bhocop / bhodemon

Discussion in 'other software & services' started by Phazor, Oct 12, 2002.

Thread Status:
Not open for further replies.
  1. Ghost

    Ghost Guest

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I know Ghost. That was one of the reasons I asked Tony about it :)

    Regards,

    Pieter
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    A tantalizing idea! :D

    However, I don't intend to dedicate the rest of my life to the noble (?) BHO.

    I'm sure there must be more to life.

    Now if ony I could find out what it could possibly be... :D
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Is there any way that BHOs can be hiding from BHODemon?
    The reason I'm asking is that Startuplist shows two BHOs that BHODemon doesn't.
    (no name) - (no file) - {7583A45D-8C46-11D1-8D99-00A0C913CAD4}
    (no name) - (no file) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
    I haven't got the faintest where that first one comes from o_O
    I searched the registry and the only place these CLSIDs show up is in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects where one would expect BHODemon to detect them. Or does it ignore them since they are not linked to anything?

    Regards,

    Pieter
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    No, BHOs can't possibly hide.

    Startuplist reads the data in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and then looks at the InprocServer32 subkey of the corresponding CLSID in HKEY_CLASSES_ROOT in order to determine what the dll in question is.

    In both of these cases it finds "no file" so the BHO is harmless in practice.

    That ought somehow to account for the difference.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thnx Tony,

    That's what I suspected. Just wanted to make sure :)

    Cheers,

    Pieter
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    No prob! :)
     
  8. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Greetings Forum members and Moderators,
    To Tony Klein,
    I have been looking through your list of BHO's with interest, after reading the posted comments, because I have a new one for your list and also seek your help.

    I have found 4 in the Registry but BHODemon only records 3 of them. (This may answer Pieter's query)
    I will list the CLSID's and note what I found:-

    1. {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    2. {80F3E430-B101-42AD-A544-FADC6B084872}
    3. {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
    4. {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80}

    1, 2 and 3 you already have listed. BHODemon shows 1, 2 and 4 but misses 3.
    4. This belongs to AbsoluteShield Internet Eraser and is called AbsoluteShield IE Popup Blocker (PKExt.dll)
    I can provide more info as you require. It is disabled by BHODemon now as I use Outpost firewall as my popup blocker (Quite effective too, I might add!)

    I would like to find out what to do to make BHODemon find and record 3. I tried putting the CLSID into the .ini file for BHODemon but nothing happens! It is as though it does not exist. It is found in the Registry with the others, labelled as 'Activater', and a search shows that it does exist on my HardDrive.

    What can I do to be rid of it?

    Regards
    Tommie
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Hi Tommie,

    Thanks for the new BHO. It'll be in the next update, together with another 6 or so new ones.

    BHO's appear to be all the rage: Google and Cookie Pal's Kookaburra appear to be two more companies that didn't use to install BHOs with their software, but now do.

    About the third BHO, I don't think there's anything you can do to "make BHO Demon see it".

    Did you find a reference to that CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects as well?

    Because that's where it ought to read them from.

    Alternatively, please do this:

    Go to http://www.spywareinfoforum.com/downloads.php#det , and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Let's see whether it does find the third BHO.
     
  10. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Hello Tony
    Just came back to the Forum to see your reply.
    The screen shot shows the info you ask but I will follow your advice and try to return later with that info too.

    Regards
    Tommie
     

    Attached Files:

  11. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Hello Tony Klein
    I am back with the info again.
    Will try to post 2 images at one time - maybe not allowed here.
     

    Attached Files:

  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Tommie,

    Go to HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}

    Does that key have all three of the following subkeys:

    InprocServer32, ProgID, and VersionIndependentProgID?

    Also take a look at the default value for InprocServer32.
    What dll does it point to, and do you in fact have that dll?
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Ah, thank you for that second image.

    It says "No file", so the dll in question has probably been removed, which is why BHO Demon wasn't able to read its properties.

    That's why. :)

    Cheers,
     
  14. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Trying again to download the Hijack log file. The notice says it is not allowed, so I changed .log to .txt. Hope it works!
     

    Attached Files:

  15. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Hello Tony

    As the screen shot shows, none of those keys are present for that CLSID.
    Now what do I do to get rid of 'Activater'?
     

    Attached Files:

  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Well, delete both
    HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Tony and tommie_tt,

    I've had this Activater key longer than I can remember. It was there the first time I ever looked into BHOs.
    I exported that part of the registry and it looks like this:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}]
    @="Activater"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}\ReadMe-BHODemon]
    @="This BHO has been enabled by BHODemon."

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}\ReadMe-BHODemon]
    @="This BHO has been enabled by BHODemon."

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}\ReadMe-BHODemon]
    @="This BHO has been enabled by BHODemon."

    I always assumed this was a Windows key. Was I mistaken?

    Regards,

    Pieter
     
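    The checks Tony describes in posts 5 and 12 (list the CLSID subkeys under the Browser Helper Objects key, follow each CLSID to HKCR\CLSID\{..}\InprocServer32, and see whether that DLL is still on disk) as an added example; this is not code from the thread, from BHODemon or from Startuplist. It parses a .reg export in the format Pieter posted above (his export is embedded as the sample), joins the CLSIDs with an InprocServer32 table, and classifies each entry as loadable, "no file", or orphaned. The InprocServer32 paths in SAMPLE_SERVERS are constructed placeholders, not real product locations; on Windows, running the script with --live reads the live registry through winreg instead.

```python
"""Enumerate IE Browser Helper Objects and flag orphaned / "no file" entries.

Mirrors the manual check from this thread: read the CLSID subkeys under the
Browser Helper Objects key, follow each CLSID to HKCR\\CLSID\\{..}\\InprocServer32,
and test whether that DLL actually exists on disk.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Bho:
    clsid: str
    name: str              # default value of the BHO subkey ("" when unnamed)
    dll: Optional[str]     # InprocServer32 default value, None when that key is absent
    dll_present: bool

    def status(self) -> str:
        if self.dll is None:
            return "orphaned"    # nothing for IE to load: no CLSID/InprocServer32 key
        if not self.dll_present:
            return "no file"     # registered, but the DLL has been removed
        return "loadable"


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return {CLSID: name} for each BHO subkey in a 'Windows Registry Editor 5.00' export."""
    prefix = ("HKEY_LOCAL_MACHINE\\" + BHO_KEY + "\\").upper()
    found: Dict[str, str] = {}
    current: Optional[str] = None            # CLSID of the section being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].upper()
            rest = path[len(prefix):] if path.startswith(prefix) else ""
            current = rest if CLSID_RE.fullmatch(rest) else None  # skips e.g. \ReadMe-BHODemon
            if current:
                found.setdefault(current, "")
        elif current and line.startswith('@="') and line.endswith('"'):
            found[current] = line[3:-1]      # the key's default value is the BHO's display name
    return found


def resolve(bhos: Dict[str, str], servers: Dict[str, Optional[str]],
            file_exists: Callable[[str], bool] = os.path.isfile) -> List[Bho]:
    """Join each BHO with its InprocServer32 path (None = key missing) and test the DLL on disk."""
    result = []
    for clsid, name in sorted(bhos.items()):
        dll = servers.get(clsid) or None
        present = dll is not None and file_exists(os.path.expandvars(dll))
        result.append(Bho(clsid, name, dll, present))
    return result


def read_live_registry() -> Tuple[Dict[str, str], Dict[str, Optional[str]]]:
    """Windows only: read the same two places with winreg."""
    import winreg
    bhos: Dict[str, str] = {}
    servers: Dict[str, Optional[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY, 0, winreg.KEY_READ) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):          # [0] = number of subkeys
            clsid = winreg.EnumKey(key, i).upper()
            try:
                bhos[clsid] = winreg.QueryValue(key, clsid)   # default value of the subkey
            except OSError:
                bhos[clsid] = ""
            try:
                servers[clsid] = winreg.QueryValue(
                    winreg.HKEY_CLASSES_ROOT, f"CLSID\\{clsid}\\InprocServer32")
            except OSError:
                servers[clsid] = None                         # orphaned registration
    return bhos, servers


def report(bhos: Dict[str, str], servers: Dict[str, Optional[str]],
           file_exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    return [f"{b.clsid} {b.name or '(no name)'} -> {b.dll or '(no file)'} [{b.status()}]"
            for b in resolve(bhos, servers, file_exists)]


# Sample input: the export Pieter posted in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}]
@="Activater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}\ReadMe-BHODemon]
@="This BHO has been enabled by BHODemon."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"
"""

# Constructed InprocServer32 table; the DLL paths are placeholders, not real product locations.
SAMPLE_SERVERS: Dict[str, Optional[str]] = {
    "{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}": None,  # HKCR\CLSID key absent, as in Tommie's screenshot
    "{601ED020-FB6C-11D3-87D8-0050DA59922B}": r"C:\Placeholder\Removed.dll",
    "{BDF3E430-B101-42AD-A544-FADC6B084872}": r"C:\Placeholder\NavHelper.dll",
}

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        print("\n".join(report(*read_live_registry())))
    else:  # offline demo: pretend only the placeholder NAV DLL exists on disk
        print("\n".join(report(parse_reg_export(SAMPLE_REG), SAMPLE_SERVERS,
                               lambda p: p.endswith("NavHelper.dll"))))
```

    An entry whose CLSID key is missing or whose DLL is gone cannot be loaded by Internet Explorer, which is the situation Tony describes for the two "no file" entries and for Activater; the report makes that state explicit instead of silently dropping the entry the way BHODemon did.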
  18. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Tony,
    Thank you very much for your help and advice.
    Seems like your Forum is like the one at Agnitum Outpost in friendly and helpful Moderators. I appreciate that a great deal and will continue here as long as I can.
    Belated New Year wishes to you and your Moderators and Posters.

    Best Regards
    Tommie.

    p.s Saw that 'root' has been here a long time before me!
     
  19. tommie_tt

    tommie_tt Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    9
    Location:
    Quebec,Canada
    Thank you and Welcome Pieter,
    I did not have mine very long as I'm ALWAYS reading something about security and checking to see if it applies to my computer. I am relatively new to this computer thing and try to get the knowledge and help that I can.
    According to Tony's List of BHO's you should also get rid of that one!

    I'll be in this Forum more often this time as there is much I have to learn now.

    Regards
    Tommie
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    You're welcome, Tommy.

    Pieter,

    This is the very first I've seen of this Activater BHO, and I can assure you it isn't a Windows file.

    Do you still have the related HKCR\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F} key?

    Its InprocServer32 subkey will point to "its" dll, which in turn will tell you what it belongs to.
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Oops, major brain fart:

    Not only isn't it a Windows file, it could be an early version of this one:

    CnbarIE.dll - Commonname toolbar


    Also seen the CLSID used by HTMLedit.dll : http://www.wjjsoft.com/htmledit.html
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Tony,

    The related CLSID is gone. It only shows up twice in my registry, the other entry is in HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility
    I'll look through my ancient Adaware logs to see if I can find anything that might have been responsible for this entry.

    Computer archeology. LOL

    Regards,

    Pieter
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    First time I installed BHO Demon I actually found an orphaned Comet Cursor key there.
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    BHODemon never showed this one.
    I think I stumbled into it, when I was trying to make a simple BHO myself and looked in the registry in order to find out how the entries had to be made.

    Regards,

    Pieter
     