
Help please! Twext.exe


  • This topic is locked
11 replies to this topic

#1 martyn

martyn

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 26 November 2008 - 01:39 PM

I managed to get myself infected (I think anyway) with twext.exe today.

Now in my registry the userinit key under winglogon has c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe

There did appear to be a 0 byte file called twext.exe but that disappeared when the AV Software scanned it.

I deleted the entry from the registry but it just re-appears; using regmon.exe it looks like it's winlogon that's putting it back in.

I ran Sysinternals rootkitrevealer and sure enough it found twext.exe in c:\windows\system32 and about 330k in size but it's hidden from API.

I've not rebooted the system yet, but have disabled internet access so it can't get hijacked.

Scanning google pages before I came here I found a post that said combofix may help in this - which is why I'm here.

Can anyone help me please with combofix or any other solution?
Thanks,

#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:09:17 AM

Posted 26 November 2008 - 03:48 PM

Please do not use Combofix without a HJT team member assisting you. (in the Hijack This forum)
You should be able to use Sdfix to remove it:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
Please read the tutorial in its entirety
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 martyn


Posted 26 November 2008 - 04:19 PM

Please do not use Combofix without a HJT team member assisting you. (in the Hijack This forum)
You should be able to use Sdfix to remove it:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
Please read the tutorial in its entirety


Yes, some other sites just say use combofix, but reading posts on here I see not to use Combofix.
I'll take a look at the SDFix thread, thanks.

#4 garmanma


Posted 26 November 2008 - 04:30 PM

It just dawned on me. I don't believe you can use sdfix on Vista
Mark

#5 martyn


Posted 26 November 2008 - 05:37 PM

That's alright, I'm a dinosaur running XP.

#6 martyn


Posted 26 November 2008 - 06:14 PM

Running SDFix from Safe Mode, it keeps popping up a box titled

Windows - No Disk

Exception processing message c0000013 parameters 75b6bf74, 75b6bf7c, 75b6bf7c,

cancel, try again, continue.

Cancel cancelled the whole process.
Try again is 1 big infinite loop.
Continue, after 5 or 6 presses, goes away for about 1 minute.

This is all at the checking running processes and services step

Edited by martyn, 26 November 2008 - 06:26 PM.


#7 garmanma


Posted 26 November 2008 - 06:49 PM

You can try changing the drive letter for the drive. If that doesn't work, it's the malware doing it.
My suggestion would be to post a HJT log following the preparation guide as best as possible:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post in the proper forum here:
http://www.bleepingcomputer.com/forums/forum22.html#
Mark

#8 martyn


Posted 26 November 2008 - 07:00 PM

I ran it with the report option and that did eventually complete after loads of clicks on the continue button.

Currently running the fix option; again I'll need a new mouse after this.

Once complete I'll do the other suggestion of the HJT log.
Thanks,

#9 martyn


Posted 27 November 2008 - 05:27 AM

Ok, it finally ran through the fix option in Safe Mode, rebooted and it's running the 2nd pass that it does automatically

It's been going for about 30 minutes now, and then it's started listing on screen
Unable to open file c:\windows\temp\sdfix_filecheck\ then about 8 files, most seem to be Windows update files.
Then it churns away for about 2 - 3 minutes and puts the same list up over and over again.

Is this normal behaviour?

Looks like the hard disk is hammering away during all this, hopefully not the malware trashing all my files :thumbsup:

#10 garmanma


Posted 27 November 2008 - 10:14 AM

I would do the HJT log
Mark

#11 martyn


Posted 27 November 2008 - 10:40 AM

It stopped doing the scrolling bit but is still processing something.

I brought up Task Manager (Ctrl-Shift-Esc) and can see that it's running at avg 70% CPU.

It keeps running UnRaR.exe and dnif.exe as processes.

Couldn't resist the temptation seeing as it had been running for almost 8 hours in this state, so I opened up a cmd prompt via New Task in Task Manager.

In the c:\SDFIX folder there are files
testspreadbot1.txt timed at 10:03 and 15k in size
testspreadbot2.txt timed at 10:20 and 6k in size
testspreadbot3.txt, time on this keeps changing and it is 0 in size, guess it's still doing something.

Also in that folder is a file userinfix.reg - I looked in this file (type at a cmd prompt) and it is the userinit key from the reg with the correct values - i.e. no mention of twext.exe, so that's a good sign isn't it?

Also in the c:\windows\temp\sdfix_filecheck folder there are 4576 files - 247 of these are RAR files, could it be just slowly cycling through these?

As I've not got through the full logon process and to a proper desktop yet I'm reluctant to do anything to it for fear of it messing things up more with files it's moved around for now.

Edited by martyn, 27 November 2008 - 10:42 AM.
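The persistence described in the first post (a second program appended to the Winlogon Userinit value) and the userinfix.reg check in the post above can both be verified offline from a .reg export of the Winlogon key. The following Python is an added example, not code from this thread or from SDFix; it assumes the export is in the text format regedit and reg.exe write, and the two exports embedded below are constructed for the example, with twext.exe placed where the first post reports seeing it.

```python
"""Check a Winlogon .reg export for Userinit entries other than userinit.exe.

Added example, not code from the thread or from SDFix. Assumes a .reg export
of the Winlogon key in regedit/reg.exe format (a file like userinfix.reg).
The two exports below are constructed sample data.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# On a stock XP install Userinit holds only userinit.exe, followed by a comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the value as the first post describes it, with twext.exe
# appended. In a .reg file a backslash escapes the next character, so paths
# appear with doubled backslashes.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe"
'''

# Constructed sample: what the restored value should look like.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# A REG_SZ line: "name"="data", where both parts may contain \-escaped characters.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: a backslash escapes the character that follows it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.

    Lines for hex:/dword: values and the '@' default value are skipped; they are
    not needed for this check.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def userinit_entries(data):
    """Split Userinit's comma-separated program list, dropping the empty trailing item."""
    return [item.strip() for item in data.split(",") if item.strip()]


def unexpected_userinit_entries(reg_text):
    """Return every Userinit entry that is not the expected userinit.exe (case-insensitive)."""
    winlogon = parse_reg_export(reg_text).get(WINLOGON_KEY)
    if winlogon is None or "Userinit" not in winlogon:
        raise ValueError("no Winlogon Userinit value in this export")
    return [e for e in userinit_entries(winlogon["Userinit"])
            if e.lower() != EXPECTED_USERINIT]


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        extra = unexpected_userinit_entries(export)
        if extra:
            print(f"{label}: extra Userinit entries: {', '.join(extra)}")
        else:
            print(f"{label}: Userinit looks stock")
```

To run it against a real export, take one with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and open the file with `encoding="utf-16"` before passing its text to `unexpected_userinit_entries`, since reg.exe writes UTF-16. The check only reports what the registry value contains; as the first post shows, the value can be re-added by whatever is still running, so a clean result is worth confirming again after the cleanup tools have finished.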


#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,806 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:17 AM

Posted 27 November 2008 - 05:00 PM

Hello martyn,

I see that you now have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/182432/help-please-on-this-hjt-log/

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



