How to manually Remove BHOs
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
You can identify a spyware program that is loaded by using BHOs. To do this, you can use the Microsoft system configuration utility (Msconfig.exe) and the Microsoft system information utility (Msinfo32.exe).
BHOs are Component Object Model (COM) components that Microsoft Internet Explorer loads whenever it starts. BHOs run in the same memory context as the browser. BHOs can perform any action on available windows and modules.
To manually remove BHOs, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then double-click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
3. Under the Browser Helper Objects key, you may see ClassIDs (CLSIDs) that have a format that is similar to the following:
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
Note CLSIDs are 128-bit numbers in hexadecimal notation that are enclosed in a pair of braces.
4. Note the CLSID.
5. Locate and then click the following registry subkey:
HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32
Note {CLSID} is the CLSID that you noted in step 4.
6. In the right pane, double-click (Default).
7. Click Value data to see the path of the .dll file. The path may be similar to the following:
C:\Windows\Program_Name.dll
Note Program_Name can be a spyware program or a legitimate program that is using a BHO.
8. If Program_Name is not a recognized or legitimate program, unregister the .dll file, and then remove the {CLSID} subkeys. To do this, follow these steps:
a. At a command prompt, type the following command to unregister the .dll file:
regsvr32 -u Path\Program_Name.dll
Note Path is the path of the Program_Name.dll file that is contained in the Value data box in step 7.
b. Locate and then delete the following {CLSID} registry subkeys:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\CLSID\{CLSID}
• HKEY_CLASSES_ROOT\CLSID\{CLSID}
Note {CLSID} is the 128-bit number that you noted in step 4.
9. Exit Registry Editor.
10. Restart the computer.
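A read-only way to carry out steps 2 through 7 for every registered BHO at once, as an added example that is not part of the original post. It goes beyond the post in two labelled places: it also reads the Wow6432Node (32-bit) view found on 64-bit Windows, and it reports each DLL's Authenticode signature status as a triage hint. It deletes nothing.

```powershell
# Added example: inventory registered BHOs (steps 2-7 above) without changing anything.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumption beyond the post: 32-bit registry view on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$results = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid = $key.PSChildName            # step 4: the {CLSID} subkey name

        # Step 5: matching class registration in HKEY_CLASSES_ROOT
        $classKey = if ($root -like '*Wow6432Node*') {
            "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"
        } else {
            "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        }
        $inprocKey = "$classKey\InprocServer32"

        $name = $null; $dll = $null; $sig = 'NoInprocServer32'
        if (Test-Path -LiteralPath $classKey) {
            $name = (Get-Item -LiteralPath $classKey).GetValue('')
        }
        if (Test-Path -LiteralPath $inprocKey) {
            # Steps 6-7: the (Default) value holds the path of the .dll file
            $dll = [string](Get-Item -LiteralPath $inprocKey).GetValue('')
            $dll = $dll.Trim('"')
            $sig = if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                # Addition: signature status helps separate known vendors from unknowns
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }
        }

        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            Signature = $sig
            Source    = $root
        }
    }
}

$results | Sort-Object Signature, Dll | Format-Table -AutoSize -Wrap
```

Entries reported as FileMissing or NoInprocServer32 are leftover registrations whose DLL or class key is already gone; a NotSigned entry is not proof of spyware, only a reason to look at the file as described in step 8.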
Re: How to manually Remove BHOs
Use the Ad-Aware program along with SpyBot Search and Destroy to scan your computer. You should also use a good virus scanner to scan the whole unit. I suggest that you use an online scanner too. Trend Micro has a good online scanner which is absolutely free.
Ad-Aware and SpyBot Search and Destroy are free and can easily be located on the web using the Yahoo or Google search engines.
Re: How to manually Remove BHOs
Instructions for destroying Win32.BHO.gok manually.
The Trojan horse installs itself in the background as a browser helper object (BHO). As a BHO, it starts along with Internet Explorer and is able to control Internet Explorer's connections without user consent.
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
The file at <$SYSTEM DIRECTORY>\<$REGMATCH1>.dll.
Make sure you set your file manager to display hidden and system files. If Win32.BHO.gok uses root kit technologies, use our Root Analyzer or our Total Commander anti-root kit plug ins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
You can use regedit.exe to locate and delete these registry entries.
Delete the registry key [2A8D06B4-1B40-009F-E531-629A59080F43] at HKEY_CLASSES_ROOT\CLSID\.
Delete the registry key [2A8D06B4-1B40-009F-E531-629A59080F43] at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\.
Delete the registry value [2A8D06B4-1B40-009F-E531-629A59080F43] at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\.
Remove <regexpr><$SYSTEM DIRECTORY>\\(\S[4,8])\.dl from registry value at HKEY_CLASSES_ROOT\CLSID\[2A8D06B4-1B40-009F-E531-629A59080F43]\InprocServer32\.
If Win32.BHO.gok uses root kit technologies, use our Reg Analyzer, Root Analyzer or our Total Commander anti-root kit plug ins.