Browser Helper Objects list.
TonyKlein
March 12th, 2002, 07:40 PM
A while ago, when I had nothing better to do, I amused myself by doing a Google search for all known BHOs in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
I came up with this bunch:
{00000000-5eb9-11d5-9d45-009027c14662}: VX2 Respondmiter (Ad popups), Blackstone Transponder
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}: ACROIEHELPER.OCX (Adobe Acrobat reader)
{1678F7E1-C422-11D0-AD7D-00400515CAAA}: Comet Cursor
{49A69FA0-2678-45CD-A069-6ACC372B20F8}: DownloadMage
{5998B08E-CFAC-11D5-822A-0050048E6E38}: JimmySurf
{657B9354-BB3B-4500-A9B0-109B4FA64815}: Amcis32.dll, Win32/Aspam.Trojan
{724d43a9-0d85-11d4-9908-00400523e39a}: Roboform
{72EFCEB7-436E-11D3-93ED-0008C7396667}: DigitalMe toolbar
{C4D99500-4C77-11D4-93B7-0040950570BA}: eBoom Search Bar
{C900B400-CDFE-11D3-976A-00E02913A9E0}: WHIEHLPR.DLL (Webhancer)
{CD4C3CF0-4B15-11D1-ABED-709549C10000}: GOIEHLP.DLL (Go'Zilla)
{EBBFE27C-BDF0-11D2-BBE5-00609419F467}: AMCIS.DLL (Aureate/Radiate)
{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}: NZDD.DLL (NetZip Download Demon, Real Download)
To be sure, they're not all harmful: if you remove the Adobe BHO, for example, you won't be able to open online PDF files, but most of them just don't belong there.
Now this is only a short list, of course.
Does anyone have other BHOs for my collection? ;D
TonyKlein
March 12th, 2002, 08:04 PM
Hey!
Found three new ones:
{004A5840-FF59-11d2-B50D-0090271D3FD4}: Yahoo Companion (probable)
{A586BE00-52AC-11D3-A075-E51A86A6C62B}: ParentPresent - PP Browser
{139D88E5-C372-469D-B4C5-1FE00852AB9B}: FavoriteMan - ofrg.dll
:D
FanJ
March 12th, 2002, 09:33 PM
Hi Tony,
Nice info!
You maybe have heard of BHOCaptor.
The site is: http://www.xcaptor.org/ but at this moment when I click on BHOCaptor, I get an empty page; I don’t know why.
Links on the MS site:
http://msdn.microsoft.com/library/techart/bho.htm
http://support.microsoft.com/support/kb/articles/Q179/2/30.ASP
But I guess you maybe have seen these pages already.
TonyKlein
March 12th, 2002, 09:38 PM
Hi Jan,
Thanks, I know, but I use BHO Cop (http://www.extremetech.com/article/0,3396,s=1046&a=1066,00.asp?download_url=http://common.ziffdavisinternet.com/download/0/1023/bhocop.zip&login=1&r=0) myself, which I like better.
If I remember well, BHOCaptor doesn't let you uncheck the BHOs but deletes them straight away (I may be off the mark here).
Anyhow, I found three on my system, 2 of them required (Roboform and Adobe), and the third one a Comet leftover.
Nothing spectacular.
I think it would be useful to have such a list, which could be consulted if one is in doubt about where certain BHOs belong.
Cheers, Tony
MickeyTheMan
March 12th, 2002, 09:43 PM
Tony, you are right about BhoCop. Much better.
TonyKlein
March 12th, 2002, 09:44 PM
Additionally, if you just want to disable the BHO in question instead of killing it completely, you can just edit its CLSID in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects by inserting a minus sign in front of it like so:
-{00000000-5eb9-11d5-9d45-009027c14662}
Greetz, Tony
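As an added example (not code from this thread or from any of the tools mentioned in it), a PowerShell script that lists the BHOs registered on the current machine, resolves each CLSID to the DLL that Internet Explorer would load, flags the CLSIDs collected in this thread, and implements the minus-sign disable trick from Tony's post as a reversible function. The $known table is constructed from the CLSIDs posted above; the function names are my own.

```powershell
# Added example: inventory BHOs, resolve CLSID -> DLL, and disable/enable by key rename.
# Requires Windows; Disable-Bho / Enable-Bho need an elevated shell (HKLM is read-only otherwise).

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Lookup table constructed from the CLSIDs listed in this thread (uppercased for comparison)
$known = @{
    '{00000000-5EB9-11D5-9D45-009027C14662}' = 'VX2 RespondMiter / Blackstone Transponder (ad popups)'
    '{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}' = 'Adobe Acrobat Reader (ACROIEHELPER.OCX) - legitimate'
    '{724D43A9-0D85-11D4-9908-00400523E39A}' = 'RoboForm - legitimate'
    '{1678F7E1-C422-11D0-AD7D-00400515CAAA}' = 'Comet Cursor'
    '{C900B400-CDFE-11D3-976A-00E02913A9E0}' = 'WebHancer (WHIEHLPR.DLL)'
}

function Get-Bho {
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $name = $sub.PSChildName
        # A leading minus sign is the manual "disabled" trick from the thread: IE looks up
        # the key name as a CLSID, finds no match, and therefore never loads the DLL.
        $disabled = $name.StartsWith('-')
        $clsid = $name.TrimStart('-').ToUpper()
        # The CLSID's InProcServer32 default value is the DLL path IE would load
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" `
                                -ErrorAction SilentlyContinue
        [pscustomobject]@{
            CLSID    = $clsid
            Disabled = $disabled
            Dll      = if ($srv) { $srv.'(default)' } else { '<no InProcServer32 key>' }
            Note     = if ($known.ContainsKey($clsid)) { $known[$clsid] } else { 'unknown - check the DLL vendor' }
        }
    }
}

# Disable (not delete) a BHO by renaming its key with a minus prefix, as Tony describes
function Disable-Bho([string]$Clsid) {
    $path = Join-Path $bhoKey $Clsid
    if (Test-Path $path) { Rename-Item -Path $path -NewName "-$Clsid" }
}

# Undo the rename so the BHO loads again
function Enable-Bho([string]$Clsid) {
    $path = Join-Path $bhoKey "-$Clsid"
    if (Test-Path $path) { Rename-Item -Path $path -NewName $Clsid }
}

Get-Bho | Format-Table -AutoSize
```

Changes take effect the next time Internet Explorer starts, since BHOs are loaded when the browser process initialises.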
FanJ
March 12th, 2002, 11:15 PM
Hey Tony and Mickey,
Thanks! :)
I must have missed BHO Cop somehow :-[
Just installed it; thanks again.
Cheers, Jan.
MickeyTheMan
March 12th, 2002, 11:55 PM
Little comparison of these 2: http://www.morelerbe.com/cgi-bin/ubb-cgi/ultimatebb.cgi?ubb=get_topic;f=14;t=000387
spy1
March 13th, 2002, 12:11 AM
BHODemon is pretty good, too, guys - actually, it seems to be more informative.
When you click on whatever BHOD finds to highlight, then click 'Details'. Not enough details, you say? Then click on 'More Details' on that screen. Pretty neat.
And BHOD lets you activate/de-activate whatever BHO you're dealing with, too, just like BHOCop.
Check it out here, if you like: http://www.definitivesolutions.com/bhodemon.htm . Pete
MickeyTheMan
March 13th, 2002, 12:36 AM
Pete, great catch !
Already added to my page: http://pages.infinit.net/carbo1/bho.html
UNICRON
March 13th, 2002, 02:13 AM
Just tried BHODemon. I like it. (love the price) It detected AdShield but nothing else. I didn't expect it to, I run a pretty tight ship, getting tighter every day.
Checkout
March 13th, 2002, 04:37 AM
-{ Quote: "BHODemon is pretty good, too, guys - actually, it seems to be more informative." }-
I'm sold! I'll try it tonight.
Checkout
March 13th, 2002, 04:54 AM
-{ Quote: "I run a pretty tight ship, getting tighter every day. " }-
Out of curiosity, what software do you use?
UNICRON
March 13th, 2002, 11:05 PM
TDS-3
wormguard
regprot
AdShield
SpyCop S&D
NOD32
Labrea@home
Proxomitron
mailwatcher
Kerio Personal Firewall
BHO demon
Surf in Peace
InCtrl5
adaware
dso stop
hope I didn't forget anything
oops, I am behind a 3com 3c510 router/firewall
Checkout
March 14th, 2002, 04:42 AM
-{ Quote: "TDS-3 me too
wormguard me too
regprot
adsheild
SpyCop S&D
NOD32
Labrea@home what's this?
Proxomitron
mailwatcher any good?
Kerio Personal Firewall
BHO demon
Surf in Peace what's this?
InCtrl5 what's this?
adaware
dso stop" }-
I guess I should list my own inventory...ah well, something for me to do tonight!
Tx, Uni.
UNICRON
March 14th, 2002, 05:16 AM
-{ Quote: "
Labrea@home what's this?
mailwatcher any good?
Surf in Peace what's this?
InCtrl5 what's this?
" }-
Labrea@home tarpit http://www.hackbusters.net/LaBrea/lbathome.html
monitors suspicious connections to port 80 (mainly Code Red, Blue Code and any port scanner) at the packet level and attempts to trap them in its pit. A port scanner will be unable to continue scanning, and it will forever be stuck connected to your machine. Very minor bandwidth used and you are helping slow down all the scanning that goes on. 532k mem and 0 CPU when idle. Free.
I won't say it works as well as all that, but it is neat to see it in action. It does not interfere with my webserver at all.
mailwatcher
http://www.webattack.com/get/etrustmail.shtml
does a lot of what you wanted WG to do, and it is free. I recommend it. Jan recommended it to me to evaluate a few days ago, and I am sold. No script can run at all anywhere on your machine until you allow it. Problem is you can't see what the script is, so you have to guess at whether to allow it or not. It also blocks all attempts to access the MAPI mail object (most malware likes to send emails). Its settings are crude, so it is not perfect but works very well. I strongly recommend you evaluate it. It uses 132k of mem and 0 CPU time when idle. Free.
Surf in Peace
http://www.iconlabs.net/sip.html
is a rules-based pop-up killer, somewhat unnecessary with Proxomitron running but it treated me well before so it can stay. It still does intercept windows sometimes but not nearly as much as before Proxomitron was installed. 1.25 MB mem used and 0 CPU time when idle. Free.
InCtrl5
http://www.zdnet.com/downloads/stories/info/0,10615,77424,00.html
is a tool that takes a snapshot of all your registry keys, files, folders etc., then after you install some software, you run it again and it will show you all the differences. Those keys that get tucked away inside MS land cannot hide from this app. Doesn't run resident. Free.
Checkout
March 14th, 2002, 05:23 AM
I really like the sound of LaBrea. How does it work? Alternatively, where can I dl it? Also, yes, I'd like to try MailWatcher, if you'd be so kind as to provide a link.
Aren't you sleepy yet? :)
Mike_Healan
March 14th, 2002, 05:32 AM
RE: BHODemon
I've been talking to this guy and convinced him to make a new version, this one with a text log of what it finds. I've submitted two or three BHOs to Lavasoft that my visitors have found, but I've had to do it with screenshots. That is going to come in very handy.
-{ Quote: "----- Original Message -----
From: Larry Leonard
To: Mike Healan
Sent: Sunday, March 10, 2002 12:54 PM
Subject: Re: bhodemon
How's this look?
Details for BHO C:\WINNT\VX2.dll__BHODemonDisabled
----------------------------------------------------------------------------------------
CLSID: {00000000-5EB9-11D5-9D45-009027C14662}
File Size (bytes): 122880
Time Accessed: 2002/3/10 11:53:52
Time Modified: 2001/10/1 16:53:20
Time Created: 2001/10/1 16:53:20
Drive Number: 2
Comments:
CompanyName: VX2 Corporation
FileDescription: VX2 Module
FileVersion: 0, 3, 0, 6
InternalName: VX2
LegalCopyright: Copyright 2001
LegalTrademarks:
OLESelfRegister:
OriginalFilename: VX2.DLL
PrivateBuild:
ProductName: RespondMiter
ProductVersion: 0, 3, 0, 6
SpecialBuild:
Larry Leonard
www.DefinitiveSolutions.com
" }-
DLExpert's URL catcher, which Ad-aware thinks is Transponder:
IEHELPER.DLL {A6927151-F5B4-11D4-AE7A-00D00925CF52}
Paul Wilders
March 14th, 2002, 05:36 AM
Mike,
Sounds very interesting indeed. Would you mind keeping us posted?
regards.
paul
Mike_Healan
March 14th, 2002, 05:42 AM
Sure.
I started mirroring it on my site a few months ago. My site and his BHODemon both ended up in the same newsletter the same issue and I contacted him about it.
I'm waiting for word from Urizen to see if that log output is good enough for a reflist addition. If I don't hear from him by tomorrow, I may tell the guy "sure that looks fine".
UNICRON
March 14th, 2002, 05:42 AM
Checkout, I included links to the software in my previous post. You can find out the whats and hows there.
Checkout
March 14th, 2002, 10:38 AM
-{ Quote: "Checkout, I included links to the software in my previous post. You can find out the whats and hows there." }-
Duh! Oh well. BTW, do you run LaBrea on a Windows system? According to the product's blurb, it won't tarpit intruders under Windows' PPP. Correct?
FanJ
March 14th, 2002, 11:23 AM
About MailWatcher:
It's nice that it is still available!
(I thought you couldn't get it anymore).
Checkout
March 14th, 2002, 11:27 AM
But...but...but...
Hmm.
Is there a product out there which can parse web pages in real time and intelligently filter out scripts/controls with bad intentions?
luv2bsecure
March 14th, 2002, 04:02 PM
Hey Checkout: EXCELLENT QUESTION! I have been thinking of this very thing myself. No matter how protected we are with email, ports closed, etc. I worry about malicious code from websites. Thinking about that, I have been wondering the very question you asked. Something real time that can immediately identify a scumsite. Hope somebody has an answer. If not, there's an opportunity for some ambitious programmer!
John
spy1
March 14th, 2002, 04:27 PM
I'm not really sure that we don't already have the tools at our fingertips to accomplish any of this.
(a) Proper browser settings
(b) The script-control program of your choice
(c) The registry-monitoring program of your choice
Somebody give me the link to a site that will defeat all three of these (plus your firewall and AV program, of course), and then I'll believe there's a lack of protection somewhere. Pete
luv2bsecure
March 14th, 2002, 05:11 PM
Pete: You are right in that those three things can all do something if you are willing to wait until you have already been hit or throw the baby out with the bath water. Correct me if I'm wrong, Checkout, but Checkout's and my question involves not just preventing scripts period, but identifying malicious scripts immediately. All of the things you mentioned, Pete, take an all or nothing approach, or can only take action after the registry has been revised. My question, and I think that of Checkout, is if there is something that can in real time, quickly and as fast as possible upon connection to a scumsite, shut down the net connection with a warning, thereby allowing the ability to surf without shutting off scripts completely and still be warned before infection.
John
Checkout
March 14th, 2002, 05:21 PM
What Luv2bsecure said, doubled and with cherries on top. Scripting isn't going to go away, but JavaScript, ActiveX et al are mere 4GLs. Good parsing will sort the Good from the Bad and the Ugly. :)
spy1
March 14th, 2002, 06:03 PM
I must be missing something here, then.
RegProt (among others on here), does not let registry changes take place without your say-so first.
The same goes for Scriptrap (and definitely WormGuard, again, among others).
There is no 'baby-with-the-bathwater', 'all-or-nothing', 'after-the-fact' about it, that I can see.
I use all this stuff every day, it's protected me from anything malicious, and it hasn't cramped my surfing style at all.
I'm not getting it, I guess. Links to this kind of stuff, please? Pete
Checkout
March 14th, 2002, 07:09 PM
Oh, for Pity's sake, I typed S H I T and this forum's s/w translated it into "nuts"! How pathetic! Should I have said sh1t or cr*p? Paul, for Pity's sake, let us be treated as adults!
-{ Quote: "I must be missing something here, then." }-
Yes, you're missing something here, Pete. What Love2bsecure and I (and, potentially, godzillions of other unwitting victims) want, is something which stands between us and Scripting languages. There's no point saying: "turn off javascript" or "ActiveX" when it's increasingly obvious that M$ is becoming more adept at imposing its Worldview than a certain German/Austrian housepainter (meaning nothing disparaging here, apart from the fact that Hitler was a ****).
Yes, I said it: Hitler was a ****. Controversial, I know. Just saying "Hitler" is enough to make some people's blood boil. Let's face it, he wasn't a nice bloke.**
(** In no way do I endorse his products or services. But let's get over it, on account of he's DEAD.)
But the main point is, a system which will parse Scripts and differentiate good scripts from naughty scripts would be highly desirable.
UNICRON
March 14th, 2002, 08:35 PM
one word: "heuristics"
This field is being developed further every day, but still has a long way to go. Detection can get incredibly complex, considering encryption of scripts etc.
PS: sorry Jan, yes it was you that recommended MailWatcher to me. And yes I had a hard time finding it. CA's site search could not locate it but Google could. It was still there, but even if it wasn't, Google caches pages.
FanJ
March 14th, 2002, 08:45 PM
Checkout,
You could have made your point well enough without making any reference to that certain person.
May I kindly (but urgently) ask you to refrain from that further.
luv2bsecure
March 14th, 2002, 09:21 PM
Goodness.
Why is it, again, that questions can be asked nicely and information presented in a friendly way when Spy1, who I have tried to be friendly with, has to come along and stir things up. He seems to do this slyly by making it seem like he has all the answers and if you don't see it his way something is really wrong and the rest of us are fools. For example,
-{ Quote: "Somebody give me the link to a site that will defeat all three of these (plus your firewall and AV program, of course), and then I'll believe there's a lack of protection somewhere." }-
It makes it look like, how dare a question be posed that, to him, already looks answered. In the next post,
-{ Quote: "There is no 'baby-with-the-bathwater', 'all-or-nothing', 'after-the-fact' about it, that I can see.
I use all this stuff every day, it's protected me from anything malicious, and it hasn't cramped my surfing style at all.
I'm not getting it, I guess. Links to this kind of stuff, please?" }-
See? We're all fools in the eyes of Pete. Can't we see? He says, basically, "PROVE IT! Show me a site where my 37 pieces of software won't protect me."
Sarcasm in, brings sarcasm out, Pete. Maybe one day you will learn that. Your post obviously ticked Checkout off as well as me, simply because of your "know it all" and "you are such fools" tone. What's up with that?
Then, Checkout gets a reprimand for mentioning in an offhand manner one of the great monsters of our times. Why should he not mention his name? Why make a nice but urgent request to not use his name? The man was a historical figure, he is now a generic symbol for evil. I was surprised at the post to him asking to self-censor future posts. Should there be a "historical figures that may be mentioned while posting" and a "historical figures who may not be mentioned while posting here" list?
Don't blame Checkout (and don't blame me for this post). As far as I can see, blame Pete for, again, and I have seen it happen on several occasions, puffing out his chest and instead of being friendly and conversational has to be a ---------- well, maybe I should just say be jerky about things.
Posting a bunch of stuff jumping to Pete's defense will do no good for this forum. He has a problem with dealing with people in a friendly way and to defend him is just letting him know he can continue his know it all and "how dare you question me" attitude.
I thought Checkout and my question was a good one. Pete DID miss the point and yet turned it around to make US look like fools. That should be stopped. He's a moderator for Christ's (another historical figure) sake!
John
FanJ
March 14th, 2002, 09:44 PM
John and Checkout,
First, you both are absolutely no fools.
You both are more than welcome here, and your postings are very appreciated!
Now to that other matter.
First: I didn't want to hurt Checkout.
Maybe I shouldn't have posted what I did, maybe I was wrong. I believed the part of the posting by Checkout didn't serve any purpose; without it, it was clear enough what he posted. But as said, maybe I did wrong by posting what I did.
And yes, (and now the right English words fail me a bit, sorry) I might have sometimes too strong feelings about this. This might not be the right place to go deeper on that, but, eh, there are historical-family reasons for, eh, certain emotions.
luv2bsecure
March 14th, 2002, 10:27 PM
Hi Jan,
I guessed that when I read your post. I'm very sorry if it is an emotional thing for you to hear the name. I can imagine that chapter of history being painful, especially to those whose lineage was directly affected. At the same time, his name was not raised in any way but to associate with evil. That's why I said that and stood up for Checkout's right to say the name without being "called on the carpet." You don't have to apologize, certainly NOT. I am sure Checkout himself wouldn't expect that considering. Your saying you were probably wrong I'm sure is enough, no biggie.
Now Pete and his attitude? That's a different story.
John
FanJ
March 14th, 2002, 11:41 PM
Thanks John!
I didn't want to hurt you or Checkout, sorry!
I'm sure the other thing with Pete will be solved.
Jan.
Checkout
March 15th, 2002, 05:28 AM
-{ Quote: "I didn't want to hurt you or Checkout, sorry!" }-
Jan, I'm not hurt at all. But we all need to lay this ghost to rest. Mentioning a "certain person's" name is very common when using hyperbole. Furthermore, I'm not insensitive to the many contributors here who are German. Far from it, I've lived and worked in Germany, and experienced first-hand just how candid they can be about a "certain person" and the circumstances surrounding him. And don't forget that my culture also bore the stains of that period. Heinous and shameful acts were committed by our forefathers too.
Please, let us not go knee-jerking whenever his name is mentioned. It's a subtle and pervasive form of censorship, and helps foster an atmosphere counter to open and free speech.
Finally, allow me this: I love Germany and its people. I had wonderful years there, and I consider the English and the Germans far closer - culturally and mentally - than the English and Americans.
That's all. I certainly had no intention of bruising anyone here, even if unintentionally. It's about time we all got over this fifty-year-old inherited sensitivity.
Checkout
March 15th, 2002, 05:32 AM
While I'm still in the saddle, I wish to mention that I have absolutely no problems with Pete. Far from it.
Paul Wilders
March 15th, 2002, 08:11 AM
My two sixpence:
Being Jewish, having lost quite a lot of family members in WWII, I don't have any objection to using the name "Hitler" in an appropriate context.
regards,
paul
FanJ
March 15th, 2002, 08:20 AM
-{ Quote: "
Being Jewish, having lost quite a lot of family members in WWII, I don't have any objection to using the name "Hitler" in an appropriate context.
regards,
paul" }-
Thanks Paul,
These words go exactly the same for me.
Mike_Healan
March 18th, 2002, 08:21 AM
That new version is now out.
http://www.definitivesolutions.com/bhodemon.htm
http://www.definitivesolutions.com/files/bhodmon1.zip
http://www.spywareinfoforum.com/downloads/bhodmn.zip
Copyright ©2002 - 2013, Wilders Security Forums