Parasite: ShopAtHomeSelect

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description
ShopAtHomeSelect is a Winsock 2 Layered Service Provider that redirects visits to merchant sites in order to take the affiliate fees from them automatically.

Also known as
Golden Retriever.

Distribution
Bundled with Grokster (around the start of 2003) and iMesh 4. Also installed by the FavoriteMan parasite from May 2003.

What it does

Advertising: No.

Privacy violation: Yes. Each visit to a merchant site is recorded by ShopAtHomeSelect’s servers with a unique ID that could be used to track browsing habits.

Security issues: Yes. The software can download and execute arbitrary code from its controlling servers at shopathomeselect.com and gr3.cc, as a silent update feature.

Stability problems: On testing, seemed to cause Opera to run quite slowly. Would occasionally make the desktop show an hourglass pointer for a while when accessing its servers.

Removal
There should be an entry in the Control Panel’s Add/Remove Programs entry for ‘ShopAtHomeSelect Agent’. Use it to remove the software then restart the computer.

You can delete the damaged ‘{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}’ entry inside the ‘Downloaded Program Files’ folder, the ‘SAHUninstall.exe’ file in the ‘Windows’ folder and ‘SahAgent.log’ in the root of the C: drive to clean up if you like.

If the entry for ShopAtHomeSelect remains in your Add/Remove Programs even though the software is uninstalled, you can get rid of it by opening the registry (Start->Run->regedit) and deleting the key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent’.

Manual removal
As with all software that uses Winsock2 LSPs, you should be very careful removing ShopAtHomeSelect by hand: if you slip up you may lose all networking ability.

First, open the registry (Start->Open->regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run . Delete the ‘SAHAgent’ entry.

Next, deregister the LSP part of ShopAtHomeSelect. The easiest way to do this is to use a tool such as LSPFix. Tell it to ‘Remove’ lsp.dll and ‘Keep’ the rest.

(It is possible to remove LSPs by hand by editing the registry, but it’s quite a bit of effort and it’s easy to make a mistake. If you want to try anyway, run ‘regedit’ and find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 . For each key in Catalog_Entries, open the ‘PackedCatalogItem’ value and check if it starts with ‘lsp.dll’. If it does delete that entry. Renumber the remaining keys so that they count up from 000000000001 one at a time, and set the ‘Num_Catalog_Entries’ value in Protocol_Catalog9 to the highest key number you have. See, I told you it was a lot of effort.)

Next, open a DOS command prompt window (from Start->Programs->Accessories) and enter the commands:

    cd "%WinDir%\System"

Restart the computer and you should be able to delete the files ‘tracking.tmp’, ‘vg.dat’, ‘v.dat’, ‘lsp.dll’, ‘SahDownloader.exe’ and ‘SahAgent.exe’ from the System folder (inside the Windows folder; called ‘System’ on Windows 95/98/Me or ‘System32’ under Windows NT/2000/XP).

You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\VGroup to clean up if you like.

Links
ShopAtHomeSelect official site.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.
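
The by-hand LSP cleanup described under Manual removal (find the Catalog_Entries keys whose PackedCatalogItem starts with ‘lsp.dll’, delete them, renumber the rest, set Num_Catalog_Entries) can be rehearsed as a dry run before the registry is touched. The following is an added example, not part of the original record or of Andrew Clover's detection script; it assumes the provider path sits in a NUL-padded 260-byte field at the start of PackedCatalogItem, the function names are hypothetical, and the sample entries are constructed.

```python
# Added example: dry-run planner for the by-hand LSP cleanup. It only reads the
# data it is given and never modifies the registry.
MAX_PATH = 260  # assumption: PackedCatalogItem starts with a NUL-padded path field

def provider_path(packed: bytes) -> str:
    """Return the provider DLL path stored at the start of a PackedCatalogItem."""
    return packed[:MAX_PATH].split(b"\x00", 1)[0].decode("ascii", "replace")

def plan_cleanup(entries: dict, bad_dll: str = "lsp.dll") -> dict:
    """entries maps 12-digit Catalog_Entries key names to PackedCatalogItem bytes."""
    remove, rename, next_no = [], {}, 1
    for key in sorted(entries):
        # Case-insensitive match is an assumption (Windows file names ignore case).
        if provider_path(entries[key]).lower().startswith(bad_dll.lower()):
            remove.append(key)
            continue
        new_key = f"{next_no:012d}"
        if new_key != key:
            # new_key <= key always holds, so applying the renames in ascending
            # order (after the deletions) never collides with an existing key.
            rename[key] = new_key
        next_no += 1
    kept = next_no - 1
    return {
        "remove": remove,
        "rename": rename,
        "num_catalog_entries": kept,
        # An empty catalog means no network providers at all: stop and recheck.
        "leaves_providers": kept > 0,
    }

def _packed(path: str) -> bytes:
    # Constructed sample value: path field plus dummy bytes for the remainder.
    return path.encode("ascii").ljust(MAX_PATH, b"\x00") + b"\x00" * 16

# Constructed sample catalog: two ShopAtHomeSelect entries among system ones.
SAMPLE = {
    "000000000001": _packed("lsp.dll"),
    "000000000002": _packed(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000003": _packed("lsp.dll"),
    "000000000004": _packed(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000005": _packed(r"%SystemRoot%\system32\mswsock.dll"),
}

if __name__ == "__main__":
    for step, value in plan_cleanup(SAMPLE).items():
        print(step, value)
```

Comparing the printed plan with what LSPFix proposes to ‘Remove’ and ‘Keep’ is a quick cross-check before any key is deleted.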