I seem to have found a new / yet-undocumented type of browser/OS hijacking.
This particular method aims to redirect all my searches (yahoo, msn, google, etc) to a page full of advertisements (see attachement). It started with my searches being hijacked in Internet Explorer. Downloaded and installed Firefox 3.x - same behavior, from first try. [so the infection mechanis for Firefox was inserted even before the browser was installed??]
Strange fact #1: It seems it is the actual Google, Yahoo or MSN page that my search query is sent from: the MSN page displays the same news items / cover stories as the Yahoo.com page seen on a clean computer.
Strange fact #2: However, when the search starts, the browser calls IP 220.127.116.11 !! (see picture) That doesn't seem to be a Google IP.
Strange fact #3: If I try a regular seach, my results are hijacked. If I try an advanced search, I get the proper results!
Strange fact #4: In the list of hijacked search results, only the link (URL) to the result is hijacked. The titles and descriptions of the search results are what they should be.
Spybot S&D, Ad-aware, Malware Bytes, found nothing. Combofix crashes. AVG Anti-Vir finds nothing.
file is clean. The network connection is set to DHCP IP, automatic DNS. System Restore can't load any of the old restore points.
How do I get rid of this thing / where is it installed?