Google searches redirected via ip 7.7.7.0 (Temp fix)



CookipediaChef
2008-12-28, 10:23
Common to lots of other people (I guess), 27/12/2008 @ 15:00 [Running Firefox] I clicked a Google link, the browser minimised, pop-ups appeared, you know the drill. I closed everything down and ran a full virus scan (AVG) - nothing was found.

After this all the Google results redirected me to junk/scam sites. You can see the 'waiting for 7.7.7.0' in the bottom of the browser. I have spent all night running every conceivable virus scanner, malware cleaner etc, etc. Nada - still got the problem.

I have now managed to temporarily fix the problem by disabling Javascript. I guess I'll need to wait a while until the good-guys catch-up with the baddies before I can switch it back on :-(

How it works:

The malware is inserting script src = 7.7.7.0 in the head of a Google search results page. This application is corrupting the valid URLs to point to scam sites.

This problem is also affecting IE7 as well. It's not a router problem, all other PCs on the network are ok.

CookipediaChef
2008-12-28, 12:46
I also tried redirecting 7.7.7.0 to somewhere 'safe' by adding an entry in my hosts file but the browser still pulled from the bad-guys site. Maybe there is another redirect going on somewhere.
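
Added example, not part of the original posts: a Python check that parses a saved results page and flags external `<script src>` values whose host is an IP literal or is off an expected allowlist, which is the kind of injected tag described in the first post. The allowlist, the sample HTML and its paths are constructed assumptions; only the 7.7.7.0 host comes from the thread.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

ALLOWED = ("google.com", "gstatic.com")  # assumed allowlist for this sample
# Constructed sample page; only the 7.7.7.0 host comes from the thread.
SAMPLE = """<html><head><title>q - Google Search</title>
<script src="http://www.google.com/js/results.js"></script>
<script src="http://7.7.7.0/x.js"></script>
</head><body><script src="/local.js"></script></body></html>"""

def classify(src):
    """Return why a script source looks out of place, or None if it does not."""
    absolute = "//" in src
    # A bare "7.7.7.0/x.js" has no scheme, so take its first path segment as host.
    host = (urlsplit(src).hostname or "") if absolute else src.split("/", 1)[0]
    try:
        ip_address(host)
        # An IP literal needs no name lookup, so the hosts file is never consulted.
        return "ip-literal host"
    except ValueError:
        pass
    if not absolute or not host:
        return None  # ordinary relative path
    if any(host == a or host.endswith("." + a) for a in ALLOWED):
        return None
    return "host not on allowlist"

class ScriptAudit(HTMLParser):
    """Record flagged <script src> values and whether they sit inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.findings = False, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "head":
            self.in_head = True
        elif tag == "script" and src and classify(src):
            self.findings.append((src, classify(src), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit(html):
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for src, reason, in_head in audit(SAMPLE):
        print(f"{reason}: {src} (in head: {in_head})")
```

Running it against the page source saved from an affected browser and from a clean PC on the same network shows whether the extra tag is added on the machine itself.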

CookipediaChef
2008-12-29, 20:00
I have solved the problem - this is probably not the recommended way to clean your system but no one responded to my posts so I felt I had to sort this myself.

I ran the Kaspersky lab online virus checker http://www.kaspersky.com/virusscanner which found the infection:

Rootkit.Win32.Agent.fwt in C:/Windows/system32/wdmaud.sys

No other virus/malware checker, including Spybot found any problems, despite running the latest definition updates.

I searched my other XP computers for wdmaud.sys (for a clean copy) but it was not on any other system. I have copied the bad file to a safe place and deleted the original. Re-booted the system and so far, it's clean :-)

Why don't any of the other virus/malware checkers find this virus?