How to remove any BHO from your Computer

March 8, 2008 – 3:17 PM

What I am about to suggest may not be the most correct method to remove a BHO from your system. In fact, there is no guarantee that instructions below will resolve your issue. What I can tell you, however, is that I have used the following methods to safely remove and restore many systems that have been infected with scumware / Spyware / Adware toolbars.

Before proceeding, please make a backup of your most critical files.

1. Attempt to disable the BHO.

A little while back, I came across a program called BHODemon which can disable BHO’s from launching when Internet Explorer starts. BHODemon can also be used to identify the main ‘plugin’ file associated with the BHO (typically a .DLL or .OCX file located in the Windows System folder). A full explanation of BHODemon (and the link to download the freeware program) is available in a recent Gazette issue.

2. Identify other ‘plugin’ file(s) associated with the BHO.

Some BHO’s are despicably stealthy and will reinstall themselves after your system is rebooted / restarted — even after the BHO has been disabled. Obtaining the list of files associated with the BHO will require some research:

* Use BHODemon to identify the main .DLL or .OCX file (as seen in the picture above).
* Go to Google.com and type in the BHO filename followed by the word ‘remove’ (example: “NN_BAR.DLL remove”). 9 times out of 10, Google will provide a list of web sites that have manual removal instructions, along with the list of files associated with the offending BHO.
* Finally, write down the file names and folder locations of the BHO ‘plugin’ files (example: %SystemDir%winnb40.dll).

3. Reboot into Safe Mode and remove the BHO files from your computer.

In order to permanently remove the BHO files from your computer, you must reboot into Safe Mode (or DOS mode) or your system will report a ‘sharing violation’ error when attempting to delete the file(s). To access Safe Mode:

* Click Start -> Shutdown (or Turn Off).
* Select ‘Restart’.
* Once the computer restarts, press F8 repeatedly on the keyboard until a Boot Menu appears. This *must* be done before the Windows boot screen appears.
* Choose to boot Windows in Safe Mode.

Once you are in Safe Mode, use your notes detailing the file names and paths of the offending BHO’s and rename (or remove) the files from your system. Renaming the .DLL / .OCX file will allow you to undo your changes — whereas deleting a file is not easily undone.

Side note: A safe way to rename a file is to place a few harmless characters in front of the real file name (example: if the file is popups.dll, rename it to zz_popups.dll).

4. Remove the BHO references from your System Registry.

* Click Start -> Run -> type in “regedit” (no quotes, and press Enter).
* Once RegEdit appears, click File -> Export to make a backup of your registry. In case you make a mistake, you can import your old registry to reverse the proceeding changes.
* Now you’re ready to remove the BHO references from your Registry. In the RegEdit window, press F3 to search. Next, type in the name of each BHO file you recorded in Step #2 — minus the file extension (for example: search for ‘popups’ instead of ‘popups.dll’).
* When a match is found, look on the left side of the RegEdit Window. Left click the expanded folder which encapsulates the BHO entry. Press DEL on your keyboard to delete it.
* Press F3 and until no more matches are found; repeat this process for all BHO files you recorded in Step #2.

5. Remove any suspicious references from your Startup locations.

Download Startup_CPL.exe from Mike Lin’s web site. This program will list multiple startup locations that launch programs when Windows is booted. If you see anything suspicious, disable it from launching in your startup. If you are unsure of whether or not a program entry is safe to disable, you can research it using Pac’s Portal web site.

6. Reboot your computer.

The offending BHO should now be removed from your computer. If, however, you are unable to resolve your problem, you can:

* Attempt a System Restore (if applicable).
* Import your Registry backup and reboot your computer (if you think you may have accidentally deleted the wrong registry entry and have inadvertently caused your system to become unstable), or
* Backup your most critical files and reinstall Windows. I have a downloadable eBook and video guide which explains how to do this in great detail.

Good luck!

Note: This article appeared originally in the May 25th Infopackets Gazette

http://www.spywareinfo.net/may26,2004#toolbars

Post a Comment

*