SAHAgent

Category: Adware and PUA Protection available since: 17 Aug 2005 00:00:00 (GMT)
Type: Unspecified PUA Last updated: 17 Oct 2013 22:44:10 (GMT)

SAHAgent is advertising software which includes functionality to monitor browsing habits and to silently download, install and run new software, including updates of its software.

When SAHAgent is installed the following files are typically created:

\SahAgent.log
\SahAgentH.log
<Temp>\bundle.exe
<Temp>\<variable filename>.sah
<Windows>\SAHUninstall.exe
<Downloaded Program Files>\lsp_.dll
<Downloaded Program Files>\SAHAgent_.exe
<Downloaded Program Files>\SahHtml_.exe
<Downloaded Program Files>\SAHUninstall_.exe
<Downloaded Program Files>\setup.inf
<Downloaded Program Files>\sporder.dll (legitimate DLL)
<Downloaded Program Files>\sporder_.dll (legitimate DLL)
<Downloaded Program Files>\WEBInstaller.dll
<Downloaded Program Files>\xmlparse_.dll
<Downloaded Program Files>\xmltok_.dll
<System>\lsp.dll
<System>\SahAgent.exe
<System>\sahagent?.exe (where ? is a version number)
<System>\SahHtml.exe
<System>\sporder.dll (legitimate DLL)
<System>\v.dat (data file)
<System>\vg.dat (data file)
<System>\vp.dat (data file)
<System>\xmlparse.dll
<System>\xmltok.dll

The following registry entries are created to run SahAgent.exe and bundle.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHAgent
<System>\SahAgent.exe

C:\Windows\System32\SahAgent.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAHBundle
<Temp>\bundle.exe

The file WEBInstaller.dll is registered as a COM object, creating registry entries under:

HKCR\CLSID\(30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2)
HKCR\Interface\(4828C95F-C5DB-4AB6-A945-8D8EC44B98A8)
HKCR\Interface\(4E570F74-DEEE-4FCF-B960-FEEFA4B8C6FC)
HKCR\TypeLib\(CDE442A3-DC2C-467E-A311-B4BC775D86C5)
HKCR\WEBInstaller.execute\
HKCR\WEBInstaller.execute.1\

The file lsp.dll is registered as a layered service provider (LSP), creating and modifying registry entries in the Winsock 2 system configuration database under:

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\

The pathname of lsp.dll may be stored in hexadecimal format, for example:

43 3A 5C 57 49 4E 44 4F 57 53 5C 53 79 73 74 65 6D 33 32 5C 6C 73 70 2E 64 6C 6C

Note: the Winsock 2 database should only be repaired by experienced individuals or under expert guidance.
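
A read-only way to locate such hex-encoded references in an exported copy of the Winsock 2 key, given as an added example that is not part of the original description. The .reg fragment is constructed; the subkey name Protocol_Catalog9\Catalog_Entries and the value name PackedCatalogItem are assumptions not stated on this page, and the first entry's bytes are the example path shown above.

```python
import re

# Constructed sample of a .reg export (assumed subkey and value names).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem"=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,\
  32,5c,6c,73,70,2e,64,6c,6c,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem"=hex:25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,6d,73,77,73,6f,63,6b,2e,64,6c,6c,00,00,00
'''

def decode_hex_values(reg_text):
    """Yield (key, value_name, raw_bytes) for each hex: value in a .reg export."""
    text = re.sub(r'\\\r?\n\s*', '', reg_text)  # join "\"-continued lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=hex(?:\([0-9a-f]+\))?:([0-9a-fA-F,]*)$', line)
        if m:
            yield key, m.group(1), bytes.fromhex(m.group(2).replace(',', ''))

def embedded_paths(blob):
    """Return printable-ASCII runs inside binary data that end in .dll."""
    runs = re.findall(rb'[\x20-\x7e]{6,}', blob)
    return [r.decode('ascii') for r in runs if r.lower().endswith(b'.dll')]

def find_lsp_references(reg_text, dll_name='lsp.dll'):
    """List (key, value_name, path) where the stored path's file name is dll_name."""
    hits = []
    for key, name, blob in decode_hex_values(reg_text):
        for path in embedded_paths(blob):
            # Compare the base name exactly so e.g. "nwlsp.dll" is not flagged.
            if path.lower().rsplit('\\', 1)[-1] == dll_name:
                hits.append((key, name, path))
    return hits

if __name__ == '__main__':
    for key, name, path in find_lsp_references(SAMPLE_REG):
        print(f'{key}\n  {name} -> {path}')
```

The script only reads an export and reports matching entries; it does not modify the Winsock 2 database.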

The standard Microsoft system driver <System>\drivers\ws2ifsl.sys may be registered as a new service (if it is not already registered as a service) named "WS2IFSL", with a display name of "Windows Socket 2.0 Non-IFS Service Provider Support Environment" and a startup type of manual, creating registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL\

This service should not be removed.

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent\
HKLM\SOFTWARE\VGroup\SAHAgent\
HKLM\SOFTWARE\VGroup\SAHPopup\

SAHAgent provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "ShopAtHomeSelect Agent".