Each time a new instance of Internet Explorer starts, it checks the Windows Registry for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
The Adobe Acrobat plug-in that allows Internet Explorer users to read PDF files within their browser is a BHO.
[2][3] For example, the Download.ject malware is a BHO that is activated when a secure HTTP connection is made to a financial institution, then begins to record keystrokes for the purpose of capturing user passwords.
The C2.LOP malware adds links and popups of its own to web pages in order to drive users to pay-per-click websites.
For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files, all completely transparently to the user.
This utility displays a list of all installed BHOs, browser extensions and ActiveX controls, and allows the user to enable or disable them at will.