I've written an article on how to block BHOs and such, so you might check there.
You will need to add exclusions and even additions blocks in it, but it's stopped some rogue stuff here.
Forget checksums as those babies change every few hours! Block generically, add specific exclusions or exceptions - for example, I had to exclude Outlook and Word due to custom email signature HTML files folks here use, otherwise I block most htings that attempt to install EXE, DLL and other files in the user profile area (common target today as even casual users have FULL RIGHTS there)