Saturday, August 06, 2005

What is a BHO?

BHO stands for Browser Helper Object. It is a small program, usually a DLL file, originally developed to enhance or customize the features of Internet Explorer. Whenever a BHO is installed, it is registered in the Windows Registry. When Internet Explorer is started, it checks the Registry for BHO entries (whose presence indicates that a BHO is installed); these entries are known as CLSIDs.
So, whenever Internet Explorer is opened, the BHO is instantiated (created), and this BHO then has full access to the page that is being viewed.
For example, if you have the Google Toolbar, it installs a BHO through which it can provide functions such as "Search within the Page", "Auto Fill" and "Page Info". Another is the BHO from Adobe Acrobat Reader, which lets .pdf files open directly in the IE window itself. Downloading software such as DAP and DEX also creates a BHO to integrate with IE and to catch clicks on download links.
So, using BHOs, IE can be tweaked so that it will be one mean browser....

If BHOs enhance the functionality of IE, then why are they avoided?
Time for some bad news! Windows does not provide any direct way to see the installed BHOs. This gives BHOs a certain amount of stealth, and that stealth makes them an easy route of attack for spyware, adware, Trojans and viruses. Let’s see the effects of these bad programs on IE and your computer.

Some spyware adds a BHO without the knowledge of the user. Whenever IE is opened, that spyware BHO runs and keeps an eye on what you do in that browsing session. It can monitor which pages you visit frequently, which services you use and so on. Even worse, it can hijack the browser, that is, change the default or search page, and these settings cannot be easily recovered.
Adware goes one step further: it can bring you popup ads or distasteful web pages at random, or even context-sensitive ads, that is, ads based on the content of the web pages you were viewing.
Trojans/viruses can contact their creator's website and download the “latest” version of the Trojan to your system.
If you look at a HijackThis log from a spyware- or Trojan-affected system, you will certainly see some BHOs that have links to suspicious websites and links to download files.
So, in all these cases, your privacy is at stake and your computer and data are at risk.

Since BHOs have virtually full access to the system, they can do anything. Some BHOs, whether improperly coded or deliberately coded that way, can cause Runtime Errors or Illegal Operation errors.
From Windows 98 onwards, MS has extended BHO support beyond IE to Windows Explorer as well. As you might know, Windows Explorer (Explorer.exe) is THE application that must be running at all times to use Windows.
If any “bad” BHOs are installed, they will be loaded whenever Explorer.exe starts. This is certainly not desirable.

What to do?
BHOs can be removed manually or with tools.
Manual removal can be done in two ways:
1] By renaming the DLL file corresponding to the BHO which is to be disabled.
2] By deleting the DLL file and removing CLSID entry in the Registry.

We can use HijackThis to find the installed BHOs and delete their Registry entries, and then delete the DLL file associated with each one.
A typical CLSID and DLL file of a BHO (Google Toolbar, in this case) is shown here:

CLSID = {AA58ED58-01DD-4d91-8333-CF10577473F7}
DLL File = c:\program files\google\googletoolbar1.dll


BHOs can also be dealt with directly using tools. There are many tools that show the BHOs installed on the system, among them BHODemon and BHOInfo. These tools list all the BHOs present on the system, so that the user can decide which ones to keep or remove.
A popular one is BHODemon, which runs in the System Tray, scans for existing BHOs and continuously monitors the system for any new BHO installs. It provides the list of installed BHOs, and it also has some extra information about the most common good and not-so-good BHOs, so a new user can learn about them.
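
The CLSID and DLL pairing shown earlier can also be read straight from the Registry. The PowerShell below is an added example, not part of the original post or of any tool it names; the Browser Helper Objects key path, the WOW6432Node view on 64-bit Windows and the function name Get-BhoInventory are assumptions not given on the page, and it goes slightly beyond the text by also reporting whether each DLL exists on disk and is signed. It assumes PowerShell 3.0 or later and only reads the Registry.

```powershell
# Added example (read-only): inventory registered BHOs and the DLL behind each CLSID.
# Assumption: BHOs are listed under the standard Explorer key below (not named on the page).
$bhoKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoInventory {
    # Native view, plus the 32-bit view that exists on 64-bit Windows
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $root = Join-Path $view $bhoKey
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid  = $entry.PSChildName          # each subkey name is a CLSID
            $clsKey = Join-Path $view "Classes\CLSID\$clsid"
            $name = $null; $dll = $null; $onDisk = $false; $sig = 'n/a'

            # The default value of the CLSID key is the friendly name;
            # the default value of InprocServer32 is the DLL that gets loaded.
            if (Test-Path -LiteralPath $clsKey) {
                $name = (Get-Item -LiteralPath $clsKey).GetValue('')
            }
            $inproc = Join-Path $clsKey 'InprocServer32'
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            }
            if ($dll) {
                $dll    = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
                $onDisk = Test-Path -LiteralPath $dll -PathType Leaf
                if ($onDisk) {
                    $sig = [string](Get-AuthenticodeSignature -LiteralPath $dll).Status
                }
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                OnDisk    = $onDisk
                Signature = $sig
                View      = $view
            }
        }
    }
}

# Entries with no DLL, a missing file or an unsigned DLL are leads to check first, not verdicts.
Get-BhoInventory | Sort-Object OnDisk, Signature | Format-List
```

Saving the output and comparing it against a later run shows which BHOs were added in between.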


Conclusion
So, BHOs are a powerful means through which anything can be done, be it good or bad.
So be careful while browsing and while installing suspicious-looking software. Update your antivirus regularly and run full system scans. Use anti-spyware and the tools mentioned above to ward off spyware and adware from your system.

Links to Tools
BHODemon
BHOInfo
HijackThis
