what the hell is this - help me!!??

supercote

I have been trying to clean out my system and found a file called
dss43l4l.ini
in my registry in HKLM/Software/Windows/CurrentVersion/Run
it is located in C:\WINDOWS\system32\dss43l4l.exe

Here is the .ini - I can't figure out what the heck this thing
is....does anyone know? I had encountered the error message "system
settings protector has encountered an error..." - which might be the
beta version of Spybot that I have....

any help would be grand - thanks muchly
Michelle

dss43l4l.exe:

[Files]
SAHAgent=dss43l4l.exe
SahHtml=s0chpaa5.exe
SAHUninstall=02pisha4.exe
lsp=e0e3k4n5.dll
WEBInstaller=WEBInstaller.dll
v=k7jjsqvt.dat
vg=ofiudscl.dat
vp=sni9utpd.dat
vu=vvhlfv55.dat
vh=38g010it.dat
sporder=sporder.dll
lsp_setup=update.exe
[SAHAgent]
PrefsServer=www.shopathomeselect.com
PrefsXML=/agent3/agentprefs3.sah
RenameFiles=yes
FileSahAgent=gah95on6
FileSahHtml=bln02nqv
FileSahUnInstall=70tovmto
FileLsp=2b3fsk0h
FileV=tm97pj39
FileVP=p1fumi62
FileVG=kdlmjh8r
FileVU=goreggbk
FileVH=b315cfed
WebInstall=no
KeyExistNai=Y
DllName=C:\DOCUME~1\Michelle\LOCALS~1\Temp\4D9TK51H.dll
HtmlName=C:\WINDOWS\system32\g86ft4bn.html
EulaDate=2005-04-19 19:52:25
EulaStatus=Displayed4002b
InstallLocation=downloads.shopathomeselect.com
InstPath=isearchtech/
BundleKey=isearchtech1004.sah
BundlePackage=bundlep_isearchtech1004.cab
PrefsPath=agent3/
iniName=bundlep_isearchtech1004.ini
PackageLocation=downloads.shopathomeselect.com
PackageName=/v4003/setup4003.cab
CookieUserAgent=iexplorer
BrowserType=Bundle
BundleProgress=4
CountKey=1
UniqueBundleKey=owner=isearchtech1004
UniqueBundleID=refer=250410805
GUID=GUID={E2981D9D-2E86-4E7F-B2DF-37CA350347D0}
CountStart=1
CountCab=1
LSPInstallNeed=yes
ReadyToInstall=complete
BundleInstall=installing
AgentVersion=4.0.1.2
NamedBy=MadAdam
AutoUpdate=
CreateDate=2005-04-19
UnInstallExecute=disable
UnInstallRequest=disable
DateToSendNextHeartbeat=2005-05-03 19:52:45
DateOfCheckForNewValidate=2005-05-03 19:52:45
LastPrefs=Tue, 19 Apr 2005 17:28:11 GMT
LastValid=Tue, 19 Apr 2005 17:28:14 GMT
LastGlobal=Tue, 19 Apr 2005 17:28:13 GMT
Download=
ValidateXMLversion={40BB8389-5FBE-4FB6-8805-1D855518D7ED}
ValidatePath=/agent/validate.sah
TemplatePath=
Images=/images/mrchntimages/
PopupCloseButton=close.gif
PopupDefaultImage=popupDefault.gif
RedirectTo=http://www.shopathomeselect.com/frameset3.asp
Categories=
Popup=
LSPVersion=1.1.1.1
GlobalPath=/agent/global.sah
SiteNotAvailablePeriod=10
ResponseTime=20
SuppressTimeout=10
PongTimeout=180
RetryDays=5
PrefsXMLversion={40BB8389-5FBE-4FB6-8805-1D855518D7ED}
Suppress1=afsrc=1
Suppress2=unused suppress string 2
IncUpdateEnabled=no
SearchEngineEnabled=s123|cgi.search123.com/cgi-bin/XMLFeed.cgi/5100?TYPE=Q&START=0&SIZE=10&ADULT=NO&QUERY=%Q%&IP=%IP%&UID=%ID%|&IP=%IP%&UID=%ID%&afsrc=1|1
SearchPopunderCount=2
ServiceDomain=gr3.cc
ServicePath=s.dll
NumberOfDaysNextHearbeart=14
NumberOfDaysNextValidate=14
NumberOfDaysNextUpdate=14
validate=Y
validateURL=www.shopathomeselect.com/agent3/
update=N
updateURL=downloads.shopathomeselect.com/v4003/setup4003.cab
LspSetupName=lsp_setup.exe
Country=CAN
GlobalXMLversion={40BB8389-5FBE-4FB6-8805-1D855518D7ED}
AttemptDownloadPrefs=ok
DateToCheckForNewUpdate=2005-05-03 19:52:45
RetryModeFinish=
LastSearchPopUnder=2005-04-19
SearchPopunderNumber=0
[SAHPopup]
main=197622
popunder=
name=Transformer
lastUpdateDate=2005-03-11
createDate=2005-03-11
locationX=100
locationY=100
dimensionX=100
dimensionY=100
showCloseButton=no
timer=0
delay=0
specialEffects=0
link=
 
Federico

Spyware.

http://www.spywareguide.com/product_show.php?id=700


 
Star Fleet Admiral Q

Did you go to or purchase something from "shop at home" say on March 11th?
Looks like either covertly or incovertly they've installed some type of
spyware/popup advertising software, that also appears to keep in touch or
phones home every so often giving them updates to your online surfing
habits.

--

Star Fleet Admiral Q @ your Service!

http://www.google.com
Google is your "Friend"

 
Malke

supercote said:
I have been trying to clean out my system and found a file called
dss43l4l.ini
in my registry in HKLM/Software/Windows/CurrentVersion/Run
it is located in C:\WINDOWS\system32\dss43l4l.exe

Here is the .ini - I can't figure out what the heck this thing
is....does anyone know? I had encountered the error message "system
settings protector has encountered an error..." - which might be the
beta version of Spybot that I have....
(snip long unnecessary .ini)

SAHAgent is the Shop At Home malware. Here are general malware removal
steps. Do everything with updated tools in Safe Mode.

First delete all Temporary and Temporary Internet Files. To do this, go
to Control Panel>Internet Options>General tab. You'll see where you can
delete cookies and files. For Temporary files, Start>Run cleanmgr
[enter] and then:

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.intermute.com/products/cwshredder.html
http://www.tomcoyote.com/hjt/ - HijackThis
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
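
The following is an added example, not code from anyone in this thread: it parses an excerpt of the .ini posted at the top (values copied from that post) and pulls out the renamed files to look for on disk, the hosts the agent is configured to contact, and whether it installs a Winsock LSP, the case the LSPFix and WinsockXPFix links above are for. The function names and the file-extension list are assumptions made for the example.

```python
import configparser
import re

# Excerpt of the .ini posted at the top of this thread (values copied from it).
SAMPLE_INI = r"""
[Files]
SAHAgent=dss43l4l.exe
SahHtml=s0chpaa5.exe
SAHUninstall=02pisha4.exe
lsp=e0e3k4n5.dll
lsp_setup=update.exe
[SAHAgent]
PrefsServer=www.shopathomeselect.com
DllName=C:\DOCUME~1\Michelle\LOCALS~1\Temp\4D9TK51H.dll
InstallLocation=downloads.shopathomeselect.com
RedirectTo=http://www.shopathomeselect.com/frameset3.asp
SearchEngineEnabled=s123|cgi.search123.com/cgi-bin/XMLFeed.cgi/5100?TYPE=Q&START=0&SIZE=10&ADULT=NO&QUERY=%Q%&IP=%IP%&UID=%ID%|&IP=%IP%&UID=%ID%&afsrc=1|1
ServiceDomain=gr3.cc
ServicePath=s.dll
LSPInstallNeed=yes
LSPVersion=1.1.1.1
"""

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,})$", re.I)
# Assumed list of extensions that mark a value as a file name, not a host.
FILE_EXTS = {"exe", "dll", "dat", "cab", "ini", "sah", "gif", "html"}

def load(text):
    # interpolation=None: values contain literal % (e.g. %Q%); keep key case.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg

def dropped_files(cfg):
    """Role -> renamed file name, from [Files]; names to look for on disk."""
    return dict(cfg["Files"]) if cfg.has_section("Files") else {}

def contacted_hosts(cfg):
    """Host names found in any value, skipping file names and version strings."""
    hosts = set()
    for section in cfg.sections():
        for value in cfg[section].values():
            for piece in value.split("|"):
                head = re.sub(r"^https?://", "", piece.strip()).split("/")[0]
                m = HOST_RE.match(head)
                if m and m.group(2).lower() not in FILE_EXTS:
                    hosts.add(head.lower())
    return sorted(hosts)

def installs_lsp(cfg):
    """True when the agent lists a Winsock LSP DLL and flags it for install."""
    agent = cfg["SAHAgent"] if cfg.has_section("SAHAgent") else {}
    return "lsp" in dropped_files(cfg) and agent.get("LSPInstallNeed") == "yes"
```

Values such as `LSPVersion=1.1.1.1` and `ServicePath=s.dll` look like hosts to a naive pattern; the final-label check and the extension list keep them out of the host list.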
 
