Browser Helper Objects list.

Discussion in 'privacy problems' started by TonyKlein, Mar 12, 2002.

  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    A while ago, when I had nothing better to do, I amused myself by doing a Google search for all known BHOs in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    I came up with this bunch:

    {00000000-5eb9-11d5-9d45-009027c14662}: VX2 Respondmiter (ad popups), Blackstone Transponder
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}: ACROIEHELPER.OCX (Adobe Acrobat Reader)
    {1678F7E1-C422-11D0-AD7D-00400515CAAA}: Comet Cursor
    {49A69FA0-2678-45CD-A069-6ACC372B20F8}: DownloadMage
    {5998B08E-CFAC-11D5-822A-0050048E6E38}: JimmySurf
    {657B9354-BB3B-4500-A9B0-109B4FA64815}: Amcis32.dll, Win32/Aspam.Trojan
    {724d43a9-0d85-11d4-9908-00400523e39a}: Roboform
    {72EFCEB7-436E-11D3-93ED-0008C7396667}: DigitalMe toolbar
    {C4D99500-4C77-11D4-93B7-0040950570BA}: eBoom Search Bar
    {C900B400-CDFE-11D3-976A-00E02913A9E0}: WHIEHLPR.DLL (Webhancer)
    {CD4C3CF0-4B15-11D1-ABED-709549C10000}: GOIEHLP.DLL (Go'Zilla)
    {EBBFE27C-BDF0-11D2-BBE5-00609419F467}: AMCIS.DLL (Aureate/Radiate)
    {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}: NZDD.DLL (NetZip Download Demon, Real Download)

    To be sure, they're not all harmful: if you remove the Adobe BHO, for example, you won't be able to open online PDF files, but most of them just don't belong there.

    Now this is only a short list, of course.

    Does anyone have other BHOs for my collection?  :D
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hey!

    Found three new ones:

    {004A5840-FF59-11d2-B50D-0090271D3FD4} :  Yahoo Companion (probable)
    {A586BE00-52AC-11D3-A075-E51A86A6C62B}:  ParentPresent - PP Browser
    {139D88E5-C372-469D-B4C5-1FE00852AB9B}: FavoriteMan - ofrg.dll

    :D
     
  3. FanJ

    FanJ Guest

  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi Jan,

    Thanks, I know, but I use BHO Cop myself, which I like better.

    If I remember correctly, BHO Captor doesn't let you uncheck the BHOs but deletes them straight away (I may be off the mark here).

    Anyhow, I found three on my system, two of them required (Roboform and Adobe), and the third one a Comet leftover.

    Nothing spectacular.

    I think it would be useful to have such a list, which could be consulted if one is in doubt about where certain BHOs belong.

    Cheers,  Tony
     
  5. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Tony, you are right about BhoCop. Much better.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Additionally, if you just want to disable the BHO in question instead of killing it completely, you can just edit its CLSID in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects by inserting a minus sign in front of it, like so:

    -{00000000-5eb9-11d5-9d45-009027c14662}

    Greetz,  Tony
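    The registry walk post 1 did by hand (BHO key, CLSID, DLL) and the minus-sign rename from post 6, as an added PowerShell example. It is not code from this thread or from BHO Cop, BHO Captor or BHODemon. It assumes a 64-bit Windows with Windows PowerShell 5 or later; the CLSID table is the thread's own list and is a lookup aid, not a verdict on anything it does not contain.

```powershell
# Added example, not code from this thread or from BHO Cop / BHO Captor / BHODemon.
# Lists IE Browser Helper Objects the way post 1 did by hand (BHO key -> CLSID -> DLL),
# marks the CLSIDs this thread collected, and disables/re-enables one with the
# "-" prefix rename from post 6. Reading works as a normal user; renaming under
# HKLM needs an elevated PowerShell.

# CLSIDs and labels as posted in this thread. "unknown" means "not on the list",
# which is the row to go and look at, not a verdict either way.
$KnownBhos = @{
    '{00000000-5EB9-11D5-9D45-009027C14662}' = 'VX2 Respondmiter (ad popups), Blackstone Transponder'
    '{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}' = 'ACROIEHELPER.OCX (Adobe Acrobat Reader)'
    '{1678F7E1-C422-11D0-AD7D-00400515CAAA}' = 'Comet Cursor'
    '{49A69FA0-2678-45CD-A069-6ACC372B20F8}' = 'DownloadMage'
    '{5998B08E-CFAC-11D5-822A-0050048E6E38}' = 'JimmySurf'
    '{657B9354-BB3B-4500-A9B0-109B4FA64815}' = 'Amcis32.dll, Win32/Aspam.Trojan'
    '{724D43A9-0D85-11D4-9908-00400523E39A}' = 'Roboform'
    '{72EFCEB7-436E-11D3-93ED-0008C7396667}' = 'DigitalMe toolbar'
    '{C4D99500-4C77-11D4-93B7-0040950570BA}' = 'eBoom Search Bar'
    '{C900B400-CDFE-11D3-976A-00E02913A9E0}' = 'WHIEHLPR.DLL (Webhancer)'
    '{CD4C3CF0-4B15-11D1-ABED-709549C10000}' = "GOIEHLP.DLL (Go'Zilla)"
    '{EBBFE27C-BDF0-11D2-BBE5-00609419F467}' = 'AMCIS.DLL (Aureate/Radiate)'
    '{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}' = 'NZDD.DLL (NetZip Download Demon, Real Download)'
    '{004A5840-FF59-11D2-B50D-0090271D3FD4}' = 'Yahoo Companion (probable)'
    '{A586BE00-52AC-11D3-A075-E51A86A6C62B}' = 'ParentPresent - PP Browser'
    '{139D88E5-C372-469D-B4C5-1FE00852AB9B}' = 'FavoriteMan - ofrg.dll'
    '{A6927151-F5B4-11D4-AE7A-00D00925CF52}' = 'IEHELPER.DLL (DLExpert URL catcher)'
}

# On 64-bit Windows the 32-bit IE reads its own copy of the key under Wow6432Node.
$BhoKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The BHO key only names a CLSID; the DLL is whatever COM registration that CLSID
    # points to. HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so a per-user registration (writable without admin) resolves here like a machine-wide one.
    foreach ($classes in 'CLSID', 'Wow6432Node\CLSID') {
        $server = "Registry::HKEY_CLASSES_ROOT\$classes\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $server) {
            $path = (Get-ItemProperty -LiteralPath $server).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

function Get-InstalledBho {
    foreach ($keyPath in $BhoKeyPaths) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $keyPath) {
            $name     = $sub.PSChildName
            $disabled = $name.StartsWith('-')           # left behind by the post 6 rename
            $clsid    = $name.TrimStart('-').ToUpperInvariant()
            $dll      = Resolve-BhoDll -Clsid $clsid
            $known    = if ($KnownBhos.ContainsKey($clsid)) { $KnownBhos[$clsid] } else { 'unknown' }
            $dllText  = if ($dll) { $dll } else { '<no InprocServer32: orphaned entry>' }
            $signer   = 'n/a'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $dll
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
            }
            [pscustomobject]@{ Clsid = $clsid; Disabled = $disabled; Known = $known
                               Dll = $dllText; Signer = $signer; Key = $keyPath }
        }
    }
}

function Set-BhoEnabled {
    # Post 6's trick: a "-{CLSID}" key name no longer parses as a CLSID, so IE ignores
    # the entry while the registration stays intact; renaming it back re-enables it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Enable)
    $from = if ($Enable) { "-$Clsid" } else { $Clsid }
    $to   = if ($Enable) { $Clsid }   else { "-$Clsid" }
    foreach ($keyPath in $BhoKeyPaths) {
        $key = Join-Path $keyPath $from
        if (-not (Test-Path -LiteralPath $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, "Rename to $to")) {
            Rename-Item -LiteralPath $key -NewName $to
        }
    }
}

# Usage: inventory first, then a dry run of the disable (drop -WhatIf to apply).
Get-InstalledBho | Sort-Object Known | Format-Table Clsid, Disabled, Known, Signer, Dll -AutoSize
Set-BhoEnabled -Clsid '{00000000-5EB9-11D5-9D45-009027C14662}' -WhatIf
```

    The Signer column is the check the thread's lists cannot give you: an entry whose CLSID is not on any list but whose DLL carries a valid signature from a vendor you recognise is a different case from an unsigned DLL in a user-writable folder, and an entry with no InprocServer32 at all is the "leftover" post 4 mentions. Because the rename leaves the COM registration in place, the BHO can be put back by running the same function with -Enable, which is the advantage post 4 saw in a tool that unchecks rather than deletes.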
     
  7. FanJ

    FanJ Guest

    Hey Tony and Mickey,

    Thanks !  :)

    I must have missed BHO Cop somehow  :oops:
    Just installed it; thanks again.

    Cheers, Jan.
     
  8. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    A little comparison of these two: http://www.morelerbe.com/cgi-bin/ubb-cgi/ultimatebb.cgi?ubb=get_topic;f=14;t=000387
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    BHODemon is pretty good, too, guys - actually, it seems to be more informative.

    When you click on whatever BHOD finds to highlight it, then click 'Details'. Not enough details, you say? Then click on 'More Details' on that screen. Pretty neat.

    And BHOD lets you activate/de-activate whatever BHO you're dealing with, too, just like BHOCop.

    Check it out here, if you like: http://www.definitivesolutions.com/bhodemon.htm .  Pete
     
  10. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Pete, great catch !
    Already added to my page: http://pages.infinit.net/carbo1/bho.html
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Just tried BHODemon. I like it (love the price). It detected AdShield but nothing else. I didn't expect it to; I run a pretty tight ship, getting tighter every day.
     
  12. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I'm sold!  I'll try it tonight.
     
  13. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Out of curiosity, what software do you use?
     
  14. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    TDS-3
    wormguard
    regprot
    AdShield
    SpyCop S&D
    NOD32
    Labrea@home
    Proxomitron
    mailwatcher
    Kerio Personal Firewall
    BHO demon
    Surf in Peace
    InCtrl5
    adaware
    dso stop

    hope I didn't forget anything

    oops, I am behind a 3com 3c510 router/firewall
     
  15. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I guess I should list my own inventory...ah well, something for me to do tonight!
    Tx, Uni.
     
  16. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    LaBrea@home tarpit http://www.hackbusters.net/LaBrea/lbathome.html
    monitors suspicious connections to port 80 (mainly Code Red, Blue Code and any port scanner) at the packet level and attempts to trap them in its pit. A port scanner will be unable to continue scanning, and it will forever be stuck connected to your machine. Very minor bandwidth used, and you are helping slow down all the scanning that goes on. 532k mem and 0 CPU when idle. Free.

    I won't say it works as well as all that, but it is neat to see it in action. It does not interfere with my webserver at all.

    MailWatcher
    http://www.webattack.com/get/etrustmail.shtml
    does a lot of what you wanted WG to do, and it is free. I recommend it. Jan recommended it to me to evaluate a few days ago, and I am sold. No script can run at all anywhere on your machine until you allow it. Problem is you can't see what the script is, so you have to guess at whether to allow it or not. It also blocks all attempts to access the MAPI mail object (most malware likes to send emails). Its settings are crude, so it is not perfect, but it works very well. I strongly recommend you evaluate it. It uses 132k of mem and 0 CPU time when idle. Free.

    Surf in Peace
    http://www.iconlabs.net/sip.html
    is a rules-based pop-up killer, somewhat unnecessary with Proxomitron running, but it treated me well before, so it can stay. It still does intercept windows sometimes, but not nearly as much as before Proxomitron was installed. 1.25 MB mem used and 0 CPU time when idle. Free.

    InCtrl5
    http://www.zdnet.com/downloads/stories/info/0,10615,77424,00.html
    is a tool that takes a snapshot of all your registry keys, files, folders, etc.; then, after you install some software, you run it again and it will show you all the differences. Those keys that get tucked away inside MS land cannot hide from this app. Doesn't run resident. Free.
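    The snapshot-and-diff idea behind InCtrl5, scoped to the registry keys a BHO, toolbar or download-manager installer would touch, as an added PowerShell example. It is not InCtrl5's code; the key list and the %TEMP% file names are assumptions, and the Toolbar and Extensions keys are included because that is where IE toolbars and Tools-menu extensions register alongside the BHO key.

```powershell
# Added example, not InCtrl5: a scoped before/after registry snapshot of the keys
# a BHO or download-manager install typically writes, compared with Compare-Object.
# Key list and snapshot file names are assumptions for the example.

$WatchKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RegistrySnapshot {
    param([string[]]$Keys = $WatchKeys)
    # One row per (key, value name, data). Keys without values get a row too, so a
    # freshly created, still-empty CLSID key shows up in the diff.
    foreach ($root in $Keys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $items) {
            $names = $key.GetValueNames()
            if ($names.Count -eq 0) {
                [pscustomobject]@{ Key = $key.Name; Value = ''; Data = '' }
                continue
            }
            foreach ($valueName in $names) {
                $shown = if ($valueName -eq '') { '(default)' } else { $valueName }
                # Read REG_EXPAND_SZ unexpanded so a changed %PATH% does not fake a diff.
                $data  = [string]$key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                [pscustomobject]@{ Key = $key.Name; Value = $shown; Data = $data }
            }
        }
    }
}

function Compare-RegistrySnapshot {
    param($Before, $After)
    # Comparing on Key+Value+Data makes a changed value appear as one removed
    # and one added row, which is what you want when an installer overwrites a path.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property Key, Value, Data |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
            [pscustomobject]@{ Change = $change; Key = $_.Key; Value = $_.Value; Data = $_.Data }
        }
}

# Usage: snapshot, install the software, snapshot again, diff.
$before = @(Get-RegistrySnapshot)
$before | Export-Clixml -Path "$env:TEMP\reg-before.xml"
# ... install the toolbar / download manager here ...
$after = @(Get-RegistrySnapshot)
Compare-RegistrySnapshot -Before (Import-Clixml -Path "$env:TEMP\reg-before.xml") -After $after |
    Sort-Object Key, Change | Format-Table -AutoSize
```

    Saving the first snapshot to disk rather than keeping it in a variable is deliberate: installers that ask for a reboot would otherwise take the baseline with them. A full-registry snapshot in the InCtrl5 style is the same loop with 'HKLM:\' and 'HKCU:\' as the roots; it takes minutes and produces a far noisier diff, which is why a watch list of the keys that actually matter for browser add-ons is the more useful first pass.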
     
  17. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I really like the sound of Labrea.  How does it work?  Alternatively, where can I dl it?  Also, yes, I'd like to try mailwatcher, if you'd be so kind as to provide a link.

    Aren't you sleepy yet?  :)
     
  18. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    RE: BHODemon

    I've been talking to this guy and convinced him to make a new version, this one with a text log of what it finds. I've submitted two or three BHOs to Lavasoft that my visitors have found, but I've had to do it with screenshots. That is going to come in very handy.


    DLExpert's URL catcher, which Ad-aware thinks is Transponder:
    IEHELPER.DLL {A6927151-F5B4-11D4-AE7A-00D00925CF52}
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Mike,

    Sounds very interesting indeed. Would you mind keeping us posted?

    regards.

    paul
     
  20. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Sure.
    I started mirroring it on my site a few months ago. My site and his BHODemon both ended up in the same newsletter, the same issue, and I contacted him about it.
    I'm waiting for word from Urizen to see if that log output is good enough for a reflist addition. If I don't hear from him by tomorrow, I may tell the guy "sure that looks fine".
     
  21. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Checkout, I included links to the software in my previous post. You can find out the whats and hows there.
     
  22. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Duh!  Oh well.  BTW, do you run LaBrea on a Windows system?  According to the product's blurb, it won't tarpit intruders under Windows' PPP.  Correct?
     
  23. FanJ

    FanJ Guest

    About MailWatcher:

    It's nice that it is still available!
    (I thought you couldn't get it anymore).
     
  24. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    But...but...but...

    Hmm.

    Is there a product out there which can parse web pages in real time and intelligently filter out scripts/controls with bad intentions?
     
  25. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Hey Checkout: EXCELLENT QUESTION! I have been thinking of this very thing myself. No matter how protected we are with email, ports closed, etc., I worry about malicious code from websites. Thinking about that, I have been wondering the very question you asked. Something real-time that can immediately identify a scumsite. Hope somebody has an answer. If not, there's an opportunity for some ambitious programmer!

    John
     