TonyKlein
Site Moderator
Joined: Oct 15, 2002
Posts: 5815
Location: Netherlands
Posted: Sun Nov 16, 2003 10:49 am Post subject: So how did I & What the heck is a BHO?
You usually get infected because your security settings are too low.
Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:
1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.
2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.
3) Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.
Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Options/Security.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
And some more advice:
4) Install Javacool's SpywareBlaster
It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer).
Press "select all", then "kill all checked", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.
There's a board at Wilderssecurity as well.
Let's also not forget that SpyBot Search and Destroy has the Immunize feature which works roughly the same way.
It can't hurt to use both.
5) Another brilliant program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.
It now also features Download Protection and Browser Hijacking Protection!
6) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD
Incidentally, another site with an enormous amount of information on computer security, and which is well worth a visit is http://www.wilders.org/
Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
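The ActiveX options in step 3 and the "kill bit" that SpywareBlaster sets in step 4 are both stored in the registry. The Python script below is an added example, not code from the post or from SpywareBlaster: it audits the current user's Internet zone against the values the post recommends and reports whether a CLSID's Compatibility Flags carry the kill bit. The registry paths, action IDs (1001, 1004, 1201) and their encodings (0 Enable, 1 Prompt, 3 Disable; kill bit 0x400) are Microsoft's documented IE zone layout rather than something the post states; the sample zone values, and the assumption that an absent value counts as Enable, are constructed for the example.

```python
"""Audit the IE Internet zone ActiveX settings recommended in the post.

Added example, not code from the post or from SpywareBlaster.  Registry
layout (zone 3 = Internet; action IDs 1001/1004/1201; 0 = Enable,
1 = Prompt, 3 = Disable; kill bit = 0x400 in 'Compatibility Flags') is
Microsoft's documented IE zone layout.  On Windows the live registry is
read; elsewhere a constructed sample zone is audited instead.
"""
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Action IDs under HKCU\...\Internet Settings\Zones\3 and the post's advice.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Kill bit: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
# DWORD 'Compatibility Flags' with bit 0x400 set stops IE loading that control.
KILL_BIT = 0x400


def audit_zone(values):
    """Return (action_id, name, current_label, wanted_label) for every
    setting weaker than the post recommends.  Assumption for this example:
    an absent value is treated as Enable, i.e. the weakest choice."""
    findings = []
    for action, (name, wanted) in RECOMMENDED.items():
        current = values.get(action, ENABLE)
        if STRICTNESS.get(current, 0) < STRICTNESS[wanted]:
            findings.append((action, name, LABEL.get(current, hex(current)), LABEL[wanted]))
    return findings


def kill_bit_set(compat_flags):
    """True when a CLSID's 'Compatibility Flags' DWORD carries the kill bit."""
    return bool(compat_flags & KILL_BIT)


def read_live_zone():
    """Read the three action values for the current user's Internet zone (Windows only)."""
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in RECOMMENDED:
            try:
                values[action], _ = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                pass  # not set for this user: audit_zone() treats it as Enable
    return values


# Constructed sample: signed downloads enabled, unsigned prompts, unsafe scripting enabled.
SAMPLE_ZONE = {"1001": ENABLE, "1004": PROMPT, "1201": ENABLE}


def main():
    values = read_live_zone() if sys.platform == "win32" else SAMPLE_ZONE
    findings = audit_zone(values)
    if not findings:
        print("Internet zone ActiveX settings match the recommendations.")
    for action, name, have, want in findings:
        print(f"[{action}] {name}: is {have}, recommended {want}")
    # Constructed flags value of the kind SpywareBlaster writes for a kill-bitted CLSID.
    print("kill bit set for sample flags 0x400:", kill_bit_set(0x400))


if __name__ == "__main__":
    main()
```

A setting stricter than the post's recommendation (for example unsigned downloads left at the default Disable) is not reported, since the audit only flags choices weaker than the advice given.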
phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"
Posted: Tue Nov 18, 2003 12:08 pm Post subject: Just what the heck is a BHO anyway??
From the UnderSheriff by Tony (the saint) Klein
"What is a Browser Helper Object?
A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.
The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet.
Of course, many BHOs are what is called "ad-ware" or "spyware": they do things like monitor the websites you visit and report this data back to their creators."
They can also routinely conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance.
For those looking for an engrossing read, here's the authoritative MS article:
Browser Helper Objects: The Browser the Way You Want It
A great little tool for viewing and, if required, disabling, the BHOs that may be installed on your machine is BHODemon, which can be downloaded here
We at CCSP are maintaining a comprehensive list of all known BHO and Toolbar CLSIDs, which can be viewed here:
http://www.computercops.biz/CLSID.html
It is continuously being updated.
Listed BHO and Toolbar Class IDs are tagged X for certified spyware/foistware or other malware, L for legitimate items, O for 'open to debate' and ? for items of unknown status.
NOTE: The Notorious LOP foistware now creates random Browser plugin identifiers as well as file names.
They'll look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
As the number of possible names and combinations could therefore literally run into the billions, I will no longer be adding LOP BHOs to the list.
Be watchful when running into unknown BHOs bearing these kinds of fancy names. If they're not on the list, and the file is located in the Application Data directory, it's almost certainly a LOP BHO.
The same now goes for Adgoblin/InContext and WurldMedia Browser Plugins, and there are others. Here are some examples of random WurldMedia identifiers and file names:
{8A79D959-1251-41CC-B29D-4CF8B675D41E}: toalundg.dll
{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll
and some semi-random ones:
{E0634852-5A3C-4E35-954C-17A0622F0BF8} - m030206pohs.dll
{6270DFC1-EDFB-4BC4-BE8C-842740BA290B}: MOAA030425S.DLL
{BFBAE8DA-9920-4166-A5A4-EBD03F59ABF5}: mo030414s.dll
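The post lists BHOs as `{CLSID} - file.dll` (or `{CLSID}: file.dll`) lines, tags known ones X/L/O/?, and gives a rule of thumb for the random-named LOP plugins: unknown CLSID plus a file under Application Data. The Python script below is an added example, not code from the post, from BHODemon or from the CCSP list; it parses such lines, rejects malformed CLSIDs, looks each one up in a small status table and applies the post's rule. The `KNOWN` table and the sample lines with file paths are constructed for the example (the CLSIDs in them are the ones quoted in the post plus one all-zero placeholder).

```python
"""Triage Browser Helper Object entries written the way the post lists them.

Added example, not code from the post, BHODemon or the CCSP CLSID list.
Status tags follow the post: X = certified spyware/foistware/malware,
L = legitimate, O = open to debate, ? = unknown.  KNOWN and SAMPLE are
constructed for this example.
"""
import re
from collections import namedtuple

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
LINE_RE = re.compile(r"^\s*(\{[^}]*\})\s*[-:]\s*(.+?)\s*$")

# Constructed status table: the first CLSID is the LOP sample quoted in the
# post, the second is an all-zero placeholder standing in for a legitimate entry.
KNOWN = {
    "{1A35419C-7394-4989-B3C5-6189EB06BD66}": "X",
    "{00000000-0000-0000-0000-000000000001}": "L",
}

Entry = namedtuple("Entry", "clsid dll path status verdict")


def parse_line(line):
    """Return (CLSID, target) or None when the line or the CLSID is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    clsid, target = m.group(1).upper(), m.group(2)
    if not GUID_RE.match(clsid):
        return None
    return clsid, target


def in_application_data(path):
    """True when a directory component of a Windows path is 'Application Data'."""
    return "application data" in re.split(r"[\\/]", path.lower())[:-1]


def triage(line):
    """Classify one listing line; returns an Entry or None for unparsable input."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    clsid, target = parsed
    dll = re.split(r"[\\/]", target)[-1]
    status = KNOWN.get(clsid, "?")
    if status == "X":
        verdict = "known spyware/foistware: remove"
    elif status == "L":
        verdict = "legitimate: keep"
    elif status == "O":
        verdict = "open to debate: review before removing"
    elif in_application_data(target):
        # The post's rule of thumb for the random-named LOP plugins.
        verdict = "unknown, in Application Data: almost certainly LOP"
    else:
        verdict = "unknown: look it up before removing"
    return Entry(clsid, dll, target, status, verdict)


def triage_all(lines):
    """Triage every line, dropping the ones that do not parse."""
    return [e for e in (triage(line) for line in lines) if e is not None]


# Constructed sample listing; paths are invented, CLSIDs come from the post.
SAMPLE = [
    "{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll",
    r"{9633C13D-85BB-4271-83C1-F22BC2938585} - C:\Documents and Settings\Alice\Application Data\llbrquistglc.dll",
    "{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll",
    r"{00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
    "{not-a-guid} - junk.dll",
]

if __name__ == "__main__":
    for e in triage_all(SAMPLE):
        print(f"{e.clsid} [{e.status}] {e.dll}: {e.verdict}")
```

Entries with a matching X tag are flagged regardless of where the file lives, while the Application Data rule is only consulted for CLSIDs the table does not know, which mirrors how the post applies it.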
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops