Difference between revisions of "BrowserHelper"
(New page: The most common way spy- and adware links into Internet Explorer is creating a browser helper object. ==Usage== BrowserHelper:[name],<advanced file parameters> ===Examples=== BrowserHe...) |
(No difference)
|
Revision as of 14:35, 16 February 2008
The most common way spy- and adware links into Internet Explorer is creating a browser helper object.
Usage
BrowserHelper:[name],<advanced file parameters>
Examples
BrowserHelper:"abadbadBHO" BrowserHelper:"Dummy spyware browser helper"
The first one would detect the following browser helper object:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{12345678-ABCD-EFAB-CDEF-909876543210}] @="abadbadBHO"
As for the second example, it detects the browser helper using the class name, identifying these two entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{12345678-ABCD-EFAB-CDEF-909876543210}] [HKEY_CLASSES_ROOT\CLSID\{12345678-ABCD-EFAB-CDEF-909876543210}] @="Dummy spyware browser helper"
Description
While using RegyKey might be more fitting for just matching a browser helper object with a static name, you might encounter situations where a random name requires you to use the name of the associated class, or properties of the file the browser helper points to.
- The first parameter can identify both the BHO name, or the name of the class associated with the BHO.
- The second parameter, though optional, is highly recommended to refine the scan to be limited to BHO that point to a to be identified file, where the filename is gathered from the CLSID associated with the BHO.