{"id":757,"date":"2004-03-19T12:01:38","date_gmt":"2004-03-19T20:01:38","guid":{"rendered":"http:\/\/lee.org\/blog\/archives\/2004\/03\/03\/3-19-04\/"},"modified":"2007-03-06T03:34:21","modified_gmt":"2007-03-06T11:34:21","slug":"malware-for-my-trophy-case-2_0_1browserhelper2dll","status":"publish","type":"post","link":"https:\/\/www.lee.org\/blog\/2004\/03\/19\/malware-for-my-trophy-case-2_0_1browserhelper2dll\/","title":{"rendered":"Malware for my trophy case: 2_0_1browserhelper2.dll"},"content":{"rendered":"<p>The short form:<br \/>\n2_0_1browserhelper2.dll is a nasty adware toolbar with no UI. See my 3-19-04 journal article at http:\/\/lee.org\/journal. It took me 2 friggin hours to figure this one out. It mangles Google search results in IE and sticks ads for the &#8220;websearch toolbar&#8221; in the results.<\/p>\n<p>Kill it by removing the BHO 2_0_1browserhelper2.dll<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br \/>\nI was at a client&#8217;s house cleaning off spyware and I came across some particularly insidious malware. I&#8217;d do a Google search and the results would take a long time to come back. But more importantly, half of the search results were crap. They were ads for some &#8220;websearch toolbar&#8221;, directing me to www.websearch.com and such. The worst thing was that the Google results page looked <strong>almost<\/strong> normal. It almost looked like Google had sold out to these Websearch people, allowing them to flop 1\/2 of their content toward <a href=\"http:\/\/www.websearch.com\/\">Websearch.com<\/a>.<\/p>\n<p>So I downloaded Netscape and made sure that Google hadn&#8217;t sold out. A search for &#8220;Prussian medals&#8221; on Internet Explorer returned about 50% junk while the same search in Netscape looked just fine. IE was being hijacked.<\/p>\n<p>Now I just had to find what was doing it&#8230;. 2 hours later, bull&#8217;s-eye. 
Here&#8217;s the low-down:<\/p>\n<p>The <a href=\"http:\/\/www.websearch.com\/\">www.websearch.com<\/a> toolbar is bad news.<\/p>\n<p>Here&#8217;s an excerpt from their Terms of Use:<\/p>\n<blockquote><p>By installing the Service you understand and agree that the following changes may be made to your Internet Explorer browser and that the following functions may be performed by the Service: install a Search Toolbar in your browser which may (i) block certain pop-up ads and pages; (ii) display links to related websites and keywords based on the information you view and the websites you visit; (iii) store non-personally identifiable statistics of the websites you have visited; (iv) redirect certain URL&#8217;s including your browser default address bar search, DNS error page and Search Button page to or through the Service and; (v) automatically update the Service and install added features or functionality conveniently without your input or interaction unless you have chose to be notified of such update in advance.<\/p><\/blockquote>\n<p>The Terms of Use also says how to uninstall the software. (&#8220;When the Add\/Remove Programs Properties window opens, locate the listing for &#8216;Search Toolbar&#8217; that you would like to uninstall from the list of installed programs.&#8221;) But, like any good malware, the uninstallation instructions didn&#8217;t work.<\/p>\n<p>Spybot Search and Destroy shows this software as a BHO:<\/p>\n<blockquote><p>Spybot-S&amp;D Browser helper object report, 3\/18\/2004 9:26:07 PM<\/p>\n<p>{83DE62E0-5805-11D8-9B25-00E04C60FAF2}<br \/>\nClass file: 2_0_1browserhelper2.dll<br \/>\nPath: C:\\WINDOWS\\<\/p><\/blockquote>\n<p>One reason it took so long to figure this out was that this BHO, which normally shows up as an IE toolbar, has no visible user interface&#8230; Jerks.<\/p>\n<p>All you have to do is disable that BHO in Spybot and you&#8217;re good to go. Another way is to rename c:\\windows\\2_0_1browserhelper2.dll. 
You might have to reboot into Safe mode to rename the file.<\/p>\n<p>I&#8217;ve got another client with the same malware. It&#8217;ll take 5 minutes to get rid of her Websearch malbar (to coin a term).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The short form: 2_0_1browserhelper2.dll is a nasty adware toolbar with no UI. See my 3-19-04 journal article at http:\/\/lee.org\/journal. It took me 2 friggin hours to figure this one out. It mangles Google search results in IE and sticks ads for the &#8220;websearch toolbar&#8221; in the results. Kill it by removing the BHO 2_0_1browserhelper2.dll &#8212;&#8212;&#8212;&#8212;&#8212;&#8212; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-757","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/posts\/757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/comments?post=757"}],"version-history":[{"count":0,"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/posts\/757\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/media?parent=757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/categories?post=757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lee.org\/blog\/wp-json\/wp\/v2\/tags?post=757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}