still happening.
Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Btw, I don't use Firefox browser. I use Safari and sometimes IE.
Complete GooredFix scan. Here is the logfile.
GooredFix by jpshortstuff (24.09.09.1)
Log created at 01:59 on 01/11/2009 (admin)
Firefox version [Unable to determine]
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
(none)
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [14:06 21/08/2009]
-=E.O.F=-
I'm very close to being stumped by this issue.
Upload the following files to VirusTotal - Free Online Virus and Malware Scan for a security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32
Post the scan results.
I want you to turn the computer off, disconnect the modem/router for 1 minute.
Power everything back on.
-------------------------------------------------------------------------------------------------------
explorer.exe
MD5: 4f554999d7d5f05daaebba7b5ba1089d
First received: 2009.02.12 14:01:16 UTC
Date: 2009.11.01 13:11:04 UTC [<1D]
Results: 0/41
Permalink: analisis/178d20aaecbd408dffda71ae4d70ad61c278229b4cd7dcd7b854a9a8404ca657-1257081064
-------------------------------------------------------------------------------------------------------
userinit.exe
MD5: 0e135526e9785d085bcd9aede6fbcbf9
First received: 2009.02.11 09:10:12 UTC
Date: 2009.10.31 13:32:24 UTC [+1D]
Results: 0/41
Permalink: analisis/75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db-1256995944
-------------------------------------------------------------------------------------------------------
svchost.exe
MD5: 3794b461c45882e06856f282eef025af
First received: 2008.03.30 18:47:38 UTC
Date: 2009.11.01 19:25:12 UTC [<1D]
Results: 0/41
Permalink: analisis/d4f79d7bc639fe86ac68961e6273836b9d7af491773fd054395b33d317017beb-1257103512
-------------------------------------------------------------------------------------------------------
A friend, who researched this problem, mentioned the search redirect problem might be caused by something being changed to the Windows\System32\drivers\etc\host folder/file.
Here's a copy of the Windows\System32\drivers\etc\host logfile.
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
What do you think?
Last edited by Bill C; 02-11-2009 at 01:20 AM.
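Added example, not part of the thread and not any poster's code: one way to audit a hosts file like the one posted above, reporting every active entry beyond the default localhost mappings. The clean sample abbreviates the posted file; the two extra entries in the tampered sample are constructed, using reserved documentation names and addresses.

```python
import ipaddress

# Names a default Windows hosts file legitimately maps to loopback.
EXPECTED_LOOPBACK_NAMES = {"localhost"}

# Abbreviated copy of the hosts file posted in the thread.
CLEAN_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
::1 localhost
"""

# Constructed sample: two entries a redirector might add (assumed values).
TAMPERED_HOSTS = CLEAN_HOSTS + (
    "203.0.113.5 search.example.test   # constructed entry\n"
    "127.0.0.1 update.example.test\n"
)

def audit_hosts(text):
    """Return (line_no, address, name, reason) for each non-default active entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop whole-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if not ip.is_loopback and not ip.is_unspecified:
                # A name forced to a remote address overrides DNS for that name.
                findings.append((line_no, ip_text, name, "pinned to non-loopback address"))
            elif name.lower() not in EXPECTED_LOOPBACK_NAMES:
                # A name forced to loopback is blocked, e.g. an update or AV site.
                findings.append((line_no, ip_text, name, "sinkholed to loopback"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(TAMPERED_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

An empty result, as for the file posted in this thread, means the hosts file is not the source of the redirects.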
I checked your hosts file before. It looks fine.
Did you?
I want you to turn the computer off, disconnect the modem/router for 1 minute.
Power everything back on.
Yes.
Let's try a couple more things...
One redirection goes to:
http://z43523673.cn
What is the other one?
I also want you to clear the Opera cache: How do I clear cache in Opera? and the IE cache: How to Clear Your Browser's Cache - wikiHow