Browser Helper Objects list.

[TonyKlein]

A while ago, when I had nothing better to do, I amused myself by doing a Google search for all known BHO's in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

I came up with this bunch:

{00000000-5eb9-11d5-9d45-009027c14662}: VX2 Respondmiter (Ad popups), *Blackstone Transponder
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}: ACROIEHELPER.OCX *(Adobe Acrobat reader)
{1678F7E1-C422-11D0-AD7D-00400515CAAA}: Comet Cursor
{49A69FA0-2678-45CD-A069-6ACC372B20F8}: DownloadMage
{5998B08E-CFAC-11D5-822A-0050048E6E38}: JimmySurf
{657B9354-BB3B-4500-A9B0-109B4FA64815}: Amcis32.dll, *Win32/Aspam.Trojan
{724d43a9-0d85-11d4-9908-00400523e39a}: Roboform
{72EFCEB7-436E-11D3-93ED-0008C7396667}: DigitalMe toolbar
{C4D99500-4C77-11D4-93B7-0040950570BA}: eBoom Search Bar
{C900B400-CDFE-11D3-976A-00E02913A9E0}: WHIEHLPR.DLL * (Webhancer)
{CD4C3CF0-4B15-11D1-ABED-709549C10000}: GOIEHLP.DLL * (Go'Zilla)
{EBBFE27C-BDF0-11D2-BBE5-00609419F467}: AMCIS.DLL (Aureate/Radiate)
{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}: NZDD.DLL (NetZip Download Demon, Real Download)

To be sure, they're not all harmful: If you remove the Adobe BHO, for example, you won't be able to open on line PDF files, but most of them just don't belong there.

Now this is only a short list, of course.

Anyone has other BHOs for my collection? *

[TonyKlein]

Hey!

Found three new ones:

{004A5840-FF59-11d2-B50D-0090271D3FD4} : *Yahoo Companion (probable)
{A586BE00-52AC-11D3-A075-E51A86A6C62B}: *ParentPresent - PP Browser
{139D88E5-C372-469D-B4C5-1FE00852AB9B}: FavoriteMan - ofrg.dll

Hi Tony,

Nice info !

You maybe have heard of BHOCaptor.
The site is: http://www.xcaptor.org/ but at this moment when I click on BHOCaptor, I get an empty page; I don’t know why.

Links on the MS site:
http://msdn.microsoft.com/library/techart/bho.htm
http://support.microsoft.com/support.../Q179/2/30.ASP

But I guess you maybe have seen these pages already.

[TonyKlein]

Hi Jan,

Thanks, I know, but I use BHO Cop myself, *which I like better.

If I remember well, BHO captor doesn't let you uncheck the BHO's but deletes them straight away (I may be off the mark here).

Anyhow, I found three on my system, 2 of them required (Roboform and Adobe), and the third one a Comet leftover.

Nothing spectacular.

I think it would be useful to have such a list, which could be consulted if one's in doubt where certain BHO's belong to.

Cheers, *Tony

[MickeyTheMan]

Tony, you are right about BhoCop. Much better.

[TonyKlein]

Additionally, if you just want to disable the BHO in question instead of killing it completely, you can just edit its CLSID in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects by inserting a minus sign in front of it like so:

-{00000000-5eb9-11d5-9d45-009027c14662}

Greetz, *Tony

Hey Tony and Mickey,

Thanks ! *

I must have missed BHO Cop somehow *
Just installed it; thanks again.

Cheers, Jan.

[MickeyTheMan]

litlle omparison on these 2: http://www.morelerbe.com/cgi-bin/ubb-cgi/ultimatebb.cgi?ubb=get_topic;f=14;t=000387

[spy1]

BHODemon is pretty good, too, guys - actually, it seems to be more informative.

When you click on whatever BHOD finds to highlight, then click 'Details'. Not enough details, you say? Then click on 'More Details' on that screen. Pretty neat.

And BHOD lets you activate/de-activate whatever BHO you're dealing with, too, just like BHOCop.

Check it out here, if you like: http://www.definitivesolutions.com/bhodemon.htm . *Pete

[MickeyTheMan]

Pete, great catch !
already added to my page: http://pages.infinit.net/carbo1/bho.html

[UNICRON]

Just tried BHOdemon. I like it. (love the price) It detected adshield but nothin else. I didn't expect it to, I run a pretty tight ship, getting tighter every day.

[Checkout]

Quote:

BHODemon is pretty good, too, guys - actually, it seems to be more informative.

I'm sold! *I'll try it tonight.

[Checkout]

Quote:

I run a pretty tight ship, getting tighter every day.

Out of curiosity, what software do you use?

[UNICRON]

TDS-3
wormguard
regprot
adsheild
SpyCop S&D
NOD32
Labrea@home
Proximotron
mailwatcher
Kerio Personal Firewall
BHO demon
Surf in Peace
InCtrl5
adaware
dso stop

hope I didn't forget anything

oops, I am behind a 3com 3c510 router/firewall

[Checkout]

Quote:

TDS-3 me too
wormguard me too
regprot
adsheild
SpyCop S&D
NOD32
Labrea@home what's this?
Proximotron
mailwatcher any good?
Kerio Personal Firewall
BHO demon
Surf in Peace what's this?
InCtrl5 what's this?
adaware
dso stop

I guess I should list my own inventory...ah well, something for me to do tonight!
Tx, Uni.

