Google redirects, among other things

Status
Not open for further replies.

PlayTheCharade

Posts: 11   +0
Well, glad that I finally found a board that knows what they're doing.
It seems like I'm following the trend for infected computers, because as of yesterday my Google searches have been bad. It's probably from what I thought was a driver for my sound card. Anyways, the sound card is fine now, but my computer is obviously infected/hacked.

Symptoms
Links lead to other links, plus I can't access sites like Symantec or McAfee; the sites in your 8 steps to clean are also blocked, as in unable to visit at all. Other sites like Yahoo and CNET are okay, as long as I type the address in the address bar manually.

Restore points are gone; I can't create one and can't go back to a previous point.

I've been able to run your programs and delete the found files (adware, worms, trojans...). Then the links work fine and I'm able to visit Symantec and sites like that. But as soon as I turn off the computer/restart it, the problems are back. I've cleaned the computer twice, but each restart brings the problems back.
------------------------------
Thankfully I was able to download the programs to a flash drive from another computer and did like you guys said in the guide. Anyways, here are the attached logs.
 
How are things looking now that you have completed the removal instructions? You were badly infected. Will see if anything remains in the HJT log.
 
Considering the extent of your infections (from your logs and your account), I would like you to do the following:

Please download Panda Antirootkit from HERE.

Download and run Combofix via these instructions HERE. Ensure that you have installed the Windows Recovery Console, as well as disabled any real-time monitoring programs (such as Spybot, firewalls etc.) before you run the program itself. When it's done, a log will be saved under C:\combofix.txt.

After that run Panda Antirootkit and let me know the results.

I notice that you have not run CCleaner, and your SUPERAntiSpyware log shows it set to only 'quick scan'. Do re-run it with a full scan after you have run CCleaner via the instructions sticky, after ComboFix and Panda Anti-Rootkit.

Post your logs here when you are done.
 
You seem to have three antivirus programs installed (Norton, McAfee and Avast). You should only have one AV program installed at a time (preferably Avast).

Run HJT again and remove the following:

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Mama\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Remove Viewpoint Toolbar from Start > Control Panel > Add/Remove Programs

General question:
Does anyone know what this is?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E29A5C6D-EDD6-4157-BD16-2B3FAA90E94A}: NameServer = 64.223.217.2,192.168.123.254
 
That O17 entry is legitimate. I get your point on Viewpoint, but the other O4 entries do not need to be removed, in fact every single one of them is legit. We should not be messing with a user's settings without his/her authorization.

The reason why I did not provide HJT cleaning instructions is because it is easier to do the cleaning at one go. If you check his SAS log you'll realise his system is pretty badly infected, and cleaning the infection is not so simple as fixing some HJT entries. Thus, we do not wish to confuse the user with too many different instructions from different people. Your input on the Viewpoint, the 3 AV and O17 entry is valid though, and that is appreciated.
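The O17 question above turns on what the NameServer addresses actually are, and the O2/O3/O4 lines are judged by what file they load. The following is an added example, not code from the thread or from the HijackThis project: a small parser for those four HJT line types that pulls out the loaded file or the DNS servers and attaches a neutral triage hint (RFC 1918 private vs public for nameservers, file location for the rest). The sample lines are the ones quoted in the thread; the hints are for the reviewer's judgement, exactly as the reply above notes that the O17 entry and the O4 entries here are legitimate.

```python
"""Parse a few HijackThis (HJT) line types and summarise what they point at."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample built from the HJT lines quoted in the thread above.
SAMPLE_HJT = r"""O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Mama\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E29A5C6D-EDD6-4157-BD16-2B3FAA90E94A}: NameServer = 64.223.217.2,192.168.123.254
"""


@dataclass
class HjtEntry:
    kind: str    # "O2", "O3", "O4" or "O17"
    name: str    # BHO/toolbar name, Run value name, or the Tcpip interface key
    target: str  # file the entry loads, or the NameServer list
    note: str    # triage hint derived from the target (a hint, not a verdict)


_BHO_RE = re.compile(
    r'^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
_O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
_O17_RE = re.compile(r'^O17 - (?P<key>.+): NameServer = (?P<servers>[0-9.,]+)$')


def executable_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ')[0]


def location_hint(path: str) -> str:
    """Describe where a loaded file lives; a hint for manual review, not a verdict."""
    p = path.lower()
    if p.startswith(r'c:\program files'):
        return 'program files'
    if p.startswith(r'c:\windows'):
        return 'windows directory'
    if p.startswith(r'c:\documents and settings'):
        return 'user profile (review: legitimate per-user installs also live here)'
    return 'other location'


def classify_nameservers(servers: str) -> dict:
    """Map each NameServer address to 'private' (RFC 1918/loopback/link-local) or 'public'."""
    result = {}
    for s in servers.split(','):
        addr = ipaddress.ip_address(s.strip())
        result[str(addr)] = 'private' if addr.is_private else 'public'
    return result


def parse_hjt(text: str) -> list:
    """Parse O2/O3/O4/O17 lines; other HJT line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := _BHO_RE.match(line):
            entries.append(HjtEntry(m['kind'], m['name'], m['path'], location_hint(m['path'])))
        elif m := _O4_RE.match(line):
            exe = executable_from_command(m['cmd'])
            entries.append(HjtEntry('O4', m['name'], exe, f"{m['hive']} {m['key']}; {location_hint(exe)}"))
        elif m := _O17_RE.match(line):
            classes = classify_nameservers(m['servers'])
            note = ', '.join(f'{ip} is {cls}' for ip, cls in classes.items())
            entries.append(HjtEntry('O17', m['key'], m['servers'], note))
    return entries


if __name__ == '__main__':
    for e in parse_hjt(SAMPLE_HJT):
        print(f'{e.kind:4} {e.name:30} {e.target}\n     -> {e.note}')
```

For the O17 line this reports 192.168.123.254 as private (the router) and 64.223.217.2 as public; whether a public resolver is the ISP's or a hijack is a question for the reviewer to settle against the user's ISP, which is the judgement the reply above made.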
 
That O17 entry is legitimate. I get your point on Viewpoint, but the other O4 entries do not need to be removed, in fact every single one of them is legit. We should not be messing with a user's settings without his/her authorization.

Unnecessary startup entries, which slow the system, but you are right.
 
Thanks for the responses guys, you've been very helpful.

@tw0rld
Done and deleted. But I guess it wasn't needed, momok? Either way, they're gone.

@momok
I've DLed Panda, CCleaner, and Combofix, just need to run them. The only thing holding me back is that my computer never came with an OS disk, so I don't think I have the Recovery Center, and I can't install it. I've tried searching for "recovery" and "Center" on my computer but nothing comes up. Can I run those programs without the Recovery Center, or is RC required for it to work?
 
Thanks for the responses guys, you've been very helpful.

@tw0rld
Done and deleted. But I guess it wasn't needed, momok? Either way, they're gone.

The O4 entries I told you to delete were startup entries, which tend to slow Windows down, no big deal really.
 
The link which I gave provides some alternative ways to create the Recovery Console through Combofix by downloading a file.
If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
.
.
.
Go back to the link and scroll down a little and you'll find it.
 
@tw0rld
Yeah, from what I saw the files didn't look like anything I used extensively anyways, so getting some space and a faster boot was appreciated, thanks for that.

@momok
Ah, right. Sorry I didn't see that. I'll post back in a bit after running the programs and with new logs.
 
Thanks for being patient and helping me out, you guys are lifesavers.
Alright so here are the results:

EDIT: It's working so far (can visit Symantec, McAfee, Google searches not redirected) but I'm going to go ahead and do the reboot that SAS said it needed to delete the things it found. Do I just do a normal restart (Start > Shut Down > Restart)? Or is there a command that SAS has to ensure that the items are removed?

-Panda didn't detect anything

-Attached
 
Hi,
  1. Open Notepad and copy/paste the text in the quote box below into it:
    File::
    C:\WINDOWS\3DMHook.INI
    C:\pltemp.ini
    C:\WINDOWS\UnSiSUSB.exe
    C:\WINDOWS\system32\1_ssetup.ini
    C:\WINDOWS\system32\sunistlog.ini
    C:\FOUND.000
    C:\Documents and Settings\Czar\mc-110-12-0000137.exe
    C:\Documents and Settings\Czar\n.bat
    C:\WINDOWS\system32\tlvrrc.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pagks]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdajra]
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif
  4. Run CCleaner.
  5. Continue with the SAS scan. Restart as and if needed.
  6. Run HJT and save a log
Post your new logs (HJT, Combofix, SAS) here after that, thanks.
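The CFScript above uses ComboFix's section syntax: a `File::` block of absolute paths to remove and a `Registry::` block in .reg-file syntax, where `[-KEY]` means delete that key. As an added example (not code from the thread or from ComboFix itself), here is a parser that turns such a script into a dry-run plan a helper can read back before anything is deleted, with a guard that refuses to plan the removal of a protected directory such as C:\WINDOWS; the protected-directory list is the example's own assumption, and the sample script is the one quoted above. The code only reads the script; it never touches files or the registry.

```python
"""Parse a ComboFix-style CFScript and produce a dry-run plan of what it requests."""
from pathlib import PureWindowsPath

# Constructed sample: the CFScript quoted in the post above.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\3DMHook.INI
C:\pltemp.ini
C:\WINDOWS\UnSiSUSB.exe
C:\FOUND.000
C:\Documents and Settings\Czar\n.bat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pagks]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdajra]
"""

# Assumed list of directories a File:: entry must never name outright.
PROTECTED_DIRS = {r'c:\\', r'c:\windows', r'c:\windows\system32', r'c:\program files'}


def parse_cfscript(text: str) -> dict:
    """Split the script into its 'Name::' sections; returns {section: [lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f'line outside any section: {line!r}')
        else:
            sections[current].append(line)
    return sections


def check_file_target(path: str) -> str:
    """Normalise a File:: path and reject relative paths or protected directories."""
    p = PureWindowsPath(path)
    if not p.drive:
        raise ValueError(f'File:: entry is not an absolute path: {path}')
    if str(p).lower().rstrip('\\') in {d.rstrip('\\') for d in PROTECTED_DIRS}:
        raise ValueError(f'refusing to plan removal of protected directory: {path}')
    return str(p)


def plan_actions(sections: dict) -> list:
    """Turn parsed sections into (action, target) tuples for a reviewer to read back."""
    plan = []
    for path in sections.get('File', []):
        plan.append(('delete file', check_file_target(path)))
    current_key = None
    for entry in sections.get('Registry', []):
        if entry.startswith('[-') and entry.endswith(']'):
            plan.append(('delete registry key', entry[2:-1]))   # .reg syntax: [-KEY]
            current_key = None
        elif entry.startswith('[') and entry.endswith(']'):
            current_key = entry[1:-1]                            # .reg syntax: [KEY]
            plan.append(('ensure registry key', current_key))
        elif current_key is not None:
            plan.append(('set value under ' + current_key, entry))
        else:
            raise ValueError(f'registry value line with no preceding key: {entry!r}')
    return plan


if __name__ == '__main__':
    for action, target in plan_actions(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(f'{action:22} {target}')
```

Reading the plan back is the point: every file and key the script will act on is listed before the script is dropped onto ComboFix, which is where a typo in a path would otherwise go unnoticed.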
 
Your logs are clean and you're good to go. But before that,

  1. Please download and run CCleaner via step 3 of the instructions HERE.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Oftentimes an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.
 
Thank you very much guys, your help really saved me on this.
Truth is, if I wasn't able to find a way to get rid of the infections I would have been forced to hire a somewhat "shady" self-proclaimed computer tech again. I say "shady" because he installed a copy of Windows XP Pro on my sister's laptop which was apparently pirated, as we were greeted with a message from Microsoft when we booted the computer a couple of days later.
Anyways, I saw how most of the things in your guides are for XP. I was planning on buying a new laptop and protecting it with freeware like the ones you guys showed me for this (as you saw, this comp has McAfee and Norton. Obviously neither of them ever works very well, especially not when one isn't completely uninstalled and the other is sporadic. My parents think the only good protection is bought haha). Are they mostly Vista compatible? Has there been an updated guide for Vista, or can I probably follow your guide on Vista easily enough?
 
You're welcome.
Most of the programs are compatible with Vista, no worries about that. =)

For antivirus, AVG/Avast are compatible.
For firewalls, Zonealarm and Comodo are good, but I personally experienced some problems with Zonealarm (probably rare, but BSOD's not something to joke about) though.
I'd recommend Spybot and CCleaner to just about anyone too.

Personally I use Vista too, with AVG, Comodo and Spybot running, and I haven't been infected ever since I joined Techspot and fixed my malware issue and learnt how to deal with such issues.

That said, the best defence is nothing in the hands of an uninformed user. So good habits definitely help you go a long way ;)
 
Well, looks like I found a place to stick around at; I've been looking for an informed crowd like this. Especially good is that I can probably learn something useful here.
And agreed on your uninformed user point: a soldier could go into war with a bulletproof vest, but if he doesn't learn to hide and adapt to the circumstances... well, we could say he's gonna get a BSOD in the near future =p
Will definitely jump on those tips, thanks guys.
 