Need help with Res://

Discussion in 'adware, spyware & hijack cleaning' started by Cyric, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. Cyric

    Cyric Registered Member

    Jun 30, 2004
    Hi Everyone,
    My homepage has been changed to: res://qhohi.dll/index.html#96676
    and I've been having lots of random pop-ups. I was wonder if anyone could help me get rid of this virus. Here is my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:42:56 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Desktop\Danny\Other Programs\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhohi.dll/sp.html#96676[/B]
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qhohi.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qhohi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qhohi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qhohi.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qhohi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C486F978-8D65-4A98-0179-CD984597B279} - C:\WINDOWS\system32\sysiw.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [apifd32.exe] C:\WINDOWS\system32\apifd32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [javamp32.exe] C:\WINDOWS\javamp32.exe
    O4 - HKLM\..\RunOnce: [atlpv.exe] C:\WINDOWS\atlpv.exe
    O4 - HKLM\..\RunOnce: [apijm.exe] C:\WINDOWS\system32\apijm.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\WINDOWS\TEMP\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,54/
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -[/SIZE][/SIZE]

    I've tried, CWShredder, but it found nothing. I've also tried to look for it in Safemode, under HKEY_CURRENT_USER>Software>Microsoft>Windows>Current Version>Run
    but it isn't there.

    If anyone could help me, that would be great. Feel free to email me at:

  2. Cyric

    Cyric Registered Member

    Jun 30, 2004
    So, I finally got it fixed, but if anyone else has a similar problem then I have a site that you must go to, to help you get it fixed.

    My homepage was changed to: res://qhohi.dll/index.html#96676 but if your homepage has been changed to anything like that (res://random.dll/index.html#random number) then I advise you to go to: OR

    I think that the main thing behind it is, But it might be Search-All-Fast, or Search-To-Find. Or, actually, CoolWebSearch.

    Anyway, Good luck.

Thread Status:
Not open for further replies.