
SAH Agent

Discussion in 'Virus & Other Malware Removal' started by kat7, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. kat7

    kat7 Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    2
    For 2 days I have been struggling with this darn program. I have read every post on this site and downloaded so much software that DID NOT work.

    I have always run Zone Alarm and EZ-Trust Antivirus ... so much for being protected.

    From what I understand, each time the program is deleted it replicates itself and then changes its file names, etc.

    I stumbled onto the information quite by accident, with information provided on another site. Someone gave a list of files and simply said to delete them.
    I tried and could not.
    List below:

    sahAgent.exe
    sahAgent.exe Class.ocx
    WEBinstaller.dll
    SahDownloader.exe
    NSupd9x.inf
    SahAgent.log
    tracking.tmp
    vg.dat
    v.dat
    Software Update Manager
    xmlparse.dll
    xmltok.dll
    xmlparse.dll
    xmltok.dll


    Reg keys:
    sahagent
    vgroup
    shopathomeselect agent

    In order to find where these files were I ran a file search ... I started with WEBInstaller.dll

    Start ... Search ... files and folders ... I checked my drive and "show hidden files". The search not only showed me the location of the dll file, but it gave me a number of ini files (about 7, as I recall). When I double-clicked one from inside the search, it allowed me to open the file in Word. There I noticed what appears to be a file that instructs this script to run and replicate itself. I will post a copy of the original below.

    I have tried to delete all of the files but so far I have not been able to do that.
    I did open the last ini file posted (all seemed to be the same) in notepad. There I screwed it up the best I could. :D
    I changed the dates when it was supposed to update itself to about 50 years in the future. I changed the addresses that it was to access to update itself. I changed whatever I thought might screw up its update process. Then I simply saved that file where it was located.

    I set the area that said:

    UnInstallExecute=disable
    UnInstallRequest=disable

    to enable ... that did allow me to run the uninstall file named:
    SAHUninstall=70tovmto.exe ... in my case without the junk which would not let me do it at all before.

    Here is the ini file as it was originally generated ... perhaps someone else can help in figuring out what all of this means and who the piece of crap belongs to. After I run the uninstall 70tovmto.exe and it reinstalls itself, the ini files seem to remain as I changed them. So maybe I cannot delete it, but perhaps it is severely screwed up so it cannot function properly.
    -----------------------
    gah95on6.txt

    [Files]
    SAHAgent=gah95on6.exe
    SahHtml=bln02nqv.exe
    SAHUninstall=70tovmto.exe
    lsp=2b3fsk0h.dll
    WEBInstaller=WEBInstaller.dll
    v=tm97pj39.dat
    vg=kdlmjh8r.dat
    vp=p1fumi62.dat
    vu=goreggbk.dat
    vh=b315cfed.dat
    sporder=sporder.dll
    lsp_setup=upgrade.exe
    [SAHAgent]
    PrefsServer=www.shopathomeselect.com
    PrefsXML=/agent/agentprefs.sah
    RenameFiles=no
    FileSahAgent=gah95on6
    FileSahHtml=bln02nqv
    FileSahUnInstall=70tovmto
    FileLsp=2b3fsk0h
    FileV=tm97pj39
    FileVP=p1fumi62
    FileVG=kdlmjh8r
    FileVU=goreggbk
    FileVH=b315cfed
    WebInstall=no
    DllName=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\84OPELPI.dll
    HtmlName=C:\WINDOWS\system32\qddkqa1q.html
    EulaDate=2005-02-12 07:34:59
    EulaStatus=Displayed4002b
    InstallLocation=downloads.shopathomeselect.com
    InstPath=cdt/
    BundleKey=cdt1004.sah
    PackageLocation=downloads.shopathomeselect.com
    PackageName=/v4001/bunSetup.cab
    PrefsPath=agent/
    BundlePackage=setup4002b.cab
    iniName=setup4002b.ini
    CookieUserAgent=iexplorer
    BrowserType=Bundle
    BundleProgress=3
    UniqueBundleKey=owner=cdt1004
    UniqueBundleID=refer=340404205
    GUID=GUID={624C4AD5-ABC3-4555-A418-104720B19F89}
    LSPInstallNeed=yes
    ReadyToInstall=complete
    BundleInstall=installing
    AgentVersion=4.0.0.1
    AutoUpdate=
    CreateDate=2005-02-12
    UnInstallExecute=disable
    UnInstallRequest=disable
    DateToSendNextHeartbeat=2005-02-26 07:36:29
    DateOfCheckForNewValidate=2005-02-26 07:36:29
    LastPrefs=Thu, 10 Feb 2005 21:37:36 GMT
    LastValid=Thu, 10 Feb 2005 21:37:39 GMT
    LastGlobal=Thu, 10 Feb 2005 21:57:39 GMT
    Download=
    DateToCheckForNewUpdate=2005-02-26 07:36:29
    RetryModeFinish=
    ValidateXMLversion={7350A081-09F4-4978-94F1-5FB7BC3D7D1E}
    ValidatePath=/agent/validate.sah
    TemplatePath=
    Images=/images/mrchntimages/
    PopupCloseButton=close.gif
    PopupDefaultImage=popupDefault.gif
    RedirectTo=http://www.shopathomeselect.com/frameset.asp
    Categories=
    Popup=
    LSPVersion=4.0.0.1
    GlobalPath=/agent/global.sah
    SiteNotAvailablePeriod=10
    ResponseTime=20
    SuppressTimeout=10
    RetryDays=5
    PrefsXMLversion={7350A081-09F4-4978-94F1-5FB7BC3D7D1E}
    Suppress1=afsrc=1
    Suppress2=unused suppress string 2
    IncUpdateEnabled=no
    SearchEngineEnabled=no
    SearchPopunderCount=2
    ServiceDomain=gr1.cc
    ServicePath=s.dll
    NumberOfDaysNextHearbeart=14
    NumberOfDaysNextValidate=14
    NumberOfDaysNextUpdate=14
    validate=Y
    validateURL=www.shopathomeselect.com/agent/
    update=N
    updateURL=downloads.shopathomeselect.com/v4001/bunSetup.cab
    LspSetupName=lsp_setup.exe
    Country=none
    GlobalXMLversion={7350A081-09F4-4978-94F1-5FB7BC3D7D1E}
    AttemptDownloadPrefs=ok
    SiteNotAvailableCounter=0
    [SAHPopup]
    main=65914

    If anyone has any further suggestions other than those already posted on this site I would be interested to hear.
     
  2. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
  3. kat7

    kat7 Thread Starter

    Joined:
    Feb 14, 2005
    Messages:
    2
    Panda won't work; it gives an error.
    Housecall finds no virus.

    Here is the log file

    Logfile of HijackThis v1.99.0
    Scan saved at 8:44:11 AM, on 2/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Picasa\PicasaMediaDetector.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\WINDOWS\system32\gah95on6.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\MightyFax\MFNTCTL.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\Spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kats-korner.com/frontpage.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
    O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\MightyFax\MFNTCTL.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
    O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
    O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\SWMSIE~1.EXE
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kats-korner.com/wfplayer/tdserver.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094666077859
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
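One way to use the posted ini file and HijackThis log together, as an added defensive example that is not part of this thread or of any tool mentioned in it: parse the [Files] section to recover the randomised artefact names, check the two uninstall-lock flags the poster describes, and look for those names in the "Running processes" and O4 Run entries of the log. The ini and log text below are trimmed excerpts of what was posted above.

```python
import configparser
# Excerpts of the ini file and HijackThis log posted in this thread (trimmed).
SAH_INI = """\
[Files]
SAHAgent=gah95on6.exe
SahHtml=bln02nqv.exe
SAHUninstall=70tovmto.exe
lsp=2b3fsk0h.dll
WEBInstaller=WEBInstaller.dll
[SAHAgent]
UnInstallExecute=disable
UnInstallRequest=disable
"""
HJT_LOG = r"""Running processes:
C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
"""

def _parse(ini_text):
    # interpolation=None keeps '%' and '=' in values literal; optionxform=str keeps key case.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp

def agent_files(ini_text):
    """Map each logical role in [Files] to the randomised file name it uses."""
    return dict(_parse(ini_text)["Files"])

def uninstall_locked(ini_text):
    """True when both uninstall flags read 'disable', as in the posted file."""
    agent = _parse(ini_text)["SAHAgent"]
    return (agent.get("UnInstallExecute") == "disable"
            and agent.get("UnInstallRequest") == "disable")

def correlate(ini_text, hjt_text):
    """(role, file name, log line) for every log line that names an agent file."""
    names = {v.lower(): k for k, v in agent_files(ini_text).items()}
    hits = []
    for line in hjt_text.splitlines():
        for fname, role in names.items():
            if fname in line.lower():
                hits.append((role, fname, line.strip()))
    return hits

if __name__ == "__main__":
    print("uninstall locked:", uninstall_locked(SAH_INI))
    for role, fname, line in correlate(SAH_INI, HJT_LOG):
        print(f"{role} -> {fname}: {line}")
```

Running it against the full posted files maps the running process gah95on6.exe and its HKLM Run entry back to the SAHAgent role, so a new random name in a later ini can be matched the same way.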
Short URL to this thread: https://techguy.org/330342