The results of not using a firewall

Hi all,

This is my first post here so please forgive me if I'm posting at the wrong place.

I was changing the hard disk of my wife's computer to another computer yesterday and having completed the task I forgot to switch the firewall on (Windows XP Pro).

After a while I heard the printer start printing and it started to spew paper. The first lines of the paper include some symbols, followed by the text "This program cannot be run in DOS mode".

Then, another line of symbols, followed by the text "PeX (c) by bart^CrackPl beta release". Another line of symbols.

I naturally unplugged the computer and ran a virus scan and Spybot S%D. No problems found. However, any time the computer is booted, it starts to print the same text again.

Since yesterday I've run A2, Stinger, Ad-Aware, an online Trojan scan the link of which I found here and now HijackThis. No alerts from anywhere.

The running processes are quite normal, no suspicious processes going on. I can't locate any files by the name of Pex.

I'm totally at a loss now: What has happened and how can I get rid of the printing at booting? I really would not like to format the drive.

I'd be very grateful for any hints you could give me.

Cheers,

-Topi Kuusinen, Finland

 

Problem solved.

I was sure there was some piece of malicious code that was trying to run itself and print something when the computer was booted. When I finally had the sense to actually check the printer queue, I noticed there were a number of print works waiting.

When I removed those the system booted up normally. I wish I had got the idea a bit earlier to save me quite a lot of work.

Obviously someone had attacked the computer when it did not have a firewall and put those print jobs there either on purpose or accidentally.

Well, now I can at least be rather sure the computer is clean.

There are very good instructions on this forum. Thanks for those!

 

Hi Paul,

Thanks for the tip. I would have forgotten that myself.

Luckily this computer did not have too many passwords to be changed.

Cheers,

-Topi Kuusinen, Finland

 

Re: Crssi.exe

Hi,

I have the same problem. This is a short program named crssi.exe. It spreads through my lan and some computers print the same message "pex by Bart ...". You've to end the processus and remove the program in the win/system32 directory. In regedit search crssi.exe and remove the ".. pro nic manager" entry.
This program is not detected by antiviruses (norton) and antispywares (adaware and spybot).

 

Thanks for the advice. I did run the searches for the crssi.exe file but could not find it in the computer: no exe file, no register entry, no process.

Anyway, the computer's been working OK now for week, regular virus checks etc. giving a clean result.

Cheers,

-Topi Kuusinen, Finland

 

Hi Topi,

i just found a file crsl.exe on my system (it tried to access network), wich has the text "PeX (c) by bart^CrackPl beta release" in it. perhaps you should search for the text in all files to find it.

 

Thanks for the tip.

I think I scanned the hard disk for "bart" and "crackpl" when I first noticed the problem and came up with nothing.

Anyway, I searched the computer again after reading your comment and again, I found nothing.

Cheers,

-Topi Kuusinen, Finland

 

The same thing has reciently happened to me. I am really new at this game and only discovered I had this virus (if thats what you call it!) when I kept getting a pop up stating "Pex by Bart can not find file.dll" and the hard drive going nuts when I logged onto the internet. I only had it for a few days when a mate of mine but me onto AVG virus protection and this seemed to solve the problem. Is it necessary for me to change my passwords?? Even if most of them are through web access (hotmail, this site etc)

AusMan