twex.exe
Malware - Harmful EXE


twex.exe is added to your computer by a new variant of ZBot (or a Zlob variant), a banking trojan that:
- disables the firewall,
- runs in the background and allows the attacker remote access to the infected system,
- steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots and downloads additional components.
It has the characteristics of a keylogger, a Trojan horse and a backdoor.

The recently analyzed samples of this malware indicate that the file twex.exe is located at C:\Windows\System32\twex.exe and that it creates a folder named C:\Windows\System32\twain32.

The name twain32 is associated with software used with scanners, so you need to check whether the folder is a legitimate one or not. If in doubt about infection, delete the folder from that location and then reinstall the scanner's driver if you have the driver CD or the installation program. So far, the available information indicates that this virus creates the twain32 folder only under C:\Windows\System32.

The virus writers keep changing the names and locations of its files on the computer in order to avoid detection, so it is helpful to open the Registry Editor, use Edit > Find to search for the filename "twex.exe", and delete its entries.

This article gives you step by step instructions to remove the threat manually from your computer.

Aliases: These are some of the aliases
- Trojan Horse [Symantec]
- Trojan-Spy.Win32.Zbot.ose [Kaspersky Lab]
- PWS:Win32/Zbot.gen!R [Microsoft]
- Trojan-Spy.Win32.Zbot [Ikarus]
- Win-Trojan/Zbot.70144.D [AhnLab]

Turn off System Restore: The malicious files are saved in the System Restore backup. You need to turn System Restore off to remove them; you can turn it on again after cleaning the computer.
View hidden files: You need to enable viewing of hidden files and folders before you can search for the virus files and folders.
Boot in Safe Mode: If you are unable to delete the malware files or folders, try doing it while in Windows Safe Mode.

If you are unable to open Task Manager
Sometimes you are not able to open Task Manager, the Run command, etc., because the virus blocks them. There are free tools to solve this problem.

Delete processes from Task Manager: The following process may be found in Task Manager. End (delete) it if found.
twex.exe

Delete folders/ files from the hard disk:
Delete the following folder if found
C:\Windows\System32\twain32

These are different places where twain32.exe could be located:
C:\Windows\System32\twain32.exe
C:\Windows\networkservice\twain32.exe
C:\Windows\twain32.exe

(It is useful to run a free temporary-file/registry cleaner such as CCleaner after deleting the above files.)

Delete the registry keys by manually editing the registry. You can edit the registry using the built-in Windows Registry Editor (regedit).

These are the registry keys found in one infection. The infection on your computer may or may not be the same, so even if you do not find exactly the same registry keys, you should still find the files and the folder mentioned above on an infected computer.

  • The following Registry Keys were created:
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
      • UID = "%ComputerName%_00048AC7"
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}]
      • {54DA3CE0-F090-3C13-C933-22A102DCA42E} = FF 09 F2 0D
      • {23343233-2C66-3B33-3432-343233343233} = FA 0A F4 0E
      • {94A73C77-34E2-9329-4A2D-D11633511DF1} = FD 09 F2 0D
      • {33323038-2829-5F2A-3039-333033333333} = F7 09 F2 0D
      • {1427B3BA-1099-AF5D-25A2-C7EF5A97F580} = FC 09 F2 0D
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      • ProxyEnable = 0x00000000
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
      • {33323038-2829-5F2A-3039-333033333333} = F7 09 F2 0D
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      • Userinit = "%System%\userinit.exe,%System%\twex.exe," (so that twex.exe runs every time Windows starts)
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      • Cookies = "%Profiles%\LocalService\Cookies"
      • History = "%Profiles%\LocalService\Local Settings\History"

Run System File Checker: This is a built-in Windows utility (sfc /scannow); it scans the computer for altered or deleted Windows system files and replaces them with the original files automatically.

Using a firewall: It helps to have a firewall so that you can block the malware's malicious communication.
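The checks above (the file and folder locations, the Winlogon\Userinit value, and the Edit > Find search for "twex.exe" in the registry) can be scripted so that a host can be audited before cleanup and re-checked afterwards. The following PowerShell script is an added example and is not part of the original article or of ThreatExpert's report; it is read-only (it reports and deletes nothing), it assumes an elevated PowerShell prompt on the affected machine, and the paths and registry branches it inspects are the ones quoted above.

```powershell
# Added example (not from the original article): read-only audit for the
# twex.exe indicators listed in the article. Assumes an elevated prompt.

# File and folder locations named in the article.
$filePaths = @(
    "$env:SystemRoot\System32\twex.exe",
    "$env:SystemRoot\System32\twain32",           # folder created by the malware
    "$env:SystemRoot\System32\twain32.exe",
    "$env:SystemRoot\networkservice\twain32.exe",
    "$env:SystemRoot\twain32.exe"
)

# 1. Report which of the listed files/folders exist (hidden items included).
function Find-TwexFileIndicators {
    foreach ($path in $filePaths) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Path = $path
                Kind = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
                Size = if ($item.PSIsContainer) { $null } else { $item.Length }
            }
        }
    }
}

# 2. Winlogon\Userinit persistence. A clean value contains only userinit.exe;
#    any extra comma-separated entry (the article shows %System%\twex.exe) is suspect.
function Test-UserinitPersistence {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    $entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $unexpected = @($entries | Where-Object { $_ -notlike '*\userinit.exe' })
    [pscustomobject]@{
        Userinit   = $userinit
        Unexpected = $unexpected
        Clean      = ($unexpected.Count -eq 0)
    }
}

# 3. Script equivalent of regedit's Edit > Find for "twex.exe": walks the registry
#    branches the article mentions and reports every value whose data contains the name.
function Find-RegistryReferences {
    param(
        [string]$Needle = 'twex.exe',
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
            'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion'
        )
    )
    # PowerShell does not expose HKEY_USERS as a drive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($root in $Roots) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($data -like "*$Needle*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

'--- File indicators ---';     Find-TwexFileIndicators  | Format-Table -AutoSize
'--- Userinit value ---';      Test-UserinitPersistence | Format-List
'--- Registry references ---'; Find-RegistryReferences  | Format-Table -AutoSize
```

Run it once before the manual steps to confirm the indicators are present, and again after rebooting to confirm that the Userinit value contains only userinit.exe and that no file or registry reference remains. The registry walk is limited to the two branches the article names; widening `$Roots` to whole hives works but is slow.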

Reprinted with permission from ThreatExpert.
Comments
Saurabh  - great site   |122.173.56.xxx |2009-03-22 11:20:57
Thanx for such a nice step-by-step guide to delete twex.exe.
Turbiales   |212.80.167.xxx |2009-03-30 05:05:16
Great Work Folks!!!
It worked wonderfully!!
Mark  - variant   |86.146.165.xxx |2009-03-31 12:58:55
My variant would not die. Removed hard disk, stuck it in a friend's PC as secondary. Deleted twex.exe, job done...
MaineMan  - USERINIT also infected   |72.73.114.xxx |2009-06-26 05:37:21
In my case, editing the USERINIT line in the Winlogon part of the Registry to remove the reference to TWEX didn't work - it kept automatically restoring itself. AND, of course, I couldn't simply delete the TWEX file since it was "in use." Furthermore, the USERINIT.EXE was also infected. The file size was 76KB when it should have been 24KB.

My solution was:
- boot to the Recovery Console on the Windows Install CD
- EXPAND a copy of the real USERINIT.EX_ from the I386 directory to overwrite the malware-corrupted version in SYSTEM32.

HERE'S THE CRITICAL PART: Simply deleting TWEX.EXE from SYSTEM32 at that point might have caused WINLOGON to fail since the reference to it was still in the USERINIT line in the Registry (and there's no way to selectively edit that from the Recovery Console).

SOLUTION:

I made a copy of NOTEPAD.EXE and renamed it "TWEX.EXE" and replaced the real (malware) TWEX.EXE in SYSTE...