Board: Bugtraq
Hi,

The BHO you are talking about is part of a banking malware toolkit which is being sold probably. Among other things (password stealer), this BHO has backdoor and "botnet" capabilities, implementing several remote commands:

+ upload
+ run
+ update
....

This toolkit also comprises various "infection management system" php scripts:

+ statistics about infections, countries...
+ users/victims tracking
+ logs parsing
....

The BHO communicates directly with those scripts for sending and/or receiving captured information and remote commands respectively.

Watch out for unexpected http traffic containing commandack.php, mailwab.php..

Cheers,

-Rubén.
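
The post's closing advice, as an added example that is not part of the original message: a Python scan of proxy logs for requests whose script name is one of the two named there. The log layout, the sample lines and the names `find_hits` and `script_name` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# The two script names given in the post (its list is open-ended).
INDICATOR_SCRIPTS = {"commandack.php", "mailwab.php"}

# Assumed proxy log layout: client [timestamp] "METHOD URL PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def script_name(url):
    """Last path segment, percent-decoded and lowercased; query string ignored."""
    path = unquote(urlsplit(url).path)
    return path.rsplit("/", 1)[-1].lower()

def find_hits(lines):
    """Map each client address to the requests it made to an indicator script."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not fit the assumed layout
        if script_name(m["url"]) in INDICATOR_SCRIPTS:
            hits[m["client"]].append((m["ts"], m["method"], m["url"]))
    return dict(hits)

# Constructed sample log lines (hosts, addresses and times are made up).
SAMPLE_LOG = [
    '10.0.0.5 [01/Jan/2024:10:01:02 +0000] "POST http://host-a.example/s/commandack.php HTTP/1.0" 200',
    '10.0.0.5 [01/Jan/2024:10:06:02 +0000] "GET http://host-a.example/s/MailWab.php?id=1 HTTP/1.0" 200',
    '10.0.0.7 [01/Jan/2024:10:07:40 +0000] "GET http://host-b.example/x/command%61ck.php HTTP/1.0" 404',
    '10.0.0.9 [01/Jan/2024:10:08:11 +0000] "GET http://www.example/search?q=commandack.php HTTP/1.0" 200',
    '10.0.0.9 [01/Jan/2024:10:09:30 +0000] "GET http://www.example/index.php HTTP/1.0" 200',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for client, requests in sorted(find_hits(SAMPLE_LOG).items()):
        print(client, len(requests), "request(s)")
        for ts, method, url in requests:
            print("   ", ts, method, url)
```

Matching on the decoded, lowercased last path segment catches case and percent-encoding variants while ignoring a URL that only mentions the name in its query string.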