Fighting Spyware, Malware and Adware one File at a Time.

SAHAgent

Overview

Summary

 A Winsock 2 Layered Service Provider (LSP) that redirects visits to merchant sites in order to claim the affiliate fees for those visits automatically.

Alias

 Golden Retriever, ShopAtHome, ShopAtHomeSelect

See Also

  FavoriteMan · Grokster · IMesh

Category

 Spyware: Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior. Many spyware products will collect referrer info (information from your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the network to identify your computer), and system information (such as time of visit, type of browser used, the operating system and platform, and CPU speed). Spyware products sometimes wrap other commercial products, and are introduced to machines when those commercial products are installed. See also Adware.

Variants

   ShopAtHomeSelect

Reasons For Retention

 Modifies the LSP stack by inserting additional layers (lsp.dll)
 

Origins

 

Group

 Belcaro Group Inc.

Others By This Group

 ShopAtHomeSelect · ShopAtHomeSelect.com

Mailing Address

 Belcaro Group Inc., 7100 East Belleview Avenue, #305, Greenwood Village, CO 80111

Phone:

 303-843-0302 Fax: 303-843-0377

Email

 privacy@BelcaroGroup.com

URL

 http://www.shopathomeselect.com/

Date of Origin

 Variants from September, 2003 to July, 2005
 

Detection and Removal

Manual Removal

 In Control Panel's Add/Remove Programs, find 'ShopAtHomeSelect Agent'. Use it to remove the software. Reboot.
Once you have uninstalled via Add/Remove Programs, you can clean up by deleting the damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside your 'Downloaded Program Files' folder, the 'SAHUninstall.exe' file in the 'Windows' folder and 'SahAgent.log' in the root of the C: drive.
If the entry for ShopAtHomeSelect remains in your Add/Remove Programs even though the software is uninstalled, you can remove it by opening the registry (Start->Run->regedit) and deleting the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent'.
If the above procedures do not work for any reason, you may remove SAHAgent manually, but at great risk of losing your network and Internet connections.
Open the registry (Start->Open->regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'SAHAgent' entry.
Next, deregister the LSP part of ShopAtHomeSelect. Run 'regedit' and find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9. For each key in Catalog_Entries, open the 'PackedCatalogItem' value and check if it starts with 'lsp.dll'. If it does, delete that entry. Renumber the remaining keys so that they count up from 000000000001 one at a time, and set the 'Num_Catalog_Entries' value in Protocol_Catalog9 to the highest key number you have.
Next, open a DOS command prompt window (from Start->Programs->Accessories) and enter these commands:
cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\WEBinstaller.dll"
cd "..\Downloaded Program Files"
del WEBinstaller.dll
del SAH*.exe
Restart the computer and you should be able to delete the files 'tracking.tmp', 'vg.dat', 'v.dat', 'lsp.dll', 'SahDownloader.exe' and 'SahAgent.exe' from the System folder (inside the Windows folder; called 'System' on Windows 95/98/Me or 'System32' under Windows NT/2000/XP).
You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\VGroup to clean up if you like.
PestPatrol 4.3 provides CleanSAHAgent.exe to perform this removal automatically.
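
The Catalog_Entries cleanup described above, as an added example that is not part of the original page: a Python dry run that works on an in-memory copy of the catalog and reports which keys to delete, how to renumber the rest, and the resulting Num_Catalog_Entries, so the plan can be reviewed before anything is edited. The sample entries are constructed, and matching on the file name at the end of the path (not only the start of the value) is an assumption that goes slightly beyond the text.

```python
import ntpath

# Constructed sample: Catalog_Entries key name -> start of its PackedCatalogItem
# value (provider DLL path, NUL-terminated, followed by binary protocol data).
SAMPLE = {
    "000000000001": b"%SystemRoot%\\system32\\mswsock.dll\x00\x01\x02",
    "000000000002": b"lsp.dll\x00\x01\x02",
    "000000000003": b"%SystemRoot%\\system32\\mswsock.dll\x00\x03\x04",
    "000000000004": b"LSP.DLL\x00\x05\x06",
    "000000000005": b"%SystemRoot%\\system32\\rsvpsp.dll\x00\x07\x08",
}


def provider_path(packed: bytes) -> str:
    """Return the leading NUL-terminated string of a PackedCatalogItem value."""
    return packed.split(b"\x00", 1)[0].decode("ascii", "replace")


def plan_cleanup(entries, dll_name="lsp.dll"):
    """Plan the cleanup without touching the registry.

    Returns (keys_to_delete, renames, num_catalog_entries), where renames is
    an ordered list of (old_key, new_key) pairs.
    """
    to_delete, keep = [], []
    for key in sorted(entries, key=int):
        name = ntpath.basename(provider_path(entries[key])).lower()
        (to_delete if name == dll_name else keep).append(key)

    # Survivors count up from 000000000001. Applying the renames in this
    # order is collision-free: each target is a deleted key or a key that
    # an earlier rename has already moved away.
    renames = []
    for number, old in enumerate(keep, start=1):
        new = f"{number:012d}"
        if new != old:
            renames.append((old, new))
    return to_delete, renames, len(keep)


if __name__ == "__main__":
    delete, renames, count = plan_cleanup(SAMPLE)
    print("delete:", delete)
    for old, new in renames:
        print(f"rename: {old} -> {new}")
    print("Num_Catalog_Entries:", count)
```
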

 Stop Running Processes:

Kill these running processes with Task Manager:



Remove Autorun Reference:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\8e87o9pd, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\9cjqvgcs, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ap9h4qmo, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\gah95on6, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\hpv33bbk, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sahagent, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sahbundle, delete it and reboot the machine immediately.

If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\vig1u9mh.exe, delete it and reboot the machine immediately.



Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:



Clean Registry:

Remove these registry items (if present) with RegEdit:



Remove Files:

Remove these files (if present) with Windows Explorer:



Remove Directories:

Remove these directories (if present) with Windows Explorer:



 
 
2006 © Copyright DatabaseofSpyware.com. All rights reserved.
Another Proud Thor Schrock Development