Twink64.exe

By Holeson
Nov 30, 2004
Topic Status:
Not open for further replies.
  1. twink64.exe is always trying to connect to the Internet. I find that strange, so I thought it might maybe be a trojan or something. I ran Norton Antivirus 2003, but it didn't find anything. Then I tried using Pc-Cillin, but without results. Then I tried Spybot and Ad-Aware SE but still nothing. Finally I ran HijackThis and this is the log file:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\twink64.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\WINDOWS\system32\mapiicon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    D:\My Documents\My Received Files\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ADSL_A2] A2Installed
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.ex
    O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL



    Should I delete the "O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe" ??

    Is there anything else in the log file??


    :confused:
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Yes, you are right, twink64.exe is a trojan downloader.

    Boot into safe mode and let hijackthis fix the following.

    C:\WINDOWS\System32\twink64.exe

    O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

    The rest look fine to me.


    Regards Howard

    :wave: :wave:
  3. Holeson

    Holeson Newcomer, in training Topic Starter

    Thx a lot, Howard
    Everything seems to be in order now :D
  4. marianna

    marianna Newcomer, in training

    Similar problem

    Hi.
    I think I've got a similar problem, but before trying to fix something I'd like you to see my HijackThis log. Really, thanks.

    Attached Files:

  5. Mictlantecuhtli

    Mictlantecuhtli TechSpot Evangelist Posts: 4,916   +9

    Welcome to TechSpot Forums

    At least these should be deleted.

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\twink64.exe internat.dll,LoadKeyboardProfile
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com

    I'd recommend installing Firefox instead of IE; it helps reduce these things quite a lot.

    I'm not sure what this is but I would delete it anyhow: :giddy:

    O2 - BHO: (no name) - {650114E4-2D24-41ED-877A-410B6465C1F1} - C:\WINDOWS\system32\jdjoaaa.dll

    And (at least) this is unnecessary:

    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
  6. marianna

    marianna Newcomer, in training

    Similar problem

    Thanks a lot. It seems all right now. :grinthumb
  7. timkar

    timkar Newcomer, in training

    I NEED HELP :/

    I get this message from Symantec ALL THE TIME:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Download.Trojan
    File: WINDOWS\system32\twink64.exe
    Location: WINDOWS\system32

    User: Timkar Admin
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Mon Dec 06 11:18:21 2004

    I ran HijackThis and here's the result:
    (copy to browser)
    netikka.net/timkar/hijackthis.log
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Timkar,
    Welcome to TechSpot

    Logfile of HijackThis v1.97.7
    You should update to a newer version of HijackThis

    Read my post carefully http://www.techspot.com/vb/topic17297.html and do as advised there.

    When all is done, run HJT Standalone in Safe mode and have it "fix"

    C:\WINDOWS\System32\twink64.exe
    C:\Program Files\Winamp\winampa.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TIMKAR~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  9. highway

    highway Newcomer, in training

    I'm also having a twink problem. I've tried to post my hijack log, but the website keeps telling me that it has URLs in it and I can't send the message.

    Any suggestions? I have tried to delete anything remotely resembling a URL in the log, but I still can't send it.

    Thanks.
  10. marianna

    marianna Newcomer, in training

    You could rename the log as txt and attach it.
    Bye
  11. highway

    highway Newcomer, in training

    Thanks. Here is the attached log.

    I already went ahead and had it fix the:

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

    What else should I get rid of? I also noticed: O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab

    I had a problem with info6.cab showing up on some antivirus stuff a few months ago, and couldn't fix it, so I deleted the file.

    Thanks for any assistance. Things seem to be running smoother since I got rid of the O4 code noted above, but I would like to completely clean out any junk in there.

    Jeff
     
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You may as well format your HD and reinstall from scratch.
    You have both Symantec AND McAfee on your PC. This will NEVER work.
    Only 1 antivirus per PC, preferably NOT from Norton/Symantec.
    Also, if you can avoid it, do NOT install AOL.
  13. highway

    highway Newcomer, in training

    I disabled the antivirus from Symantec. I have Norton SystemWorks, so I left the other features on the hard drive. I got McAfee because Norton wasn't getting the job done with my problem. I never would have figured out about the twink64 without McAfee. I already have an active subscription to Norton that is paid through next July, so I don't want to drop the whole program. Besides, it is supposed to have a firewall, though it appears fairly useless.

    As for AOL, I know it's not ideal, but I've had it since 1992, and everybody I've ever met has my email address. I still sometimes hear from people that I haven't heard from in years, so I hate to think about changing my email address. I can always install FireFox and load it up as an alternate to IE when going to the web.

    Aside from having Norton and McAfee both installed, what do I need to get rid of in my registry via HijackThis? Also, does it need to be done in safe mode? Lastly, with Windows XP, do I need to shut off System Restore before I make the changes?

    Thanks.
  14. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Do a proper cleanup of McAfee.
    Read my post carefully http://www.techspot.com/vb/topic17297.html and do exactly as advised there.

    When all is done, run HJT Standalone in Safe mode again and post your log again.
  15. highway

    highway Newcomer, in training

    Here it is

    Here's the new Hijack log after cleaning up everything suggested.

    Something tells me that those "Trusted Zones" shouldn't be trusted. I've never heard of them.

    Thanks.
  16. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Come back when you have ONLY 1 antivirus program on your PC.
    (And you are still running an OLD version of HijackThis).
  17. highway

    highway Newcomer, in training

    Thanks for nothing

    Like I already explained, I have Norton Systemworks. I have this installed. I used to have the Norton antivirus, but it was worthless. Therefore, I disabled that antivirus and installed McAfee. I only have one active antivirus program on my system. If you're so technologically intelligent, you'd know that I could not install McAfee with Symantec antivirus active. It won't let you.

    I will not remove Norton Systemworks just because I have McAfee installed as my antivirus. That is asinine.

    If you don't want to help me, or you can't figure out how to read a log with two different programs on it, that's fine. Just say so. I'll go elsewhere for help.
  18. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Ruffled your feathers?
    Nothing to get excited about.
    Let HJT "fix" (as described):
    R3 - Default URLSearchHook is missing
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O15 - Trusted Zone: *.searchmeup.cc
    O15 - Trusted Zone: *.skoobidoo.com

    Now who in his right mind trusts ANY website?
  19. highway

    highway Newcomer, in training

    Thank you

    Thanks for the assistance. I'm sorry I blew up earlier. I just wanted to get the crap out of my registry without fighting about what antivirus I may or may not have installed.

    I've taken care of all of the stuff you mentioned. I can tell the difference in the way the computer is running now.

    Thanks again.

    Jeff
  20. oogie boogie

    oogie boogie Newcomer, in training

    Hi

    I too am having problems with the "Twink64" beastie, and after a couple of days of banging my head against the monitor, came across this thread.

    The posts are really helpful; however, I'd be eternally grateful if anyone could have a look at this log, just to see if there's anything else I should be deleting along with the aforementioned "twink" entry.



    Any advice would be greatly received.

    Cheers

    OOGIE
  21. Spike

    Spike Newcomer, in training Posts: 2,371

    You may like to know that it is now possible to connect to AOL email via IMAP from your preferred mail client in the UK. I'm not sure about the US, but I'd assume it would be strange if it was a different scenario over there.

    http://www-stg.aolsvc.co.uk/help/OutlookExpressSteps.htm
  22. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    OOGIE

    Welcome to TechSpot

    Go to my post here first http://www.techspot.com/vb/topic17297.html and do all that.
    Then in Safe Mode, run HJT Standalone and let it "fix"

    C:\WINDOWS\SYSTEM32\NTNUT.EXE
    C:\WINDOWS\SYSTEM\TWINK64.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpe.dll/blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

    O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
  23. Rugrat

    Rugrat Newcomer, in training

    twink64

    Well, I have this beastie too. I have tried all the manual removal processes posted out on the web, including editing the registry to remove the autostart entries, but every time I reboot the beastie is back. Here is a printout of my HijackThis log. I know I should probably "fix" the "skoobidoo" and "windupdates" entries, but there are obviously others I am missing. Can you please help me?

    Thank you for your time and efforts!

    Attached Files:

  24. oogie boogie

    oogie boogie Newcomer, in training

    Thanks "Real Black Stuff" !!!

    You're an absolute star

    Have followed all your steps and the beast seems to have been vanquished, no longer auto dialling. The only little problem now is that the dial-up box still keeps popping up on start-up; however, I'm not sure whether this is connected.

    Could you cast your eye over the latest log just to make sure I followed your instructions correctly.

    logfile of HijackThis v1.98.2
    Scan saved at 22:16:55, on 13/12/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
    C:\MY DOCUMENTS\APPS\HIJACKTHIS.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

    I don't know if this is relevant but the WINDOWS\system32\ntnut.exe home entry no longer appears in the HJT log but still shows up in msconfig as a startup option.

    Again a million thanks for sharing your grey matter!!!!!

    Cheers

    OOGIE
  25. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    OOGIE
    MSConfig could tell you where it is "starting" from.
    Boot in safe mode, then delete the sucker.
    Check in Start/Programs/Startup if it is in there, delete as well.
    Or check in the Registry (Start/Run type regedit and hit enter) under the "Run" keys. Easiest way is to Edit/Find "Runonce", above it is the "Run" key. If found, highlight it and hit the Del key. Repeat Find (F3 key) until regedit is at the end of the registry.

    Otherwise you are clean.
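
Added example, not part of any post in this thread: a small Python reader for the HijackThis O4 (autorun) and O15 (Trusted Zone) lines quoted above. It flags the two file names that replies in the thread said to fix and, as an assumption of this example, any autorun entry that passes rundll32-style `file.dll,Export` arguments to a program that is not rundll32.exe; the function names and that heuristic are illustrative.

```python
import re
from ntpath import basename  # splits Windows paths correctly on any OS

# File names that replies in this thread said to fix.
THREAD_FLAGGED = {"twink64.exe", "ntnut.exe"}

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")
# rundll32-style argument such as "powrprof.dll,LoadCurrentPwrScheme"
DLL_EXPORT_RE = re.compile(r"\S+\.dll,\w+", re.IGNORECASE)

# Lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
"""


def executable(cmd):
    """Return the program part of an autorun command (paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def review(log_text):
    """Return (findings, trusted_zones) for the text of a HijackThis log."""
    findings, zones = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            zones.append(m.group("domain"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if m.group("name") is None and " = " in cmd:  # Startup-folder shortcut
            cmd = cmd.split(" = ", 1)[1]
        exe = basename(executable(cmd)).lower()
        reasons = []
        if exe in THREAD_FLAGGED:
            reasons.append("named in thread")
        # Heuristic added for this example, not a HijackThis feature.
        if DLL_EXPORT_RE.search(cmd) and exe != "rundll32.exe":
            reasons.append("rundll32-style arguments on a non-rundll32 program")
        if reasons:
            findings.append((m.group("loc"), m.group("name"), exe, reasons))
    return findings, zones


if __name__ == "__main__":
    findings, zones = review(SAMPLE_LOG)
    for loc, name, exe, reasons in findings:
        print(f"{loc} [{name}] {exe}: {'; '.join(reasons)}")
    print("Trusted Zone entries to review:", ", ".join(zones))
```

The legitimate `Rundll32.exe powrprof.dll,LoadCurrentPwrScheme` entry from the Windows ME log passes untouched, while the `[ControlPanel]` entry that copies its shape is reported for both reasons.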