[UNICRON]

Quote:

Labrea@home what's this?
mailwatcher any good?
Surf in Peace what's this?
InCtrl5 what's this?

Labrea@home tarpit http://www.hackbusters.net/LaBrea/lbathome.html
monitors suspicious connctions to port 80 (mainly codered, bluecode and any port scanner) at the packet level and attempts to trap them in its pit. a port scanner will be unable to continue scanning, and it will forever be stuck connected to your machine. Very minor bandwidth used and you are helping slow down all the scanning that goes on. 532k mem and 0 cpu when idle. Free.

I won't say it works as good as all that, but it is neat to see it in action. It does not interfere with my webserver at all.

mailwatcher
http://www.webattack.com/get/etrustmail.shtml
does alot of what you wanted WG to do, and it is free. I recommend it. Jan recommended it to me to evaluate a few days ago, and I am sold. No script can run at all anywhere on your machine untill you allow it. Problem is you can't see what the script it so you have to guess at whether to allow it or not. It also blocks all attempts to access the MAPI mail object (most malware likes to send emails) Its settings are crude, so it is not perfect but works very well. I stongly recommend you evaluate it. It uses 132k of mem and 0 cpu time when idle. Free.

Surf in Peace
http://www.iconlabs.net/sip.html
is a rules based pop up killer, somewhat un-nessessary with proximotron running but it treated me well before so it can stay. It still does intercept windows sometimes but not nearly as much as befor proximorton was installed. 1.25 MB mem used and 0 cpu time when Idle. Free.

InCtrl5
http://www.zdnet.com/downloads/stories/info/0,10615,77424,00.html
is a tool that takes a snap shot of all your registry keys, and files folders ect, then after you install some software, you run it again and it will show you all the differences. Those keys that get tucked away inside MS land can not hide from this app. Doesn't run resident. Free.

[Checkout]

I really like the sound of Labrea. *How does it work? *Alternatively, where can I dl it? *Also, yes, I'd like to try mailwatcher, if you'd be so kind as to provide a link.

Aren't you sleepy yet? *

[Mike_Healan]

RE: BHODemon

I've been talking to this guy and convinced him to make a new version, this one with a text log of what it finds. I've submitted two or three BHOs to lavasoft that my visitors have found, but I've had to it with screenshots. That is going to come in very handy.

Quote:

----- Original Message -----
From: Larry Leonard
To: Mike Healan
Sent: Sunday, March 10, 2002 12:54 PM
Subject: Re: bhodemon


How's this look?



Details for BHO C:\WINNT\VX2.dll__BHODemonDisabled
----------------------------------------------------------------------------------------
CLSID: {00000000-5EB9-11D5-9D45-009027C14662}
File Size (bytes): 122880
Time Accessed: 2002/3/10 11:53:52
Time Modified: 2001/10/1 16:53:20
Time Created: 2001/10/1 16:53:20
Drive Number: 2
Comments:
CompanyName: VX2 Corporation
FileDescription: VX2 Module
FileVersion: 0, 3, 0, 6
InternalName: VX2
LegalCopyright: Copyright 2001
LegalTrademarks:
OLESelfRegister:
OriginalFilename: VX2.DLL
PrivateBuild:
ProductName: RespondMiter
ProductVersion: 0, 3, 0, 6
SpecialBuild:



Larry Leonard
www.DefinitiveSolutions.com

DLExpert's URL catcher which adaware thinks is transponder:
IEHELPER.DLL {A6927151-F5B4-11D4-AE7A-00D00925CF52}

[Paul Wilders]

Mike,

Sounds very interesting indeed. Would you mind keeping us posted?

regards.

paul

[Mike_Healan]

Sure.
I started *mirroring it on my site a few months ago. My site and his BHODemon both ended up in the same newsletter the same issue and I contacted him about it.
I'm waiting for word from Urizen to see if that log output is good enough for a reflist addition. If I don't hear from him by tomorrow, I may tell the guy "sure that looks fine".

[UNICRON]

Checkout, I included links to the sofware in my previous post. You can find out the whats and hows there.

[Checkout]

Quote:

Checkout, I included links to the sofware in my previous post. You can find out the whats and hows there.

Duh! *Oh well. *BTW, do you run LaBrea on a Windows system? *According the the product's blurb, it won't tarpit intruders under Windows' PPP. *Correct?

About MailWatcher:

It's nice that it is still available!
(I thought you couldn't get it anymore).

[Checkout]

But...but...but...

Hmm.

Is there a product out there which can parse web pages in real time and intelligently filter out scripts/controls with bad intentions?

[luv2bsecure]

Hey Checkout: EXCELLENT QUESTION! I have been thinking of this very thing myself. No matter how protected we are with email, ports closed, etc. I worry about malicious code from websites. Thinking about that, I have been wondering the very question you asked. Something real time that can immediately identify a scumsite. Hope somebody has an answer. If not, there's an opportunity for some ambitious programmer!

John