How to manually identify and remove spyware and unauthorized Browser Helper Objects in Windows XP

Spyware is a general term that is used for a program that performs certain operations, such as the following:

• Advertising

• Collecting personal information

• Changing the configuration of the computer without consent


Typically, spyware is installed together with file sharing programs and with other programs that are available for free on the Internet.

When you install a program from the Internet on a computer, make sure that you carefully read the End User License Agreement (EULA). The inclusion of unwanted software in a given software installation may be documented. However, the documentation may appear at the end of a license agreement or of a privacy statement.

Spyware programs may also be installed when you visit a Web site and are prompted to install some components before you can access the Web page. Trojan viruses and other viruses may also install spyware programs on the computer.

This post discusses how to remove spyware that is loaded by using Browser Helper Objects (BHOs) in Microsoft Windows XP.


Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You can identify a spyware program that is loaded by using BHOs. To do this, you can use the Microsoft system configuration utility (Msconfig.exe) and the Microsoft system information utility (Msinfo32.exe).

BHOs are Component Object Model (COM) components that Microsoft Internet Explorer loads whenever it starts. BHOs run in the same memory context as the browser. BHOs can perform any action on available windows and modules.


Note Legitimate programs, such as Microsoft Money, also use BHOs.

After you identify the unauthorized BHOs, remove the BHOs.

To manually remove BHOs, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then double-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

3. Under the Browser Helper Objects key, you may see ClassIDs (CLSIDs) that have a format that is similar to the following:

{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Note CLSIDs are 128-bit numbers in hexadecimal notation that are enclosed in a pair of braces.

4. Note the CLSID.

5. Locate and then click the following registry subkey:

HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32

Note {CLSID} is the CLSID that you noted in step 4.

6. In the right pane, double-click (Default).

7. Click Value data to see the path of the .dll file. The path may be similar to the following:

C:\Windows\Program_Name.dll

Note Program_Name can be a spyware program or a legitimate program that is using a BHO.

8. If Program_Name is not a recognized or legitimate program, unregister the .dll file, and then remove the {CLSID} subkeys. To do this, follow these steps:

a. At a command prompt, type the following command to unregister the .dll file:

regsvr32 -u Path\Program_Name.dll

Note Path is the path of the Program_Name.dll file that is contained in the Value data box in step 7.

b. Locate and then delete the following {CLSID} registry subkeys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\CLSID\{CLSID}

• HKEY_CLASSES_ROOT\CLSID\{CLSID}

Note {CLSID} is the 128-bit number that you noted in step 4.

9. Exit Registry Editor.

10. Restart the computer.
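The manual walk through steps 3 to 8 can be automated against an export of the two keys involved, which also gives you a record of what was installed before anything is deleted. The script below is an added example written for this post; it is not Microsoft's code and not part of the original article. It parses the text format that Registry Editor produces with File > Export (the "Windows Registry Editor Version 5.00" format), lists every CLSID registered under the Browser Helper Objects key (taken to sit directly beneath that key, as step 3 describes), resolves each one to the DLL named in its InprocServer32 default value, flags any DLL that is not on an allow-list you supply after verifying it, and prints the regsvr32 and reg delete commands that correspond to steps 8a and 8b for you to review. The .reg content, CLSIDs, vendor and DLL names embedded here are constructed for the example; the allow-list (`KNOWN_GOOD`) is an assumption you replace with the paths you have checked yourself.

```python
import re
from typing import Dict, List, Optional

# Key that Internet Explorer reads to find BHOs; the CLSID subkeys sit directly
# beneath it (step 3 of the procedure above).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# Constructed sample of a regedit export (.reg, version 5.00 format) covering both
# keys the procedure visits. The CLSIDs, vendor and DLL names are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}]
@="Example Money Helper"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\mnyhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\unknown_helper.dll"
"ThreadingModel"="Apartment"
"""

# Assumed allow-list: full DLL paths the operator has already verified as legitimate.
KNOWN_GOOD = [r"C:\Program Files\ExampleVendor\mnyhelper.dll"]


def _unescape(s: str) -> str:
    # .reg exports write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {lower-cased key path: {value name: data}}.
    The (Default) value is stored under the empty name; only REG_SZ data is
    unescaped, dword:/hex: data is kept as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_bhos(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Step 3: the GUID-shaped subkeys directly under the Browser Helper Objects key."""
    prefix = BHO_KEY.lower() + "\\"
    return sorted(k[len(prefix):].upper() for k in reg
                  if k.startswith(prefix) and CLSID_RE.match(k[len(prefix):]))


def resolve_bho(reg: Dict[str, Dict[str, str]], clsid: str) -> Dict[str, Optional[str]]:
    """Steps 5 to 7: map a CLSID to its friendly name and the DLL in InprocServer32."""
    base = "hkey_classes_root\\clsid\\" + clsid.lower()
    return {"clsid": clsid,
            "name": reg.get(base, {}).get(""),
            "dll": reg.get(base + "\\inprocserver32", {}).get("")}


def triage(reg: Dict[str, Dict[str, str]], known_good_dlls: List[str]) -> List[dict]:
    """Step 8: flag every BHO whose DLL is absent or not on the verified allow-list."""
    allow = {p.lower() for p in known_good_dlls}
    rows = []
    for clsid in find_bhos(reg):
        rec = resolve_bho(reg, clsid)
        rec["flagged"] = rec["dll"] is None or rec["dll"].lower() not in allow
        rows.append(rec)
    return rows


def removal_commands(rec: dict) -> List[str]:
    """Steps 8a and 8b as command lines for one flagged BHO, for review before running."""
    cmds = []
    if rec["dll"]:
        cmds.append(f'regsvr32 -u "{rec["dll"]}"' if False else 'regsvr32 -u "' + rec["dll"] + '"')
    cmds.append('reg delete "' + BHO_KEY + "\\" + rec["clsid"] + '" /f')
    cmds.append('reg delete "HKEY_CLASSES_ROOT\\CLSID\\' + rec["clsid"] + '" /f')
    return cmds


if __name__ == "__main__":
    for row in triage(parse_reg(SAMPLE_REG), KNOWN_GOOD):
        status = "FLAGGED" if row["flagged"] else "ok"
        print(f'{status:8} {row["clsid"]}  {row["name"] or "(no name)"}  {row["dll"] or "(no DLL)"}')
        if row["flagged"]:
            for cmd in removal_commands(row):
                print("    " + cmd)
```

To use it on a real machine, export the Browser Helper Objects key and HKEY_CLASSES_ROOT\CLSID from Registry Editor, read the file in place of `SAMPLE_REG` (exports are UTF-16 text, so open with `encoding="utf-16"`), and treat the printed commands as a checklist, not as something to run blindly: as the Note under step 7 says, a BHO in an unfamiliar path may still belong to a legitimate program.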

©2009 Antivirus Support | by TNB