Spyware – Win32.ShopAtHome

Win32.ShopAtHome Spyware Description

ShopAtHome is spyware that redirects your web browser and monitors your web browsing history and online purchases. It also goes by the names Golden Retriever and Select Rebates, and it attempts to convince the user to buy products from affiliated websites through the Shop At Home portal. Users generally sign up for the ShopAtHome service manually and install the spyware knowingly.


Win32.ShopAtHome Malware Payload

ShopAtHome spyware installs itself in the Winsock layer of the computer's operating system and redirects the computer's Internet traffic through the Shop At Home website. Shop At Home assigns a customer ID that is used to track your surfing history, and the information is sent back to Shop At Home servers without your permission. It has also been known to update itself and to install other programs and files on computers without user permission.

Win32.ShopAtHome Spyware Processes and Files

ShopAtHome Spyware is installed through an ActiveX download session from the ShopAtHome website but can also be bundled with other Adware. The following system changes will occur to your computer once ShopAtHome is installed:

- Creates a folder
<system folder>\sahimages

- Installs the following files:
%windir%\downloaded program files\bunsetup.cab
%temp%\bundletracking.asp
%temp%\bundle.exe
binsttmp.tmp
1239bkpt.dll
bundlep.exe
bundle.txt
bundletracking.asp
(cookie files)
ap1001.sah
bundlep_ap1001.cab

- Modifies the registry by adding the following entries, whose values reference one of the executable files installed on the computer:
SAHBundle
q2iulfjv
SAHAgent
within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SAHAgent
within subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

- Adds registry keys with values into the registry hive HKEY_CLASSES_ROOT:
..\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}
..\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}

- Adds registry keys with values into the registry hive HKEY_CURRENT_USER:
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent          
..\Software\Classes\WEBInstaller.execute               
..\Software\Classes\WEBInstaller.execute.1               
..\Software\Classes\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}

- Adds registry keys with values into the registry hive HKEY_LOCAL_MACHINE:
..\Software\Classes\CLSID\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Classes\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}              
..\Software\Classes\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}              
..\Software\Classes\WEBInstaller.execute               
..\Software\Classes\WEBInstaller.execute.1 
..\Software\Microsoft\Code Store Database\Distribution Units\
 {E9670165-86FE-4C34-8C4B-D3158DDC5D92}
 {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}
 {30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\f3uor8hs
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\shopathomeselect agent
..\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\
 <path>/xmltok_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}               
 <path>/xmlparse_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}               
 <path>/webinstaller.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}               
 <path>/sahuninstall_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}               
 <path>/sahdownloader_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}               
 <path>/sahagent_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}               
 <path>/lsp_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\VGroup               
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent               
..\Software\Winsock2\Layered Provider Sample
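
The registry changes listed above can be checked offline against a text export of a suspect machine's registry. The following is an added example, not part of the original write-up or any vendor tool: it scans "reg export" style text for the Run values and a subset of the keys named on this page. The function name, the sample export and the file paths in it are constructed for illustration, and the sketch assumes the Run value names may appear under either Run key.

```python
import re

# Indicators copied from the lists above, lower-cased; only a subset of the keys.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUES = {"sahbundle", "q2iulfjv", "sahagent"}
KEY_PATHS = [
    r"software\vgroup", r"software\winsock2\layered provider sample",
    r"classes\webinstaller.execute", r"classes\webinstaller.execute.1",
    r"clsid\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}",
    r"clsid\{c0ef89ee-eec7-4535-a041-f1ebf79560a7}",
    r"uninstall\shopathomeselect agent", r"uninstall\f3uor8hs",
]

# Constructed sample in "reg export" text format, not from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SAHAgent"="C:\\WINDOWS\\example.exe"
"UnrelatedTool"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_CURRENT_USER\Software\VGroup\SAHPopup]
"Example"=dword:00000001

[HKEY_CURRENT_USER\Software\VGroupX]
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')  # matches "name"=data

def scan_reg_export(text):
    """Return sorted (kind, key, value_name) hits for the indicators above."""
    hits, key = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Pad with separators so only whole path components match.
            padded = "\\" + key.lower() + "\\"
            if any("\\" + p + "\\" in padded for p in KEY_PATHS):
                hits.add(("key", key, ""))
            continue
        m = VALUE_LINE.match(line)
        if m and key and key.lower().endswith("\\" + RUN_KEY):
            if m.group(1).lower() in RUN_VALUES:
                hits.add(("run-value", key, m.group(1)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_EXPORT):
        print(hit)
```

Files written by reg.exe export are UTF-16, so read them with encoding="utf-16" before passing the text to scan_reg_export.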

ShopAtHome Spyware Basic Removal Steps

Win32.ShopAtHome can sometimes be manually removed from your computer using the "Add/Remove Programs" feature in Microsoft Windows. The EULA for the Shop At Home service states that if you use a tool, the program may not be fully removed. The majority of spyware removal and anti-virus tools, however, can remove ShopAtHome spyware.
