• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7850
  • Last Modified:

Google links redirect to ad sites

For the last month, every time I click a Google search result the link gets redirected to random ad sites.

I've done scans in safe mode with Avast (my resident protection), Ad-Aware, Spybot S&D, Spyware Doctor, Windows Defender and others. It seemed to work at first, but after a couple of days the links redirected again.
I've just done a HijackThis log and I'm worried about the number of 5-letter .exe's, e.g.:
O4 - HKLM\..\Run: [SSOTRAY] C:\PROGRA~1\PASSGO~1\SSOPLU~1\ssotray.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.cgomd] C:\WINDOWS\system32\dmogc.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.apjmd] C:\WINDOWS\system32\dmjpa.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.cyomd] C:\WINDOWS\system32\dmoyc.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.ggrmd] C:\WINDOWS\system32\dmrgg.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.slsmd] C:\WINDOWS\system32\dmsls.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.dromd] C:\WINDOWS\system32\dmord.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.oefmd] C:\WINDOWS\system32\dmfeo.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.xwnmd] C:\WINDOWS\system32\dmnwx.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.golmd] C:\WINDOWS\system32\dmlog.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.vazmd] C:\WINDOWS\system32\dmzav.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.wjomd] C:\WINDOWS\system32\dmojw.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Safe. Part of RealPlayer (hit rate: 100,00 %)
O4 - HKLM\..\Run: [exe.rsnmd] C:\WINDOWS\system32\dmnsr.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.cvvmd] C:\WINDOWS\system32\dmvvc.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.iwimd] C:\WINDOWS\system32\dmiwi.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.dfrmd] C:\WINDOWS\system32\dmrfd.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.kpomd] C:\WINDOWS\system32\dmopk.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.iaimd] C:\WINDOWS\system32\dmiai.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.gwnmd] C:\WINDOWS\system32\dmnwg.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.nyamd] C:\WINDOWS\system32\dmayn.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.gnnmd] C:\WINDOWS\system32\dmnng.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.bxxmd] C:\WINDOWS\system32\dmxxb.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.bqkmd] C:\WINDOWS\system32\dmkqb.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.avsmd] C:\WINDOWS\system32\dmsva.exe
    Unknown application (hit rate: 0,00 %)
O4 - HKLM\..\Run: [exe.npnmd] C:\WINDOWS\system32\dmnpn.exe
    Unknown application (hit rate: 0,00 %)

Should I be worried about these entries, and is there a way to stop the redirecting permanently (or at least for a few months)?

I could just use Opera, but I actually like IE.




Asked by: DuarteR

1 Solution

rpggamergirl Commented:
All those entries belong to a Wareout infection!

Uninstall UnSpyPC from Add/Remove Programs

You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.

If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
 
rpggamergirl Commented:
After you've done what I posted above, please scan your system with HijackThis again so we can check if all bad entries are gone. Just post the link to your log.

You can either:
Paste your HijackThis log to this site --> http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log to this site --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
 
DuarteR (Author) Commented:
rpggamergirl,

just done what you said.

Here's the new log:

http://www.hijackthis.de/logfiles/0ed1daccf772af34d1f1180bb562009a.html

Seems there's a lot of '85.255.116.84' IPs, which look just like the prefix to the URLs that the links would redirect to.
 
rpggamergirl Commented:
Yes, those need fixing; they are part of the Wareout infection.

Put a check next to these entries and click "Fix Checked" button for hijackthis to remove these entries:
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1010CEA8-336F-4911-9C64-A2F8D83E4542}: NameServer = 85.255.116.84 85.255.112.137    
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D4B5729-3F6E-42A9-A08B-BE5BECC733FD}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{43ED1AF5-63F7-4FB2-93C1-F35F63DA9709}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{48B4FC67-1E4C-4FD6-A892-BA25427A9519}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{5827B2A1-2280-4D3C-9747-2DF1B78BABD8}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{76103A18-71DD-40A7-A6A4-DAD2770222F8}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{93DFD8B8-09FB-42BA-8C39-CB1F176C07FB}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAB20E55-2D2E-418C-B0A6-28DE274CEE73}: NameServer = 85.255.116.84    
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2C965FF-99DB-4466-BAC1-8B917AD9AE61}: NameServer = 85.255.116.84    
O17 - HKLM\System\CS1\Services\Tcpip\..\{1010CEA8-336F-4911-9C64-A2F8D83E4542}: NameServer = 85.255.116.84 85.255.112.137    

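Two things in this thread are worth turning into a repeatable check: the O4 Run entries in the first log, where every value name is the executable's file name spelled backwards (e.g. [exe.cgomd] runs dmogc.exe), and the O17 entries above, where the interface's NameServer has been pointed at resolvers the machine's owner never configured. The Python below is an added example, not code from this thread, from HijackThis or from FixWareout: it reads lines in HijackThis log format and flags both indicators. The sample lines are constructed from the entries quoted in this thread plus one benign O17 line, and the allowlist resolver 192.168.1.1 is an assumption standing in for whatever the ISP or the local DHCP/DNS setup actually hands out.

```python
import re

# Constructed sample in HijackThis log format: entries quoted in this thread
# plus one benign O17 line (192.168.1.1) for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [exe.cgomd] C:\\WINDOWS\\system32\\dmogc.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\Run: [exe.npnmd] C:\\WINDOWS\\system32\\dmnpn.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1010CEA8-336F-4911-9C64-A2F8D83E4542}: NameServer = 85.255.116.84 85.255.112.137
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{3D4B5729-3F6E-42A9-A08B-BE5BECC733FD}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use. Assumption for the example; in
# practice take the list from the ISP or the corporate DHCP/DNS configuration.
EXPECTED_DNS = {"192.168.1.1"}

# O4: "<hive>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O17: any interface key whose NameServer value is set
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+?)\s*$')


def exe_basename(cmd):
    """Lowercase file name of the program in a Run-key command line,
    handling both quoted paths with arguments and bare paths."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[-1].lower()


def is_reversed_name(name, cmd):
    """True when the Run value name is the executable's file name written
    backwards, e.g. [exe.cgomd] -> dmogc.exe, as in every dm*.exe entry above."""
    return name.lower()[::-1] == exe_basename(cmd)


def find_suspicious(log_text, expected_dns=EXPECTED_DNS):
    """Return (section, item, detail) tuples for O4 entries with reversed
    names and O17 entries naming resolvers outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            if is_reversed_name(m.group("name"), m.group("cmd")):
                findings.append(("O4", m.group("name"), exe_basename(m.group("cmd"))))
            continue
        m = O17_RE.match(line)
        if m:
            rogue = [s for s in m.group("servers").split() if s not in expected_dns]
            if rogue:
                findings.append(("O17", "NameServer", " ".join(rogue)))
    return findings


if __name__ == "__main__":
    for section, item, detail in find_suspicious(SAMPLE_LOG):
        print(f"{section}: {item} -> {detail}")
```

To use it on a real log, pass the file contents to find_suspicious and replace EXPECTED_DNS with the resolvers you actually expect; a hit on O17 is worth confirming directly in the adapter's TCP/IP properties, which is also where the "Obtain DNS servers automatically" setting recommended earlier in the thread is restored.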
 
rpggamergirl Commented:
BTW, can you please post the FixWareout report.txt?
 
rpggamergirl Commented:
Did you install "Pop-Up Sentry"? --> "SSO Plus" is from PassGo Technologies.
 
DuarteR (Author) Commented:
FixWareout report:

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\npnmd
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"exe.cgomd"=-
"exe.apjmd"=-
"exe.cyomd"=-
"exe.ggrmd"=-
"exe.slsmd"=-
"exe.dromd"=-
"exe.oefmd"=-
"exe.xwnmd"=-
"exe.golmd"=-
"exe.vazmd"=-
"exe.wjomd"=-
"exe.rsnmd"=-
"exe.cvvmd"=-
"exe.iwimd"=-
"exe.dfrmd"=-
"exe.kpomd"=-
"exe.iaimd"=-
"exe.gwnmd"=-
"exe.nyamd"=-
"exe.gnnmd"=-
"exe.bxxmd"=-
"exe.bqkmd"=-
"exe.avsmd"=-
"exe.npnmd"=-
...
 
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMNPN.EXE
C:\WINDOWS\SYSTEM32\DMNPN.EXE
 
»»»»» Misc files
 
»»»»» Checking for older varients covered by the Rem3 tool
 
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMNPN.EXE       51,260 2004-08-04


I did install SSO Plus (it fills in logins and passwords for me automatically).

That 85.255.116.84 IP is in my connection properties as my preferred DNS server address. Will it affect me by fixing those entries?
 
rpggamergirl Commented:
Just make sure that this file is no longer present in your system --> C:\WINDOWS\SYSTEM32\DMNPN.EXE

>>That 85.255.116.84 IP is in my connection properties as my preferred DNS server address. Will it affect me by fixing those entries?<<

I'm fairly sure that they are part of the Wareout infection.
But for your own peace of mind, make sure that you are not running HijackThis from a .rar or .zip file, so it can create a backup; also make sure that you're not running HijackThis from the temp folder.

By default, HijackThis creates backups of all the entries that it fixed, so that if you fixed a legit entry you can put them back, as long as you are not running it from a .rar or .zip file (you need to extract HijackThis first before running it so it can create backups).

If you have problems with your connection after fixing those entries:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.
 
Dushan De Silva (Technology Architect) Commented:
Try with

http://www.tune-up.com/


BR Dushan
 
DuarteR (Author) Commented:
Thanks, rpggamergirl.
 
rpggamergirl Commented:
No problem, DuarteR, glad to know you've sorted it out.

Thanks for the points with an "A" grade!
