Author Topic: General Malware/possible keylogger question  (Read 4010 times)


vergisst

  • Guest
General Malware/possible keylogger question
« on: November 05, 2010, 03:40:54 AM »
I've run Avast!; it detects the problem in my AppData folder and, regardless of whether I move it to the chest or delete it, it shows up in my next scan. I've removed it multiple times, I've tried deleting/moving to chest while disconnected from the internet, and I've used SUPERAntiSpyware, Spybot S&D, Avast! antivirus and the Avast! Antirootkit. SUPER and Avast! claim they've fixed the problem, but the messages persist.

My suspicion is that this is some kind of keylogger, as a couple of online gaming accounts have been hacked and gutted. I repaired them, only to be locked out later due to 'suspicious activity' and multiple password reset emails that I did not request myself. Any help you guys can offer would be greatly appreciated.
« Last Edit: November 05, 2010, 03:59:10 AM by vergisst »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89711
  • No support PMs thanks
Re: General Malware/possible keylogger question
« Reply #1 on: November 05, 2010, 04:10:44 AM »
What is the malware name, the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Does it always come back to the same location with the same file name?

Another one for you to try (download, update, Quick scan and report the findings):
MalwareBytes Anti-Malware (MBAM), On-Demand only in free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.875) UI 1.0.820/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

vergisst

  • Guest
Re: General Malware/possible keylogger question
« Reply #2 on: November 05, 2010, 04:32:58 AM »
This is the notification I get from Avast:
Object:      C:\Users\me\AppData\Local\Temp\0.exe
Infection:   Win32:Malware-gen
Process:     C:\Windows\SysWOW64\rundll32.exe

Always the same location and name, though sometimes it's something like Temp\0[1].exe


MBAM quick scan:
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysinfo (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Files Infected:
C:\Users\me\AppData\Local\Temp\76284632Wsy.dll (Trojan.Downloader) -> No action taken.
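The scan output above points at three things a defender can re-check by hand: a per-user Run value (`...\CurrentVersion\Run\sysinfo`) that starts something from the user's Temp folder, a modified `.reg` file handler (the `Broken.OpenCommand` entry), and `rundll32.exe` being the process that touched `Temp\0.exe`. The following PowerShell is an added example for readers of this thread, not code from the thread or from Avast/MBAM. It is a read-only audit: it reports, it does not delete. The temp-folder list, the expected handler value `regedit.exe "%1"` (taken from the "Good:" value in the MBAM output) and the function name `Invoke-TempPersistenceAudit` are all assumptions made for the example.

```powershell
# Added example: read-only audit of the locations flagged in the MBAM/Avast output.
# Not from the thread or from Avast/MBAM. The temp-folder list and the expected
# .reg handler value are assumptions taken from the MBAM output in the post above.

function Invoke-TempPersistenceAudit {
    [CmdletBinding()]
    param(
        # Folders an autorun entry should not normally execute from (assumption).
        [string[]]$SuspectRoots = @($env:TEMP, "$env:LOCALAPPDATA\Temp", "$env:windir\Temp")
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $roots    = $SuspectRoots | Where-Object { $_ } | Sort-Object -Unique
    $pattern  = ($roots | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Per-user Run key. MBAM flagged ...\Run\sysinfo here as Trojan.Downloader.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            $cmd    = [Environment]::ExpandEnvironmentVariables("$($p.Value)")
            $result = if ($cmd -match $pattern) { 'SUSPECT: starts from a temp folder' } else { 'ok' }
            $findings.Add([pscustomobject]@{ Check = 'HKCU Run'; Item = $p.Name; Detail = $cmd; Result = $result })
        }
    }

    # 2. The .reg file open handler. MBAM reported Bad: ("regedit.exe" "%1") and
    #    Good: (regedit.exe "%1"); a changed handler means double-clicking a .reg
    #    file may run something other than regedit.
    $regfileKey = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
    $expected   = 'regedit.exe "%1"'
    $actual     = (Get-ItemProperty -Path $regfileKey -ErrorAction SilentlyContinue).'(default)'
    $result     = if ($actual -eq $expected) { 'ok' } else { "DIFFERS from expected: $expected" }
    $findings.Add([pscustomobject]@{ Check = 'regfile open command'; Item = '(default)'; Detail = $actual; Result = $result })

    # 3. Running rundll32.exe instances. Avast named rundll32.exe as the process
    #    touching Temp\0.exe; a rundll32 whose command line points into a temp
    #    folder deserves a closer look.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $result = if ($_.CommandLine -match $pattern) { 'SUSPECT: loads from a temp folder' } else { 'review' }
            $findings.Add([pscustomobject]@{ Check = 'rundll32 process'; Item = $_.ProcessId; Detail = $_.CommandLine; Result = $result })
        }

    # 4. Executable files in the temp folders, hashed so they can be looked up on
    #    VirusTotal by hash before anything is uploaded or deleted.
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                $findings.Add([pscustomobject]@{ Check = 'temp executable'; Item = $_.FullName; Detail = $hash; Result = 'review' })
            }
    }

    return $findings
}

Invoke-TempPersistenceAudit | Format-Table -Property Check, Item, Result, Detail -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt (Get-FileHash needs PowerShell 4 or later). The `SUSPECT` flag is a heuristic: legitimate installers do sometimes leave Run entries that point into Temp for one reboot, so review each line before removing anything. The audit complements the MBAM "Remove Selected" step described below rather than replacing it; its value is that, after cleanup, a second run should show the Run key clean, the regfile handler back to `regedit.exe "%1"`, and no executables left in Temp.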

Offline DavidR

Re: General Malware/possible keylogger question
« Reply #3 on: November 05, 2010, 04:44:25 AM »
Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.

Then clear your Temp files (see below), etc. and run another avast scan.

CCleaner - Temp File Cleaner, etc.
or
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

vergisst

  • Guest
Re: General Malware/possible keylogger question
« Reply #4 on: November 05, 2010, 05:06:01 AM »
Did as you said, scanned the AppData folder and it came up clean! Thanks so much for all your help, it's good to feel safe on my own computer again.

Offline DavidR

Re: General Malware/possible keylogger question
« Reply #5 on: November 05, 2010, 02:27:32 PM »
No problem, glad I could help.

Welcome to the forums.

vicky00

  • Guest
Re: General Malware/possible keylogger question
« Reply #6 on: November 06, 2010, 09:44:15 PM »
Norton can be effective for that

Offline DavidR

Re: General Malware/possible keylogger question
« Reply #7 on: November 06, 2010, 09:46:18 PM »
Running XP with Norton antivirus.  Last spyware cleanup about 60 days ago.  Norton firewall is indicating gamedrive is trying to access the internet.  Best of my knowledge no app with that id is installed.  Seems like malware but....?

Seems like you are on the wrong forum, sorry I couldn't help it.

If you can find the gamedrive file (whatever it might be), you could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here by posting the URL from the Address bar of the VT results page.

See http://www.softpedia.com/get/CD-DVD-Tools/Virtual-CD-DVD-Rom/GameDrive-CDDVD-Emulator.shtml; it seems to have a live update, so if you have installed this software (a CD emulator), then it could be the live update connecting.