What is a Browser Helper Object?

A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.

The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet. Of course, many BHOs are what is called "ad-ware" or "spyware": they do things like monitor the websites you visit and report this data back to their creators.

They can also routinely conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance.

A great little tool for viewing and, if required, disabling, the BHOs that may be installed on your machine is BHODemon, which can be downloaded here

For those interested, Merijn Bellekom, the developer of the brilliant Startuplist and Hijack This! has introduced BHOList.exe. It downloads and displays the BHO Collection in a searchable & sortable list.

Note

The Notorious LOP foistware now creates random Browser plugin identifiers as well as file names.

They'll look something like this:

{1A35419C-7394-4989-B3C5-6189EB06BD66}: ssshwckfrngl.dll
{9633C13D-85BB-4271-83C1-F22BC2938585}: llbrquistglc.dll
{DCF6B0CF-5312-42B2-B783-971C107F8B91}: kstilypsm.dll

As the number of possible names and combinations could therefore literally run into the billions, I will no longer be adding LOP BHOs to the list.

Be watchful when running into unknown BHOs bearing these kinds of fancy names. If they're not on the list, and the file is located in the Application Data directory, it's almost certainly a LOP BHO

The same now goes for some WurldMedia Browser Plugins. Here are a few examples of random WM identifiers and file names:

{8A79D959-1251-41CC-B29D-4CF8B675D41E}: toalundg.dll
{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll

and some semi-random ones:

{E0634852-5A3C-4E35-954C-17A0622F0BF8}: m030206pohs.dll
{6270DFC1-EDFB-4BC4-BE8C-842740BA290B}: MOAA030425S.DLL
{BFBAE8DA-9920-4166-A5A4-EBD03F59ABF5}: mo030414s.dll
{98D9A225-9D35-4F98-A65B-85FC9A21C0E4}: MO030414S.DLL

According to research by Andrew Clover these are respectively completely and partly random filenames and class IDs; he got a new filename/ID every time he installed. However, the internal name of the object remains the same (TChk.TChkBHO), so it will fortunately remain detectable, although not by file name alone.

More random BHO's are used by Adware.GPCasino aka TalkStocks Trojan.
These are found in the System(32) directory and are called IEloader Module:

{4A2D7B5F-4E9E-839C-AC5C-768688C7DE8B}: itstgblg.dll
{AF7D42F2-29BD-D89C-3FC8-C64D7AF6B3AC}: qhgimxyy.dll
{CB3B59F7-43E6-A0D6-956F-3673E9738AA6}: ntmccdds.dll

For those looking for an engrossing read,here's the authoritative MS article:
Browser Helper Objects: The Browser the Way You Want It