What is a Browser Helper Object?
A Browser Helper Object, or BHO, is just a small program that runs automatically
every time you start your Internet browser. Usually, a BHO is installed on your
system by another software program. For example, Go!Zilla, the downloading
utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO
tracks which advertisements you see as you surf the Web.
The natural question is, what do BHOs do? The technical answer is "anything",
but generally, they will have something to do with "helping" you browse the
Internet. Of course, many BHOs are what is called "ad-ware" or "spyware": they
do things like monitor the websites you visit and report this data back to their
creators.
They can also routinely conflict with other running programs, cause a variety of
page faults, run time errors, and the like, and generally impede browsing
performance.
A great little tool for viewing and, if required, disabling the BHOs that may
be installed on your machine is BHODemon, which can be downloaded here.
For those interested, Merijn Bellekom, the developer of the brilliant
Startuplist and Hijack This!, has introduced BHOList.exe. It downloads and
displays the BHO Collection in a searchable and sortable list.
Note
The notorious LOP foistware now creates random browser plugin identifiers as
well as file names.
They'll look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66}: ssshwckfrngl.dll
{9633C13D-85BB-4271-83C1-F22BC2938585}: llbrquistglc.dll
{DCF6B0CF-5312-42B2-B783-971C107F8B91}: kstilypsm.dll
As the number of possible names and combinations could therefore literally run
into the billions, I will no longer be adding LOP BHOs to the list.
Be watchful when running into unknown BHOs bearing these kinds of fancy names.
If they're not on the list, and the file is located in the Application Data
directory, it's almost certainly a LOP BHO.
The same now goes for some WurldMedia Browser Plugins. Here are a few examples
of random WM identifiers and file names:
{8A79D959-1251-41CC-B29D-4CF8B675D41E}: toalundg.dll
{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll
and some semi-random ones:
{E0634852-5A3C-4E35-954C-17A0622F0BF8}: m030206pohs.dll
{6270DFC1-EDFB-4BC4-BE8C-842740BA290B}: MOAA030425S.DLL
{BFBAE8DA-9920-4166-A5A4-EBD03F59ABF5}: mo030414s.dll
{98D9A225-9D35-4F98-A65B-85FC9A21C0E4}: MO030414S.DLL
According to research by Andrew Clover, these are respectively completely and
partly random filenames and class IDs; he got a new filename/ID every time he
installed. However, the internal name of the object remains the same
(TChk.TChkBHO), so it will fortunately remain detectable, although not by file
name alone.
More random BHOs are used by Adware.GPCasino, aka TalkStocks Trojan.
These are found in the System(32) directory and are called IEloader Module:
{4A2D7B5F-4E9E-839C-AC5C-768688C7DE8B}: itstgblg.dll
{AF7D42F2-29BD-D89C-3FC8-C64D7AF6B3AC}: qhgimxyy.dll
{CB3B59F7-43E6-A0D6-956F-3673E9738AA6}: ntmccdds.dll
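The three rules above (LOP, WurldMedia, GPCasino) can be applied to a BHO inventory by matching on the attributes that stay fixed instead of on file name or class ID. The following is an added example, not code from the original page or from any of the tools it mentions; the record layout, the directory paths, the placeholder "known" class ID and the assumption that the "name" field holds the object's internal name are all constructed for illustration.

```python
import ntpath  # parses Windows-style paths on any operating system

# Stable attributes named on the page; compared case-insensitively.
WM_INTERNAL_NAME = "tchk.tchkbho"
GPCASINO_NAME = "ieloader module"

def classify_bho(bho, known_clsids):
    """Triage one BHO record: a dict with 'clsid', 'path' and 'name' keys."""
    name = (bho.get("name") or "").lower()
    parts = ntpath.dirname(bho["path"]).lower().split("\\")
    # WurldMedia: file name and class ID change per install, the name does not.
    if name == WM_INTERNAL_NAME:
        return "WurldMedia"
    # GPCasino: random DLL in System or System32, called IEloader Module.
    if name == GPCASINO_NAME and parts[-1] in ("system", "system32"):
        return "Adware.GPCasino"
    if bho["clsid"].upper() in known_clsids:
        return "listed"
    # LOP: not on the list and the DLL lives under Application Data.
    if "application data" in parts:
        return "probable LOP"
    return "unknown"

def triage(bhos, known_clsids):
    """Map each class ID in the inventory to its triage label."""
    return {b["clsid"]: classify_bho(b, known_clsids) for b in bhos}

# Constructed inventory: the first three class IDs and DLL names are samples
# from the page; all directories and the last two records are invented.
KNOWN_CLSIDS = {"{00000000-0000-0000-0000-0000000000A1}"}
SAMPLE_BHOS = [
    {"clsid": "{1A35419C-7394-4989-B3C5-6189EB06BD66}", "name": "",
     "path": r"C:\Documents and Settings\user\Application Data\ssshwckfrngl.dll"},
    {"clsid": "{8A79D959-1251-41CC-B29D-4CF8B675D41E}", "name": "TChk.TChkBHO",
     "path": r"C:\WINDOWS\toalundg.dll"},
    {"clsid": "{4A2D7B5F-4E9E-839C-AC5C-768688C7DE8B}", "name": "IEloader Module",
     "path": r"C:\WINDOWS\System32\itstgblg.dll"},
    {"clsid": "{00000000-0000-0000-0000-0000000000A1}", "name": "Example Helper",
     "path": r"C:\Program Files\Example\helper.dll"},
    {"clsid": "{00000000-0000-0000-0000-0000000000B2}", "name": "",
     "path": r"C:\Program Files\Other\xyzzy.dll"},
]

if __name__ == "__main__":
    for clsid, label in triage(SAMPLE_BHOS, KNOWN_CLSIDS).items():
        print(clsid, label)
```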
For those looking for an engrossing read, here's the authoritative MS article:
Browser Helper Objects: The Browser the Way You Want It