Prior to writing to this forum, I did review Norton's description of SAHAgent. I searched the folders and registry of my computer for items (files and registry entries) Norton associated with this adware, but found none.
When I instruct Norton to delete the SAHAgent files (SAHAgent_exe, SAhHtml_.exe, and SAHUninstall_.exe) it says it finds in the Downloaded Program Files folder, Norton reports that the deletion attempt failed.
dunedin
2.7K Posts
0
November 6th, 2004 22:00
Hi,
Does this help?
http://www.spyany.com/program/article_spy_rm_SAHAgent.html
flgolfnut
71 Posts
0
November 7th, 2004 03:00
dunedin
2.7K Posts
0
November 7th, 2004 11:00
TAH
43 Posts
0
November 7th, 2004 15:00
Dunedin and Flgolfnut -- thanks very much for your responses!
I checked out the removal instructions for SAHAgent at the SpyAny URL you provided. I have not actually performed any of the removal operations described there, but I searched on my computer all folders, registry, and the "Start>Control Panel>Add/Remove Programs" listing for all of the items (files, registry entries, and programs) specified in the SpyAny instructions, including the procedure for manual removal of SAH Agent.
None of the specified items noted above are present on my computer. I would not be able to perform any of the removal operations because there is nothing to remove! This finding adds to my feeling that my computer presently is not actually infected with SAHAgent, though it may have been previously.
I tried searching my registry for the strings "shopathome" and "golden retriever" (an alternate name for the SAHAgent adware). Several entries were found, and I have copied them below in the hope that a clue is there as to why NAV continues to report infection with SAHAgent.
Thanks again!
Search for string "shopathome"
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
(Name: 011; data: shopathome)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip
(Name: a; data: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip)
[Note: there is no such file "ShopAtHome.zip" on my computer, despite this registry reference to it.]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\Search Assistant\ACMru\5603
(Name:012; data: shopathome)
HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\CurrentVersion\Explorer\COMDlg32\OpenSaveMRU\zip
(Name: a; data: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip)
[Note: there is no such file "ShopAtHome.zip" on my computer, despite this registry reference to it.]
HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005(5))
Search for string "golden retriever"
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
(Name: 014; data: goldenretriever)
HKEY_USERS\S-1-5-21-3849651895-3067381501-290885498-1006\Software\Microsoft\Search Assistant\ACMru\5603
(Name:014; data: goldenretriever)
dunedin
2.7K Posts
0
November 7th, 2004 17:00
A lot of these entries are just "History" which you could get rid of by deleting history in IE.
Some more are in Spybot's backup of deleted items and they won't do any harm there.
If your machine is running without problems I would be inclined to ignore Norton.
Your other option which would identify them properly and allow for deletion is to download and run HijackThis.
Do not try to delete anything yourself.
Hijack This http://www.majorgeeks.com/download3155.html
Make a special folder in My Documents to download it to. Set it to "Scan" and then to create its "Log". This will be long, but copy all of it into Notepad and post it to be checked.
TAH
43 Posts
0
November 7th, 2004 18:00
Dunedin -- thanks!
My machine seems to be running fine, so for the time being I will just ignore Norton's reporting of SAHAgent. Later I will download HijackThis and generate a log file, as you recommended.
Thanks, again!
TAH
dunedin
2.7K Posts
0
November 7th, 2004 21:00
You are very welcome.
You'll know it is time to run HijackThis if you start getting pop-ups or are hijacked to their site.
JRosenfeld
2 Intern
•
4.4K Posts
0
November 8th, 2004 22:00
Most of those registry entries (the ones with MRU in the key name) are just the caches of file names you have searched for. It does not mean the files are or were on your drive. For example the first one just records the fact that you searched for 'shopathome' in Search Companion. The names you searched for are listed in the Search Assistant\ACMru key. If you use search, type s in the box 'all or part of a file name', 'shopathome' would appear (together with any other previous searches starting with s) as suggestions in a dropdown list below the box.
Such entries remain until you clear the cache. You can do that in several ways, e.g. using Spybot (in advanced mode, settings tab, file sets, check usage tracks to include these), or Adaware SE also gives the option to clear MRU entries. Or you can delete them manually in search (highlight the entries that appear one at a time and press delete key), or you can right click and delete in the registry.
The entries in a \P3P\history\ key were put there (not sure if it is by Spybot, Adaware or Spywareblaster as I have all three) to block those sites from downloading things. The key should contain one Dword, called default and with a value 0x00000005. Leave those, they are protecting you.
As for the folder c:\windows\downloaded program files, it contains the ActiveX controls you have downloaded at some point. These include embedded files (right click on one of them, click properties, dependency tab, you'll see a list of files; some may be system files the ActiveX control uses, and then the path to the file will point to the Windows folder the file is in; but other files are embedded in the ActiveX control: the path points to the C:\Windows\downloaded program folder, but the file is not separately listed there). For example SysProWMI Class (the Dell system profiler ActiveX control) depends on the file C:\Windows\download...\syspro.inf*, but that file does not show in the folder contents.
You might check what files MrSidi control depends on. I don't have that one. The other two you mentioned are OK.
You can safely remove an ActiveX control (right click, remove). Should you need it again when visiting the site it got downloaded from, it will just be downloaded again.
Message Edited by JRosenfeld on 11-09-2004 12:46 AM
Message Edited by JRosenfeld on 11-09-2004 12:50 AM
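An added example, not part of the post above or of any tool named in the thread: a Python script that applies the two rules the post gives (MRU keys are search/open caches; a P3P\History site key holding DWORD 5 is a block entry) to registry search hits pasted in the layout used earlier in the thread. The function names, the `example.invalid` entry and the `Run` key entry are constructed for illustration.

```python
import re

MRU_CACHE, P3P_BLOCK, REVIEW = "mru-cache", "p3p-block", "review"
VALUE_RE = re.compile(r"^\(Name:\s*(?P<name>.*?);\s*data:\s*(?P<data>.*)\)$")

# Constructed sample: three hits copied from the thread's layout, plus two
# invented ones (example.invalid, Run) to show what is left for review.
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
(Name: 011; data: shopathome)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip
(Name: a; data: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ShopAtHome.zip)
[Note: lines that are neither a key nor a value are skipped.]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com
(Name: (Default); data: 0x00000005 (5))
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\example.invalid
(Name: (Default); data: 0x00000001 (1))
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Name: ExampleAgent; data: C:\Windows\example_agent.exe)
"""

def parse_hits(text):
    """Pair each registry key line with the value line(s) that follow it."""
    hits, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("HKEY_"):
            key = line
        elif key and (m := VALUE_RE.match(line)):
            hits.append((key, m["name"].strip(), m["data"].strip()))
    return hits

def classify(key, data):
    """Apply the two rules from the post; anything else is left for a person."""
    upper = key.upper()
    # Rule 1: "MRU" in a key name marks a cache of names searched for or opened.
    if any("MRU" in part for part in upper.split("\\")):
        return MRU_CACHE
    # Rule 2: a P3P\History\<site> key whose DWORD is 5 is a block entry.
    if "\\P3P\\HISTORY\\" in upper:
        m = re.match(r"0x([0-9a-fA-F]+)", data)
        if m and int(m.group(1), 16) == 5:
            return P3P_BLOCK
    return REVIEW

def triage(text):
    return [(classify(k, d), k, n) for k, n, d in parse_hits(text)]

if __name__ == "__main__":
    for label, key, name in triage(SAMPLE):
        print(f"{label:10} {key} [{name}]")
```

Only the hits labelled `review` need a closer look; a P3P\History entry with any value other than 5 falls into that group because the post only vouches for 5.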
TAH
43 Posts
0
November 9th, 2004 20:00
JRosenfeld -- thanks very much for your informative and useful response!
FYI, the object in Downloaded Program Files pertaining to the image viewer Mr Sid has these file dependencies: MRSIDI.INF (in C:\Windows\Downloaded Program Files), MRSID.ICO (in C:\Windows), and MRSID.OCX (in C:\Windows).
Do you have any idea why NAV 2004 continues to report the three SAHAgent adware files in Downloaded Program Files folder, even though these files are not present in this or any other folder on my computer? Could there be some kind of table of contents for the Downloaded Program Files folder that somehow did not get updated when the SAHAgent adware was removed by (I assume) the AdAware SE and/or SPYBOT 1.3 programs I am running?
Thanks, again!
TAH
JRosenfeld
2 Intern
•
4.4K Posts
0
November 9th, 2004 22:00
No, I do not know why NAV 2004 is reporting that. The only thing I can suggest is that you look through their pages on SAHAgent and check out whether you have any of the registry entries they indicate (try the first link on this search results page first as it seems the most relevant).
http://search.symantec.com/custom/us/query.html
What happens if you let NAV fix what it thinks is the problem?
TAH
43 Posts
0
November 9th, 2004 23:00