Solved Google Redirect - Logs?

[Army420]

Google links taking me to www . coollook . com and an assortment of others, happens on every browser I own and also really lags the internet.

I have the four logs from the 8-step removal process. Tried Combofix once, ended up giving me an error that flashed the screen then closed back into the desktop. Will try again if need be.

Much appreciated, Thanks!

 

[Broni]

You have some Norton's leftovers. Please run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
You have some McAfee leftovers. Please run McAfee Consumer Product Removal Tool: http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

==========================================================================

Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click Restore MS Hosts File and then click OK.
* Click the X to exit the program

Restart computer.

======================================================================

Then, we're dealing with a rootkit here.

Delete your Combofix file.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, rename combofix.exe to broni.com BEFORE downloading it to your desktop
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Please open Notepad
   • Click Start , then Run
   • Type notepad .exe in the Run Box.
5. Now copy/paste the entire content of the codebox below into the Notepad window:
   
   

   TDL::
   C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

6. Save the above as CFScript.txt
7. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
   
   
   
   
   
8. After reboot, (in case it asks to reboot), please post the following logs into your next reply:
   • Combofix.txt

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[Army420]

I followed your steps through Combofix, except I forgot to rename Combofix into the Broni file instead. Since it was already running, I figured I'd let it go and it seemed to work just fine( The virus gods being merciful? )

The only problems I encountered was a window that popped up and said I had a CD-Emulator running and that Combofix would disable it, but when it tried, it gave an " Application failed to initialize" error, but that was the last I saw of it and combofix continued running normally ( From what I could tell. )

The second problem came after Combofix completed it's 50 stage process, and deleted several files after that. An error window popped up giving a file named something like "Avewiyohupo.dll" after it rebooted from the file delete and stage complete process. Though I have yet to see that file again, after a follow-up reboot.

Here are both logs from Combofix. One from the first time, and then the second after dragging the CFScript.txt onto Combofix.

After Combofix finished, I opened up google and tried surfing the web, and there seemed to be no sign of redirecting websites.

Is that CD-Emulation error or the .dll error going to be a problem?

 

[Broni]

Very good
Rootkit is gone...

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\youja_.dll
c:\windows\system32\fycwdn11.dll
c:\windows\system32\tmp.tmp
c:\windows\Hgejesidac.dat
c:\windows\Bzadejoxiredox.bin
c:\windows\system32\1335C2AFE4.sys
c:\docume~1\Owner\LOCALS~1\Temp\cdiskdun.sys


Folder::
c:\program files\Common Files\Symantec Shared


DirLook::
c:\documents and settings\Owner\Local Settings\Application Data\{6C59FFD2-06FE-45DD-9475-E52DE84A0AA6}


Driver::
cdiskdun


Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\youja_]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC5738BF-72C3-416F-9D09-24A21222BE58}]


RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[Army420]

The following contains both your logs, Combofix and Hijack this.

IEXLORER is still taking up over 700k worth of memory when it opens, and I tried surfing the web today and it gave me the reach-around. Not sure what happened. I haven't downloaded anything lately except for the programs designed to remove this problem.

Thanks for your commitment and help, as always!

 

[Broni]

IEXLORER is still taking up over 700k worth of memory

If you mean iexplore, 700K is close to nothing.
What do you mean by "reach-around"?

========================================================================

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.

 

[Army420]

Sorry, I meant 700,000. K as in per thousand. And reach-around I mean that the links I click in google still take me to random websites. Sometimes it'll work.

 

[Army420]

Here are those logs you requested as well.

 

[Broni]

Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\45adc881-106cc41c	
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\45adc881-106cc41c	
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\45adc881-106cc41c
C:\WINDOWS\cache329\B_329_0_1_570600.htm	
C:\WINDOWS\cache329\B_329_2_1_570600.htm	
C:\WINDOWS\cache329\B_329_3_1_570600.htm
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

I mean that the links I click in google still take me to random websites.

Which browser is affected?
Delete your GMER file....

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

 

[Army420]

The memory boost only happens when using iexplore.exe, neither Netscape nor Mozilla/Firefox do but each browser redirects.

Here are the OTM results:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\45adc881-106cc41c moved successfully.
File/Folder C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\45adc881-106cc41c not found.
File/Folder C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\1\45adc881-106cc41c not found.
C:\WINDOWS\cache329\B_329_0_1_570600.htm moved successfully.
C:\WINDOWS\cache329\B_329_2_1_570600.htm moved successfully.
C:\WINDOWS\cache329\B_329_3_1_570600.htm moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Application Data

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 105884687 bytes
->Temporary Internet Files folder emptied: 5281283 bytes
->Java cache emptied: 128923 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 618 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 106.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05032010_204629

Files moved on Reboot...

Registry entries deleted on Reboot...



And the new gmer log.

 

[Broni]

Please download Profiles by noahdfear.

