twex.exe, Spybot 1.6 update, now black scree



lketchersid
2009-01-07, 18:15
Working on a computer (my wife's), she clicked on a link in an email. Tea Timer told her about a registry entry change, adding system32/twex.exe to userinit. She told it not to make the entry.

I went to run Spybot, she had version 1.5.2, ran update. It pulled down version 1.6, including a new tea-timer. Said I needed to reboot.

On reboot, Tea-timer saw a bad process, and a window popped up that said it had stopped services.exe and was shutting down in 60 seconds.

When I restarted, I now get a black screen if I boot normally (mouse control exists, but no other key combinations have any effect).

I can boot into safe-mode with command prompt. Went to system32 to see if I could delete twex.exe, it is still being held by a process. It took safe-mode command prompt a long time to come up, but it did come up.

Now I am trying to let it run in regular safe mode, waiting for it to come up (since safe-mode with command prompt took a long time, I am assuming patience is a virtue).

Q1: Would Spybot/tea-timer delete a services process during an install? I am pretty sure the malware did not get installed, since Tea-Timer appeared to catch it, so I am not sure how updating to a new version of Spy-Bot got me to this point...unless Tea-Timer got disabled during the upgrade?

Q2: Any suggestions on how to get around the black screen to a usable version of windows so I can run Spybot 1.6 or any other tools?

Thanks,

lketchersid
2009-01-08, 23:45
Problem resolved. My services.exe file in system32 did indeed end up getting deleted. I am still not sure if it was the malware or if it somehow was tagged as being infected and deleted (I got a pop-up window that said it was deleting it and shutting down in 30 seconds, so sounds like a virus/malware thing to do). I know there is a services.exe and fservices.exe virus, but those are normally found in other directories...

I could not get system restore to work, and the system was dog slow without any services loaded (couldn't get it to run any of the log file generating programs requested here). I was finally able to run spybot in safe mode, found and removed Virtumonde. I replaced the services.exe file with one from a known good computer, changed the ownership and ACLs of the file. I went to sleep. Then rebooted in the morning, the speed difference was obvious. Updated spybot, reran it, and everything has been lovely since.

I'm not quite sure how to close this ticket, but looks to be solved, posting this info in case it helps anyone else.
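The two things this thread turns on, the Winlogon Userinit value that Tea Timer flagged in the first post and the missing services.exe diagnosed in the second, can both be checked read-only from PowerShell. The script below is an added example, not code from the original thread or from the Spybot project. The registry path and the default Userinit location are the real ones; the function names Test-UserinitValue and Test-ServicesExe are my own.

```powershell
# Added example (not from the thread or from Spybot). Two read-only checks:
#   1. audit the Winlogon "Userinit" value and report any entry other than the
#      genuine userinit.exe (the thread's twex.exe would show up here);
#   2. confirm %SystemRoot%\system32\services.exe exists, show its SHA-1 so it
#      can be compared with a known-good machine, and show its Authenticode status.
# Run from an elevated prompt. Nothing is modified.

$winlogonKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32        = Join-Path $env:SystemRoot 'system32'
$genuineUserinit = Join-Path $system32 'userinit.exe'

function Test-UserinitValue {
    $raw = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
    # Userinit is a comma-separated list; Winlogon launches every entry at logon,
    # which is why adding a second binary here is a popular persistence trick.
    $entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

    Write-Host "Userinit = $raw"
    foreach ($entry in $entries) {
        # A bare file name is resolved relative to system32, as Winlogon would.
        $resolved = if ([System.IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $system32 $entry }
        if ($resolved -ieq $genuineUserinit) {
            Write-Host "  OK       $resolved"
        } else {
            $present = Test-Path -LiteralPath $resolved
            Write-Host ("  SUSPECT  {0}  (file present: {1})" -f $resolved, $present)
        }
    }
}

function Test-ServicesExe {
    $path = Join-Path $system32 'services.exe'
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "MISSING  $path  (no services can start without it)"
        return
    }

    # SHA-1 via .NET so it also works on old PowerShell versions without Get-FileHash.
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $digest = [System.Security.Cryptography.SHA1]::Create().ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    $hex = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Host ("PRESENT  {0}" -f $path)
    Write-Host ("  sha1:      {0}" -f $hex)
    Write-Host ("  signature: {0}  signer: {1}" -f $sig.Status, $signer)
}

Test-UserinitValue
Test-ServicesExe
```

One caveat on the signature line: on older Windows releases the core system binaries are signed through a catalog rather than with an embedded signature, and older PowerShell versions report those as NotSigned. So NotSigned by itself does not prove tampering; the SHA-1 compared against the same file on a known-good machine of the same Windows version and service pack is the more reliable check, and it is the check the second post effectively did by hand.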