Win32.ShopAtHome Spyware Description
Shop at Home is a version of Spyware that redirects your web browser as well as monitors your Web Browsing history and online purchases. Shop At Home also goes by the names, Golden Retriever and Select Rebates and attempts to convince the user to buy products directly through affiliated websites through the Shop At Home portal. User’s generally sign up for the ShopAtHome service manually and install the Spyware knowingly.
Win32.ShopAtHome MalwarePayload
ShopAtHome Spyware will install itself in the Winsock layer of your computer’s operating system and redirects the computer’s Internet traffic through the Shop At Home website. There will be a customer ID assigned by Shop At Home that will be used to track your surfing history and sends the information back to Shop At Home servers without your permission. It has also been known to update itself and install other programs and files on computers without user permission.
Win32.ShopAtHome Spyware Processes and Files
ShopAtHome Spyware is installed through an ActiveX download session from the ShopAtHome website but can also be bundled with other Adware. The following system changes will occur to your computer once ShopAtHome is installed:
- Creates a folder
<system folder>\sahimages
- Installs the following files:
%windir%\downloaded program files\ bunsetup.cab
%temp%\bundletracking.asp
%temp%\bundle.exe
binsttmp.tmp
1239bkpt.dll
bundlep.exe
bundle.txt
bundletracking.asp
(cookie files)
ap1001.sah
bundlep_ap1001.cab
- Modifies your computer’s registry with the following keys with the values referencing one of the executable files installed on the computer:
-SAHBundle
-q2iulfjv
-SAHAgent
Within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
-SAHAgent
Within subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
-Adds registry keys with values into the registry hive HKEY_CLASSES_ROOT:
..\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}
..\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
-Adds registry keys with values into the registry hive HKEY_CURRENT_USER:
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent
..\Software\Classes\WEBInstaller.execute
..\Software\Classes\WEBInstaller.execute.1
..\Software\Classes\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}
-Adds registry keys with values into the registry hive HKEY_LOCAL_MACHINE:
..\Software\Classes\CLSID\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Classes\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Software\Classes\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
..\Software\Classes\WEBInstaller.execute
..\Software\Classes\WEBInstaller.execute.1
..\Software\Microsoft\Code Store Database\Distribution Units\
{E9670165-86FE-4C34-8C4B-D3158DDC5D92}
{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}
{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\f3uor8hs
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\shopathomeselect agent
..\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\
<path>/xmltok_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/xmlparse_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/webinstaller.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/sahuninstall_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/sahdownloader_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/sahagent_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/lsp_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\VGroup
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Winsock2\Layered Provider Sample
ShopAtHome Spyware Basic Removal Steps
Win32.ShopAtHome can sometimes be manually removed from your computer using the “Add/Remove” programs feature in Microsoft Windows. The EULA for the Shop At Home Service states that if you use a tool, the program may not be fully removed. The majority of spyware removal and anti-virus tools, however, can remove Shop At Home Spyware.
Click here for automatic removal instructions for removing the ShopAtHome Spyware.
No related posts.
Related posts brought to you by Yet Another Related Posts Plugin.
ShopAtHome.com’s toolbar is tested weekly with more that 20 security software packages. None of these packages considers the ShopAtHome.com Toolbar to be spyware and the toolbar is white-listed with these security software companies. For a complete list of security software packages that the ShopAtHome.com toolbar is tested with, please send your request via email to Service@ShopAtHome.com.
While millions of ShopAtHome.com customers safely enjoy the benefits of the toolbar (alerts of cash back, coupons, and other money saving opportunities), we realize that the toolbar is not for everyone, which is why we make it easy to remove. Using the Select Rebates uninstaller is the safest and cleanest way to completely remove the toolbar. Simply go to the Add/Remove Software area of the Control Panel in Windows OS, click on Select Rebates from the list of installed software, click remove. We DO NOT recommend using a 3rd party tool to remove the toolbar as unpredictable result may occur.
Please also see this (lengthy) forum post on myWot.com regarding the ShopAtHome.com: http://www.mywot.com/en/forum/7196-shopathome-com-wants-you
If you have questions or concerns about the ShopAtHome.com or the ShopAtHome.com toolbar, please feel free to contact us: Service@ShopAtHome.com.
Thanks for the great feedback and update.