
Really struggling :( TWEX.EXE Keeps re-appearing on Two terminal Servers

  • This topic is locked
2 replies to this topic

#1 DJ_Enigma



Posted 25 June 2010 - 01:47 AM

Hi all,

My first post here, normally I've been able to remove many infections without assistance, but this time I'm really struggling to get this thing to stop re-infecting.

We have two almost identical (in terms of software) terminal servers installed in an organisation which have both become infected with malware.

I've been trying to fix it for a while but there is a file which keeps on appearing when people log in:

c:\documents and settings\%user%\application data\twex.exe

I don't know if it is doing any harm now that I've already scanned and removed most of the problem, but I need to know if it is and I need to get rid of it if possible.

So far I've used Spybot Search and Destroy, SUPERAntiSpyware, Malwarebytes, CCleaner, McAfee VirusScan 8.0, ESET Online Scanner, Trend Micro HouseCall, possibly more but I can't remember now.

I've been battling with this for 3 days and every time I think I've won the file re-appears.

Please can someone try to help me get rid of this for good?

Many Thanks,


I'm not able to post DDS from 2003 unfortunately. But I've attached GMER logs:


Argh! SERVER1 didn't like GMER and it rebooted (blue screened) with the following error:

BCCode : 50 BCP1 : EE660000 BCP2 : 00000000 BCP3 : B8EC0C3E
BCP4 : 00000000 OSVer : 5_2_3790 SP : 2_0 Product : 16_3



I have been working on this remotely this week, but I'm going on site tomorrow for a weekly visit.

Any advice would be really really appreciated at this point.

Many Thanks,


Attached Files

  • Attached File  Ark.txt   71.67KB   4 downloads



#2 DJ_Enigma

  • Topic Starter


Posted 25 June 2010 - 05:21 AM

Ignore me, I'm a fool!

It was coming down with their roaming profiles from a server that was not infected.

Malwarebytes deleted all the infection and I had to manually delete twex.exe from all the profiles on the three servers.

Happy Days :)
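The cause described in the post above (the file returning with roaming profiles at logon) can be checked with a report-only sweep of every profile store. This is an added example, not part of the original posts; the UNC share name is a placeholder, and PowerShell 4 or later on an admin workstation with read access to both roots is assumed.

```powershell
# Added example: report-only sweep of profile stores for a file that roams with the profile.
# Assumptions: the UNC path below is a placeholder for the roaming-profile share;
# run with PowerShell 4+ and read access to both roots. Nothing is deleted.
param(
    [string[]]$ProfileRoots = @(
        'C:\Documents and Settings',   # local profile cache on a terminal server
        '\\FILESERVER\Profiles$'       # placeholder: roaming-profile store
    ),
    [string]$RelativePath = 'Application Data\twex.exe'   # path given in the post
)

function Find-ProfileFile {
    param([string[]]$Roots, [string]$RelativePath)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Profile root not reachable: $root"
            continue
        }
        # One directory per user profile; -Force includes hidden profile folders.
        $profiles = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
        foreach ($profileDir in $profiles) {
            $candidate = Join-Path $profileDir.FullName $RelativePath
            # -Force so hidden/system attributes do not conceal the file.
            $file = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
            if ($file) {
                [pscustomobject]@{
                    Root      = $root
                    Profile   = $profileDir.Name
                    Path      = $file.FullName
                    Length    = $file.Length
                    LastWrite = $file.LastWriteTime
                    SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

$hits = @(Find-ProfileFile -Roots $ProfileRoots -RelativePath $RelativePath)
$hits | Sort-Object Root, Profile | Format-Table -AutoSize
"{0} profile(s) still contain {1}" -f $hits.Count, $RelativePath
```

A hit under the roaming store matters most, because that copy is what gets written back into the local profile at the next logon.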

#3 Budapest


    Bleepin' Cynic

  • Moderator

Posted 27 June 2010 - 04:50 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
