Guidelines for Helpers and Advanced users


Pieter_Arntz
November 7th, 2003, 06:08 AM
Merijn has written a tutorial (http://www.spywareinfo.com/~merijn/htlogtutorial.html) on what to remove with HijackThis.
It is well worth reading, but please remember, HijackThis is a very powerful tool. If you want to try and fix things yourself using HijackThis, always keep in mind, the program makes no difference between good or bad. It just does what the user instructs it to do, no matter what the consequences might be. You could end up disconnecting yourself from the internet or being unable to reboot at all.
So if you are in any doubt, post your log on a board that offers an adware, spyware & hijack cleaning forum (http://www.malwarecomplaints.info/viewtopic.php?t=63).
Make sure you have the latest version as it is updated often to keep up with the latest threats.

You will find some of these links in that tutorial, but I'd like to make them available here as well.

For running (mostly system) processes: http://www.liutilities.com/products/wintaskspro/processlibrary/ (you'll need to scroll down some)
For BHO's and Toolbars: http://computercops.biz/CLSID.html
For Startup entries: http://computercops.biz/StartupList.html
Startups and running processes: http://www.answersthatwork.com/
For ActiveX elements: use the find feature in SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or look here: http://www.castlecops.com/ActiveX.html
For items in the LSP stack: http://computercops.biz/LSPs.html
Rare Startup-locations:
ShellServiceObjectDelayLoad: http://www.castlecops.com/O21.html
Shared Task Scheduler: http://www.castlecops.com/O22.html
AppInit_DLLs and Winlogon Notify: http://www.castlecops.com/O20.html

Services: http://www.castlecops.com/O23.html

And then, if all else fails, there is always your favorite search engine.

Further on in this thread you will find instructions on how to recognize and remove malware that needs special attention and that uses random filenames and/or CLSID's.

If you run across something you can't identify, feel free to IM me (or one of the other staff members) a link to the log it concerns. We are always on the lookout for new malware to submit to the developers.


Where no special credits are mentioned in the posts below, these should go to the expert groups at SpyWareInfo (http://forums.spywareinfo.com/index.php) and ComputerCops (http://www.castlecops.com/).

Pieter_Arntz
November 7th, 2003, 06:10 AM
First example of spyware using random names and CLSID's for startup entries as well as BHO's.

C2.lop aka lop.com

Information: http://www.doxdesk.com/parasite/lop.html
Some example logs and removal instructions: http://www.wilderssecurity.com/showthread.php?t=7487

Scanning with spyware-removing software will take care of the main executable most of the time, but the BHO and Toolbar are often not recognized, so the victim will get stuck with the annoying bar.

Pieter_Arntz
November 7th, 2003, 06:12 AM
A redirect-fee stealer using random names and CLSID's for its BHO's

WurldMedia

Examples from HijackThis logs from computers with different versions of Windows:
O2 - BHO: (no name) - {C76D8D39-9C48-4D6E-AA77-D4A149B00C52} - C:\WINNT\system32\azake.dll

O2 - BHO: (no name) - {93DABE7D-CD45-47C0-BBB9-9AD2853B8E10} - C:\WINDOWS\SYSTEM32\moaa030425s.dll

O2 - BHO: (no name) - {EC306669-5056-4707-8AA9-F639F6A8E589} - C:\WINDOWS\SYSTEM\BRMIMLWM.DLL

To identify these BHO's as WurldMedia:
Right-click that file > Properties > Description.
If it says it's a "TC Module" it will be WurldMedia.

http://www.wilderssecurity.com/attachments/Wurldmedia23-11P_A.jpg

Pieter_Arntz
November 7th, 2003, 06:13 AM
A toolbar BHO that slows down IE significantly, using random file names.

ToolbarCC

Log example:
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslagp.dll

The CLSID's range from {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA2} till {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}

Note: the very similar {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} also using ms(+4 random letters).dll is a CWS variant

Pieter_Arntz
November 7th, 2003, 06:14 AM
A family of hijackers is known under the name:

CWS

A special program to remove it was developed and is kept up to date by Merijn; it is called CWShredder. We are mirroring it. A direct download link and a list of the sites the hijacks are leading to can be found here:
http://www.wilderssecurity.com/showthread.php?t=14086

More info on the variants covered by CWShredder and a very good read, also including examples of HijackThis logs: http://www.spywareinfo.com/~merijn/cwschronicles.html

Variants that have been discovered, but are not added to CWShredder are added to this thread:
http://www.wilderssecurity.com/showthread.php?t=28658
Our staff will try and update that thread as often as we can. Variants that are added to CWShredder will be marked as such there.

Pieter_Arntz
November 7th, 2003, 06:15 AM
Downloading and displaying advertisements, changing filenames

RapidBlaster

A special program called RapidBlaster Killer (http://www.wilderssecurity.net/specialinfo/rapidblaster.html) was written by Javacool to remove this pest.

Examples from logs:

Version 1
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"

Version 2
O4 - HKLM\..\Run: [newsgroup ml097e] "c:\program files\newsgroup\newsgroup.exe"

Version 3
O4 - HKLM\..\Run: [nvd32 ml710e] "C:\Program Files\NvidStar\nvd32.exe"

An overview of the filenames it has been known to use, and additional information can be found here:
http://www.wilderssecurity.net/specialinfo/rapidblaster.html

Pieter_Arntz
November 7th, 2003, 06:16 AM
A randomly named trojan that creates new ones when you try to disable or remove it. Displays porn pop-ups.

Peper Trojan

Log examples:
C:\WINDOWS\SYSTEM\ONP3E.EXE
C:\WINDOWS\SYSTEM\FPES3.EXE
O4 - HKLM\..\Run: [2L8FCMP467GN8D] C:\WINDOWS\SYSTEM\LhoK8W3.exe

C:\WINDOWS\System32\Njw7.exe
C:\WINDOWS\System32\Pnt4SuR.exe
O4 - HKLM\..\Run: [4HLQDEJ4W8T9B9] C:\WINDOWS\System32\AozDF.exe

The startup name between brackets is 14 characters long and starts with a number ranging from 2 to 6.

Special instructions

Download and run this file to fix Peper Trojan:
http://www.memorywatcher.com/uninst.exe
The program needs internet access to complete the removal.

Pieter_Arntz
November 7th, 2003, 06:17 AM
IRC trojan that attaches itself to the System(32) folder using a random filename.

AFlooder

Log example:
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1

The name consists of seven letters (a-z).

Special instructions

Click "Start" > "Run" > type or copy&paste rundll32 <path to this DLL>,Uninstall > "OK"

Pieter_Arntz
November 7th, 2003, 06:18 AM
Adware and hijacker requiring special instructions

MS T-Media Display

Total Velocity Hijacker, also called MS T-Media Display, is an adware and hijacker component. It is bundled with a program called Memory Meter. Total Velocity Hijacker connects to totalvelocity.com (66.159.219.201).

Log example:
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE

Special instructions

Go offline and uninstall: 'MS T Media Display' in Add/Remove Software
That is msmgt.exe.
Reboot, Find and delete: C:\WINDOWS\MSMGT.EXE

Then have HijackThis Fix:
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE

and delete MSMGT.exe and TINYINSTALLER.exe in the same directory.


Source: http://www.kephyr.com/spywarescanner/library/tvhijacker/index.phtml

Pieter_Arntz
November 7th, 2003, 06:19 AM
Generates porn-popups and hijacks IE, using random filenames.

Winpup

Version one (there are more :( ) uses filenames that are 6-8 numbers long.

Log example:
O4 - HKLM\..\Run: [32577151.exe] C:\WINNT\System32\32577151.exe
O4 - HKLM\..\Run: [18626040.exe] C:\WINNT\System32\18626040.exe
O4 - HKLM\..\Run: [88517397.exe] C:\WINNT\System32\88517397.exe

The filesize is 36 kb and they show winpup under properties.

Special instructions

End-task the process, fix the startup entry in HijackThis and, after rebooting, find all the files with the above properties in the System(32) directory.
Note: the filenames may not correspond with the ones showing in the log.

Then use the regfile below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\pup]

Write-up done by FreeAtLast.

Pieter_Arntz
November 10th, 2003, 05:49 AM
Adware that uses randomly named startup entries that check whether nCase has been removed. It offers to reinstall the original program.

nCase

Log examples:
O4 - HKLM\..\Run: [AKVC] C:\WINDOWS\AKVC.exe
O4 - HKLM\..\Run: [ISAN] C:\WINDOWS\ISAN.exe
O4 - HKLM\..\Run: [ALVCQ] C:\WINDOWS\ALVCQ.exe
O4 - HKLM\..\Run: [GQLVDN] C:\WINDOWS\GQLVDN.exe

The above are from one log. They often come in groups.

The name between brackets and the name of the exe are always in capitals and always identical.

The original program will show up like this:
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE

Pieter_Arntz
November 10th, 2003, 05:52 AM
Advertiser suspected of spying, using random filenames. Some installs come bundled with lop.com.

FreeScratchCards (FreeScratchAndWin variant)

Log example:
O4 - HKLM\..\Run: [fxwnccbr] C:\WINDOWS\SYSTEM\fxwnccbr.exe

Always uses 8 letter filenames and is located in the System(32) folder. In the same folder you will find another exe file that has a dollar sign ($) as an icon.

Pieter_Arntz
November 17th, 2003, 10:32 AM
Downloads and displays advertisements.

Purityscan/Clickspring (version 1)

Besides the winservn variant described here (http://www.symantec.com/avcenter/venc/data/adware.purityscan.html) they also use a lot of (maybe even random) 4-letter filenames as a startup entry.

Log examples:
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\[username]\Application Data\iebs.exe

O4 - HKCU\..\Run: [Soar] C:\Documents and Settings\[username]\Application Data\rwod.exe

Pieter_Arntz
November 18th, 2003, 04:59 AM
Hijacks to search-aide.com and changes the function of the F9 key.

IETray

Uses a Windows filename as a startup entry.

Log example:

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM

Fix the entries above and delete the CSRSS.EXE in the Windows directory, not the one in System(32).

Pieter_Arntz
November 23rd, 2003, 01:38 PM
Changes your AIM profile and redirects to talkstocks dot com and/or realphx dot com

TalkStocks trojan

Besides the executables, randomly named BHO's are installed.

Log examples:

O2 - BHO: (no name) - {4A2D7B5F-4E9E-839C-AC5C-768688C7DE8B} - C:\windows\system\itstgblg.dll

O2 - BHO: (no name) - {CB3B59F7-43E6-A0D6-956F-3673E9738AA6} - C:\WINDOWS\system32\ntmccdds.dll

The BHO's can be recognized because they call themselves IEloader Module.

http://www.wilderssecurity.com/attachments/Talkstocks23-11P_A.jpg

Pieter_Arntz
December 10th, 2003, 06:26 AM
Hijacker and advertiser that uses randomly named BHO's with random CLSID's

AdGoblin

Log examples:

O2 - BHO: (no name) - {230E68F5-3CB6-4144-8A3D-360216EE3B2C} - C:\WINDOWS\System32\insatfunc.dll

O2 - BHO: (no name) - {A64C7BBA-EBDF-4AA2-9212-B601CD508D3B} - C:\WINDOWS\System32\oexts.dll

O2 - BHO: (no name) - {AA3832A0-02DC-11D8-A667-0004754CD6E5} - C:\WINDOWS\SYSTEM\MOCIOLE.DLL

O2 - BHO: (no name) - {8DC6F55B-AA4E-4FE0-9F6B-91C77BF7DCED} - C:\WINDOWS\System32\igcm32.dll

There are two variants. One has a filesize of 100 KB and an MD5 value of 1ff2edc905384d75ead352a56bc9466a.
The other has a filesize of 120 KB and an MD5 value of 31ff532b8363d531f75583466ef49dd3.

Research by mjc : http://www.s89223352.onlinehome.us/tinc?key=AbZ0JojL&formname=crapware

Pieter_Arntz
February 7th, 2004, 05:04 PM
Spyware that slows down your computer, and sometimes disables the possibility to close windows with the X-button. Uses random filenames for the BHO and the running executable.

roings jimmyloader

Log examples:

O2 - BHO: (no name) - {6430BC19-3DA0-44CB-86A6-9BA9DFAFE16C} - C:\WINDOWS\f5QK.dll
O4 - HKLM\..\Run: [xGQH7sL] C:\WINDOWS\g176X9J.exe

O2 - BHO: (no name) - {F999B30F-6A4B-4E4F-8610-0D06FFD93B3E} - C:\WINNT\hkH4TG.dll
O4 - HKLM\..\Run: [iQusLz] C:\WINNT\fAhg6Ofp.exe

How to recognize:
Under properties > Version tab the Original filename for the exe will show load.exe and the BHO will be wat.dll

In the log also look for:
O16 - DPF: {B8A04596-1C1B-48B6-9268-F2F86C9D55BC} (jimmyloader.jimmyform) - hxxp://bins.roings.com/crack.cab

O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - hxxp://bins.roings.com/roing.cab

Pieter_Arntz
March 6th, 2004, 11:34 AM
Downloads and displays advertisements. Produces a lot of popups.

PurityScan/Clickspring (Version 2)

Usually found in the company of version 1 (see Reply #12)

Log examples:

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

There seems to be some consistency in the filenames but they sure look the same. (See attachment)
The description is always sear1 MFC Application.

Pieter_Arntz
March 28th, 2004, 03:24 PM
Generates porn-popups and hijacks IE, using random filenames. Winpup renames itself each time the process is started, making it both hard to find and remove.

Winpup (aka Atoque)

Version two (there are more) uses filenames that are 6-8 digits long.

Log example:
O4 - HKLM\..\Run: [tmsmgrn] C:\WINDOWS\System32\tmsmgrn.exe
O4 - HKLM\..\Run: [xdiagnd] C:\WINDOWS\System32\xdiagnd.exe
O4 - HKLM\..\Run: [tildllu] C:\WINDOWS\System32\tildllu.exe

On the version tab these have the name pupdate.exe

Special instructions

End-task the process, fix the startup entry in HijackThis and, after rebooting, find all the files with the above properties in the System(32) directory.
Note: the filenames may not correspond with the ones showing in the log.

Then use the regfile below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup]

Credits to Unzy and Kephyr.com (http://www.kephyr.com/spywarescanner/library/winpup/index.phtml)

Pieter_Arntz
April 3rd, 2004, 08:54 AM
Hijacker that uses random CLSID's for its BHO and Toolbar.

Mirar aka NetNucleus

The filenames are WinNB4*.dll where * ranges from 0 to 2 (for the moment), and the file itself is in the System(32) folder.

Log examples:
O2 - BHO: (no name) - {FADEEE2B-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL
O3 - Toolbar: Related Page - {FADEEE2A-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL

O2 - BHO: (no name) - {F464C39B-AEF3-4605-B865-6A9E75683A67} - C:\WINDOWS\System32\WinNB42.dll
O3 - Toolbar: Related Page - {F464C39A-AEF3-4605-B865-6A9E75683A67} - C:\WINDOWS\System32\WinNB42.dll

Pieter_Arntz
May 9th, 2004, 04:49 AM
Dutch porn dialer. The filenames are not really random, but it uses so many of them that it may seem that way.

Switch dialer

Log examples:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/First2Enter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/PageOn1/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/eMakeSV/Portal/portal.html

O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\msite18.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINNT\System32\cdm.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\game.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINNT\system32\code.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\cat.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\HIT.EXE
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM32\snt.exe
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\ru.exe
O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\ls.exe
O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\lu.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\msgplus.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\dll.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\plugin.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\run_21.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\system32\mstart.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\SYSTEM\MSTAR2.EXE
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mcmgr32.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mmgr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\m2gr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntcpl.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntopengl.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\rcron.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\dservice.exe
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\SYSTEM\EMAKESV.EXE

Other reported filenames: web.exe, patch.exe, cp.exe

You will have to end-task the running process or boot into safe mode to be able to remove the exe file.
Also remove the folder in the Program Files directory that holds the Portal subfolder.

Pieter_Arntz
June 4th, 2004, 11:25 AM
This malware makes the infected system act as an HTTP proxy. It also opens TCP ports 6690 and 5590, possibly to notify a third party.

Agent.X trojan

Log example:

O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BQHPKFGM.EXE

On every subsequent execution, this Trojan drops another copy of itself in the SR64 directory using a different random file name, which is always 8 characters long.

Fix the entry in HijackThis and delete the entire sr64 folder in the System(32) directory.

Credits to TrendMicro (http://www.trendmicro.com/offers/banners/ve/iframe.asp?VName=TROJ_AGENT.X)

Pieter_Arntz
July 27th, 2004, 04:22 AM
This Trojan Horse installs itself as a BHO and steals online banking information from web forms.

PWSteal.Refest

Log example:

O2 - BHO: (no name) - {DE862734-0DD8-49A2-91BD-0B98BB1718F9} - C:\WINDOWS\System32\lcnnn.dll

The BHO uses a random name with up to 8 lower-case characters, e.g., "abcde.dll" or "qrstuvwx.dll". The file is 45056 bytes in length.
The CLSID is random as well. The dll will be found in the System(32) folder.

Removal instructions and write-up by Symantec (http://www.symantec.com/avcenter/venc/data/pwsteal.refest.html)

Pieter_Arntz
August 3rd, 2004, 05:35 AM
Adware that uses contextual advertising. It uses a BHO that can be randomly named.

Midaddle by AdSypre

Log examples:
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} -
C:\Program Files\Common Files\midaddle\midaddle.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\6PSEAG.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\nz.dll

The CLSID is always the same (for now).

Pieter_Arntz
August 3rd, 2004, 03:20 PM
Adware causing popups, specifically from 680180.net

Adlogix™

Log examples:

When they were not random they looked like this:
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe

Now they have random filenames and CLSID's and look like this:
O2 - BHO: SDWin32 Class - {E9079510-297A-44DA-960E-6040FD3BD74D} - C:\WINDOWS\System32\igpir.dll
O4 - HKLM\..\Run: [igpirc] C:\WINDOWS\System32\igpirc.exe

The name of the exe has a "c" extra at the end of the filename of the dll.
Original filename of the dll is still SWin32.DLL
Original filename for the exe: localFilemove.EXE

Pieter_Arntz
August 22nd, 2004, 11:38 AM
Hijacker using randomly named dll's, usually posing as part of another popular program:

SafeGuard aka Veevo

Log examples:

O2 - BHO: Core Library - {F281FFC7-6C63-4bf9-83F2-AB7A6157B109} - C:\WINDOWS\System32\KDP0d92.dll
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater (required)] regsvr32 /s C:\WINDOWS\System32\KDP0d92.dll

O2 - BHO: (no name) - {6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} - C:\WINDOWS\System32\veev2506.dll
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\System32\veev2506.dll

CLSID's in use and the corresponding filenames are:

{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} sfg_****.dll
{6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} sfg****.dll, veev****.dll (* = random char)
{6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} veev****.dll (* = random char)
{6E34D984-4054-45E3-8452-0159A2F0D232} Veevo.dll
{83B3E0C1-DEF1-4df5-A3F5-92D10B7A396A} sfg****.dll (*=random char)
{A23AB93D-6CFF-442c-BB8A-41F6145F47E7} PDF****.dll (* = random char)
{A44B961C-8C36-470f-8555-EDA0EFC1E710} popupblocker.dll, popupDefence.dll
{B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} Sgpopupblocker.dll
{D4D505DF-D582-400c-91B6-84921012AFE3} pdfupd.dll / PDF****.dll
{E9C1FD9A-46B0-4185-84ED-E2F8ACD4A262} kdp****.dll (* = random char)
{F281FFC7-6C63-4bf9-83F2-AB7A6157B109} kdpupd.dll, kdp****.dll (* = random char)

Pieter_Arntz
August 25th, 2004, 09:03 AM
Using random filenames, it downloads and installs

SaveNow

Log examples:

O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\nftvqvk.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\wgsstip.exe

Fix the Startup entries, delete the files and check under Add/Remove Programs for the presence of Save aka SaveNow aka WhenUSave and uninstall it.

Pieter_Arntz
August 25th, 2004, 09:11 AM
Another downloader for adware using random filenames contacting these domains:
newupdates.lzio.com
updates.lzio.com

TROJ_VIVIA.A

Log examples:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://newupdates.lzio.com/augnew_1.htm...1086746781
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dhxpgpk.exe

O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\nmryaph.exe

Pieter_Arntz
September 4th, 2004, 11:21 AM
A BHO in the Windows directory that uses random CLSID's but a fixed filename (lbbho.dll).

RelatedLinks

Log examples:

O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll

O2 - BHO: C:\WINDOWS\lbbho.dll - {7FEFE602-B07B-42B7-BDB9-E321342F999B} - C:\WINDOWS\lbbho.dll

Removal instructions and write-up by Kephyr (http://www.kephyr.com/spywarescanner/library/relatedlinks.lbbho/index.phtml)

Pieter_Arntz
October 18th, 2004, 05:19 AM
Using a randomly named .dat file as a BHO, this adware logs keystrokes and displays advertising messages periodically.

VirtuMonde aka Troj/AgentSpy

Known CLSID's that are used with this BHO:

Log examples:

O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\[username]\LOCALS~1\Temp\4dpUswodniW.dat
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\WINDOWS\TEMP\YEKCBDO.DAT

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe

(Example of O4's with * but without rerun or ren at the end of the file name.)
O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD\JAVAAD.EXE
O4 - HKLM\..\Run: [*VSSIP] C:\WINDOWS\WEB\VSSIP.EXE

(Examples of O4's with * and rerun or ren at the end of the file name.)
O4 - HKLM\..\RunOnce: [*IISINFO] C:\WINDOWS\APPPATCH\IISINFO.EXE rerun
O4 - HKLM\..\RunOnce: [*VSSIP] C:\WINDOWS\WEB\VSSIP.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\SYSTEM\MUI\040B\WMSCOM.EXE ren
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\HELP\NUTHARD.EXE ren
The files with rerun or ren at the end of the file name should also be found in running processes; you should find one of each.
(If they are in the same subfolder you may only find one in running processes.)

Connections found in firewall log:
virtumonde.com [209.123.150.14]
updates.virtumonde.com [208.48.15.13] or [208.48.15.11]
scripts.affiliatefuture.com [80.253.103.154]

Additional methods of infection and removal are described here:
http://securityresponse.symantec.com/avcenter/venc/data/pf/adware.virtumonde.html
http://www.pestpatrol.com/pestinfo/v/virtumonde.asp
http://www.giantcompany.com/antispyware/research/spyware/spyware-VirtuMonde.aspx
http://www.kephyr.com/spywarescanner/library/virtumonde/index.phtml
http://www.sophos.com/virusinfo/analyses/trojagentspyb.html
http://vil.nai.com/vil/content/v_127690.htm

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html <= with a link to a removal tool

Special credits to Trpm

Pieter_Arntz
October 26th, 2004, 02:18 PM
Using a randomly named dll, it registers itself as a Browser Helper Object, connects to a preset remote server, and downloads and executes other files from there.

Troj/Dloader-NL

Log examples:

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\System32\kuzok.dll

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINNT\system32\aouox.dll

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\SYSTEM\hadicuie.dll

The CLSID is a constant.

For more information:
http://www.sophos.com/virusinfo/analyses/trojdloadernl.html

dvk01
October 31st, 2004, 07:47 AM
A new hijacker that has second copies of all the files to reinstall itself if any of them are deleted.
It makes copies in the Local Settings\Temp folder on NT-based computers. I haven't seen it in 9x computers yet.

You might or might not have startups for the other files in a HJT log; frequently not.

You might not see all entries in a HJT log, but I can guarantee that all the files will be there.

Download Pocket Killbox from http://download.broadbandmedic.com/Killbox.exe and put it on the desktop where you can find it easily.
Run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix checked.

O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\System32\msshed32.exe

and any other O4 startups that correspond to the named files.

Now run Killbox and paste each of these lines into the box. Select delete on reboot; end explorer shell before deleting must be ticked at all times. Then press the red X button. When it says reboot now, say no and continue to paste the lines in, in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\command.exe
C:\WINDOWS\System32\msshed32.exe
C:\WINDOWS\System32\moneyspj.exe
C:\WINDOWS\System32\atiupdate.exe
C:\DOCUME~1\User name \LOCALS~1\Temp\atiupdate.exe
C:\DOCUME~1\User name \LOCALS~1\Temp\msshed32.exe
C:\DOCUME~1\User name \LOCALS~1\Temp\moneyspj.exe

If any ONE file is missed on a delete on reboot, the whole cycle starts again.

The original downloader is msshed32, and if you block its access to the net with a firewall before it downloads the others, then it normally deletes easily.

Example of logs:
http://forums.techguy.org/showthread.php?t=290449

Pieter_Arntz
November 20th, 2004, 03:35 PM
A hijacker that tries to install itself as the default browser, using random filenames.

Adware.Inetex

Description and removal instructions:
http://sarc.com/avcenter/venc/data/pf/adware.inetex.html

Also using randomly named BHO's

Log example:

O2 - BHO: WSearch - {4EB644C7-A12A-409A-8304-DC16E87D48C2} - C:\Program Files\WebSearch\Util\84IQEVLF.dll

Pieter_Arntz
November 22nd, 2004, 01:53 PM
Adware using random filenames for BHO's and executables.

AdBlaster

HijackThis log examples:

OLD versions

O2 - BHO: (no name) - {2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} - c:\windows\ngpw34.dll

O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - C:\WINDOWS\NGSW31.DLL

New version

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll

and a running process called adprot.exe

Removal:

- Stop adprot.exe as a running process
- Have HijackThis fix the line with the BHO (called ngsh33.clsIS) with all IE windows closed.
- Find and delete *****.dll and *****.exe after a reboot. * are numbers that are the same for the dll and the exe.
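
As an added example (not code from this thread, from HijackThis, or from any tool linked here), a small Python script that applies some of the recognition rules posted above (Peper, AFlooder, nCase, Winpup version 1, Adlogix and AdBlaster) to O2/O4 lines from a HijackThis log. The sample lines are constructed to resemble the examples quoted in the posts, the rule names are my own, and the check that the nCase exe sits directly in C:\WINDOWS or C:\WINNT is an assumption based on the logs shown.

```python
import re

# Constructed sample HijackThis lines, modelled on the examples quoted in this
# thread (not copied from any real victim log). The last two are benign controls.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [2L8FCMP467GN8D] C:\WINDOWS\SYSTEM\LhoK8W3.exe",
    r"O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1",
    r"O4 - HKLM\..\Run: [AKVC] C:\WINDOWS\AKVC.exe",
    r"O4 - HKLM\..\Run: [32577151.exe] C:\WINNT\System32\32577151.exe",
    r"O2 - BHO: SDWin32 Class - {E9079510-297A-44DA-960E-6040FD3BD74D} - C:\WINDOWS\System32\igpir.dll",
    r"O4 - HKLM\..\Run: [igpirc] C:\WINDOWS\System32\igpirc.exe",
    r"O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll",
    r"O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# HijackThis line shapes: "O4 - HKLM\..\Run: [name] command" and
# "O2 - BHO: description - {CLSID} - path".
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# AFlooder: rundll32 <dir>:<seven letters>.dll,Init (the dll hides in an NTFS stream).
AFLOODER_RE = re.compile(r"^rundll32 \S*:(?P<dll>[a-z]{7})\.dll,Init")


def split_path(cmd):
    """Split a (possibly quoted) command path into (parent dir, file name)."""
    path = cmd.strip('"')
    parent, _, fname = path.rpartition("\\")
    return parent, fname


def stem(cmd):
    r"""File name without directory or extension: C:\WINDOWS\AKVC.exe -> AKVC."""
    return split_path(cmd)[1].rsplit(".", 1)[0]


def o4_rule(name, cmd):
    """Per-line heuristics from the thread for O4 (Run / RunOnce) entries."""
    bare = name.lstrip("*")  # RunOnce entries are written with a leading '*'
    m = AFLOODER_RE.match(cmd)
    if m and m.group("dll") == bare:
        return "AFlooder: seven-letter name loaded via rundll32 ...,Init"
    if re.fullmatch(r"[2-6][A-Z0-9]{13}", bare):
        return "Peper: 14-character run name starting with a digit 2-6"
    parent, _ = split_path(cmd)
    s = stem(cmd)
    if re.fullmatch(r"\d{6,8}", s):
        return "Winpup v1: file name of 6-8 digits"
    if (bare.isalpha() and bare.isupper() and s == bare
            and parent.upper() in (r"C:\WINDOWS", r"C:\WINNT")):
        return "nCase reinstaller: all-caps run name identical to exe in Windows dir"
    return None


def o2_rule(desc, path):
    """Per-line heuristics from the thread for O2 (BHO) entries."""
    s = stem(path)
    if desc.lower().startswith("ngsh") and s.isdigit():
        return "AdBlaster: ngsh BHO with numeric dll; look for %s.exe and adprot.exe" % s
    return None


def scan(lines):
    """Map each suspicious log line to the rule it tripped.

    O2 lines are collected first so the Adlogix check (exe named after the
    BHO dll plus a trailing 'c') can correlate across lines.
    """
    hits = {}
    o2, o4 = [], []
    for line in lines:
        line = line.strip()
        if (m := O2_RE.match(line)):
            o2.append((m["desc"], m["path"], line))
        elif (m := O4_RE.match(line)):
            o4.append((m["name"], m["cmd"], line))
    for desc, path, line in o2:
        rule = o2_rule(desc, path)
        if rule:
            hits[line] = rule
    dll_stems = {stem(path).lower() for _, path, _ in o2}
    for name, cmd, line in o4:
        rule = o4_rule(name, cmd)
        s = stem(cmd).lower()
        if rule is None and s.endswith("c") and s[:-1] in dll_stems:
            rule = "Adlogix: exe named after the BHO dll plus a trailing 'c'"
        if rule:
            hits[line] = rule
    return hits


if __name__ == "__main__":
    for line, rule in scan(SAMPLE_LOG).items():
        print(rule)
        print("   ", line)
```

A hit only means the line matches a pattern from this thread; confirm it with the file properties (version tab, description, size) the posts describe before fixing anything.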

Pieter_Arntz
January 24th, 2005, 08:31 AM
A hijacker that modifies the hosts file and adds favorites, a BHO and a Toolbar.

The Simple Toolbar aka TROJ_FAVADD.C

It will show up in a log looking like:

O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\system32\3kuubuqrhi.dll

O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\gm2v6xjqnl.dll

The CLSID's are fixed, the filenames are random.

For more information:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_FAVADD.C

Pieter_Arntz
March 1st, 2005, 11:08 AM
A trojan using a random CLSID and a partly random filename as a BHO.

Trojan.Eman

Trojan.Eman is a Browser Helper Object which attempts to download and execute arbitrary code from a predetermined website.
The filename consists of msxxx.dll where xxx are three random lower case letters.

It can be recognized because it adds the value:
"emandislc"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

Log example:
O2 - BHO: Name - {9CCA572C-7BBF-4D12-B5BF-F6AA6EE098A9} - C:\WINNT\system32\msfxj.dll
O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL

More information and removal instructions (http://securityresponse.symantec.com/avcenter/venc/data/trojan.eman.html)

Pieter_Arntz
April 19th, 2005, 02:09 PM
A Startpage trojan which registers as a COM object and a Browser Helper Object (BHO) under a random clsid.

Trojan.Win32.StartPage.xb aka Troj/StartPa-FR

When the Trojan is installed it creates the file <Windows system folder>\spqap.dll, which is registered as a COM object and as a Browser Helper Object (BHO) for Microsoft Internet Explorer under a random clsid.

However, a reference to the random clsid can be found at:
HKLM\SOFTWARE\Microsoft\Internet Explorer\cslnam

The corresponding clsid can be found in:
HKCR\CLSID\{clsid}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}

Write-up by Sophos (http://www.sophos.com/virusinfo/analyses/trojstartpafr.html)

Pieter_Arntz
May 5th, 2005, 11:00 AM
Using a few CLSID's, foldernames and filenames, displays advertisements on the infected computer.

MSEvents aka Trojan Vundo.B

Log examples:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\ServicePackFiles\fontsrv.dll

Symantec offers a removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

Attached to this post you will find a regfile (which I stole from dvk01) to remove some more registry entries.