Full Version: Help Me Kill 'whataboutadog'
BleepingComputer.com > Security > Am I infected? What do I do?
DreamofSun
Hi.
I'm totally infected by these viruses. They're all showing in my browser history: doginhispen, tribalfusion, skitodayplease, 88.80.7.66. Anti-spyware software is not helpful. I downloaded FindAWF.exe, but need some help on how to step through the cleanup process. It would be greatly appreciated.
Thanks,
DreamofSun
quietman7
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
  • Press 1 then 'Enter' to scan for bak folders
  • The FindAWF tool will begin scanning your computer for the infected AWF files and backups created by the trojan.
  • It may take a few minutes to complete so be patient.
  • When complete, it will open a text file in notepad called awf.txt which will be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.
DreamofSun
Hi Quietman7,
Thanks for helping. Here's the contents of the awf.txt file:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 02/14/2008
The current time is: 19:32:00.21


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

11/15/2007 01:11 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

07/07/2006 06:14 PM 576,320 itype.exe
1 File(s) 576,320 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

07/07/2006 06:15 PM 600,896 ipoint.exe
1 File(s) 600,896 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/14/2007 11:43 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 11:20 AM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 10:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 04:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 4 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14860 Feb 4 2008 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
14860 Feb 4 2008 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14860 Feb 4 2008 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
14860 Feb 4 2008 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
14860 Feb 4 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report
quietman7
Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 2 then 'Enter' to restore files from bak folders
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:
QUOTE
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
"C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
"C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.
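The report format posted above and the option 2 step just described, as an added example that is not part of this thread and not code from the FindAWF tool: a small Python parser for the "Duplicate files of bak directory contents" section that pairs each bak copy with the file of the same name in its parent folder, flags pairs where the parent no longer matches the backup (in the log above every such parent is the same small file with a recent date, which is the tell-tale of the replacement), and emits the quoted list that goes into files.txt. The sample report is a constructed excerpt modelled on the log above, including a path the forum wrapped across two lines; the function names are mine.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the FindAWF report format (not a real machine's log).
# The iTunesSetupAdmin.exe entry is deliberately wrapped across two lines,
# as forum software did to the log posted above.
SAMPLE_REPORT = r"""
Find AWF report by noahdfear ©2006
Version 1.40

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 4 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer

Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"

end of report
"""

# size, "Mon D YYYY", quoted path
ENTRY_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def _logical_lines(text):
    """Yield report lines, re-joining a quoted path that was wrapped across lines."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            if not line:
                continue  # blank line inserted by the wrap
            pending = pending + " " + line
            if pending.count('"') % 2 == 0:
                yield pending
                pending = None
            continue
        if line.count('"') % 2 == 1:  # opening quote without its close
            pending = line
            continue
        yield line
    if pending is not None:
        yield pending


def parse_report(text):
    """Return every size/date/path entry from the duplicate-files section."""
    return [Entry(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, _logical_lines(text)) if m]


def _is_bak_copy(path):
    folder, _ = ntpath.split(path)
    return ntpath.basename(folder).lower() == "bak"


def parent_of(bak_path):
    """Path the original file lives at: same name, one folder up from bak."""
    folder, name = ntpath.split(bak_path)
    return ntpath.join(ntpath.dirname(folder), name)


def analyze(entries):
    """For each bak copy, say whether its parent-folder twin is identical, replaced, or missing."""
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not _is_bak_copy(e.path):
            continue
        parent = by_path.get(parent_of(e.path).lower())
        if parent is None:
            status = "missing"
        elif (parent.size, parent.date) == (e.size, e.date):
            status = "identical"
        else:
            status = "replaced"
        findings.append({"bak": e.path, "parent": parent_of(e.path), "status": status,
                         "parent_size": None if parent is None else parent.size})
    return findings


def stub_sizes(findings):
    """Sizes of the files now sitting where originals were; one repeated size is the stub."""
    return Counter(f["parent_size"] for f in findings if f["status"] == "replaced")


def restore_list(entries):
    """The quoted bak paths, one per line, in the form FindAWF option 2 expects in files.txt."""
    return ['"%s"' % e.path for e in entries if _is_bak_copy(e.path)]


if __name__ == "__main__":
    found = analyze(parse_report(SAMPLE_REPORT))
    for f in found:
        print(f["status"].ljust(9), f["parent"])
    print("stub sizes:", dict(stub_sizes(found)))
    print("\n".join(restore_list(parse_report(SAMPLE_REPORT))))
```

Restoring every bak copy, as quietman7's list does, is the right call even where the pair is identical (ctfmon.exe above): the backup is what the dropper saved, so putting it back costs nothing, and a parent with no twin in the report still has a backup worth restoring.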
DreamofSun
OK then, below is the result of the AWF Option 2 text file. I did reboot by the way between running option 1 and option 2. I hope that doesn't mess anything up? Thanks again....


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 02/15/2008
The current time is: 6:37:23.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

11/15/2007 01:11 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

07/07/2006 06:14 PM 576,320 itype.exe
1 File(s) 576,320 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

07/07/2006 06:15 PM 600,896 ipoint.exe
1 File(s) 600,896 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/14/2007 11:43 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 11:20 AM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 10:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 04:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267048 Nov 15 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report
quietman7
Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 3 then 'Enter' to remove bak folders.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:
QUOTE
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft IntelliType Pro\bak
C:\Program Files\Microsoft IntelliPoint\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak
C:\Program Files\Creative\SB Drive Det\bak
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.
DreamofSun
Hi again Quietman7. Here's the result of running AWF option 3 txt file (looks good huh?):


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Fri 02/15/2008
The current time is: 19:06:35.70


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
DreamofSun
Bummer, it hasn't fixed it. I still get a.doginhispen.com showing up in my history as soon as I open IE7. What now?
quietman7
Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 4 then 'Enter' to reset domain zones.
  • You will receive a warning to reset domain zones.
  • Press 1 then 'Enter'.
  • When done, you will receive a message: "Done! Zones have been reset".
  • After resetting the domain zones, the program will return to the main menu.
  • Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
DreamofSun
Thanks Quietman7!
So far so good. This morning on bootup and again after cleansing the system with ATF, the rogue history entries are not showing. Do you by any chance know what information may have been snatched by these rogue sites/groups (tribalfusion/doginhispen/etc)? My wife made an online purchase while these trojans were in place. Wondering if there's any chance they could have snatched credit card or other personal info?
quietman7
Your infection was related to Downloader.Agent.awf. IMO, anytime your machine is infected it's always "best practice" to change all your passwords and let credit card companies know that your machine may have been compromised.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Malware Prevention - Preventing Re-infection".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1".
• "Hardening Windows Security - Part 2".
• "IE Recommended Minimal Security Settings".
DreamofSun
Thanks Quietman7. It seems however that I'm not yet clean. I still have tribalfusion showing in IE history. It popped up after we finished everything. In IE7 history it reads as follows:
a.tribalfusion (a.tribalfusion.com)
Can you assist in removing that as well? It seems also to be a virus.
DreamofSun
One more thing...I just scanned with Spybot and found/killed DSSAgent. Not sure if that's related to tribalfusion?
quietman7
Use ATFCleaner again to remove all your cookies.

Download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates...". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
Then add Tribalfusion to your hosts file to block that site. Better yet, download and use a custom HOSTS file which already has that site added for blocking along with numerous others.

MVPS HOSTS File zipped version: http://www.mvps.org/winhelp2002/hosts.zip
Download includes a batch file (mvps.bat) that will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the proper location.

MVPS HOSTS File text version: http://www.mvps.org/winhelp2002/hosts.txt
Extract the zip file to the following location and let it replace your existing hosts file: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Blocking Unwanted Parasites with a Hosts File Instructions
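An added example of the hosts-file blocking described in the post above; it is not part of the thread and not the MVPS file itself. The Python below parses a hosts file, appends sink entries for the hostnames named in this thread (a.tribalfusion.com, a.doginhispen.com) without duplicating names already present, and reports any hostname the file already maps to a non-sink address, since a hosts file that quietly redirects a name somewhere unexpected is itself worth a look during a cleanup. The sample hosts content and its 198.51.100.7 mapping are constructed; 0.0.0.0 as the sink address is my choice, the post does not specify one.

```python
# Constructed sample of a Windows hosts file (not a real machine's file).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net        # already blocked
198.51.100.7    www.example.com        # constructed non-sink mapping, flagged as a conflict
"""

# Addresses that make a name unreachable; either is used by blocklist-style hosts files.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the file gives it; comments are ignored."""
    mapping = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        addr, *names = body.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_blocked(text, hostname):
    """True when the hosts file sends hostname to a sink address."""
    return parse_hosts(text).get(hostname.lower()) in SINK_ADDRESSES


def add_blocks(text, hostnames, sink="0.0.0.0"):
    """Append sink entries for hostnames the file does not mention yet.

    Returns (new_text, added, conflicts). 'conflicts' lists hostnames the file
    already maps to a non-sink address; they are left untouched for review
    rather than silently overwritten.
    """
    existing = parse_hosts(text)
    lines = text.rstrip("\n").splitlines() if text.strip() else []
    added, conflicts = [], []
    for raw in hostnames:
        host = raw.strip().lower()
        if host in existing:
            if existing[host] not in SINK_ADDRESSES:
                conflicts.append(host)
            continue
        lines.append(f"{sink} {host}")
        existing[host] = sink
        added.append(host)
    return "\n".join(lines) + "\n", added, conflicts


if __name__ == "__main__":
    # Hostnames from this thread; on a real machine the text would come from
    # C:\WINDOWS\system32\drivers\etc\hosts and be written back with admin rights.
    new_text, added, conflicts = add_blocks(
        SAMPLE_HOSTS, ["a.tribalfusion.com", "a.doginhispen.com", "www.example.com"])
    print(new_text)
    print("added:", added)
    print("review these existing mappings:", conflicts)
```

Running it twice is harmless: names already sunk are skipped, so the file does not grow with duplicates on every cleanup pass.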
DreamofSun
Hi again Quietman,
It's back again, and again, and again.
a.doginhispen keeps showing up. I re-ran the entire FindAWF process + ATF Cleaner + SUPERAntiSpyware last night. Rebooted, and then it's back along with skitoftheday. I rescrubbed again, taking all 4 steps with FindAWF, etc, etc. Turned the computer on again and there it is, a.doginhispen in the history. In between I was deleting all history, cookies, temp files, etc. I just now ran AWF step 1 and it's clean (attached below). Why then does this keep showing in history? Do you know where it resides? Any other more comprehensive way to find/kill it? Please help again. Thanks.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 02/28/2008
The current time is: 15:56:02.67


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
DreamofSun
Very interesting!
When I turned the computer on now, I only had a.doginhispen in my history, with a clean AWF file (no bak's). While I was typing the previous message to you, b.skitodayplease showed up in history on its own (without any web activity besides sitting here on bleepingcomputer). Now while I'm sitting here typing this reply, 88.80.7.66 has also shown up in my history, all by itself (no activity other than sitting here on bleepingcomputer). I just reran the AWF option 1 and lo and behold, it's full of crap bak folders (attached below). I need a next step please! Thanks.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 02/28/2008
The current time is: 16:11:09.48


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 01:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

01/17/2008 11:51 AM 486,856 daemon.exe
1 File(s) 486,856 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

11/15/2007 01:11 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 11:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

07/07/2006 06:14 PM 576,320 itype.exe
1 File(s) 576,320 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

07/07/2006 06:15 PM 600,896 ipoint.exe
1 File(s) 600,896 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/14/2007 11:43 PM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 11:20 AM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
10/08/2004 04:52 AM 221,184 LVCOMSX.EXE
2 File(s) 236,544 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

01/18/2005 10:47 AM 458,752 ISStart.exe
01/18/2005 10:37 AM 217,088 LogiTray.exe
01/18/2005 10:07 AM 196,608 ManifestEngine.exe
3 File(s) 872,448 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\REMOTE~1\BAK

10/08/2003 04:35 PM 139,264 RCMan.EXE
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

02/04/2008 09:17 PM 14,860 CTSysVol.exe
1 File(s) 14,860 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.546\BAK

01/24/2007 03:13 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

02/27/2008 09:49 PM 14,348 jusched.exe
1 File(s) 14,348 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 04:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 28 2008 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
14348 Feb 28 2008 "C:\Program Files\DAEMON Tools Lite\daemon.exe"
486856 Jan 17 2008 "C:\Program Files\DAEMON Tools Lite\bak\daemon.exe"
14348 Feb 28 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14348 Feb 28 2008 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
14348 Feb 28 2008 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
14348 Feb 28 2008 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
14348 Feb 28 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 28 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Feb 28 2008 "C:\WINDOWS\system32\LVCOMSX.EXE"
221184 Oct 8 2004 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"
14348 Feb 28 2008 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
14348 Feb 28 2008 "C:\Program Files\Logitech\Video\ISStart.exe"
458752 Jan 18 2005 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
14348 Feb 28 2008 "C:\Program Files\Logitech\Video\LogiTray.exe"
217088 Jan 18 2005 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
14348 Feb 28 2008 "C:\Program Files\Logitech\Video\ManifestEngine.exe"
196608 Jan 18 2005 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
14348 Feb 28 2008 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
14348 Feb 28 2008 "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
139264 Oct 8 2003 "C:\Program Files\Creative\MediaSource\RemoteControl\bak\RCMan.EXE"
14348 Feb 28 2008 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
14348 Feb 28 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
52272 Jan 24 2007 "C:\Program Files\Google\googletoolbar4user.exe"
69632 Nov 13 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
26694 Dec 9 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
138168 Jan 24 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
14348 Feb 28 2008 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
171448 Jan 24 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
11817800 Dec 28 2005 "C:\Documents and Settings\Ron Ritz\Local Settings\Temp\Temporary Internet Files\Content.IE5\GH0ABU45\GoogleEarth-0762[1].exe"
14348 Feb 28 2008 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
14348 Feb 27 2008 "C:\Program Files\Java\jre1.6.0_04\bin\bak\jusched.exe"
14348 Feb 28 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report
quietman7
The removal tool does not seem to be as effective as it once was. Looks like further investigation will be needed but in order to do that you need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.