I realise I shouldn't have run Combofix but did it before reading & joining this forum.
Before running Combofix
On 8 Jan, Trojan-Downloader.Win32.Agent.cyzf was located on my PC by Kaspersky Internet Security 7 (KIS 7) as file cltest.exe (used by Power DVD to check the external DVD). This file has been on my PC for many years. At this date, VirusList.com did not know of this trojan.
I accepted the KIS instruction to delete it to the KIS backup together with two files in the Restore folder and then started a full scan of my PC.
The event log strangely reports KIS turned off at for about 6 minutes. I do not think I turned it off.
I panicked because a similar trojan Agent.alby turns off KIS, captures screens and is a key-logger.
Early on 9 Jan, I reported everything to Kaspersky Support and sent the files and the GetSystemInfo (GSI) file.
I conducted a full computer scan followed by a rootkit scan and KIS reported no problems found.
However, it seemed that everything had slowed down so I was concerned that during the time KIS7 was off, the virus had established itself as a legitimate programme.
I could not get a quick answer to my GSI report, but I was "informed" that Combofix would tell me more.
Combofix was downloaded from Kaspersky.com and was saved to my desktop as 999fix.exe as instructed.
I followed the instructions on bleepingcomputer and ran "999fix.exe".
It ran and updated itself.
The instructions (as on this site) said it would perform a restore and backup of the registry, but the registry backup "activity" progress bar did not appear.
It started scanning but at 6A, reported "Windows error - PEV.exe, needs to close - report etc" but I did nothing and the scans continued.
All finished and Combofix rebooted and the report was produced. Apart from Combofix deleting three files, it all went as per your instructions. I did not make any changes to my PC and Combofix didn't tell me to do anything.
The report file is attached.
Note: RoboMaster, Graphtec, Grape Systems, Gedpage, Gedcom to HTML are programs I have added.
Zone Alarm, early Kaspersky KAV 5 and 6, Broadjump/CFD, Ad-Aware are no longer used.
Post running Combofix
All appears to be running ok - I may have imagined that things were "not right" - so there may not have been an infection.
KIS has updated itself and performed startup scans each time and nothing suspicious is reported.
Because PEV.exe may show as a problem, I have not run a full scan or rootkit scan until I hear from you.
I note that there is not a restore point for the day that Combofix was run.
PEV.exe dated 9 Dec 2009 256Kb is in C:\Windows.
There is a 999fix folder in C:\ containing files and a sub folder N_.
The deleted twain file does not seem to have affected the scanner, printer and camera.
I have run a CD with a .wmf file and it appears to work so not sure if the missing cltest.exe file (that was deleted) is having any effect.
Being wise after the event, it could be something as simple as cltest.exe giving a false positive.
Because no one at Kaspersky was able to give me the answer, I feared it is something worse?
Finally, can I remove Combofix/999fix (as per instructions on this site)?
If I do, will it matter if the deleted files are restored?
Can I just manually delete the 999fix folder and PEV.exe?