
Nebuler.BHO

Posted: August 5, 2011

Nebuler.BHO is a specialized subtype of the Nebuler Trojan that attaches itself to your web browser and gradually degrades its performance. The SpywareRemove.com malware research team has found that Nebuler.BHO is flexible enough to be used for multiple types of attacks, although the most popular uses involve the installation of concealed spyware programs like Trojan-PSW.Win32.Delf.d and PWSteal.Sacanph.A. Even though Nebuler.BHO will try to conceal its presence, you may be able to notice a Nebuler.BHO infection by looking for the relevant symptoms. If you believe that Nebuler.BHO is on your PC, don't wait to use the best available anti-malware program to remove Nebuler.BHO, since allowing Nebuler.BHO to remain on your computer is the same as reducing your PC security to nil.

Finding Nebuler.BHO Before Your Privacy is Compromised

Most Trojans like Nebuler.BHO are distributed by fake media updates, including fake codec downloads, browser updates and movie player links. Since SpywareRemove.com malware researchers have found that many Nebuler.BHO infections originate from Russia, you may want to be particularly cautious around file sources from that region. Once on your PC, Nebuler.BHO will launch itself without your permission by making Registry changes that attach Nebuler.BHO to your default Windows startup routine.
 
Nebuler.BHO can be detected by signs like the following:

  • First and foremost, Nebuler.BHO shows itself through a serious degradation in the performance of Internet Explorer. This takes the form of lag or slow response times, as well as possible interface stuttering or ignored input. As a browser-specific Browser Helper Object, Nebuler.BHO can't affect the performance of other web browsers besides Internet Explorer. Although this problem may not be visible at first, the severity may increase with the duration of Nebuler.BHO's stay on your PC.
  • You may also see the IE process, iexplore.exe, use up excessive system resources or remain open even if you think that all Internet Explorer windows are closed. SpywareRemove.com malware analysts have seen that most variants of Nebuler.BHO will prevent you from closing these processes or restart them immediately after they've been shut down.
  • Your web browser may behave strangely and show signs of being hijacked. Browser hijacks can change your homepage, redirect you to malicious websites or display fake errors that prevent you from visiting safe websites.

Wiping Nebuler.BHO Off of Your Browser

Using Safe Mode or a similar strategy to stop Nebuler.BHO from launching is a crucial step in removing Nebuler.BHO from your PC. Once you've done this, it's strongly encouraged to use an anti-malware product to delete Nebuler.BHO, since this will ensure the removal of advanced Nebuler.BHO components such as its Registry entries.
 
Using web browsers other than Internet Explorer may spare you from Nebuler.BHO's obvious symptoms, but any spyware that Nebuler.BHO installs may still be active. A thorough system scan with updated security products should catch any malicious security program that was installed by Nebuler.BHO, as well as Nebuler.BHO itself.
 
However, any information that Nebuler.BHO or related infections sent to criminals may still be open to exploitation. After cleaning up a Nebuler.BHO infection, SpywareRemove.com malware analysts recommend changing passwords and other identification information to avoid any risks of fraud or identity theft.

Aliases

Nebuler.BHO

Technical Details

File System Modifications

The following files were created in the system:

%PROGRAM_FILES%\RANDOM.exe

Registry Modifications

The following Registry values were newly created:

HKEY..\..\..\..{Subkeys}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic32p\Security
net64 = "%Windir%\svhoster.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*NewlyCreated* = 0x00000000
ActiveService = "amsint32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000\Control
EnableLUA = 0x00000000
HKEY..\..\..\..{RegistryKeys}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
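
To check a machine for the Registry entries listed above, the following added example (not part of the original article or any SpywareRemove.com tool) parses the text of a .reg export and reports which of them are present. The function names, the pairing of each value with a key, and the sample export are assumptions made for illustration.

```python
import re

# Indicators from the page's list; pairing values with keys is this example's assumption.
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
KEY_MARKERS = {"service key aic32p": r"\services\aic32p",
               "LEGACY_AMSINT32 entry": r"\enum\root\legacy_amsint32"}

def parse_reg(text):
    """Parse .reg export text into {key: {value name: data}}, lowercased (Registry names are case-insensitive)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        current[name] = data
    return keys

def find_indicators(keys):
    # Returns a list of findings; an empty list means no indicator matched.
    hits = []
    for name, data in keys.get(RUN, {}).items():
        if name == "net64" or (isinstance(data, str) and data.lower().endswith(r"\svhoster.exe")):
            hits.append(f"Run autostart: {name} = {data}")
    # EnableLUA = 0 turns UAC off; admins can set it too, so treat it as supporting evidence.
    if keys.get(POLICY, {}).get("enablelua") == 0:
        hits.append("EnableLUA = 0")
    for label, marker in KEY_MARKERS.items():
        if any(marker + "\\" in k + "\\" for k in keys):
            hits.append(label)
    return hits

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"net64"="C:\\WINDOWS\\svhoster.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic32p\Security]
'''
if __name__ == "__main__":
    print("\n".join(find_indicators(parse_reg(SAMPLE))))
```

Registry exports are normally saved as UTF-16, so decode the file to text before passing it to `parse_reg`.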