* Save it to your desktop.
* Double-click profiles.exe and post its log when you reply.

==========================================================================

Download Kenco.exe to your desktop

• Close all windows and run the program.
• It wont take long to run.
• Kenco will reboot the system if it finds anything.
• Post the log it gives you ( it will be saved in the same place as Kenco.exe).

 

[Army420]

Profiles log :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-507921405-484061587-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Owner

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-507921405-484061587-682003330-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS


Kenco scan log :

Kenco by jpshortstuff (31.12.09.1)
Log created at 22:03 on 04/05/2010 (Owner)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
Scheduled Update for Ask Toolbar.job -> [18:37 04/05/2010] 234 bytes

-=E.O.F=-

 

[Broni]

Hmm....
Delete your Combofix file, download fresh one, run it and post new log.

 

[Army420]

New Combofix log. Browser still being redirected, I also noticed it happens sometimes when I copy and paste a link into the address instead of actually clicking the link. All browsers do it. Sometimes the links work just fine, as well as pasting into the address, sometimes it redirects into a w w w.google.com link with random letters and numbers on the right side of it. ( I.E. w w w.google.com#WH )

 

[Broni]

Uninstall Ask.com and WebSavingsfromEbates through Add\Remove.

When done....

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[Army420]

I was able to remove Ask.com from the add/remove section but did not find the WebSavingsfromEbates there, I even ran a search for it and found nothing.

Considering the size of the logs, theyre too big for one post. The OTL log itself is over twice the maximum post limit for the forums. Is it okay if I attached them as .txt's instead?

 

[Broni]

Yes, please.

 

[Army420]

Here you go then, sir

 

[Broni]

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  DRV - [2010/04/20 11:37:53 | 000,075,264 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\dbaf.sys -- (dbaf)
  FF - HKLM\software\mozilla\Firefox\extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin File not found
  FF - HKLM\software\mozilla\Firefox\extensions\\{6C59FFD2-06FE-45DD-9475-E52DE84A0AA6}: C:\Documents and Settings\Owner\Local Settings\Application Data\{6C59FFD2-06FE-45DD-9475-E52DE84A0AA6} [2010/04/19 15:05:27 | 000,000,000 | ---D | M]
  O2 - BHO: (no name) - SOFTWARE - No CLSID value found.
  O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
  O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/i263_32.cab (Reg Error: Key error.)
  O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37939.5108680556 (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: cpcScanner http://www.crucial.com/controls/cpcScanner.cab (Reg Error: Key error.)
  O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB (Reg Error: Key error.)
  O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll File not found
  O29 - HKLM SecurityProviders - (mekmeeux.dll) -  File not found
  [2010/04/26 13:47:00 | 000,003,834 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\b08620CF7A25y
  [2010/04/26 13:47:00 | 000,003,834 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\b08620CF7A25y
  [2010/04/19 15:35:35 | 000,003,519 | ---- | M] () -- C:\WINDOWS\System32\gzdjl
  @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:290A724C
  @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DA424AA
  
  :Services
  
  :Reg
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
  "EnableFirewall" =dword:00000001
  "DisableNotifications" =dword:00000000
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
  "139:TCP" =-
  "445:TCP" =-
  "137:UDP" =-
  "138:UDP" =-
  
  
  :Files
  C:\WINDOWS\system32\dbaf.sys
  
  
  :Commands
  [purity]
  [emptytemp]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[Army420]

Here you go.

 

[Broni]

How is redirection?

 

[Army420]

95% of the time it doesn't redirect anymore, It's redirected once in the ten links or so I tried over a few different searches and then didn't do it again. Not sure if the redirects because of something else or it's one of those "When you're looking for it, you don't see it. " kind of things. When it did redirect it was to some pursuit2you.com website, same website in both netscape and mozilla/firefox. It never redirected in iexplore, from what I could tell through the links.

If that's the only thing that happens, it's pretty much fixed, I can deal with 95% working browsers as long as whatevers on my computer can't hijack my financial info or steal passwords, etc.

It all seems to be running smoother and faster than it did before.

Like I said, it redirects once in a million. I've seen it do it twice to the same site over 20 something links tried in all three browsers. (Netscape, Mozilla, Internet Explorer.)

 

[Broni]

Let's try few more steps...

***** Make sure, your computer is set to obtain IP address automatically.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
6. Click Obtain an IP Address Automatically, and then click OK.

*****Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


***** Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.

 

[Army420]

It seemed to be a lot better, but still as before, It still redirects every so often. It was redirecting almost everytime on Netscape, just a minute ago, but then I closed it out and restarted the browser and it didn't do it at all.

All in all the computer's running fine, it just redirects a little bit, I think there are probably more infected computers out there than mine.

Mine's more like a sore stomach or a headache now, someone that knows as much as you should be in the ER of tech support.

 

[Broni]

Are there any specific sites, you're getting redirected to?
Does it happen in Netscape only?