Google searches being redirected downloads made impossible

Status
Not open for further replies.
Hi, I'm new to this site and I'm having a big problem with some malware. My Google search results are being redirected to random sites, it seems, whenever I click a search result. This happens on Google and Yahoo and on both IE and Firefox. I use Firefox regularly. Some sites it redirects to are primosearch, crackle, and in one instance it redirected me to a YouTube video of Howie Mandel; it's really random. Another effect is that anything I download from the internet becomes incomplete even though it says it's done. For example, if I download a 3MB music file it will download about 90KB and say it's done when it clearly is not. This happens with any download I do with the browser. It also blocks many sites such as anti-spyware and antivirus sites. It also will not let me update any of the anti-spyware or anti-virus software I have. I have Symantec anti-virus. I have run scans using Symantec, Malwarebytes, Registry Booster, SUPERAntiSpyware and have cleaned out as much as I can but still have this problem.
I also receive an error from the Generic Host Process for Win32 when I start up my computer. Occasionally I also receive errors saying the WMI has failed and needs to be closed as well.

I've done all that I can on the pre-post instructions. ComboFix will not work. All it keeps saying every time I run it is that a rootkit is detected and it has to reboot, and it doesn't scan or anything, so I don't have that file. The other program you suggested seems to have some detrimental effects on computers so I am reluctant to download that.

Here is my HijackThis log and Malwarebytes log.
 
Okay, I ran antirootkit and it came back saying it has detected an unknown rootkit. The name of the file is oembios.exe and it was found in the C:/windows/system32 folder. I have not taken any action on this.
 
From Malwarebytes log:
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken

You needed to fix (or remove) this registry entry.

From HJT log:
I'd remove all of these (the PartyPoker ones at your choice):
C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [DeadAIM] "rundll32.exe" "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKUS\S-1-5-21-1409082233-1757981266-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1409082233-1757981266-725345543-1003\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-1409082233-1757981266-725345543-1003\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-1409082233-1757981266-725345543-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - S-1-5-21-1409082233-1757981266-725345543-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

OEMBIOS.EXE can be removed too.
 
Okay, I removed the item that Malwarebytes found (I removed it after it took the log). Now when I ran antirootkit again it found nothing; however, I ran HijackThis after I removed the entries you suggested (less the PartyPoker stuff :) and now an interesting little item popped up, namely the oembios.exe. I will post my log again here.
 
Yes, I see that; you can remove that shortcut entry too.

Actually, I'd do a full reset of IE settings (hey, you prefer Firefox anyway). Here's how to do that:

How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

You can also download and run:
Startup Control Panel (and remove any not required startups): http://www.mlin.net/StartupCPL.shtml
 
Okay, I've done all that but I'm still having trouble with the Google redirecting. I have flushed as many trojans and spyware as I can with the programs but it is still happening. Is it possible that it just changes some settings somewhere in the hosts file? I've seen people with similar problems but I don't know how they fixed them. Anyway, here is my HijackThis log... umm, okay, I fixed the oembios.exe several times yet it keeps coming back... could this be the root of the problem? Also, I don't know if this has to do with anything, but whenever I run HijackThis it hangs during the scan but it finishes within a few minutes. Just thought I should let you know.
 
Hey, great news, it seems the problem has been fixed! After I fixed what you had said I was still having the redirect and download problem; however, by some miracle I was able to update my software again! So I updated Symantec, SUPERAntiSpyware, Malwarebytes and Windows. Next I went into safe mode and ran both the anti-virus scan and SUPERAntiSpyware. SUPERAntiSpyware required me to restart, so I did and then ran Malwarebytes as well in regular mode. It found a bunch of trojans and I had them quarantined. Should I go ahead and delete everything that has been quarantined? I will post my HijackThis log and Malwarebytes log. I also got rid of the things you told me to get rid of in HijackThis. Also, it may say "no action taken" on the log but I DID quarantine that after the log was taken. Also, I didn't download the hosts file because I wasn't sure how to implement it, but it looks like I won't need it.
 
Get the hosts file (i.e. download it).
Extract the hosts.zip file (I usually extract to a new folder on the Desktop).
Run mvps.bat (inside the extracted hosts folder).
Restart.

As for the rest --> :grinthumb

I don't need the logs anymore; I'm happy if you are.
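The question of whether a hijacker "changes some settings somewhere in the hosts file" can be checked directly: a legitimate MVPS-style hosts file only maps unwanted hostnames to 0.0.0.0 or loopback, whereas a hijack maps search-engine or security-vendor names to some other address. The following checker is an added example and not code from the thread; the watched-domain list and the sample hosts text are constructed for illustration.

```python
"""Flag hosts-file entries that point search or security-vendor domains at a real address."""
import ipaddress

# Assumed watch list: domains a search/AV-update hijacker would typically target.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com",
                    "symantec.com", "malwarebytes.org", "superantispyware.com",
                    "microsoft.com", "windowsupdate.com")
# Loopback / unspecified targets are what blocklists such as the MVPS file use; harmless.
HARMLESS_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # normalises e.g. leading zeros
        except ValueError:
            continue                             # malformed address field; ignore
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def find_hijacks(text):
    """Return entries where a watched domain resolves to a non-loopback address."""
    suspicious = []
    for ip, host in parse_hosts(text):
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and ip not in HARMLESS_TARGETS:
            suspicious.append((ip, host))
    return suspicious


# Constructed sample: two benign block entries and two hijack entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.doubleclick.net           # MVPS-style block entry: fine
127.0.0.1 www.example-adserver.invalid # loopback target: fine
198.51.100.23 www.google.com           # constructed hijack entry
198.51.100.23 liveupdate.symantec.com  # constructed hijack entry
"""

if __name__ == "__main__":
    for ip, host in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious: {host} -> {ip}")
```

To run it against a real machine, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_hijacks instead of SAMPLE_HOSTS; an empty result means the hosts file is not the source of the redirects.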
 