
Twink64.exe

Discussion in 'Windows OS' started by Holeson, Nov 30, 2004.

  1. Holeson Newcomer, in training

    twink64.exe is always trying to connect to the Internet. I find that strange, so I thought it might maybe be a trojan or something. I ran Norton Antivirus 2003, but it didn't find anything. Then I tried using Pc-Cillin, but without results. Then I tried Spybot and Ad-Aware SE but still nothing. Finally I ran Hijack this and this is the log file:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\twink64.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\WINDOWS\system32\mapiicon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    D:\My Documents\My Received Files\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ADSL_A2] A2Installed
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.ex
    O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL



    Should I delete the "O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe" ??

    Is there anything else in the log file??


    :confused:
  2. howard_hopkinso Newcomer, in training Posts: 25,949   +16

    Hello and welcome to Techspot.

    Yes you are right twink64.exe is a trojan downloader.

    Boot into safe mode and let hijackthis fix the following.

    C:\WINDOWS\System32\twink64.exe

    O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

    The rest look fine to me.


    Regards Howard

    :wave: :wave:
  3. Holeson Newcomer, in training

    Thx a lot Howard
    Everything seems to be in order now :D
  4. marianna Newcomer, in training

    Similar problem

    Hi.
    I think I've got a similar problem but before trying to fix something I'd like you to see hijackthis log. Really thanks.

  5. Mictlantecuhtli TS Special Forces Posts: 4,916   +9

    Welcome to TechSpot Forums

    At least these should be deleted.

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\twink64.exe internat.dll,LoadKeyboardProfile
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com

    I'd recommend installing Firefox instead of IE; it helps reduce these things quite a lot.

    I'm not sure what this is but I would delete it anyhow: :giddy:

    O2 - BHO: (no name) - {650114E4-2D24-41ED-877A-410B6465C1F1} - C:\WINDOWS\system32\jdjoaaa.dll

    And (at least) this is unnecessary:

    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
  6. marianna Newcomer, in training

    Similar problem

    Thanks a lot. It seems all right now. :grinthumb
     
  7. timkar Newcomer, in training

    I NEED HELP :/

    I get this message from symantec ALL THE TIME :

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Download.Trojan
    File: WINDOWS\system32\twink64.exe
    Location: WINDOWS\system32

    User: Timkar Admin
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Mon Dec 06 11:18:21 2004

    I ran hijack and here's the result:
    (copy to browser)
    netikka.net/timkar/hijackthis.log
  8. RealBlackStuff Newcomer, in training Posts: 8,165

    Timkar,
    Welcome to TechSpot

    Logfile of HijackThis v1.97.7
    You should update to a newer version of HijackThis

    Read my post carefully http://www.techspot.com/vb/topic17297.html and do as advised there.

    When all is done, run HJT Standalone in Safe mode and have it "fix"

    C:\WINDOWS\System32\twink64.exe
    C:\Program Files\Winamp\winampa.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
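
The entry types the replies above ask to have fixed, as a triage script over HijackThis log lines (an added example, not part of the original thread or of HijackThis). The three rules are heuristics assumed here for illustration, and the sample lines are copied from the logs quoted in this thread; a hit means the entry deserves a manual look, not that it is malicious.

```python
import re

# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.skoobidoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
"""

LINE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")            # "O4 - ...", "R1 - ..."
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
# Program (optionally quoted) followed by optional arguments.
CMD = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.I)
DLL_EXPORT = re.compile(r"^\S+\.dll,\w+", re.I)             # "file.dll,Export"
TEMP_PAGE = re.compile(r"= file://.*\\Temp\\", re.I)

def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        code, detail = m.groups()
        if code == "O4":
            run = RUN.match(detail)
            cmd = CMD.match(run.group("cmd")) if run else None
            if cmd:
                exe = cmd.group("exe").rsplit("\\", 1)[-1].lower()
                args = cmd.group("args") or ""
                # Heuristic: only rundll32.exe should take "dll,Export" arguments.
                if DLL_EXPORT.match(args) and exe != "rundll32.exe":
                    findings.append((code, "rundll32-style arguments on another binary", detail))
        elif code == "O15":
            # Heuristic: list every Trusted Zone site so the user can confirm it.
            findings.append((code, "site added to Trusted Zone", detail))
        elif code in ("R0", "R1") and TEMP_PAGE.search(detail):
            findings.append((code, "IE search page loaded from a Temp folder", detail))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {detail}")
```
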
  9. highway Newcomer, in training

    I'm also having a twink problem. I've tried to post my hijack log, but the website keeps telling me that it has URLs in it and I can't send the message.

    Any suggestions? I have tried to delete anything remotely resembling a URL in the log, but I still can't send it.

    Thanks.
  10. marianna Newcomer, in training

    You could rename the log as txt and attach it.
    Bye
  11. highway Newcomer, in training

    Thanks. Here is the attached log.

    I already went ahead and had it fix the:

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

    What else should I get rid of? I also noticed: O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab

    I had a problem with info6.cab showing up on some antivirus stuff a few months ago, and couldn't fix it, so I deleted the file.

    Thanks for any assistance. Things seem to be running smoother since I got rid of the 04 code noted above, but I would like to completely clean out any junk in there.

    Jeff
  12. RealBlackStuff Newcomer, in training Posts: 8,165

    You may as well format your HD and reinstall from scratch.
    You have both Symantec AND McAfee on your PC. This will NEVER work.
    Only 1 antivirus per PC, preferably NOT from Norton/Symantec.
    Also, if you can avoid it, do NOT install AOL.
  13. highway Newcomer, in training

    I disabled the antivirus from Symantec. I have Norton SystemWorks, so I left the other features on the hard drive. I got McAfee because Norton wasn't getting the job done with my problem. I never would have figured out about the twink64 without McAfee. I already have an active subscription to Norton that is paid through next July, so I don't want to drop the whole program. Besides, it is supposed to have a firewall, though it appears fairly useless.

    As for AOL, I know it's not ideal, but I've had it since 1992, and everybody I've ever met has my email address. I still sometimes hear from people that I haven't heard from in years, so I hate to think about changing my email address. I can always install FireFox and load it up as an alternate to IE when going to the web.

    Aside from having Norton and McAfee both installed, what do I need to get rid of in my registry via HiJack This? Also, does it need to be done in safe mode? Lastly, with Windows XP, do I need to shut off System Restore before I make the changes?

    Thanks.
  14. RealBlackStuff Newcomer, in training Posts: 8,165

    Do a proper cleanup of McAfee.
    Read my post carefully http://www.techspot.com/vb/topic17297.html and do exactly as advised there.

    When all is done, run HJT Standalone in Safe mode again and post your log again.
  15. highway Newcomer, in training

    Here it is

    Here's the new Hijack log after cleaning up everything suggested.

    Something tells me that those "Trusted Zones" shouldn't be trusted. I've never heard of them.

    Thanks.
  16. RealBlackStuff Newcomer, in training Posts: 8,165

    Come back when you have ONLY 1 antivirus program on your PC.
    (And you are still running an OLD version of HijackThis).
  17. highway Newcomer, in training

    Thanks for nothing

    Like I already explained, I have Norton Systemworks. I have this installed. I used to have the Norton antivirus, but it was worthless. Therefore, I disabled that antivirus and installed McAfee. I only have one active antivirus program on my system. If you're so technologically intelligent, you'd know that I could not install McAfee with Symantec antivirus active. It won't let you.

    I will not remove Norton Systemworks just because I have McAfee installed as my antivirus. That is asinine.

    If you don't want to help me, or you can't figure out how to read a log with two different programs on it, that's fine. Just say so. I'll go elsewhere for help.
  18. RealBlackStuff Newcomer, in training Posts: 8,165

    Ruffled your feathers?
    Nothing to get excited about.
    Let HJT "fix" (as described):
    R3 - Default URLSearchHook is missing
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O15 - Trusted Zone: *.searchmeup.cc
    O15 - Trusted Zone: *.skoobidoo.com

    Now who in his right mind trusts ANY website?
  19. highway Newcomer, in training

    Thank you

    Thanks for the assistance. I'm sorry I blew up earlier. I just wanted to get the crap out of my registry without fighting about what antivirus I may or may not have installed.

    I've taken care of all of the stuff you mentioned. I can tell the difference in the way the computer is running now.

    Thanks again.

    Jeff
  20. oogie boogie Newcomer, in training

    Hi

    I too am having problems with the "Twink64" beastie, and after a couple of days of banging my head against the monitor, came across this thread.

    The posts are really helpful; however, I'd be eternally grateful if anyone could have a look at this log, just to see if there's anything else I should be deleting along with the aforementioned "twink" entry.



    Any advice would be greatly received.

    Cheers

    OOGIE