The Malware Dictionary

The Latest Computer Adware, Spyware, and Virus Info!

Spyware – Win32.ShopAtHome


Win32.ShopAtHome Spyware Description

Shop At Home is a type of spyware that redirects your web browser and monitors your web browsing history and online purchases. Shop At Home also goes by the names Golden Retriever and Select Rebates, and attempts to convince the user to buy products from affiliated websites through the Shop At Home portal. Users generally sign up for the ShopAtHome service manually and install the spyware knowingly.


Win32.ShopAtHome Malware Payload

ShopAtHome Spyware installs itself in the Winsock layer of your computer's operating system and redirects the computer's Internet traffic through the Shop At Home website. Shop At Home assigns a customer ID that is used to track your surfing history, and the information is sent back to Shop At Home servers without your permission. It has also been known to update itself and install other programs and files on computers without user permission.

Win32.ShopAtHome Spyware Processes and Files

ShopAtHome Spyware is installed through an ActiveX download session from the ShopAtHome website, but it can also be bundled with other adware. The following system changes occur once ShopAtHome is installed:

- Creates a folder:
<system folder>\sahimages

- Installs the following files:
%windir%\downloaded program files\bunsetup.cab
%temp%\bundletracking.asp
%temp%\bundle.exe
binsttmp.tmp
1239bkpt.dll
bundlep.exe
bundle.txt
bundletracking.asp
(cookie files)
ap1001.sah
bundlep_ap1001.cab

- Adds the following registry values, each referencing one of the executable files installed on the computer:
SAHBundle
q2iulfjv
SAHAgent
Within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SAHAgent
Within subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

- Adds registry keys with values into the registry hive HKEY_CLASSES_ROOT:
..\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}
..\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}

- Adds registry keys with values into the registry hive HKEY_CURRENT_USER:
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent
..\Software\Classes\WEBInstaller.execute
..\Software\Classes\WEBInstaller.execute.1
..\Software\Classes\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}

- Adds registry keys with values into the registry hive HKEY_LOCAL_MACHINE:
..\Software\Classes\CLSID\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Classes\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Software\Classes\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
..\Software\Classes\WEBInstaller.execute
..\Software\Classes\WEBInstaller.execute.1
..\Software\Microsoft\Code Store Database\Distribution Units\
 {E9670165-86FE-4C34-8C4B-D3158DDC5D92}
 {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}
 {30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\f3uor8hs
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\shopathomeselect agent
..\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\
 <path>/xmltok_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
 <path>/xmlparse_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
 <path>/webinstaller.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
 <path>/sahuninstall_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
 <path>/sahdownloader_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
 <path>/sahagent_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
 <path>/lsp_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\VGroup
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Winsock2\Layered Provider Sample
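
To check a machine against the registry indicators listed above, the following added example (not part of the original article) scans the text of a `.reg` export for a subset of them. It assumes the standard `.reg` text format, flags the three Run value names in either hive as a deliberate broadening, and uses a constructed sample export with placeholder paths.

```python
import re

# Indicators taken from the list above. Registry names are case-insensitive
# (the page shows the same CLSID in both cases), so compare lower-cased.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"sahbundle", "q2iulfjv", "sahagent"}  # flagged in either hive
KEY_INDICATORS = [
    r"software\vgroup",
    r"software\winsock2\layered provider sample",
    r"software\classes\clsid\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}",
    r"software\classes\webinstaller.execute",
    r"currentversion\uninstall\shopathomeselect agent",
]

def scan_reg_export(text):
    """Return (kind, detail) hits found in the text of a .reg export."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-"):          # "[-KEY]" deletes a key: not present
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            padded = key.lower() + "\\"    # trailing "\" anchors whole components
            if any("\\" + ind + "\\" in padded for ind in KEY_INDICATORS):
                hits.append(("key", key))
        elif key and key.lower().endswith(RUN_KEY):
            m = re.match(r'"([^"]+)"=', line)
            if m and m.group(1).lower() in RUN_VALUES:
                hits.append(("run-value", m.group(1)))
    return hits

# Constructed sample export (not from a real machine); paths are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"q2iulfjv"="C:\\placeholder\\example.exe"
"ExampleUpdater"="C:\\placeholder\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}]

[HKEY_CURRENT_USER\Software\VGroup\SAHPopup]

[HKEY_CURRENT_USER\Software\VGroupware]
'''

if __name__ == "__main__":
    for kind, detail in scan_reg_export(SAMPLE):
        print(f"{kind}: {detail}")
```

Exports written by `reg export` or regedit are normally UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in. The unrelated `VGroupware` key in the sample is not flagged because indicators are matched on whole path components.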

ShopAtHome Spyware Basic Removal Steps

Win32.ShopAtHome can sometimes be manually removed from your computer using the "Add/Remove Programs" feature in Microsoft Windows. The EULA for the Shop At Home service states that if you use a tool, the program may not be fully removed. The majority of spyware removal and anti-virus tools, however, can remove Shop At Home Spyware.


© 2009 The Malware Dictionary. All Rights Reserved.
