Ok, I have spent much of the evening going through ALL your HJT logs and suddenly noticed something... Legal or good BHOs (Browser Helper Objects), which are items like Spybot Helper, Adobe Acrobat, Google Toolbar, your printer, Java, Windows Live Toolbar Helper, Windows Live Sign In Helper, all will always show with their SAME CLSID number, that is the number between {****}.

BUT the one we want to get rid of ALWAYS shows a DIFFERENT CLSID number! On each and every HJT scan the number for that one is different. I believe this is why you cannot get rid of it: delete one number and it just creates a new one.

O2 - BHO: (no name) - {4F4B9EB1-ABBC-4048-8814-1A02BB87E2D0} - H:\WINDOWS\system32\sstts.dll

A new Vundo infection which has recently cropped up is being installed with a rootkit.

A hidden service called DP1112 and a Blacklight log which contains an entry for C:\WINDOWS\qaz4.txt will confirm the presence of the rootkit.

Let's try these steps and see if "maybe" this is what you have been dealing with. Now you will see these instructions refer to the "C" drive, as this is the usual drive which contains your OS, etc. Since yours is "H", you will of course want to scan the "H" drive, and where "C" is noted yours would probably say "H".

First please delete ALL copies of VundoFix on the computer and all Backups of VundoFix.

1. Download the F-Secure BlackLight Beta by clicking accept and then clicking download on the next page.

* Save to a folder of your choice or the desktop.
* Start the program by double-clicking on its icon.

Note: While scanning, it is important to observe the following precautions:

1. Close all browser, program and Explorer windows.
2. Disconnect from the internet to prevent background programs from autoupdating during the scan.
3. Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight.

* Click Accept
* Click Scan - see Note
* When the scan is complete, press Next
* Only rename H:\WINDOWS\qaz4.txt if present, even if other hidden items are found
* Close all other programs before continuing, and then select Next -> Finish.
* Select Restart now to reboot the computer so the changes take effect
* After the reboot, the hidden items should be renamed and visible on the computer.
* Re-run BlackLight to verify that H:\WINDOWS\qaz4.txt is no longer found.

BlackLight beta creates a log file fsbl-<date-and-time>.log in the same directory as blbeta.exe.
For more detailed instructions please refer to the BlackLight Help file and Tutorial.

2. Stop and delete the service DP1112 via the command prompt

* Click Start -> Run -> type cmd -> Click OK
* Type or paste sc stop DP1112 at the command prompt
* Hit Enter
* Type or paste sc delete DP1112 at the command prompt
* Hit Enter
* Close the command prompt window

3. Reboot to make the Vundo files visible to Windows and HJT

4. Confirm DP1112 is no longer present in the Device Manager

* Right-click My Computer
* Click Properties -->Hardware --> Device Manager
* On the toolbar menu, click View--> Show Hidden devices.
* Double-click Non-Plug and Play Drivers
* Verify that DP1112 is no longer present in the list of drivers

5. Enable Viewing of Hidden Files and Folders

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

6. Delete the file H:\WINDOWS\qaz4.txt.ren which is the renamed file C:\WINDOWS\qaz4.txt

7. Delete H:\WINDOWS\system32\Drivers\DP.sys

8. Download VundoFix.exe by Atribune to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button
* You will receive a prompt asking if you want to remove the files, click yes
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Restart your computer
* A log called vundofix.txt will be created in your H:\ directory
* Inspect H:\vundofix.txt with Notepad to be sure the fix completed properly
* Please retain H:\vundofix.txt should you need to post a HijackThis log.

9. Run WinPFind to make sure there are no undetected infected files remaining

* Download WinPFind by OldTimer
* Right-click WinPFind.zip and extract all to the H:\ folder (do not open the program yet, as it should be run in Safe Mode)
* Boot into Safe Mode by doing the following:

1. Restart the computer
2. Once the BIOS memory check is done, start tapping the F8 key
3. If done correctly, the Windows Advanced Options Menu will appear.
4. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes

* Once in Safe Mode, double-click WinPFind.exe located within the H:\WinPFind folder
* Click on Start Scan
* Wait for the scan to finish (it may take over 30 minutes)
* The results will be displayed when you see Scan Complete
* A log file called WinPFind.txt will be automatically generated in the WinPFind folder
* If you see an Umonitor entry bearing the same creation date as the other infected files you've removed, with a random consonant executable file name similar to this:

Checking %System% folder...

* Umonitor 1/28/2006 10:57:20 AM 57364 H:\WINDOWS\SYSTEM32\ljbpjbqn.exe

* This file should be located on your system and deleted.

Please run either Trend Micro HouseCall or Bitdefender online scanner and tell it to fix anything found.

Post back with all requested logs.
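As an added example that is not part of the original post: a PowerShell script that records the registered BHOs and compares them with the previous run, so a BHO whose CLSID differs on every scan (the behaviour described above) stands out, and that then checks for the DP1112 service and the qaz4.txt marker named in the post. The drive letter and the snapshot file location are assumptions; the registry paths are Internet Explorer's standard BHO and CLSID keys.

```powershell
# Added example, not from the original post: snapshot the registered BHOs and diff
# them against the previous run so a BHO whose CLSID keeps changing stands out;
# then check the two rootkit indicators named in the post (DP1112, qaz4.txt).
# Assumptions: the system drive letter and the snapshot path below.
param(
    [string]$SystemDrive  = 'H:',                          # the thread's system drive
    [string]$SnapshotPath = "$env:TEMP\bho-snapshot.txt"   # assumed location
)

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Resolve each registered BHO CLSID to the DLL it loads (InprocServer32 default value).
function Get-Bho {
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ CLSID = $clsid; Dll = [string]$srv.'(default)' }
    }
}

$current = @(Get-Bho)
$current | Format-Table -AutoSize
if (Test-Path -LiteralPath $SnapshotPath) {
    # Snapshot lines are "CLSID|DLL". A DLL seen last time under a different CLSID
    # is the rotating-CLSID BHO the post singles out; good BHOs keep the same CLSID.
    $previous = @{}
    foreach ($line in Get-Content -LiteralPath $SnapshotPath) {
        $parts = $line -split '\|', 2
        if ($parts.Count -eq 2 -and $parts[1]) { $previous[$parts[1].ToLower()] = $parts[0] }
    }
    foreach ($b in $current) {
        if (-not $b.Dll) { continue }
        $old = $previous[$b.Dll.ToLower()]
        if ($old -and $old -ne $b.CLSID) {
            Write-Warning "CLSID changed for $($b.Dll): was $old, now $($b.CLSID)"
        } elseif (-not $old) {
            Write-Warning "BHO not seen in previous snapshot: $($b.CLSID) -> $($b.Dll)"
        }
    }
}
# Save this run so the next one has something to compare against.
$current | ForEach-Object { "$($_.CLSID)|$($_.Dll)" } | Set-Content -LiteralPath $SnapshotPath

# A live rootkit can hide the service from this query, so a clean result here only
# means something after the BlackLight rename-and-reboot step above.
$svc = Get-Service -Name 'DP1112' -ErrorAction SilentlyContinue
if ($svc) { Write-Warning "Service DP1112 present (status: $($svc.Status))" }
foreach ($f in "$SystemDrive\WINDOWS\qaz4.txt", "$SystemDrive\WINDOWS\qaz4.txt.ren") {
    if (Test-Path -LiteralPath $f) { Write-Warning "Found $f" }
}
```

Run it once before and once after each HJT scan; the first run only writes the snapshot, and later runs warn about any DLL that has come back under a new CLSID.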