Keylogger that will not die

This last Sunday my wife made a mistake. Ran a file that had a keylogger that targets World of Warcraft accounts.

 

When she mentioned "That was weird" and I asked what she did, she had gone to (removed malicious website) and ran the file thinking it was a game video. Wow.exe closed and the file deleted itself. Got her off the computer, updated and ran Norton AV, Malwarebytes and Spybot S&D just to be sure. Nothing found by anything. Ran Ad-Aware. Nothing. Stupidly assuming maybe it wasn't anything malicious, I stopped looking. 5 am Monday someone cleaned out her game account. Got it back and started the search anew.

 

Re-ran every AV, spyware and malware tool I could find. Nothing. Uninstalled everything she didn't need, ran Microsoft's malicious software tool, nothing. Ran X-NetStat (port scanner), ran wow.exe with a bogus userid/password and 20 seconds later wow.exe makes two connections. One to "Customer.krypt.com" and one to the "Yangjiung police bureau" (yeah right) at 61.146.79.137. Ran Wireshark and both connections start receiving packets containing the userid every 60 seconds. Nothing, not Windows Firewall, Norton or anything is bothered by this.

 

Submitted the video.exe to Symantec. Today got a reply that it contained Infostealer.Gampass. Followed the directions but no registry entries it said to look for were there and only one key value was different, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2", it was set as 1 I believe.

 

Liveupdated, safebooted, scanned. Nothing found. Rebooted and ran wow.exe and connections made in 20 seconds.

 

This is driving me mad.

 

[edit: Please do not post malicious websites per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 04-30-2009 11:38 AM