Malware for my trophy case: 2_0_1browserhelper2.dll

The short form:
2_0_1browserhelper2.dll is a nasty adware toolbar with no UI. See my 3-19-04 journal article at http://lee.org/journal. It took me 2 friggin hours to figure this one out. It mangles Google search results in IE and sticks ads for the “websearch toolbar” in the results.

Kill it by removing the BHO 2_0_1browserhelper2.dll

——————
I was at a client’s house cleaning off spyware and I came across some particularly insidious malware. I’d do a Google search and the results would take a long time to come back. But more importantly, half of the search results were crap. They were ads for some “websearch toolbar”, directing me to www.websearch.com and such. The worst thing was that the Google results page looked almost normal. It almost looked like Google had sold out to these Websearch people.. allowing them to flop 1/2 of their content toward Websearch.com.

So I downloaded Netscape and made sure that Google hadn’t sold out. a search for “Prussian medals” on Internet Explorer returned about 50% junk while the same search in Netscape looked just fine. IE was being hijacked.

Now I just had to find what was doing it…. 2 hours later, bull’s-eye. Here’s the low-down:

The www.websearch.com toolbar is bad news.

Here’s an excerpt from their Terms of Use:

By installing the Service you understand and agree that the following changes may be made to your Internet Explorer browser and that the following functions may be performed by the Service: install a Search Toolbar in your browser which may (i) block certain pop-up ads and pages; (ii) display links to related websites and keywords based on the information you view and the websites you visit; (iii) store non-personally identifiable statistics of the websites you have visited; (iv) redirect certain URL’s including your browser default address bar search, DNS error page and Search Button page to or through the Service and; (v) automatically update the Service and install added features or functionality conveniently without your input or interaction unless you have chose to be notified of such update in advance.

The Terms of Use also says how to uninstall the software. (“When the Add/Remove Programs Properties window opens, locate the listing for ‘Search Toolbar’ that you would like to uninstall from the list of installed programs.”) But, like any good malware, the uninstallation instructions didn’t work.

Spybot Search and Destroy shows this software as a BHO

Spybot-S&D Browser helper object report, 3/18/2004 9:26:07 PM

{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
Class file: 2_0_1browserhelper2.dll
Path: C:\WINDOWS\

One reason it took so long to figure this out was that this BHO, which normally shows up as an IE toolbar has no visible user interface… Jerks.

All you have to do is disable that BHO in Spybot and you’re good to go. Another way is to rename c:\windows\2_0_1browserhelper2.dll. You might have to reboot into Safe mode to rename the file.

I’ve got another client with the same malware. It’ll take 5 minutes to get rid of her Websearch malbar (to coin a term).

Leave a Comment

Do not write "http://" in your comment, it will be blocked. It may take a few days for me to manually approve your first comment.

You can edit your comment after submitting it.