After trying out everything, I got a nice tip from Australia: a discussion group on Apple’s website. I am not the only one to have the problem – it also happened in North America. In short, it seems very likely that it is our local Chinese ISP that has the problem: their servers could have the malicious software, which would explain why we could not find anything on either the Mac or the PC connected through our router to the same ADSL line. Indeed, a PC on the same network had exactly the same problem. Deleting cookies, history, cache and all did not help.
The hijack occurs with all browsers.
The problem still comes back – occasionally. When activating Tor, the hijacking is disabled instantaneously – no need even to restart Firefox. This seems very much to prove the problem is with the ISP.
Interesting to note, today the ISP (public.bta.net.cn) announced they will do a serious “overhaul” to stem the flood of spam. Maybe they don’t want to mention the hacker’s success?