Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Classic

Cleaning up after WMF exploit - BHO removal

Browser helper objects (BHO's) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I've used BHOdemon in the past to…

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

Browser helper objects (BHO's) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I've used BHOdemon in the past to identify and disable BHO's and a tool like that is the preferred method. However, in my case, this is a disposable virtual machine and I used the "blunt object" approach.... regedit.


I had identified one file in the infestation as a BHO by viewing it with a text editor and finding a text string identifying that it was a BHO. 3.00.13.dll was the file name. In the registry, I went to the following key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and deleted every entry. This is not the recommended way of dealing with it, but I was already several hours into cleaning up my virtual machine and didn't have any "good" BHO's that I was concerned that would disable.

Even if there were "good" BHO's that I had disabled I would image a reinstall of the BHO would fix it. (Some good one's for example might be an Acrobat reader BHO)... Anyway, I had forgot to detail that step in the earlier writeups and wanted to make sure there was a complete accounting.