
16 Re: Google Image redirect to Searchmagnified on Sat May 01, 2010 12:20 pm

H5N1Duck


Member
Finished
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, May 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, May 01, 2010 08:28:14
Records in database: 4021421
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
B:\
C:\
D:\
P:\
Z:\

Scan statistics:
Objects scanned: 149625
Threats found: 4
Infected objects found: 15
Suspicious objects found: 0
Scan duration: 04:50:59


File name / Threat / Threats count
C:\Program Files\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll Infected: not-a-virus:Monitor.Win32.Hooker.s 1
D:\Downloads\AutoIT.zip Infected: not-a-virus:Monitor.Win32.Hooker.s 1
D:\Downloads\SciTE4AutoIt3.exe Infected: not-a-virus:Monitor.Win32.Hooker.s 1
D:\Users\MCornall\Desktop\AutoIT.zip Infected: not-a-virus:Monitor.Win32.Hooker.s 1
Z:\Software\xp key viewer\kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.g 1
Z:\Software\xp key viewer\kf151.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 6
Z:\Software\xp key viewer\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
Z:\Software\xp key viewer\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1
Z:\Software\xp key viewer\produkey.zip Infected: not-a-virus:PSWTool.Win32.ProductKey.ae 1
Z:\Software\xp key viewer\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.ae 1

Selected area has been scanned.

17 Re: Google Image redirect to Searchmagnified on Sat May 01, 2010 10:49 pm

DragonMaster Jay


Site Owner
Please delete these files:

C:\Program Files\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll
D:\Downloads\AutoIT.zip
D:\Downloads\SciTE4AutoIt3.exe
D:\Users\MCornall\Desktop\AutoIT.zip
Z:\Software\xp key viewer\kf151.zip
Z:\Software\xp key viewer\kf151.zip
Z:\Software\xp key viewer\keyfinder.exe
Z:\Software\xp key viewer\keyfinder.exe
Z:\Software\xp key viewer\produkey.zip
Z:\Software\xp key viewer\ProduKey.exe


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


Contribute/donate to our site

18 Re: Google Image redirect to Searchmagnified on Sun May 02, 2010 5:25 am

H5N1Duck


Member
Hi Dragonmaster Jay,
This computer does not normally get access to the Z drive. I do know what these programs are and they are safe. AutoIT is a testing tool that can control a PC for testing by running macros, and the other one can read the product key of XP installs ;o)

I don't think there is any need to delete these. They have not been run in ages either.

I think you cured the infection with the combofix tool. Certainly the symptoms have gone away after that and still seems to be clean.

H5N1Duck

19 Re: Google Image redirect to Searchmagnified on Sun May 02, 2010 5:35 am

DragonMaster Jay


Site Owner
Ok. The reason they were detected is because they are macros. Antivirus software detects all macros, good or bad.

No biggie.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



20 Re: Google Image redirect to Searchmagnified on Sun May 02, 2010 6:28 am

H5N1Duck


Member
Here is the log. Don't worry about ie6 I can't do anything about that one!
I use firefox mostly

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec Endpoint Protection
Nyelvi csomag a Microsoft .NET-keretrendszer 3.5-ös verziójához – HUN
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player 10.0.42.34
Adobe Reader 9.3.0 MU P1.1
Mozilla Firefox (3.6.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

21 Re: Google Image redirect to Searchmagnified on Sun May 02, 2010 2:26 pm

DragonMaster Jay


Site Owner
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


See this page for more info about malware and prevention.

If you would like to make a small donation, please see the link in my signature below.

If you ever need help in the future, feel free to come back to this site for any computer issue, and we shall help.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


Contribute/donate to our site
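
The HOSTS-file blocking described in the post above, as an added example that is not part of the original thread or of hpHosts: a small Python audit that lists which names a HOSTS file sinks to loopback and flags any name mapped to some other address. The sample file, its `example.test` names and the function name `audit_hosts` are constructed for illustration; treating `0.0.0.0` and `::1` as sinks alongside `127.0.0.1` is an assumption that goes beyond the post.

```python
import ipaddress

# Constructed sample HOSTS content for the demo (not taken from the thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
127.0.0.1    ads.example.test tracker.example.test   # blocklist entries
0.0.0.0      popups.example.test
::1          localhost
203.0.113.7  www.search.example.test   # points at a real address: review
not-an-ip    broken.example.test
"""


def audit_hosts(text):
    """Classify the hostnames in HOSTS-format text.
    Returns (blocked, redirected, malformed):
      blocked    - names sunk to a loopback or unspecified address
      redirected - {name: address} for names mapped anywhere else
      malformed  - line numbers that are not "<ip> <name> [<name> ...]"
    """
    blocked, redirected, malformed = set(), {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:
            malformed.append(lineno)
            continue
        sink = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if sink and name == "localhost":
                continue  # the stock entry, not a blocklist line
            if sink:
                blocked.add(name)
            else:
                redirected[name] = str(addr)
    return blocked, redirected, malformed


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

On Windows the file to audit is `%SystemRoot%\System32\drivers\etc\hosts`; any name that lands in `redirected` deserves a manual look, since a blocklist only ever points names at the local machine.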

22 Re: Google Image redirect to Searchmagnified on Mon May 03, 2010 10:41 am

H5N1Duck


Member
Thank you very much. Certainly seems to have fixed the issue. Strange that nothing apart from combofix spotted it!
And couldn't find any solutions anywhere else with this issue.

Already donated... couple of days ago once it was fixed :D
Thank you again

23 Re: Google Image redirect to Searchmagnified on Tue May 04, 2010 12:03 am

DragonMaster Jay


Site Owner
You're welcome. :) Thanks for the donation.

