"Bev" <> wrote in message
news:_cEb.7$...
> Really need help!
>
> Internet Explorer has stopped displaying all pages it just says the page
> cannot be displayed, but email works fine on Outlook.
>
> Saw something that said SahAgent?
>
> Don't know what that is.
>
> Please help.... desperate!
>
> Bev
>
>
sorry if there's html with this ... but seeing as bev's internet explorer
isn't working i shall paste in the info on this particular problem ...
props to pest patrol and liz for providing the link
page follows:
Overview
Summary: a Winsock 2 Layered Service Provider that redirects visits to
merchant sites in order to take the affiliate fees from them automatically.
Alias: Golden Retriever, ShopAtHome, ShopAtHomeSelect
See Also: FavoriteMan · Grokster · IMesh
Category: Spyware: Any product that employs a user's Internet
connection in the background without their knowledge or explicit permission,
and gathers/transmits info on the user, their machine, or their behavior.
Variants: ShopAtHomeSelect
Similar Pests: Spyware
Origins
Group: Belcaro Group Inc.
By This Group: ShopAtHomeSelect · ShopAtHomeSelect.com
Mailing Address: Belcaro Group Inc., 7100 East Belleview Avenue, #305,
Greenwood Village, CO 80111
Phone: 303-843-0302 Fax: 303-843-0377
EMail:
URL: http://www.shopathomeselect.com/
Date of Origin: September, 2003
Distribution
Distribution: May be bundled with Grokster, IMesh, Favoriteman.
Prevalence:
- SAHAgent: 0.1% of all pest reports (139 per 100,000 reports)
- SahAgent: 0.1% of all pest reports (84 per 100,000 reports)
- ShopAtHomeSelect: 0.0% of all pest reports (27 per 100,000 reports)
Clot Factor:
- SAHAgent: On average, 19 objects detected in each machine
- SahAgent: On average, 21 objects detected in each machine
- ShopAtHomeSelect: On average, 2 objects detected in each machine
The "Clot Factor" is a measure of how much a pest "gums up" a machine
by adding registry entries, files, and directories. As more objects are
placed in a machine, manual removal becomes more difficult and more
error-prone.
Countries Affected: In the past three months, we have received reports
of SAHAgent in Australia, Canada, Denmark, France, Germany, Hong Kong,
Netherlands, Nicaragua, Poland, Russian Federation, Slovenia, Spain, Sweden,
Switzerland, United Kingdom, United States, Venezuela.
Growth:
- SAHAgent: Insufficient data to report growth
- SahAgent: Decreased 100.0% over the last 90 days
- ShopAtHomeSelect: Less than 1% in the last 90 days
Operation
Advertising: No.
Storage Required: SahAgent: at least 57KB
Risks
Privacy Issues: Yes. Each visit to a merchant site is recorded by
ShopAtHomeSelect's servers with a unique ID that could be used to track your
browsing habits.
Privacy Policy: "When you first register with ShopAtHomeSelect.com, we
ask you to provide your name, date of birth, street address, and E-mail
address to determine your eligibility to be a member and to process your
"Cash Back" rewards. We also ask for additional optional information on your
interests, gender, and occupation. Based on this information, we can better
determine what types of merchants and specials to pursue so that you will
get the most out of your membership in ShopAtHomeSelect.com. However, you
are under no obligation to provide us with this information-it is completely
optional.
"ShopAtHomeSelect.com may also collect certain information online and
offline deriving from your navigation of ShopAtHomeSelect.com and our
Affiliate Merchants, including but not limited to the number and type of
offers you have responded to and completed, so that we can make future
relevant and personalized offers to you.
"ShopAtHomeSelect.com uses cookie technology to understand general
information on site traffic trends such as most frequently visited pages or
Affiliate Merchants."
from http://www.shopathomeselect.com/privacy.asp
Security Issues: Yes. Can download and execute arbitrary code from its
controlling server, as a silent update feature.
Stability Issues: Yes. May slow Opera or other applications,
particularly when accessing its servers.
Detection and Removal
Caution!!!: SAHAgent is a Winsock2 Layered Service Provider. As such,
if you merely delete registry entries and files, you stand a good chance of
losing your network and Internet connections.
Automatic Removal: PestPatrol detects this.
PestPatrol removes this.
Manual Removal: In Control Panel's Add/Remove Programs, find
'ShopAtHomeSelect Agent'. Use it to remove the software. Reboot.
Once you have uninstalled via Add/Remove programs, you can delete the
damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside your
'Downloaded Program Files' folder, the 'SAHUninstall.exe' file in the
'Windows' folder and 'SahAgent.log' in the root of the C: drive to clean up.
If the entry for ShopAtHomeSelect remains in your Add/Remove Programs
even though the software is uninstalled, you can remove it by opening the
registry (Start->Run->regedit) and deleting the key
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent'.
If the above procedures do not work for any reason, you may remove
SAHAgent manually, but at great risk of losing your network and Internet
connections.
Open the registry (Start->Open->regedit) and find the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run . Delete
the 'SAHAgent' entry.
Next, deregister the LSP part of ShopAtHomeSelect. Run 'regedit' and
find the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 .
For each key in Catalog_Entries, open the 'PackedCatalogItem' value and
check if it starts with 'lsp.dll'. If it does, delete that entry.
Renumber the remaining keys so that they count up from
000000000001 one at a time, and set the 'Num_Catalog_Entries' value in
Protocol_Catalog9 to the highest key number you have.
Next, open a DOS command prompt window (from
Start->Programs->Accessories) and enter these commands:
cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\WEBinstaller.dll"
cd "..\Downloaded Program Files"
del WEBinstaller.dll
del SAH*.exe
Restart the computer and you should be able to delete the files
'tracking.tmp', 'vg.dat', 'v.dat', 'lsp.dll', 'SahDownloader.exe' and
'SahAgent.exe' from the System folder (inside the Windows folder; called
'System' on Windows 95/98/Me or 'System32' under Windows NT/2000/XP).
You can also delete the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup to clean up if you like. PestPatrol 4.3
provides CleanSAHAgent.exe to perform this removal automatically.
Stop Running Processes:
Kill these running processes with Task Manager:
systemroot+\downloaded program files\sahagent_.exe
systemroot+\downloaded program files\sahdownloader_.exe
systemroot+\downloaded program files\sahuninstall_.exe
systemroot+\sahuninstall.exe
systemroot+\system32\sahagent.exe
systemroot+\system32\sahdownloader.exe
Remove AutoRun Reference:
Go to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Unregister DLLs:
Unregister these DLLs with Regsvr32, then reboot:
systemroot+\downloaded program files\lsp_.dll
systemroot+\downloaded program files\webinstaller.dll
systemroot+\downloaded program files\xmlparse_.dll
systemroot+\downloaded program files\xmltok_.dll
systemroot+\system32\lsp.dll
Clean Registry:
Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\clsid\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_CLASSES_ROOT\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
HKEY_CLASSES_ROOT\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
HKEY_CLASSES_ROOT\webinstaller.execute
HKEY_CLASSES_ROOT\webinstaller.execute.1
HKEY_LOCAL_MACHINE\software\classes\clsid\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\classes\interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
HKEY_LOCAL_MACHINE\software\classes\interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/lsp_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sahagent_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sahdownloader_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sahuninstall_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sporder_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/webinstaller.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/xmlparse_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/xmltok_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/mfc42.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/msvcrt.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/olepro32.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sahagent
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\shopathomeselect agent
HKEY_LOCAL_MACHINE\software\vgroup
HKEY_LOCAL_MACHINE\software\winsock2\layered provider sample
Remove Files:
Remove these files (if present) with Windows Explorer:
c:\sahagent.log
systemroot+\downloaded program files\lsp_.dll
systemroot+\downloaded program files\sahagent_.exe
systemroot+\downloaded program files\sahdownloader_.exe
systemroot+\downloaded program files\sahuninstall_.exe
systemroot+\downloaded program files\webinstaller.dll
systemroot+\downloaded program files\xmlparse_.dll
systemroot+\downloaded program files\xmltok_.dll
systemroot+\sahuninstall.exe
systemroot+\system32\lsp.dll
systemroot+\system32\lsp.xx
systemroot+\system32\sahagent.exe
systemroot+\system32\sahdownloader.exe
Research
File Analyses: SahAgent: lsp.dll
Research By:
- Andrew Clover
- PestPatrol's Pest Research Center
Last Revised: 17 December, 2003
Copyright: © 2003 PestPatrol, Inc. All rights reserved.
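
The Protocol_Catalog9 step in the manual removal above is where networking usually gets lost: deleting the 'lsp.dll' entries without renumbering leaves gaps in Catalog_Entries and a stale Num_Catalog_Entries. The following is an added example, not part of the original post or of PestPatrol's page, that models that step in Python on a constructed catalog. The sample provider paths and all function names are assumptions, and it only plans the change; it does not touch the registry.

```python
# Constructed sample modelling Catalog_Entries under Protocol_Catalog9:
# key name -> PackedCatalogItem bytes. Per the page, the value starts with the
# provider DLL name; the binary data after it is replaced by filler bytes here.
def packed(path: str) -> bytes:
    return path.encode("ascii") + b"\x00" + b"\xAA" * 16

SAMPLE_CATALOG = {
    "000000000001": packed("lsp.dll"),
    "000000000002": packed(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000003": packed("lsp.dll"),
    "000000000004": packed(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000005": packed(r"%SystemRoot%\system32\rsvpsp.dll"),
}

def provider_path(item: bytes) -> str:
    """Return the leading NUL-terminated provider path of a PackedCatalogItem."""
    return item.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def is_sahagent_lsp(item: bytes) -> bool:
    # The page's test: the value starts with 'lsp.dll' (case-insensitive here).
    return provider_path(item).lower().startswith("lsp.dll")

def check_catalog(entries: dict, num_entries: int) -> list:
    """Report the inconsistencies the page warns about: gaps and a wrong count."""
    problems = []
    names = sorted(entries)
    expected = [f"{i:012d}" for i in range(1, len(names) + 1)]
    if names != expected:
        problems.append("keys are not numbered consecutively from 000000000001")
    if num_entries != len(names):
        problems.append(f"Num_Catalog_Entries={num_entries}, but {len(names)} keys exist")
    return problems

def plan_removal(entries: dict):
    """Drop the lsp.dll entries, renumber the survivors in order, return new state."""
    ordered = sorted(entries)  # zero-padded names sort in numeric order
    removed = [k for k in ordered if is_sahagent_lsp(entries[k])]
    kept = [entries[k] for k in ordered if k not in removed]
    renumbered = {f"{i:012d}": item for i, item in enumerate(kept, start=1)}
    return removed, renumbered, len(renumbered)

if __name__ == "__main__":
    removed, fixed, count = plan_removal(SAMPLE_CATALOG)
    # What "merely deleting registry entries" leaves behind:
    naive = {k: v for k, v in SAMPLE_CATALOG.items() if k not in removed}
    print("delete only:", check_catalog(naive, len(SAMPLE_CATALOG)))
    print("after renumbering:", check_catalog(fixed, count), list(fixed))
```

Exporting the WinSock2 key from regedit before making any change gives a way back if the renumbering goes wrong.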