
BHO "evaluation" (?) and removal

Discussion in 'Security and Privacy' started by rebecca, 2004/11/26.

Thread Status:
Not open for further replies.
  1. 2004/11/26
    rebecca Contributing Member

    rebecca Well-Known Member Thread Starter

    Joined:
    2004/07/31
    Messages:
    655
    Likes Received:
    1
    I have Spybot installed on my computer (including TeaTimer), and every so often I'll get a Spybot popup screen about a Browser Helper Object "wanting to" be added to my registry. [This generally follows installation of a new program, or when I make changes to my "startup" in msconfig.] I'm never sure whether or not to allow the changes, since I don't have a clue what the BHO in question really is/does. I try to be consistent in my replies, but I know there have been times when I've allowed the changes, and others when I've denied them...
    In browsing the internet today, I found a free program called BHODemon (http://www.definitivesolutions.com/bhodemon.htm) that looks like it might be useful, and it appears to come pretty well-recommended.

    1) Is anyone familiar with BHODemon?
    "Think of BHODemon as a guardian for your Internet Explorer browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. It also monitors your Registry and alerts you when a BHO is installed. Best of all, BHODemon knows about the most common BHOs - the good ones, and the not-so-good ones!
    BHODemon is free, runs in the "tray" area, and works on Windows 95 or later operating systems (in other words, Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT4, Windows 2000, and Windows XP)."

    2) The part about it acting as a guardian for your "IE browser" - does that imply it only works if you use IE as your browser? Another sentence in the program's description says, "A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser." which makes it sound like it would cover Firefox as well (which is what I use).

    3) If I already have Spybot/TeaTimer (not sure which of the two is doing it) monitoring registry changes, might I be setting myself up for trouble by adding another program to do the same thing? I like the fact that BHODemon "knows about the most common BHOs", as it makes it sound like it might be able to help me decide what to allow and what not to -- or is the same thing true of Spybot as well?

    Thanks for any input!
    Rebecca
     
  2. 2004/11/26
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    rebecca--Yes, some BHO's are bad and others are good. Most can be found in your Downloaded Programs File (IE Tools|Internet Options|General tab|Settings|View Objects).
    A good program to help you put a barrier between you and bad BHO's is SpywareBlaster.
    http://www.javacoolsoftware.com/spywareblaster.html
    It performs in the background and only requires that you update its database from time to time. It will also neutralize most (those in its database) bad BHO's already on your PC.
    However, you can manually delete any BHO in that file. When you need a BHO you will be asked if you want to download it again.
     


  4. 2004/11/27
    rebecca Contributing Member

    rebecca Well-Known Member Thread Starter

    Joined:
    2004/07/31
    Messages:
    655
    Likes Received:
    1
    I already have Spyware Blaster running on this computer, so maybe I'm all set as it is?
    So is it a relatively safe bet (I know all things in life are relative!) that when I get a prompt about a BHO wanting to be added to my registry, if I click on "yes" to allow it and the BHO turns out to be "bad stuff", Spyware Blaster will likely zap it away without any fuss from me?
    Do you know of a way I could find my BHOs in Firefox, or should I post a question in the Mozilla forum about that? (I haven't used IE in about 6 months, so I assume I wouldn't find any new BHOs under IE Tools|Internet Options|General tab|Settings|View Objects ... or might I anyway?)
    Thanks,
    Rebecca
     
  5. 2004/11/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    rebecca--I must confess that I have (almost) never had a message asking if I wanted to install a BHO. (MS Windows Update is one of the few, but I don't think they called it a BHO, though it is. Perhaps they did say something about "ActiveX control", which is what a BHO is. It has been some time ago.) Most just come along with programs and install without fanfare. (But maybe the presence of the BHO/ActiveX control was buried somewhere in the fine print.) And I do not run BHO Demon or Spybot/TeaTimer. They could be the source of your messages.
    My guess is that if you get the message from a reputable site, have SpywareBlaster's data base up to date, and allow download you will be OK. I do not think SWB knows whether you have "allowed" the BHO download. It will kill any malware BHO that is in its data base when the BHO tries to install. And as mentioned it will also neutralize any malware BHO already on your PC. (Right click on any of those BHO's you already have and then Properties. Any say "Disabled"? One reason could be that SWB disabled them. You can remove them manually if you want. They are dead.)
    Can't help you with Firefox, etc.
    P.S. I suspect that BHO Demon and SWB are somewhat similar, except that SWB does not announce what it is doing.
     
  6. 2004/11/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Rebecca,

    Is anyone familiar with BHODemon?

    I use an earlier version that simply lists BHO's and allows disabling the way your quote describes. Didn't want to use v2.0 which is another process running at bootup.

    I have Spybot installed on my computer (including TeaTimer), and every so often I'll get a Spybot popup screen about a Browser Helper Object "wanting to" be added to my registry. [This generally follows installation of a new program, or when I make changes to my "startup" in msconfig.] I'm never sure whether or not to allow the changes, since I don't have a clue what the BHO in question really is/does

    Shouldn't allow BHO's unless you expect them - in this case, if you install software and along with that software, BHO's are part of the deal. Acrobat reader for instance has a BHO and if someone does a lot of work with PDF files on the internet, it's useful. Otherwise, disable it. You can still read or download PDF files and read them. I set up a new system for my brother, came with Acrobat, and I immediately disabled Acrobat's BHO - in this case, it's a gratuitous install. In other words, BHO's are like program startups, you have to make judgements about whether it's useful or not. The nice thing about BHODemon is that you can disable one and see the effects. If needed, then can be re-enabled.

    If you get a BHO "out of the blue", this site http://computercops.biz/CLSID.html may have info on it or google. It's always safer to disable one if unexpected and then try to find out about it.

    EDIT: Forgot to add - in spybot > tools > reports gives you among other things, a list of the BHO's on the system and commentary about them from Patrick Kolla the author.

    So mine looks like this:

    --- Browser helper object list ---
    {BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
    BHO name: NAV Helper
    CLSID name: CNavExtBho Class
    description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
    info link: http://www.symantec.com/nav/nav_9xnt/
    info source: TonyKlein
    Path: D:\Program Files\Norton AntiVirus\
    Long name: NAVSHEXT.DLL
    Short name:
    Date (created): 3/21/2002 8:22:20 AM
    Date (last access): 11/28/2004
    Date (last write): 2/27/2002 11:07:30 AM
    Filesize: 102400
    Attributes: archive
    MD5: 3AB9B9A20D4D8B6A1632910AB6C56FD9
    CRC32: FBF10F3A
    Version: 0.8.0.0

    {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} (SpoofStick BHO)
    BHO name: SpoofStick BHO
    CLSID name: CBHO Object
    Path: D:\Program Files\CoreStreet\SpoofStick\
    Long name: SpoofStickBHO.dll
    Short name: SPOOFS~2.DLL
    Date (created): 8/18/2004 12:10:40 AM
    Date (last access): 11/28/2004
    Date (last write): 8/18/2004 12:10:40 AM
    Filesize: 94208
    Attributes: archive
    MD5: C5BE2601F7109B4FB5C0383B9D1119CD
    CRC32: C22F07BF
    Version: 0.1.0.0

    Regards - Charles
     
    Last edited: 2004/11/28
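
Added example (not part of the original thread, and not Spybot's own code): a small parser for the BHO report format quoted in the post above. It lists the entries the report does not classify as "Legitimate", which are the ones to look up by CLSID before allowing. Field names come from the quoted report; the function names are hypothetical and the embedded sample is a trimmed excerpt of that report.

```python
import re

# Trimmed excerpt of the Spybot report quoted in the post above.
REPORT = """\
--- Browser helper object list ---
{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
classification: Legitimate
Path: D:\\Program Files\\Norton AntiVirus\\
Long name: NAVSHEXT.DLL
Short name:
MD5: 3AB9B9A20D4D8B6A1632910AB6C56FD9

{CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} (SpoofStick BHO)
Path: D:\\Program Files\\CoreStreet\\SpoofStick\\
Long name: SpoofStickBHO.dll
MD5: C5BE2601F7109B4FB5C0383B9D1119CD
"""

CLSID_LINE = re.compile(
    r"^\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s*\((.*)\)\s*$")

def parse_bho_report(text):
    """Return one dict per BHO: clsid, label, plus every 'key: value' field."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLSID_LINE.match(line)
        if m:
            current = {"clsid": m.group(1).upper(), "label": m.group(2)}
            entries.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: paths and dates contain more.
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return entries

def needs_lookup(entries):
    """BHOs with no 'Legitimate' classification: research before allowing."""
    return [e for e in entries
            if e.get("classification", "").lower() != "legitimate"]

def dll_path(entry):
    """Full DLL path built from the 'Path' and 'Long name' fields."""
    return entry.get("path", "") + entry.get("long name", "")

if __name__ == "__main__":
    for e in needs_lookup(parse_bho_report(REPORT)):
        print(e["clsid"], e["label"], dll_path(e), e.get("md5"))
```
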
  7. 2004/11/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    AFAIK, ActiveX is a different animal. It's a programming language - does not add a browser component, already built into IE, it allows access to the system thru the browser, which is why it's so dangerous. The only place a user has control over ActiveX is under IE's Security tab > Custom Level.

    Regards - Charles
     
  8. 2004/11/28
    rebecca Contributing Member

    rebecca Well-Known Member Thread Starter

    Joined:
    2004/07/31
    Messages:
    655
    Likes Received:
    1
    Thanks Charles and Jim!
    I think I'll hold off on BHODemon for the time being, and just stick with Spyware Blaster and Spybot/TeaTimer.
    I did some scouting around in my Spybot reports, and I found what you were talking about, Charles - all the BHOs I spotted offhand were classified as "legitimate". From here on out, though, my policy will be to deny any BHOs requesting to be added to my registry until I've scoped them out at the link you gave me!
    As always, thanks for the help and advice!
    Rebecca
     
  9. 2004/11/28
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar --Thanks for putting me straight. For years I thought BHO's were related to ActiveX. I think it is PCWorld's download page for SpywareBlaster that got me thinking that way.
    http://www.pcworld.com/downloads/file_description/0,fid,23106,RSS,RSS,00.asp
    But it is the only place that I can find that implies ActiveX is part of a BHO.
    I did find one interesting sentence
    "Malicious Browser Helper Objects are mainly installed by Browser Hi-Jackers using ActiveX controls." here
    http://www.stopzilla.com/glossary/Browser_Helper_Object.asp
     
  10. 2004/11/29
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    Quote from the Stop Zilla reference. LOL, not only users can "open common desktop applications within their Browsers", it's the web site that can do that as well, and that is the heart of the problem with ActiveX.

    Quote from Tony Klein on ActiveX, you may have seen it on various security boards:

    So why is activex so dangerous that you have to increase the security for it?

    When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.

    Would you run just any random file downloaded off a web site without knowing what it is and what it does?


    Regards - Charles
     