HomeSearch hijack - Ratchet, Twain.dll and Twain_32.dll possible to blame?

Hi y'all, this is the second time I've had HomeSearch installed on my computer; the first time I solved it by reading these (extremely helpful) forums. Well, it looks like it's turned up again. After running HJT, Spybot S&D, and Ad-aware, HomeSearch still hijacks my homepage after a reboot. Safe mode keeps it from happening, as does turning off system services and startup items in msconfig.

After poking around in my Windows folders I found 2 suspicious .dll's, Twain.dll and Twain_32.dll. These 2 files replace themselves no matter what I do with them. After looking in the summary details, it says that the company ID for both is "Twain Working Group". After searching the web I found the site of the company, http://www.twain.org/, that oddly enough has a little note on their homepage claiming they are in no way connected to spyware or adware, and to place an e-mail to lega@twain-tech.com, if you find any such files on your computer with their company in the summary.

The e-mail I sent was returned because "user was not found", imagine that :rolleyes:

Any help would be great, keep up the good work guys.

PS: I can't find or remove, C:\WINDOWS\system32\apiew.exe as it's not where it claims to be :\

Here's my HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 1:14:13 AM, on 8/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crnv32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\apiew.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Liger1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\ajbtz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\ajbtz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\ajbtz.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
O2 - BHO: (no name) - {F52E2033-83A1-5DFD-596F-100DD7ACA4B6} - C:\WINDOWS\system32\atlrp.dll
O4 - HKLM\..\Run: [crnv32.exe] C:\WINDOWS\system32\crnv32.exe

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2004
    Well, Twain.dll and twain_32.dll ARE legitimate files. They are used for image acquisition. Some scummy spyware author named their dll TWAINTEC so that it might be mistaken for a legitimate system file... :mad:

    That's a weird looking log. It doesn't look complete.

    Click start, and then run. Type "Services.msc" in the run box and hit enter.

    Look for a service called "Network Security Service"... If it's there, click on it, click properties, and set the thing to "disabled" and then STOP the service. Reboot the computer into SAFE MODE, run HijackThis, and delete these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\ajbtz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\ajbtz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\ajbtz.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
    O2 - BHO: (no name) - {F52E2033-83A1-5DFD-596F-100DD7ACA4B6} - C:\WINDOWS\system32\atlrp.dll
    O4 - HKLM\..\Run: [crnv32.exe] C:\WINDOWS\system32\crnv32.exe

    Let us know how that goes.
  • edited August 2004
    Well, that's really odd, because now it seems to be perfect. I had done that before but now it's perfect. One could say it's almost, magical.

    P.S. I'm on to you! :eek2:
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2004
    You got me! :thumbsup:;D
This discussion has been closed.
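
The triage done by eye in this thread, picking out the `res://` page overrides, the unnamed BHO and the Run entry from the HijackThis log, can be sketched as a small parser. This is an added example, not part of the original posts and not HijackThis's own logic; the sample is a constructed subset of the posted log, and the `known` process list and the function names are illustrative assumptions.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crnv32.exe
C:\WINDOWS\system32\apiew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajbtz.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\ajbtz.dll/index.html#96676
O2 - BHO: (no name) - {F52E2033-83A1-5DFD-596F-100DD7ACA4B6} - C:\WINDOWS\system32\atlrp.dll
O4 - HKLM\..\Run: [crnv32.exe] C:\WINDOWS\system32\crnv32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")            # e.g. "R1 - ...", "O4 - ..."
RES_URL = re.compile(r"= res://(.+?\.dll)/", re.I)     # IE page loaded from a DLL resource
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)    # a bare path in "Running processes"

def triage(log_text):
    """Return (findings, running); findings is a list of (code, reason, file)."""
    findings, running = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if PROCESS.match(line):
            running.append(line)
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        res = RES_URL.search(body)
        if code in ("R0", "R1") and res:
            findings.append((code, "IE page served from a local DLL resource", res.group(1)))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, "unnamed Browser Helper Object", body.rsplit(" - ", 1)[-1]))
        elif code == "O4":
            findings.append((code, "autostart Run entry", body.split("] ", 1)[-1]))
    return findings, running

def unexplained_processes(findings, running, known=("svchost.exe", "explorer.exe")):
    """Running executables that no log entry references and that are not in `known`."""
    listed = {f[2].lower() for f in findings}
    return [p for p in running
            if p.lower() not in listed and p.rsplit("\\", 1)[-1].lower() not in known]
```

On the sample, `unexplained_processes` returns only `apiew.exe`: it is running, yet none of the posted R/O entries references it, so removing those entries alone does not account for how it starts.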