Hello, I still have a computer bug. I have a P4 running XP. My
Internet privacy is set on high, yet every time I log onto the
Internet, my home page is changed from google.com (which I want!) to
this irritating page--

res://mshp.dll/index.html#37049

What is this site, how did it infect my computer, and how do I get rid
of it please?!!  No matter how many times I make google my choice as
my homepage, this site above changes my settings -- with popups
galore, etc.

Please help me kill this evil site.  I wrote to them and they have
ignored me.  Thanks from a loyal, broke google fan!

Hi soulnsea, 

I found the answer to your problem in a discussion forum here:
http://forums.techguy.org/showthread.php?threadid=203900&ef3754c04f2df9cfcdcee411ebe49a02
and I've taken the pertinent information and provided some updated
links to software below.

It appears that you have been hit by the CoolWebSearch hijacker.  You
can download the CoolWebShredder that should fix this problem here:
http://www.spychecker.com/program/coolwebshredder.html

Once you run that you should go to the Microsoft Windows Update page
and download all the critical updates.  This should fix the
vulnerability with the Java VM that allowed this to install itself in
your system.

You should also then run HijackThis, available here:
http://www.spychecker.com/program/hijackthis.html and scan your system
for any plugins installed in your Internet Explorer.  Make sure to
check off these entries for fixing, and then click the Fix Checked
button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://mshp.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://mshp.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
res://mshp.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://mshp.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= res://mshp.dll/sp.html#37049

O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents
and Settings\Jan Russell\Application Data\sysdt\sysdt32.dll

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} -
C:\Documents and Settings\Jan Russell\Application
Data\sysdt\mssearch.dll

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} -
C:\Documents and Settings\Jan Russell\Application
Data\sysdt\msiesh.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: VPN Client.lnk = ?

Once you've done that, delete this folder: C:\Documents and
Settings\[Your User Name]\Application Data\sysdt

You should then run AdAware available here:
http://www.lavasoftusa.com/support/download/ to find any other things
lurking in your system.

Finally, just to be really sure you're clean, you should run SpyBot
available here: http://tomcoyote.com/SPYBOT/index1.php to check for
problems.  Remove anything marked in red.

That should fix things for you.

Good luck,

Hibiscus

---

Request for Answer Clarification by soulnsea-ga on 16 Apr 2004 23:45 PDT

Dear Hibiscus (the Hawaiian state flower):

You are the bomb. No, you are a big King Kamehameha Bomb (this is good
thing)!  My google.com homepage has returned!!  Thank you!!  But now a
simple question please.  In following your complete instructions, I
went to the site below to remove java VM from my PC running XP. So how
do I find these "following items" and how do I delete them?  The
author offers no instrucions here.  I have already downloaded Sun's
java update, I hope this is okay.  Thanks again, er, Mahalo!  GF

"After the machine restarts, delete the following items: 
the \%systemroot%\java folder 
java.pnf from the \%systemroot%\inf folder 
jview.exe and wjview.exe from the \%systemroot%\system32 folder 
The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM registry subkey 
The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\AdvancedOptions\JAVA_VM registry subkey (to remove the
Microsoft Internet Explorer (IE) options)"

---

Clarification of Answer by hibiscus-ga on 17 Apr 2004 16:50 PDT

Hi again, or maybe Aloha would be better,

The \%systemroot%\ folder is just the folder where your Windows is
installed.  Usually that's c:\Windows\

The keys you need to delete are in the registry.  You'll need to use
regedit to remove them.  Click Start -> Run and then type 'regedit'
(no quotes) and hit enter.  You'll see HKEY_LOCAL_MACHINE with a small
plus beside it.  Click that and it expands out into a big list of what
appear to be folders.  Clicking the plusses expands out the
sub-folders and eventually you'll get to the keys you're looking for. 
Then just select the key and hit the delete button and you're set.

I'm glad this has helped you out.

Hibiscus

Thank you, thank you for helping me get rid of coolwebsearch.    Thank
you, thank you.

Hello Again:

The spyware program has returned.  It's worse than ever now. It
continually makes my homepage:

res://inayu.dll/index.html#37680

It's been here for almost 2 weeks. My computer is very slow now,
freezes, can't keep Google as my home page, etc.  I've tried
everything to fix this. New AdAware, new Spybot, amd CW Shredder.  I
even purchased the newest Norton AntiVirus. But still I get this on
every re-boot -- 10 entries to fix on HiJackThis, plus AdAware always
finds 7-10 problems on every re-start.

In desperation, I paid $39.95 to some ripoff company called XoftSpy. 
They took my money then sent me an email that said they would get back
to me when they could solve the problem -- this was over a week ago.

Here's a typical HiJAckThis report:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system32\inayu.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://inayu.dll/index.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
res://inayu.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system32\inayu.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://inayu.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= res://C:\WINDOWS\system32\inayu.dll/sp.html#37680
O2 - BHO: (no name) - {0B1BB08E-50CD-5561-D255-BD8ED1F5FD01} -
C:\WINDOWS\addfj32.dll
O4 - HKLM\..\Run: [sdkyv.exe] C:\WINDOWS\system32\sdkyv.exe

Sorry for the long message.  You guys have been great.  Please help! 
I had to kill my card information after the XoftSpy ripoff.  Tell me
how to pay for your service please in a secure format.  I'm concerned
my computer security is breached.

Thank you,

GF

Hi Soulnsea, 

To answer the last part of your question first, in order to pay for
Google Answers you do require a valid credit card. If you have
cancelled your card you will need to get a new credit card in order to
pay for the service.  The payment process is secure, with encryption
used on the credit card information page, but if you're very concerned
about software on your computer stealing your card information you
might want to post your question using a different computer.

In the mean time I can offer two quick suggestions to you.  First, use
regedit to go to the
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run and
delete the registry entry for this sdkyv.exe program.  This may fix
the problem (though it may be more complicated).

Second, regardless of whether that works, you may wish to stop using
Internet Explorer.  It's quite prone to this sort of thing.  You may
want to download Mozilla or Mozilla Firefox from
http://www.mozilla.org/ .  Firefox (the stripped down version of
Mozilla) is very fast, very small, and works much better than IE
generally.

If this doesn't solve your problem you should post another question. 
But, as I say, you'll need a valid credit card to do so.

Hibiscus