Feb 5, 2010.

  1. koekemoer

    koekemoer Private E-2

    This problem has been ongoing for nearly 3 weeks - Please Help

    We have 50 computers in a LAN with Eset anti-virus. We also have 5 big network printers (Xerox, Olivetti, HP). Two weeks ago the one Olivetti printer started printing just one line of junk on each page until all the trays were empty of paper. The HP started printing one blank page for each page printed. The Xerox printers were not affected. From the Internet search it appears that the network was infected with the Bugbear-B virus which affects the network printers - it corrupts the drivers and makes them print one line of gibberish until the paper is finished.

    I scanned the computers with Eset and didn't pick up any virus. Then I downloaded different Bugbear removal tools (e.g. Norton, McAfee, Stinger) but not one of them could find any virus. I then checked the Windows start commands and found one computer with a weird startup program - as described for the Bugbear virus. The first line on the first page that gets printed reads: This program cannot be run in Dos Mode (Bugbear). I deleted this program. Then I disconnected the computer and scanned it in Safe Mode with System Restore disabled but couldn't pick up any virus. I then scanned some of the other computers the same way, also with MalwareBytes as well as other anti-virus/Malware programs like Stinger but could not find any virus anywhere.

    I reinstalled WinXP from scratch (reformatted hdd) on the computer that had the virus. In the meantime the Olivetti printer was still pumping out pages very randomly. I tried to see which computer caused the printer to start printing like this but could not really identify it. These are laser printers and you never get to see what is in the print queue. I would also remove the paper tray and go from computer to computer, and sometimes one computer's print queue would show that it is out of paper; other times it would show this for a number of computers. I actually reinstalled WinXP on about 6 computers and it didn't help. I also reinstalled the printer drivers - after deleting the printers from Windows Printers and deleting the specific drivers from Windows. This helped for about 7 hours - and then the problem started again. I also checked for infected flashdrives or CDs and removed a few. It is only the HP and the one Olivetti printer that are affected. The Olivetti printer guys say that is because of the type of driver software. The Xerox printers have very complicated software drivers which don't get affected. I have reinstalled printer drivers 3 times now but every time the problem starts again - within 3-4 hours. The other weird thing is that it only happens when two or more people are sending stuff to the printer to be printed at the same time. When I organise the users into 5 minute time slots for printing (one at a time), the problem doesn't occur.

    I phoned some of the anti-virus companies but nobody has been able to help me so far. What they do say is that an infected printer driver cannot infect other printers. It still seems that somewhere there is an infected computer but the anti-virus packages can't find it and therefore I don't know which one is infected (if that is the case). We also have two servers and both were checked and were clean. What is also peculiar is that I wasn't able to find the virus startup program in the Windows startup commands on any other computer - checked all 50.

    I am desperate please.

    Thanks
    Kobus
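
The line "This program cannot be run in DOS mode" is the DOS stub text found near the start of a Windows executable, so a job that prints it is executable data reaching the printer raw. The following is an added example, not part of the original post: it checks spooled job files (`.SPL`) for that signature so the offending job can be tied to a source. The directory passed in is an assumption (on Windows the default spool directory is `%SystemRoot%\System32\spool\PRINTERS`), and the sample bytes are constructed.

```python
import struct
import sys
from pathlib import Path

# DOS stub text near the start of Windows executables (compared lower-cased).
DOS_STUB = b"this program cannot be run in dos mode"

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def classify_job(data: bytes) -> str:
    """Classify the first 4 KiB of a spooled print job."""
    head = data[:4096]
    if looks_like_pe(head):
        return "executable"   # the job is a raw Windows executable
    if DOS_STUB in head.lower():
        return "suspicious"   # stub text present behind a job-language prefix
    return "ok"

def scan_spool(directory) -> dict:
    """Map each .SPL file in directory to its verdict."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.suffix.upper() == ".SPL":
            with open(path, "rb") as fh:
                results[path.name] = classify_job(fh.read(4096))
    return results

def sample_pe() -> bytes:
    """Constructed minimal MZ/PE header, used only to exercise the check."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    hdr[0x4E:0x4E + len(stub)] = stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__" and len(sys.argv) > 1:
    for name, verdict in scan_spool(sys.argv[1]).items():
        print(f"{verdict:10} {name}")
```

The `.SHD` file with the same number as a flagged `.SPL` file holds that job's metadata, which is where to look for the submitting user and machine.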
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure we can really help you with this especially since this is a company owned PC/network issue. You really should be paying for help. We really cannot spend the time to help you clean up 50 PCs.

    If you really have a Bugbear type infection, you need to disconnect ALL (yes ALL) PCs from the network, and then you need to clean ALL PCs while not connected to the network. Once you have cleaned one PC, connect it back to your printers to make sure there are no problems. If problems still exist, you either did not clean the PC properly or you may have had someone else connect to the network to spread the infection again. You will have to repeat this on all PCs. While you need network and file sharing enabled to test the network printers, make sure that no PCs have set up shared drives or folders. (At least you need to start out this way until you have cleaned up the infection.)

    These infections spread via network shares and it is almost impossible to properly clean up your network while all of these PCs are on the network. And if anyone using these PCs has been using USB drives or other removable media, they may have transferred the infection to this removable media. If the infected removable media is plugged back into any PC, you could spread the infection again. Thus you need total cooperation from the people in your network.

    Also has anyone connected a laptop to the network that they transport to/from home or to other networks? If so, they may be carrying the infection around with them too.

    You may be spreading the infection around via emails too and also via Bluetooth devices.

    Have you read all the info in the below links?
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-060423-5844-99&tabid=2
    http://www.f-secure.com/v-descs/bugbear_b.shtml
    http://www.bitdefender.com/VIRUS-39-en--Win32.BugBear.B@mm.html

    It is possible that many other files on your PCs are now carrying the infection. You may need to reinstall all of your PCs to properly clean this up if you have no luck finding and removing it with removal tools.

    After you recover, you need to make sure all of your PCs are running properly/fully updated Windows software and also protection software.
     
    Last edited: Feb 7, 2010
  3. koekemoer

    koekemoer Private E-2

    Hi Chaslang

    Thanks for the help.
    I actually did exactly what you suggested, over the weekend and I think that the problem will now be solved. I also removed all flashdisks and will check them out. My problem in the past was not to disconnect all the computers at the same time, allowing some to get infected again.

    I used Malwarebytes which actually picked up a lot of malware/trojans, etc. I had used some of the trojan removers like Stinger and Bugbear removal tool by Norton and they didn't pick up anything.

    I have a question please. I did run Combofix on one computer that I suspected of being infected and it did pick up rootkits. After Combofix had run I couldn't use the CD-Rom, Network card, sound system and graphics drivers anymore as the drivers had been removed from Registry (it seemed). I installed another network card and booted up but the computer wasn't functioning properly (would hang). I couldn't get the CD-Rom re-installed again.

    Does this mean the system was like completely corrupted/infected? Does it mean that I should re-install Win XP from scratch? Is there any way the CD-Rom could be sorted out again?

    Thanks again for the help and advice. I reported my original problem on three different help forums and I must say that MajorGeeks has been the best by far.

    Sorry, I didn't know that companies were not supposed to ask for support and that it is meant for private people. In what way do you provide support for companies, i.e. how does one go about asking for support?

    Thanks
    Kobus
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You should attach the log from ComboFix for us to look at. (See: HOW TO: Attach Items To Your Post )

    Don't know for sure, which is why we have people run our cleaning procedure (READ & RUN ME FIRST. Malware Removal Guide) so that we can get all the info we need to see what is going on.

    It is not so much a fact that "companies" should not ask for support. It is more of the below issues:
    1. Most companies have IT support and using tools like we use and having people not authorized by your company look at or work on PCs may be a breach of company policies and could be grounds for dismissal in some companies.
    2. Businesses may have proprietary info or customer info that could inadvertently be shown (unlikely but not impossible) or that could be lost during a cleaning process (not too much unlike what happened when ComboFix was run). It is rare but it can happen. Thus backups of important data should be made first. This is more critical on business PCs than personal but even personal PCs could lose data (i.e., pictures of one's children).
    3. A company can have lots of PCs, and we clean one PC at a time and cannot really afford to have one person/company coming here and using all of our free bandwidth to clean up 50 to 200 PCs. Which by the way would take a long time since it would be a somewhat serial process. Thus your company could be at a standstill while waiting for us and you are not paying us to give you any help or special treatment.
    4. IT Support people are getting paid to know how to fix PCs and this should include malware removal. We are not getting paid. We do this for free in our own spare time. Thus you can see how it can be somewhat of a conflict of interest to provide free support to someone who is getting paid to do what we are instructing them to do.
    We don't mind providing some guidance, but you can see how it could get out of hand.
     