Replies within... Kaj Haulrich wrote:
A week ago I had to buy a new PC for one of my daughters (14 years old). She absolutely needed Windows in order to run some special, school-related apps. The PC came with WinXP pre-installed.
So this was a school PC? Yeah, I know the sort of apps you are talking about.
The first thing I did was to install Mozilla, OpenOffice and some sort of firewall, called ZoneAlarm. Now, I thought it was safe.... ZoneAlarm..... AHAHA, the XP firewall is better at inbound protection.
To set up the XP firewall on broadband: go into Connections, right-click on the network card and find "enable firewall on this device". This firewall will make it so you shouldn't be able to act as a server.
Suddenly, when she tries to send an e-mail (from within Mozilla, of course, I'm not THAT stupid), up pops a message from our ISP saying that the box is compromised, and accordingly the SMTP server won't accept the mail. In fact, her IP was blacklisted. Teach her as well NOT TO GET ECARDS. Some of these ECARD SITES include trojans/backdoors, you get the drift.
Some on-line security scans revealed no less than 159 trojans, worms and viruses!
After heavy googling around, I purchased a spyware/trojan scanner called XoftSpy, which cleaned most of the shit. But nevertheless, a spyware trojan keeps coming in (SAHAgent). No matter what I do.
(The bugger doesn't show up in ControlPanel --> Remove software).
Turn XP restore OFF, then remove.
Name: SAHagent
Command: Sahagent.exe
Status: X
Description: ShopAtHomeSelect parasite <http://www.doxdesk.com/parasite/ShopAtHomeSelect.html>
ShopAtHomeSelect is a Winsock 2 Layered Service Provider that redirects visits to merchant sites in order to take the affiliate fees from them automatically.
Also known as: Golden Retriever.
Distribution
Bundled with Grokster (around the start of 2003) and iMesh 4.
Also installed by the FavoriteMan <FavoriteMan.html> parasite from May 2003.
What it does
Advertising
No.
Privacy violation
Yes. Each visit to a merchant site is recorded by ShopAtHomeSelect's servers with a unique ID that could be used to track browsing habits.
Security issues
Yes. The software can download and execute arbitrary code from its controlling server, as a silent update feature.
Stability problems
On testing, seemed to cause Opera to run quite slowly. Would occasionally make the desktop show an hourglass pointer for a while when accessing its servers.
Removal
There should be an entry in the Control Panel's Add/Remove Programs entry for 'ShopAtHomeSelect Agent'. Use it to remove the software then restart the computer.
You can delete the damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside the 'Downloaded Program Files' folder, the 'SAHUninstall.exe' file in the 'Windows' folder and 'SahAgent.log' in the root of the C: drive to clean up if you like.
If the entry for ShopAtHomeSelect remains in your Add/Remove Programs even though the software is uninstalled, you can get rid of it by opening the registry (Start->Run->regedit) and deleting the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent'.
Manual removal
As with all software that uses Winsock2 LSPs, you should be very careful removing ShopAtHomeSelect by hand: if you slip up you may lose all networking ability.
First, open the registry (Start->Open->regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run . Delete the 'SAHAgent' entry.
Next, deregister the LSP part of ShopAtHomeSelect. The easiest way to do this is to use a tool such as LSPFix <http://cexx.org/lspfix.htm>. Tell it to 'Remove' lsp.dll and 'Keep' the rest.
(It is possible to remove LSPs by hand by editing the registry, but it's quite a bit of effort and it's easy to make a mistake. If you want to try anyway, run 'regedit' and find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 . For each key in Catalog_Entries, open the 'PackedCatalogItem' value and check if it starts with 'lsp.dll'. If it does, delete that entry. Renumber the remaining keys so that they count up from 000000000001 one at a time, and set the 'Num_Catalog_Entries' value in Protocol_Catalog9 to the highest key number you have. See, I told you it was a lot of effort.)
Next, open a DOS command prompt window (from Start->Programs->Accessories) and enter the commands:
    cd "%WinDir%\System"
    regsvr32 /u "..\Downloaded Program Files\WEBinstaller.dll"
    cd "..\Downloaded Program Files"
    del WEBinstaller.dll
    del SAH*.exe
Restart the computer and you should be able to delete the files 'tracking.tmp', 'vg.dat', 'v.dat', 'lsp.dll', 'SahDownloader.exe' and 'SahAgent.exe' from the System folder (inside the Windows folder; called 'System' on Windows 95/98/Me or 'System32' under Windows NT/2000/XP). You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\VGroup to clean up if you like.
Links
ShopAtHomeSelect <http://www.shopathomeselect.com/> official site.
Well, I know next to nothing about Windows, but before I subscribe to a windows-list (which I would hate, really), I would like to ask if you can recommend: I don't know if there are any OSS firewalls. Try sourceforge.net. Kerio is free. Adaware (good free version available), but it won't remove viruses.
1. A good, reliable firewall for Windows (preferably OSS and free)?
2. A spyware/trojan/worm cleaner capable of removing all malware?
3. Shutting down the whole kaboodle and waiting for SP2?
Many thanks and apologies in advance
Kaj Haulrich.
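The manual LSP removal quoted above (delete the Catalog_Entries keys whose PackedCatalogItem starts with 'lsp.dll', renumber the rest from 000000000001, set Num_Catalog_Entries) is exactly the step where a slip kills networking. The following is an added, offline model of that procedure, not code from the thread or from doxdesk: it works on constructed catalog data, never touches a real registry, assumes the provider DLL path occupies the first 260 bytes of PackedCatalogItem, and matches on the DLL file name rather than a literal prefix so paths like C:\WINDOWS\system32\lsp.dll are caught too.

```python
import ntpath

MAX_PATH = 260  # assumed: PackedCatalogItem opens with a MAX_PATH ANSI provider path


def pack_item(dll_path: str, tail: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed PackedCatalogItem: path padded to MAX_PATH, then opaque data."""
    path = dll_path.encode("ascii")
    return path.ljust(MAX_PATH, b"\x00") + tail


def provider_path(packed: bytes) -> str:
    """Recover the provider DLL path from the start of a PackedCatalogItem."""
    return packed[:MAX_PATH].split(b"\x00", 1)[0].decode("ascii", "replace")


def matches_dll(packed: bytes, dll_name: str) -> bool:
    """True if the entry is backed by dll_name (file name, case-insensitive)."""
    return ntpath.basename(provider_path(packed)).lower() == dll_name.lower()


def remove_and_renumber(catalog: dict, dll_name: str):
    """Drop entries backed by dll_name, renumber survivors 000000000001.. in order.

    Returns (new_catalog, num_catalog_entries, removed_keys); the second value is
    what Num_Catalog_Entries must be set to afterwards."""
    kept, removed = [], []
    for key in sorted(catalog):
        (removed if matches_dll(catalog[key], dll_name) else kept).append(
            key if matches_dll(catalog[key], dll_name) else catalog[key])
    new_catalog = {f"{i:012d}": item for i, item in enumerate(kept, start=1)}
    return new_catalog, len(new_catalog), removed


def catalog_is_consistent(catalog: dict, num_catalog_entries: int) -> bool:
    """Sanity check before rebooting: keys contiguous from 1 and count matches."""
    expected = [f"{i:012d}" for i in range(1, num_catalog_entries + 1)]
    return sorted(catalog) == expected


# Constructed sample catalog: two genuine providers and two lsp.dll entries.
SAMPLE_CATALOG = {
    "000000000001": pack_item("%SystemRoot%\\system32\\mswsock.dll"),
    "000000000002": pack_item("lsp.dll"),
    "000000000003": pack_item("%SystemRoot%\\system32\\rsvpsp.dll"),
    "000000000004": pack_item("C:\\WINDOWS\\system32\\LSP.DLL"),
}

if __name__ == "__main__":
    cleaned, count, gone = remove_and_renumber(SAMPLE_CATALOG, "lsp.dll")
    print("removed:", gone, "Num_Catalog_Entries:", count, "ok:", catalog_is_consistent(cleaned, count))
```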
------------------------------------------------------------------------
____________________________________________________
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________