SAHAgent





Overview

Summary:

A Winsock 2 Layered Service Provider (LSP) that redirects visits to merchant sites in order to take the affiliate fees from them automatically.

Alias:

Golden Retriever, ShopAtHome, ShopAtHomeSelect

See Also:

FavoriteMan · Grokster · IMesh

Category:

Spyware: Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior. Many spyware products will collect referrer info (information from your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the network to identify your computer), and system information (such as time of visit, type of browser used, the operating system and platform, and CPU speed). Spyware products sometimes wrap other commercial products, and are introduced to machines when those commercial products are installed. See also Adware.

Variants:

  • ShopAtHomeSelect

    Similar Pests:

    Spyware

Origins

    Group:

    Belcaro Group Inc.

    By This Group:

    ShopAtHomeSelect

    Mailing Address:

    Belcaro Group Inc., 7100 East Belleview Avenue, #305, Greenwood Village, CO 80111

    Phone:

    303-843-0302

    Fax:

    303-843-0377

    EMail:

    privacy@BelcaroGroup.com

    URL:

    http://www.shopathomeselect.com/

    Date of Origin:

    September, 2003

Distribution

    Distribution:

    May be bundled with Grokster, IMesh and FavoriteMan, and is also available from www.shopathomeselect.com

    Prevalence:

  • SAHAgent: 240.7%
  • ShopAtHomeSelect: 41.5%

    Clot Factor:

  • SAHAgent: 10
    The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

    Growth:

  • SAHAgent: Insufficient data to report growth
  • ShopAtHomeSelect: Insufficient data to report growth

Operation

    Advertising:

    No.

    Storage Required:

  • SAHAgent: at least 2865 KB
  • ShopAtHomeSelect: at least 873 KB

Risks

    Privacy Issues:

    Yes. Each visit to a merchant site is recorded by ShopAtHomeSelect's servers with a unique ID that could be used to track your browsing habits.

    Privacy Policy:

    "When you first register with ShopAtHomeSelect.com, we ask you to provide your name, date of birth, street address, and E-mail address to determine your eligibility to be a member and to process your "Cash Back" rewards. We also ask for additional optional information on your interests, gender, and occupation. Based on this information, we can better determine what types of merchants and specials to pursue so that you will get the most out of your membership in ShopAtHomeSelect.com. However, you are under no obligation to provide us with this information-it is completely optional.
    "ShopAtHomeSelect.com may also collect certain information online and offline deriving from your navigation of ShopAtHomeSelect.com and our Affiliate Merchants, including but not limited to the number and type of offers you have responded to and completed, so that we can make future relevant and personalized offers to you.
    "ShopAtHomeSelect.com uses cookie technology to understand general information on site traffic trends such as most frequently visited pages or Affiliate Merchants."
    from http://www.shopathomeselect.com/privacy.asp

    Security Issues:

    Yes. Can download and execute arbitrary code from its controlling server, as a silent update feature.

    Stability Issues:

    Yes. May slow Opera or other applications, particularly when accessing its servers.

Detection and Removal

    Caution!!!:

    SAHAgent is a Winsock2 Layered Service Provider. As such, if you merely delete registry entries and files, you stand a good chance of losing your network and Internet connections. Do not attempt to remove manually. Deleting files without carefully repairing the Layered Service Provider Stack in the registry will result in a lost Internet connection.

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.



    Manual Removal:

    In Control Panel's Add/Remove Programs, find 'ShopAtHomeSelect Agent'. Use it to remove the software. Reboot.
    Once you have uninstalled via Add/Remove programs, you can delete the damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside your 'Downloaded Program Files' folder, the 'SAHUninstall.exe' file in the 'Windows' folder and 'SahAgent.log' in the root of the C: drive to clean up.
    If the entry for ShopAtHomeSelect remains in your Add/Remove Programs even though the software is uninstalled, you can remove it by opening the registry (Start->Run->regedit) and deleting the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent'.
    If the above procedures do not work for any reason, you may remove SAHAgent manually, but at great risk of losing your network and Internet connections.
    Open the registry (Start->Open->regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'SAHAgent' entry.
    Next, deregister the LSP part of ShopAtHomeSelect. Run 'regedit' and find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9. For each key in Catalog_Entries, open the 'PackedCatalogItem' value and check if it starts with 'lsp.dll'. If it does, delete that entry. Renumber the remaining keys so that they count up from 000000000001 one at a time, and set the 'Num_Catalog_Entries' value in Protocol_Catalog9 to the highest key number you have.
    Next, open a DOS command prompt window (from Start->Programs->Accessories) and enter these commands:
    cd "%WinDir%\System"
    regsvr32 /u "..\Downloaded Program Files\WEBinstaller.dll"
    cd "..\Downloaded Program Files"
    del WEBinstaller.dll
    del SAH*.exe
    Restart the computer and you should be able to delete the files 'tracking.tmp', 'vg.dat', 'v.dat', 'lsp.dll', 'SahDownloader.exe' and 'SahAgent.exe' from the System folder (inside the Windows folder; called 'System' on Windows 95/98/Me or 'System32' under Windows NT/2000/XP).
    You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\VGroup to clean up if you like. PestPatrol 4.3 provides CleanSAHAgent.exe to perform this removal automatically.
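
The Catalog_Entries check and renumbering described in the manual removal steps above, as an added example (not PestPatrol's code and not part of the original page): a read-only planner that works on exported values rather than the live registry and reports which keys to delete, how to renumber the rest, and the resulting 'Num_Catalog_Entries'. It assumes each 'PackedCatalogItem' begins with the provider DLL path as a NUL-terminated ANSI string and matches on the file name, which is slightly broader than the page's "starts with 'lsp.dll'"; the function names and sample entries are constructed for illustration.

```python
# Read-only audit of exported Winsock2 Catalog_Entries values (added example).

def provider_path(packed: bytes) -> str:
    # Assumption: PackedCatalogItem begins with the provider DLL path as a
    # NUL-terminated ANSI string, followed by binary protocol data.
    return packed.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def is_lsp_dll(packed: bytes) -> bool:
    # Match on the file name, case-insensitively, so a bare 'lsp.dll' and a
    # full path ending in \lsp.dll are both flagged.
    name = provider_path(packed).replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == "lsp.dll"

def plan_repair(entries: dict) -> dict:
    """entries maps Catalog_Entries key names to PackedCatalogItem bytes."""
    ordered = sorted(entries)  # 12-digit names sort numerically
    delete = [k for k in ordered if is_lsp_dll(entries[k])]
    keep = [k for k in ordered if k not in delete]
    # Survivors must count up from 000000000001 with no gaps. Applying the
    # renames in ascending order never collides with a key still in use.
    rename = {}
    for i, old in enumerate(keep, start=1):
        new = f"{i:012d}"
        if new != old:
            rename[old] = new
    return {"delete": delete, "rename": rename, "num_catalog_entries": len(keep)}

def _item(path: str) -> bytes:
    # Constructed stand-in for a real value: path, NUL, then filler bytes.
    return path.encode("ascii") + b"\x00" + bytes(32)

# Constructed sample catalog, not taken from a real machine.
SAMPLE = {
    "000000000001": _item("lsp.dll"),
    "000000000002": _item("%SystemRoot%\\system32\\mswsock.dll"),
    "000000000003": _item("C:\\WINDOWS\\System32\\LSP.DLL"),
    "000000000004": _item("%SystemRoot%\\system32\\mswsock.dll"),
    "000000000005": _item("%SystemRoot%\\system32\\mswsock.dll"),
}

if __name__ == "__main__":
    plan = plan_repair(SAMPLE)
    print("delete:", plan["delete"])
    for old, new in plan["rename"].items():
        print("rename:", old, "->", new)
    print("Num_Catalog_Entries =", plan["num_catalog_entries"])
```

Comparing the plan against a saved export of Protocol_Catalog9 before touching the registry gives a record to restore from if the network stack stops working.
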
    Stop Running Processes:

    Kill these running processes with Task Manager:

    Remove AutoRun Reference:

    Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ap9h4qmo, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\gah95on6, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sahagent, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sahbundle, delete it and reboot the machine immediately.



    Unregister DLLs:

    Unregister these DLLs with Regsvr32, then reboot:

    Clean Registry:

    Remove these registry items (if present) with RegEdit:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

Research

    File Analyses:

    Research By:

  • Andrew Clover
  • PestPatrol's Pest Research Center

    Last Revised:

    April 04, 2005