I'm a professional Windows system administrator, but I've been caught off-guard (or maybe some malware writer has been very clever) and I caught some unknown malware on my home computer (Windows 7 x64 SP1); it must be a very recent one and/or of a rootkit kind, because no antivirus/antimalware/antitrojan/anti-anything seems to be able to find it, and I've tried quite a few of them (and I have quite some experience using them).
It went in two days ago via Internet Explorer 8, which was fully patched, so this is worrying on its own because it clearly exploited some still-unpatched hole (I didn't download or run anything, just opened some web page); it then did some obvious malware-y things like hiding files and icons, flashing system error popups and rebooting the system, and then I found the main executable and removed it... but it left something behind; something that managed to hide so deeply in the system that no tool was able to find it, from popular antivirus programs to highly specific malware detection tools. Of course, I've also checked all the common malware hiding spots (Registry, services, hosts file, browser add-ons, etc.).
How do I know it's there? Google searches (on the Google site, not through the search bar) sometimes get redirected to completely unrelated ad sites, and I have two iexplore.exe processes constantly running in the background (and automatically respawning if I kill them), being launched by none other than svchost.exe (as Process Explorer dutifully documented) and connecting to obviously fake search sites.
Apart from the obvious question "how do I get rid of it?", what I'm more interested in is how to get some expert to analyze my system in order to find what kind of beast it is, so that it may be stopped before it goes out in the wild... if it hasn't already.
Edit: looks like it actually was a rootkit; I finally got rid of it by rewriting the MBR and boot sector of the system drive. Don't know yet what the boot code was actually loading, some executable must still be lingering around... but at least it's inactive now.
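The parent/child observation in the question (iexplore.exe started by svchost.exe and respawning when killed) can be reproduced and recorded without Process Explorer, which is useful when handing the case to someone else for analysis. The following PowerShell is an added example, not code from the original post; it assumes an elevated prompt on the affected Windows 7 machine, that netstat prints its standard columns, and the browser-name pattern is an arbitrary choice. It is written against Get-WmiObject, netstat and tasklist so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post). Triage processes the way Process Explorer's
# parent/child view would: flag browser processes whose parent is svchost.exe (or is gone)
# and show their TCP connections plus the services hosted by that svchost instance.
# Assumptions: elevated prompt, Windows 7 / PowerShell 2.0, standard "netstat -ano" layout.
$browserPattern = '^(iexplore|firefox|chrome)\.exe$'   # assumption: which processes count as browsers

$procs = Get-WmiObject Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

# Parse "netstat -ano" TCP rows (proto, local, remote, state, pid) into objects keyed by PID.
$conns = netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+\s+\S+\s+\d+\s*$' } |
    ForEach-Object {
        $f = $_.Trim() -split '\s+'
        New-Object PSObject -Property @{
            Local = $f[1]; Remote = $f[2]; State = $f[3]; OwnerPid = [int]$f[4]
        }
    }

$suspects = foreach ($p in $procs) {
    if ($p.Name -notmatch $browserPattern) { continue }
    $parent = $byId[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    # A browser normally descends from explorer.exe (the user started it) or from another
    # browser instance; svchost.exe or a vanished parent is what a service, scheduled task
    # or short-lived launcher looks like, so those are the ones to record.
    if ($parentName -ne 'svchost.exe' -and $parentName -ne '<exited>') { continue }
    New-Object PSObject -Property @{
        Name        = $p.Name
        OwnerPid    = [int]$p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Started     = $p.ConvertToDateTime($p.CreationDate)
        ParentPid   = [int]$p.ParentProcessId
        ParentName  = $parentName
        Remotes     = ($conns | Where-Object { $_.OwnerPid -eq [int]$p.ProcessId } |
                        ForEach-Object { "$($_.Remote) $($_.State)" }) -join ', '
    }
}

if (-not $suspects) { 'No browser process with an svchost.exe or missing parent.'; return }
$suspects | Format-List Name, OwnerPid, Path, CommandLine, Started, ParentPid, ParentName, Remotes

# Which services live inside the parent svchost? That says whether e.g. the Schedule service
# (a scheduled task) or some other hosted service is the launcher to inspect next.
foreach ($pp in ($suspects | ForEach-Object { $_.ParentPid } | Sort-Object -Unique)) {
    if ($byId[$pp]) { tasklist /svc /fi "PID eq $pp" }
}
```

A browser whose parent is svchost.exe is not a malware signature by itself: a scheduled task launching Internet Explorer produces exactly that parentage, because the Task Scheduler service runs inside an svchost instance. The value of the output is the combination: the hosting service names from tasklist /svc tell you which subsystem (task library, a service entry, WMI) to search for the respawn trigger, and the recorded command line and remote endpoints are what an analyst needs to identify the family. Redirect the whole output to a file before cleaning anything, since the evidence disappears once the launcher is removed.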