I once told a high level Unix System Admin I HATE that sqlite3 DB that Firefox is using. They are now hiding malware in it just like I predicted I will bet. See the asterisked item below. I think it is the most relevant to this problem.

Scan Tools:
===========
http://www.computerhope.com/forum/index.php?topic=106028.0

But it did not come to a successful conclusion AFAIK.

A MAYBE successful remove session (OLD):
========================================
http://www.geekstogo.com/forum/topic/178670-help-with-wormwin32netsky-virus-resolved/

Another Scan session that is more current:
==========================================
http://www.help2go.com/forum/spyware-help/106654-google-seems-hijacked.html

ComboFix Instructions:
======================
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

apmebf.com Spyware Designation:
===============================
http://forums.cnet.com/5208-7813_102-0.html?messageID=3370581

This one is HOT! It is only slightly more than a week old but Spyware Doctor rates the S.apmebf.com spyware as high risk. This may be what Rodney has but I can't understand why if he uses AdBlockPlus with either the EasyList or the newer (but not necessarily better) FanBoy ad block list. Both of them block the apmebf.com domain COLD. I will be adding another one because they are starting to show up a lot in newer logs. Most of what you will find are just cookies in HJT logs. I don't pay much attention to them. Yes, they are spy cookies but I have not heard of this redirect problem for almost three years now so this is new.

(***) A classic on the redirection issue:
===================================
http://www.computerforum.com/179949-fake-malware-scanner-virus-please-help.html

Unfortunately, they didn't come to a successful conclusion (it looked very clean but he did have stuff at the start). More to the point this is fairly current and he has used some tools that are newer and better but he should have used GMer's rootkit. I didn't see it anywhere in the list of stuff he used.

SEE HIS SECOND RESPONSE ON PAGE 2! This was why I asked Rodney to compare IE with Firefox. Frequently the infection is nothing more than some JavaScript that is stuffed into the user's browser config folder. That was why I also gave him the instructions for blowing away Firefox and trying to start fresh. There is a slight chance there could be something nasty in the bookmarks but usually it is some place else. Note that there is no relationship here except for a cookie.

The web sites he was being redirected to were:

samantasay.com
mx2.38855.asklots.com (I block this domain because it is a notorious redirector to ads - EasyList and FanBoy also both block the domain for the same reason. But I have also caught it redirecting to low order malware. AFAIK, it has not gone to something like the xorg.pl domain - a sure fire trip into malware HELL!)
www.tazinga.com

Current list of who is using what:
===================================
http://jeremiahgrossman.blogspot.com/2010/02/web-20-pivot-attacks.html

Here is what I found for what he has listed there:

TechCrunch.com (he lists mp.apmebf.com - not in ABP panel)
USAToday.com (he lists mp.apmebf.com - not in ABP panel)
WashingtonPost.com (he lists mp.apmebf.com - not in ABP panel)

In short, NOT there.
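
Added example (not part of the original post): a small Python check that lists cookies in a Firefox cookie store whose host belongs to one of the domains named above. It assumes the store is a SQLite file with a `moz_cookies` table holding `host` and `name` columns; the watchlist constant, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

# Domains named in the post above (registrable part only).
WATCHLIST = ("apmebf.com", "asklots.com", "samantasay.com", "tazinga.com")


def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lstrip(".").lower()  # cookie hosts may carry a leading dot
    return host == domain or host.endswith("." + domain)


def find_watchlisted_cookies(conn, watchlist=WATCHLIST):
    """Return sorted (host, name) pairs from moz_cookies that hit the watchlist."""
    rows = conn.execute("SELECT host, name FROM moz_cookies").fetchall()
    return sorted(
        (host, name)
        for host, name in rows
        if any(host_matches(host, d) for d in watchlist)
    )


def build_sample_db():
    """Constructed in-memory stand-in for cookies.sqlite (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_cookies "
        "(id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value) VALUES (?, ?, ?)",
        [
            (".apmebf.com", "S", "constructed"),
            ("mp.apmebf.com", "id", "constructed"),
            ("www.tazinga.com", "t", "constructed"),
            ("example.org", "sid", "constructed"),
            ("notapmebf.com", "q", "constructed"),  # look-alike, must not match
        ],
    )
    return conn


if __name__ == "__main__":
    # For a real profile, work on a copy of cookies.sqlite taken while the
    # browser is closed, and pass that connection instead of the sample.
    for host, name in find_watchlisted_cookies(build_sample_db()):
        print(f"{host}\t{name}")
```

A hit only shows that the browser stored a cookie for that domain; as the post notes, a cookie alone does not explain a redirect.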