Search Engine Redirects 3 clicks

Discussion in 'Malware Help (A Specialist Will Reply)' started by clarnp49, Aug 19, 2006.

  1. clarnp49

    clarnp49 Private E-2

    Before I begin, this is what I have tried and gotten close with.

    I have run HiJackThis and deleted a TCPIP redirect from another thread. This worked for that problem; now I have another, more concrete one. I have run Spybot (finds Pipas.A; upon restart it came back), CWShredder, CCleaner, BHODemon 2.0 (only 3 valid BHOs), Trend Micro, Symantec, Windows Malware Remover, and Windows Defender.
    I have also run runkeys, newfiles.

    Here is my problem, now that you have the background of the process I have gone through.

    I used to get redirected to an IP address of 85.255.***.***/click.php, followed by a bunch of letters and numbers and then a registry entry. This would of course be an Error 404 because the address was no good. After 3 clicks I would get taken to my real search result. Then I tried HiJackThis and, after some forum reads and this forum, I deleted the items that pertained to changing my DNS information and those entries in the HiJackThis window. This solved the problem with the IP address forwarding. But now I get to look at the following, and the list is growing until this gets cleaned off:
    Upspiral.com, tooseeka.com, stopzilla.com, monstermarketplace.com, netster.com, and one time it sent me to search eBay (search.ebay.com). The above was with Google.

    If I search with yahoo.com I get the same thing; now I am at search.ezanga.com. On the 3rd click I get taken to the page I wanted originally.

    I am very familiar with computers and I don't mind deleting or getting information. Tell me what you want and I will post it here. I need this cleaned off my machine so I can actually get work done. This machine is on a domain at work and will not be able to get plugged in until it's clean.
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Please follow our standard cleaning procedures which are necessary for us to provide you support.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • HijackThis
     
  3. clarnp49

    clarnp49 Private E-2

    I followed all the Read & Run first and then followed the list above. I am still having problems with the search engine redirects even though nothing was detected in the scans.
    Attached are the newfiles, runkeys and bitdefender logs.
     

  4. clarnp49

    clarnp49 Private E-2

    On this thread is the HiJackThis log and PandaScan log. Let me know if you need anything else.
     

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    O4 - HKLM\..\Run: [dmbiw.exe] C:\WINDOWS\system32\dmbiw.exe <== Do you know what this program belongs to? There is no information available for this program.


    Did you set your Domain entries to this?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SVMOFFETT.LOCAL
    O17 - HKLM\Software\..\Telephony: DomainName = SVMOFFETT.LOCAL
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SVMOFFETT.LOCAL
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SVMOFFETT.LOCAL
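The two things the helper is checking in that log, an O4 startup entry nobody can account for and O17 entries that set the machine's DNS domain, are exactly what a first-pass triage script can flag automatically. The following is an added example written for this thread, not MajorGeeks' tooling or anything the helper posted. The sample log lines are constructed: the dmbiw.exe and SVMOFFETT.LOCAL lines mirror the shape of what was quoted above, while the NameServer value 203.0.113.5 (a documentation address), the EVIL.EXAMPLE domain and the ExampleAV entry are placeholders. The known-good startup list and the parsing regexes are my assumptions about the HijackThis O4/O17 line format.

```python
"""Triage HijackThis O4 (Run key) and O17 (TCP/IP domain / DNS) entries.

Added example for this thread, not code from MajorGeeks or the helper.
The log below is constructed; see the lead-in for which values are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample log (not the thread's attachment).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [dmbiw.exe] C:\\WINDOWS\\system32\\dmbiw.exe
O4 - HKLM\\..\\Run: [ExampleAV] "C:\\Program Files\\ExampleAV\\ExampleAV.exe" /tray
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = SVMOFFETT.LOCAL
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 203.0.113.5
O17 - HKLM\\Software\\..\\Telephony: DomainName = SVMOFFETT.LOCAL
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: Domain = EVIL.EXAMPLE
"""

# Assumed line shapes:  O4 - <hive>: [<name>] <command>   /   O17 - <key>: <setting> = <value>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.+)$")

# Assumption: startup programs the reviewer has already vouched for. Any other
# entry that launches straight out of the Windows system directory is flagged,
# because that is where droppers like to park a randomly named executable.
KNOWN_GOOD_RUN = frozenset({"ctfmon.exe"})
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


@dataclass(frozen=True)
class Finding:
    section: str  # "O4" or "O17"
    line: str     # the log line, verbatim
    reason: str


def _exe_from_cmd(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def check_o4(line: str) -> Optional[Finding]:
    """Flag an O4 entry whose program lives in a system directory and is not known-good."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = _exe_from_cmd(m.group("cmd")).lower()
    base = exe.rsplit("\\", 1)[-1]
    if any(d in exe for d in SYSTEM_DIRS) and base not in KNOWN_GOOD_RUN:
        return Finding("O4", line, f"unknown startup program in a system directory: {base}")
    return None


def check_o17(line: str, expected_domain: str, allowed_dns: FrozenSet[str]) -> Optional[Finding]:
    """Flag O17 domain values that differ from the corporate domain, and any
    NameServer that is malformed or not in the allowed resolver list."""
    m = O17_RE.match(line)
    if not m:
        return None
    setting, value = m.group("setting"), m.group("value").strip()
    if setting in ("Domain", "DomainName"):
        if value.lower() != expected_domain.lower():
            return Finding("O17", line, f"domain differs from expected {expected_domain}: {value}")
        return None
    if setting in ("NameServer", "DhcpNameServer"):
        for server in (s for s in re.split(r"[ ,]+", value) if s):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                return Finding("O17", line, f"malformed name server value: {server}")
            if server not in allowed_dns:
                return Finding("O17", line, f"name server not in the allowed list: {server}")
    return None


def triage(log_text: str, expected_domain: str,
           allowed_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Run both checks over every line and return the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = check_o4(line) or check_o17(line, expected_domain, allowed_dns)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "SVMOFFETT.LOCAL"):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed log with the thread's domain, the script reports three lines for review: the dmbiw.exe Run entry, the unexpected NameServer, and the ControlSet001 copy whose Domain was changed. Passing the corporate resolvers in `allowed_dns` silences the NameServer finding, which is the point of the O17 check: the entries are only suspicious when they disagree with what the company's network actually hands out, as the original poster confirms in the next reply.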
     
  6. clarnp49

    clarnp49 Private E-2

    #1 I don't have the slightest clue. Is there a way to turn it off and check whether it solves the problem?

    #2 Yes, those are the domain settings issued by the company I work for. All my VPN and email stuff works.

    I still get the Pipas.A every time I check with Spybot, but everything else says it's clean except Pandascan, which found the TribalFusion spyware.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    TribalFusion is not spyware; it is a cookie. TribalFusion is the AdServer used by MajorGeeks to display some of the Ads on the site.

    Post the Spybot log so that I can see what it is finding. Then I'll post a complete fix for you.
     
  8. clarnp49

    clarnp49 Private E-2

    I didn't know how much of the log you wanted, so I attached the entire report from the scan I just did 10 minutes ago. Every time I chose 'fix selected' it said it fixed it. I would restart and then it would be back there. I hope this is what causes my browser to go to the address
    http://85.255.114.122/click.php?PHPSESSID=F4DB0A9BAA474FDC96969F98F6500685&qq=tins&id=1&qnaes={F4DB0A9B-AA47-4FDC-9696-9F98F6500685}&b=0&ZZ=2

    Maybe including the address will help diagnose the problem.

    See attached for Spybot Log.
     

  9. clarnp49

    clarnp49 Private E-2

    I don't want to sound like I am bumping this thread but I am. I am begging for help on getting this machine cleaned up so that I can get work done and the company I work for is hounding me to get it cleaned up.

    I would appreciate any and all help on cleaning this junk off. The search engine result clicks are getting 2 deep in advertising, so that I have to use the drop-down arrow to get back to the search results page.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.
    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh Hijackthis log.

    Be sure to tell me how the computer is running.
     
  11. clarnp49

    clarnp49 Private E-2

    As much as I tried to follow the directions, it came down that this machine needed to be formatted and reloaded with Windows. The viruses got so bad on the machine that antivirus software wouldn't load. It was constantly in a downloader removal which causes the CPU to get very hot. I would like to thank the crew here for attempting to clean my machine.
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter
