Difference between revisions of "BrowserHelper"

From SpybotWiki
(added info box)
m (fixed index of params in info box)
Line 5: Line 5:
 
|GROUP = Registry
 
|GROUP = Registry
 
|MINUPDATE = n/a
 
|MINUPDATE = n/a
|ADVFILEPARAMS = yes (third)
+
|ADVFILEPARAMS = yes (second)
 
|ADVREGPARAMS = no
 
|ADVREGPARAMS = no
|ADVBUILDPARAMS = yes (third)
+
|ADVBUILDPARAMS = yes (second)
 
|ADVSPECIALPARAMS = [[flagfile]]<br />[[flagifnofile]]
 
|ADVSPECIALPARAMS = [[flagfile]]<br />[[flagifnofile]]
 
}}The most common way spy- and adware links into Internet Explorer is creating a browser helper object.
 
}}The most common way spy- and adware links into Internet Explorer is creating a browser helper object.
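Review bot: With ADVFILEPARAMS and ADVBUILDPARAMS both changed to "yes (second)", the info box now places two different parameter kinds at the same index, while the Usage line on this page shows only "[,advanced file parameters]" after the name. Suggest stating in the Usage line how build parameters are given alongside file parameters, or noting in the info box that both share the second position.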

Revision as of 13:38, 22 February 2008

BrowserHelper
Group: Registry
Main Application Version: 1.3
Required Update: n/a
File Parameters: yes (second)
Registry Parameters: no
Build Parameters: yes (second)
Special Parameters: flagfile, flagifnofile

The most common way spyware and adware link into Internet Explorer is by creating a browser helper object (BHO).

Usage

BrowserHelper:<bho or clsid name>[,advanced file parameters]

Examples

BrowserHelper:"abadbadBHO"
BrowserHelper:"Dummy spyware browser helper"

The first one would detect the following browser helper object:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{12345678-ABCD-EFAB-CDEF-909876543210}]
@="abadbadBHO"

The second example detects the browser helper by its class name, identifying these two entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{12345678-ABCD-EFAB-CDEF-909876543210}]
[HKEY_CLASSES_ROOT\CLSID\{12345678-ABCD-EFAB-CDEF-909876543210}]
@="Dummy spyware browser helper"

Description

While RegyKey might be more fitting for simply matching a browser helper object with a static name, you might encounter situations where a random name requires you to use the name of the associated class, or properties of the file the browser helper points to.

  1. The first parameter can identify either the BHO name or the name of the class associated with the BHO. You may use the wildcard * (use with care) if you specify advanced file parameters for the CLSID-related InprocServer32. Algo-Prefixes are supported only after 1.5.2.
  2. The second parameter is optional but highly recommended: it limits the scan to BHOs that point to the file to be identified, where the filename is taken from the CLSID associated with the BHO.

Note that although this command is named after BHOs, it also detects Internet Explorer toolbars and Windows Explorer toolbars.

If you want to catch the associated file as well, you need to use BrowserHelperEx.

Scan Results

  • The BHO/toolbar registry entry identified by the first parameter, or a BHO/toolbar registry entry associated with the CLSID identified by the first parameter.
  • If the first parameter identifies a CLSID, the CLSID in addition to the associated BHO.
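
The matching and scan results described above, as an added Python model that is not Spybot's code and not part of the original page. It runs over a constructed registry snapshot; `scan_bho`, `SAMPLE` and the `file_check` callable (a stand-in for advanced file parameters) are assumptions, as is case-sensitive name matching.

```python
from fnmatch import fnmatchcase

BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
BAD = "{12345678-ABCD-EFAB-CDEF-909876543210}"   # CLSID from the page's example
OK = "{AAAAAAAA-0000-0000-0000-000000000001}"    # constructed benign CLSID

# Constructed snapshot: registry key path -> default (@) value.
SAMPLE = {
    BHO_KEY + "\\" + BAD: "abadbadBHO",
    CLSID_KEY + "\\" + BAD: "Dummy spyware browser helper",
    CLSID_KEY + "\\" + BAD + r"\InprocServer32": r"C:\Windows\dummy.dll",
    BHO_KEY + "\\" + OK: "",
    CLSID_KEY + "\\" + OK: "Benign toolbar helper",
    CLSID_KEY + "\\" + OK + r"\InprocServer32": r"C:\Program Files\Benign\helper.dll",
}

def scan_bho(registry, pattern, file_check=None):
    """Return the registry keys a BHO-name or class-name match would report.

    file_check is a hypothetical stand-in for advanced file parameters:
    a callable that receives the InprocServer32 path of the BHO's CLSID.
    """
    results = []
    for key, name in registry.items():
        parent, _, clsid = key.rpartition("\\")
        if parent.lower() != BHO_KEY.lower():
            continue                      # only walk Browser Helper Objects
        class_key = CLSID_KEY + "\\" + clsid
        class_name = registry.get(class_key)
        by_name = fnmatchcase(name, pattern)
        by_class = class_name is not None and fnmatchcase(class_name, pattern)
        if not (by_name or by_class):
            continue
        if file_check is not None:
            # The filename is gathered from the CLSID associated with the BHO.
            dll = registry.get(class_key + r"\InprocServer32")
            if dll is None or not file_check(dll):
                continue
        results.append(key)
        if by_class:
            results.append(class_key)     # CLSID reported in addition to the BHO
    return results
```

Running the bare wildcard without `file_check` reports every BHO in the snapshot, which is why the page asks for advanced file parameters whenever `*` is used.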

See also

Similar commands