Twink64.exe

Status
Not open for further replies.
twink64.exe is always trying to connect to the Internet. I find that strange, so I thought it might maybe be a trojan or something. I ran Norton Antivirus 2003, but it didn't find anything. Then I tried using Pc-Cillin, but without results. Then I tried Spybot and Ad-Aware SE but still nothing. Finally I ran HijackThis and this is the log file:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\twink64.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
D:\My Documents\My Received Files\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.ex
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL



Should I delete the "O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe" ??

Is there anything else in the log file??


:confused:
 
Hello and welcome to Techspot.

Yes, you are right, twink64.exe is a trojan downloader.

Boot into safe mode and let hijackthis fix the following.

C:\WINDOWS\System32\twink64.exe

O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

The rest look fine to me.


Regards Howard

:wave: :wave:
 
Similar problem

Hi.
I think I've got a similar problem, but before trying to fix something I'd like you to see the HijackThis log. Really thanks.
 

Attachments

  • hijackthis.txt
    6.5 KB · Views: 5
Welcome to TechSpot Forums

marianna said:
Hi.
I think I've got a similar problem, but before trying to fix something I'd like you to see the HijackThis log. Really thanks.

At least these should be deleted.

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\twink64.exe internat.dll,LoadKeyboardProfile
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com

I'd recommend installing Firefox instead of IE; it helps reduce these things quite a lot.

I'm not sure what this is but I would delete it anyhow: :giddy:

O2 - BHO: (no name) - {650114E4-2D24-41ED-877A-410B6465C1F1} - C:\WINDOWS\system32\jdjoaaa.dll

And (at least) this is unnecessary:

O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
 
I NEED HELP :/

I get this message from Symantec ALL THE TIME:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Trojan
File: WINDOWS\system32\twink64.exe
Location: WINDOWS\system32

User: Timkar Admin
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Mon Dec 06 11:18:21 2004

I ran HijackThis and here's the result:
(copy to browser)
netikka.net/timkar/hijackthis.log
 
Timkar,
Welcome to TechSpot

Logfile of HijackThis v1.97.7
You should update to a newer version of HijackThis

Read my post carefully https://www.techspot.com/vb/topic17297.html and do as advised there.

When all is done, run HJT Standalone in Safe mode and have it "fix"

C:\WINDOWS\System32\twink64.exe
C:\Program Files\Winamp\winampa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
I'm also having a twink problem. I've tried to post my hijack log, but the website keeps telling me that it has URLs in it and I can't send the message.

Any suggestions? I have tried to delete anything remotely resembling a URL in the log, but I still can't send it.

Thanks.
 
Thanks. Here is the attached log.

I already went ahead and had it fix the:

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

What else should I get rid of? I also noticed: O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab

I had a problem with info6.cab showing up on some antivirus stuff a few months ago, and couldn't fix it, so I deleted the file.

Thanks for any assistance. Things seem to be running smoother since I got rid of the O4 entry noted above, but I would like to completely clean out any junk in there.

Jeff
 
You may as well format your HD and reinstall from scratch.
You have both Symantec AND McAfee on your PC. This will NEVER work.
Only 1 antivirus per PC, preferably NOT from Norton/Symantec.
Also, if you can avoid it, do NOT install AOL.
 
I disabled the antivirus from Symantec. I have Norton SystemWorks, so I left the other features on the hard drive. I got McAfee because Norton wasn't getting the job done with my problem. I never would have figured out about the twink64 without McAfee. I already have an active subscription to Norton that is paid through next July, so I don't want to drop the whole program. Besides, it is supposed to have a firewall, though it appears fairly useless.

As for AOL, I know it's not ideal, but I've had it since 1992, and everybody I've ever met has my email address. I still sometimes hear from people that I haven't heard from in years, so I hate to think about changing my email address. I can always install Firefox and load it up as an alternate to IE when going to the web.

Aside from having Norton and McAfee both installed, what do I need to get rid of in my registry via HijackThis? Also, does it need to be done in safe mode? Lastly, with Windows XP, do I need to shut off System Restore before I make the changes?

Thanks.
 
Here it is

Here's the new Hijack log after cleaning up everything suggested.

Something tells me that those "Trusted Zones" shouldn't be trusted. I've never heard of them.

Thanks.
 
Thanks for nothing

Like I already explained, I have Norton SystemWorks. I have this installed. I used to have the Norton antivirus, but it was worthless. Therefore, I disabled that antivirus and installed McAfee. I only have one active antivirus program on my system. If you're so technologically intelligent, you'd know that I could not install McAfee with Symantec antivirus active. It won't let you.

I will not remove Norton Systemworks just because I have McAfee installed as my antivirus. That is asinine.

If you don't want to help me, or you can't figure out how to read a log with two different programs on it, that's fine. Just say so. I'll go elsewhere for help.
 
Ruffled your feathers?
Nothing to get excited about.
Let HJT "fix" (as described):
R3 - Default URLSearchHook is missing
O4 - Global Startup: Digital Line Detect.lnk = ?
O15 - Trusted Zone: *.searchmeup.cc
O15 - Trusted Zone: *.skoobidoo.com

Now who in his right mind trusts ANY website?
 
Thank you

Thanks for the assistance. I'm sorry I blew up earlier. I just wanted to get the crap out of my registry without fighting about what antivirus I may or may not have installed.

I've taken care of all of the stuff you mentioned. I can tell the difference in the way the computer is running now.

Thanks again.

Jeff
 
Hi

I too am having problems with the "Twink64" beastie, and after a couple of days of banging my head against the monitor, came across this thread.

The posts are really helpful; however, I'd be eternally grateful if anyone could have a look at this log, just to see if there's anything else I should be deleting along with the aforementioned "twink" entry.



Any advice would be gratefully received.

Cheers

OOGIE
 
OOGIE

Welcome to TechSpot

Go to my post here first https://www.techspot.com/vb/topic17297.html and do all that.
Then in Safe Mode, run HJT Standalone and let it "fix"

C:\WINDOWS\SYSTEM32\NTNUT.EXE
C:\WINDOWS\SYSTEM\TWINK64.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpe.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
 
twink64

Well... I have this beastie too. I have tried all the manual removal processes posted out on the web, including editing the registry to remove the autostart entries, but every time I reboot the beastie is back. Here is a printout of my HijackThis log. I know I should probably "fix" the "skoobidoo" and "windupdates" entries, but there are obviously others I am missing. Can you please help me?

Thank you for your time and efforts!
 

Attachments

  • Hijackthis.txt
    7.2 KB · Views: 5
Thanks "Real Black Stuff" !!!

You're an absolute star

Have followed all your steps and the beast seems to have been vanquished, no longer auto dialling. The only little problem now is that the dial-up box still keeps popping up on start-up; however, I'm not sure whether this is connected.

Could you cast your eye over the latest log just to make sure I followed your instructions correctly.

logfile of HijackThis v1.98.2
Scan saved at 22:16:55, on 13/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\MY DOCUMENTS\APPS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

I don't know if this is relevant but the WINDOWS\system32\ntnut.exe home entry no longer appears in the HJT log but still shows up in msconfig as a startup option.

Again a million thanks for sharing your grey matter!!!!!

Cheers

OOGIE
 
OOGIE
MSConfig could tell you where it is "starting" from.
Boot in safe mode, then delete the sucker.
Check in Start/Programs/Startup if it is in there, delete as well.
Or check in the Registry (Start/Run type regedit and hit enter) under the "Run" keys. Easiest way is to Edit/Find "Runonce", above it is the "Run" key. If found, highlight it and hit the Del key. Repeat Find (F3 key) until regedit is at the end of the registry.

Otherwise you are clean.
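
Added example, not part of the original thread and not written by any poster: a small Python triage script for the three kinds of HijackThis lines the helpers singled out above. The rules are heuristics assumed for illustration (a Run entry passing rundll32-style "dll,Export" arguments to a binary that is not rundll32.exe, any O15 Trusted Zone site, and IE R0/R1 settings pointing at a file:// page under a Temp folder), and the function and pattern names are hypothetical.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Sample lines copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.skoobidoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
"""

# "O4 - <location>: [value name] <command line>"
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Split a command line into the program image (quoted or not) and its arguments.
CMD_RE = re.compile(
    r'^"?(?P<image>.+?\.(?:exe|com|bat|cmd))"?(?:\s+(?P<args>.*))?$', re.I)
# The "<file>.dll,<ExportName>" calling convention that rundll32.exe expects.
DLL_EXPORT_RE = re.compile(r'[^\s,"]+\.dll,\s*\w+', re.I)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")


def triage(log_text):
    """Return (kind, subject) pairs for log lines that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = CMD_RE.match(m["cmd"])
            # Heuristic: only rundll32.exe should receive "dll,Export" arguments.
            if (cmd and cmd["args"] and DLL_EXPORT_RE.search(cmd["args"])
                    and basename(cmd["image"]).lower() != "rundll32.exe"):
                findings.append(("autorun", m["name"]))
            continue
        m = O15_RE.match(line)
        if m:
            # Every site placed in the IE Trusted Zone is listed for review.
            findings.append(("trusted-zone", m["site"]))
            continue
        m = R_RE.match(line)
        if m:
            value = m["value"].lower()
            # Heuristic: IE search/start setting served from a local Temp file.
            if value.startswith("file://") and "\\temp\\" in value:
                findings.append(("ie-setting", m["key"]))
    return findings


if __name__ == "__main__":
    for kind, subject in triage(SAMPLE_LOG):
        print(f"{kind:13} {subject}")
```

The output is a review list, not a verdict: the legitimate rundll32 entries and the quoted Symantec entry in the sample pass untouched, while the twink64.exe Run entry is listed because of the argument pattern alone.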
 