O2-Browser Helper Browser Objects (BHO).

/ Modules / Through / 3 minutes of reading
320
5 / 5 - (3 votes)

O2-Browser Helper Browser Objects (BHO).

 This module searches for all installed Browser Helper Objects (BHO). A BHO is an application that adds certain functionality to the web browser.

Features

– The search is carried out on the CLSID subkeys of the Registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

– The line is commented with the name of the owner and the designation of the file. (.Google Inc. – GoogleToolbarNotifier.)
– In the event of absence of startup and file, and therefore of owner and description of the file, the words “Orphan key” are displayed. Orphaned keys usually come from a poorly done software uninstallation or partial disinfection.

ZHPDiag Overview

—\\ Browser Helper Browser Objects (O2)
O2 – BHO: Google Toolbar Notifier BHO – {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}. (.Google Inc. – GoogleToolbarNotifier.) — C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 – BHO: Google Toolbar Helper – {AA58ED58-01DD-4d91-8333-CF10577473F7}. (.No owner – No description.) — C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 – BHO: (no name) – {00000000-17A6-11D0-99CB-00C04FD64497} Orphan key

HijackThis Equivalence

O2 – BHO: Google Toolbar Notifier BHO – {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} – C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 – BHO: Google Toolbar Helper – {AA58ED58-01DD-4d91-8333-CF10577473F7} – C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

Equivalence OTL

O2 – BHO: (JQSIEStartDetectorImpl Class) – {E7E6F031-17CE-4C07-BC86-EABFE594F69C} – C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.);

Example of infection

O2 – BHO: MyWebSearch Search Assistant BHO – {00A6FAF1-072E-44cf-8957-5838F569A31D}. (.No owner – No description.) — C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL => BT Infection (MyWebSearch.Spy)

– Iinfection with owner name theft:
O2 – BHO: (no name) – {27598B57-2F92-42F0-A5FE-CF22BAFFC149} . (.Microsoft Corporation – User Idle Monitor.) — c:\windows\system32\ghfuhwu.dll => BT Infection

ZHPFix action (General case)

O2 – BHO: (no name) – {CLSIDKey} – {FileName}

{Key} : Registry Base Key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{Startup} : Default value of the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSIDKey}]
{CLSIDKey} : CLSID subkey of the Key {Key}
{FileName} : Data of the default value of the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSIDKey}\InProcServer32]

1) The tool removes the key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\CLSIDKey}]
2) The removed toolme the key [HKLM\SOFTWARE\Classes\CLSID\{CLSIDKey}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{CLSIDKey}]
4) The tool removes the file {FileName}

Action ZHPFix (Case of an orphan key)

O2 – BHO: {Startup} – {CLSIDKey} Orphan key

{Key} : Registry Base Key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{Startup} : Default value of the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSIDKey}]
{CLSIDKey} : CLSID subkey of the Key {Key}
{FileName} : Data of the default value of the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSIDKey}\InProcServer32]

1) The tool deletes the key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\CLSIDKey}]
2) The tool deletes the key [HKLM\SOFTWARE\Classes\CLSID\{CLSIDKey}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{CLSIDKey}]

ZHPFix report (General case)

O2 – BHO: MyWebSearch Search Assistant BHO – {00A6FAF1-072E-44cf-8957-5838F569A31D}. (…) — C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL

Report of ZHPFix v1.12.3133 by Nicolas Coolman, Update of 02/08/2010

========== Registry Key(s) ==========
O2 – BHO: MyWebSearch Search Assistant BHO – {00A6FAF1-072E-44cf-8957-5838F569A31D}. (…) — C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL => Key deleted successfully
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}] => Key deleted successfully
[HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}] => Key deleted successfully

========== File(s) ==========
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL => Deleted and quarantined

========== Summary ==========
3: Registry key(s)
1: File(s)

ZHPFix report (Case of an orphan key)

O2 – BHO: (no name) – {00000000-17A6-11D0-99CB-00C04FD64497} Orphan key

Report of ZHPFix v1.12.3155 by Nicolas Coolman, Update of 20/09/2010

========== Registry Key(s) ==========
O2 – BHO: (no name) – {00000000-17A6-11D0-99CB-00C04FD64497} Orphaned key => Key deleted successfully
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-17A6-11D0-99CB-00C04FD64497}] => Key deleted successfully
[HKCR\CLSID\{00000000-17A6-11D0-99CB-00C04FD64497}] => Key deleted successfully

========== Summary ==========
3: Registry key(s)

Links

* Browser Helper Objects

Share
Tweet
whatsapp
Share
Pin it

About the Author

Nicolas Coolman is a French IT and IT security expert with a degree in software engineering. It specializes in scanning and disinfecting malware, including adware, ransomware, Trojans and other types of unwanted software. Nicolas Coolman is also the creator of several computer security tools, such as "ZHPCleaner" and "ZHPDiag", which are widely used by users to scan and clean malware from their Windows operating systems. Nicolas Coolman is very active in the IT security community and regularly shares his knowledge and findings on his website and on security forums. His expertise is recognized by many users and IT professionals, and he is considered a reference in the field of combating malware.

Similar publications

Back to top