I am looking for detailed information on spyware programs. I have
a couple of programs that claim they found one but I want to make
sure before I delete them for good.

I could disassemble them, but don't know what to look for.

Any information appreciated.

Thanks.
Posted on 2004-11-17 15:32:05 by skywalker
Search on Google for the filename. You should get some details.
Posted on 2004-11-17 22:35:15 by roticv
I have some very cool information on BHO spyware, written by the author of BHOCop (a now defunct spyware removal tool, bought out by CheckPoint - same crew who now own ZoneLabs & its ZoneAlarm product)

He describes where in the Registry they hide, and how to identify and remove them. This information is simply not available from MSDN - they are happy to explain all about the COM aspects of a BHO, but they don't give the slightest hint how to remove one that you did not install deliberately, or how to detect a BHO which doesn't play by the rules...

Anyone interested?
Posted on 2004-11-18 06:53:19 by Homer
I have some very cool information on BHO spyware, written by the author of BHOCop (a now defunct spyware removal tool, bought out by CheckPoint - same crew who now own ZoneLabs & its ZoneAlarm product)

He describes where in the Registry they hide, and how to identify and remove them. This information is simply not available from MSDN - they are happy to explain all about the COM aspects of a BHO, but they don't give the slightest hint how to remove one that you did not install deliberately, or how to detect a BHO which doesn't play by the rules...

Anyone interested?


I am interested. Please post away.
Posted on 2004-11-18 07:13:29 by skywalker
To the original author: please excuse my abridgement, I copied swathes of your article before the article was pulled down for my own reference purposes.


How does Internet Explorer know what BHOs it should load?
BHOs are registered during installation by adding a subkey to a Registry key named
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
The name of this subkey (BHO key for short) is the COM identifier (CLSID) of the
object implementing the BHO. The COM object itself is registered by the creation of a
subkey of HKCR\CLSID whose name is the same as the CLSID.
That key, in turn, has a subkey that points to the location of the
implementation module on your disk. If BHO Cop detects a problem when
walking this information chain, the BHO will be flagged with a description of the problem.

When started, Internet Explorer (or Windows Explorer) enumerates all the BHO keys
and loads the corresponding objects. The BHO then starts working.
The BHO remains loaded until Internet Explorer is shut down and all
Windows Explorer windows are closed.

BHO Cop disables an existing BHO by removing the BHO key for that object.
This way, neither Internet Explorer nor Windows Explorer can load the BHO
when starting the next session.
BHO Cop saves the CLSID in Bhocop.ini. If you decide to re-enable the BHO,
BHO Cop recreates the BHO key so the BHO is visible to IE again.
Do not delete or edit Bhocop.ini. This may put BHO Cop out of sync with your system.
If this happens, you may have to reinstall your BHOs.

CheckBHO does a lot of work. It verifies that there's an entry for the BHO in HKCR\CLSID,
then opens the implementation module location key (InprocServer32 or TreatAs)
and verifies that the implementation module exists.
If the module exists, CheckBHO uses the CVersion class mentioned above to retrieve
the most useful elements (if any exist) of the VERSIONINFO resource for this module.
CheckBHO returns information about the COM object implementing the BHO,
or returns an error code if there's a registration problem or if the
implementation module could not be found. Either way, a new entry for the BHO is
created in the ListView. Each column is loaded with the information
and status icon for that item.

BHO Cop does not uninstall a BHO or unregister the corresponding COM component.
The only information removed by BHO Cop is the subkey in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.

Upon exiting, BHO Cop stores all necessary configuration information in the INI file
and issues a warning message when there's been a change. This message depends
on the operating system settings. For example, if the user has the
WDU (Windows Desktop Update) installed and uses the Desktop in Web View mode,
exiting IE and reloading may not be enough for the Registry changes to be reflected.
The user may have to log off and log on again. In order to display the correct instructions,
BHO Cop first detects the OS version and then determines whether the WDU is installed.
If HKLM\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32
doesn't point to url.dll, the WDU is not installed.
Web View mode is detected by checking the ShellState binary value of the Registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer.
If bit 6 is set in the fourth byte of the ShellState value, the Web View option is on.
Detecting the state is not hard to do, but you have to know what to look for.
BHO Cop then displays the warning message according to what it learned from the system.
Posted on 2004-11-18 20:40:44 by Homer
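The registration chain the quoted article walks (BHO key under Browser Helper Objects, matching HKCR\CLSID entry, InprocServer32 or TreatAs, module on disk) is easy to reproduce as an audit. The script below is an added example, not code from the thread or from BHO Cop: it runs that chain over a constructed in-memory registry snapshot so it executes on any OS (on a real Windows box the same logic would read the keys through winreg and test the module path with os.path.isfile). The key paths are the ones the article names; the CLSIDs, module paths, the module_on_disk helper and the disable/enable functions are assumptions for the demonstration, as is reading "bit 6" of the ShellState byte as mask 0x40 (bit numbering from 0).

```python
# Added example, not code from the thread or from BHO Cop. Reproduces the
# BHO registration-chain check the quoted article describes over a
# CONSTRUCTED in-memory registry snapshot so it runs offline on any OS.
import os
from typing import Callable, Dict, List, Optional, Tuple

BHO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKCR\CLSID"

# Constructed snapshot: key path -> {value name: data}; "" is the (Default) value.
# CLSIDs and paths are made up for the example.
SNAPSHOT: Dict[str, Dict[str, str]] = {
    BHO_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000001}": {},
    BHO_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000002}": {},
    BHO_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000003}": {},
    BHO_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000004}": {},
    # 0001: healthy registration, module present on "disk"
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000001}": {"": "Example Helper"},
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32":
        {"": r"C:\Program Files\Example\helper.dll"},
    # 0002: registered, but the implementation module is missing from disk
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000002}": {"": "Orphaned Helper"},
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32":
        {"": r"C:\Windows\System32\gone.dll"},
    # 0003: redirected through TreatAs to 0001's implementation
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000003}": {"": "Redirected Helper"},
    CLSID_ROOT + r"\{AAAAAAAA-0000-0000-0000-000000000003}\TreatAs":
        {"": "{AAAAAAAA-0000-0000-0000-000000000001}"},
    # 0004: has a BHO key but no HKCR\CLSID registration at all
}

# Constructed stand-in for the filesystem; use os.path.isfile on a real system.
EXISTING_MODULES = {r"c:\program files\example\helper.dll"}

def module_on_disk(path: str) -> bool:
    return path.lower() in EXISTING_MODULES

def subkeys(snapshot: Dict[str, Dict[str, str]], parent: str) -> List[str]:
    """Immediate child key names of `parent` in the snapshot."""
    prefix = parent + "\\"
    return sorted(p[len(prefix):] for p in snapshot
                  if p.startswith(prefix) and "\\" not in p[len(prefix):])

def default_value(snapshot: Dict[str, Dict[str, str]], key: str) -> Optional[str]:
    vals = snapshot.get(key)
    return None if vals is None else vals.get("")

def resolve_module(snapshot: Dict[str, Dict[str, str]], clsid: str,
                   max_hops: int = 4) -> Tuple[Optional[str], Optional[str]]:
    """Follow HKCR\\CLSID\\{clsid} to InprocServer32 (module path) or TreatAs
    (another CLSID, followed with a hop limit so a loop cannot hang the scan)."""
    seen = {clsid}
    for _ in range(max_hops):
        key = CLSID_ROOT + "\\" + clsid
        if key not in snapshot:
            return None, "CLSID not registered under HKCR\\CLSID: " + clsid
        module = default_value(snapshot, key + r"\InprocServer32")
        if module:
            return module, None
        alias = default_value(snapshot, key + r"\TreatAs")
        if not alias:
            return None, "no InprocServer32 or TreatAs under " + key
        if alias in seen:
            return None, "TreatAs loop at " + alias
        seen.add(alias)
        clsid = alias
    return None, "TreatAs chain exceeds %d hops" % max_hops

def check_bhos(snapshot: Dict[str, Dict[str, str]],
               module_exists: Callable[[str], bool] = module_on_disk) -> List[Tuple[str, str, str]]:
    """One (clsid, status, detail) row per BHO key, like CheckBHO's ListView entries."""
    rows = []
    for clsid in subkeys(snapshot, BHO_ROOT):
        module, err = resolve_module(snapshot, clsid)
        if err:
            rows.append((clsid, "ERROR", err))
        elif not module_exists(module):
            rows.append((clsid, "MISSING", module))
        else:
            rows.append((clsid, "OK", module))
    return rows

def disable_bho(snapshot: Dict[str, Dict[str, str]], clsid: str, saved: List[str]) -> None:
    """Remove only the BHO key (COM registration stays) and remember the CLSID,
    as the article says BHO Cop does with Bhocop.ini."""
    key = BHO_ROOT + "\\" + clsid
    if key in snapshot:
        del snapshot[key]
        saved.append(clsid)

def enable_bho(snapshot: Dict[str, Dict[str, str]], clsid: str, saved: List[str]) -> None:
    """Recreate the BHO key from the saved CLSID so IE sees the BHO again."""
    if clsid in saved:
        snapshot[BHO_ROOT + "\\" + clsid] = {}
        saved.remove(clsid)

def web_view_enabled(shellstate: bytes, bit: int = 6) -> bool:
    """Article: Web View is on if bit 6 is set in the fourth byte of ShellState.
    Assumption: bit numbering starts at 0, so bit 6 is mask 0x40."""
    return len(shellstate) >= 4 and bool(shellstate[3] & (1 << bit))

if __name__ == "__main__":
    for clsid, status, detail in check_bhos(SNAPSHOT):
        print("%-8s %s  %s" % (status, clsid, detail))
    print("Web View:", web_view_enabled(b"\x00\x00\x00\x40"))
```

Three of the four constructed entries reproduce the problems the article says CheckBHO flags: a module path that does not resolve on disk, a TreatAs redirection that must be followed before the module is known, and a BHO key with no CLSID registration behind it. Disabling keeps the COM registration intact and only removes the Browser Helper Objects subkey, which is exactly the scope the article gives for BHO Cop.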
Probably an old thread (I logged in after a long time),

but many of these kinds of articles are available on these sites:

hxxp://www.spywareinfo.com/links.php?cat=articles#articles


hxxp://www.bleepingcomputer.com/forums/tutorial83.html

Go to the base of Bleeping Computer; GRINLER has got some nice tutorials on
some of the latest spyware.

Also, all links are hxxp, you need to edit them (I dunno, I formed it as a habit).
Posted on 2004-12-04 09:04:20 by bluffer
This information is simply not available from MSDN - they are happy to explain all about the COM aspects of a BHO, but they don't give the slightest hint how to remove one that you did not install deliberately, or how to detect a BHO which doesn't play by the rules...

The information *is* available through MS, you just gotta know what to look for. As stated in the text you quoted, all you have to do to remove a BHO is remove its reg key that points to (is) a CLSID. Although it should be pointed out that this is not the only way to get a plugin into IE. And BHOs are not only loaded into IE, they are also loaded into File Explorer and by your system shell if you have Active Desktop enabled. This makes them ideal for spyware/keyloggers/etc.
Posted on 2005-05-11 04:49:17 by sluggy
What I would recommend is to preferably get yourself a copy of VMware Workstation (well worth the money) or just a trial edition. Install the specific spyware and monitor its registry/file activity, OR just hexedit/disassemble the program and look for registry entries (may need decryption) and you'll have all the information you need. The adventure is in the learning process. Soon you'll see that the coders use the "same" methods and you can track and quarantine/remove any spyware you wish. Good hunting!  8)
Posted on 2005-05-13 15:47:13 by natas