SOS!! Virus and Spyware attack!!

Hi guys!

I wish that you all could help me clean up my desktop. I have tried every antispyware software i came across and nothing works. I ran Avast and thought to have quarantined the infection. However, when i tried an online scan, i found that the problem did not go away. My comp. is infected with mucho spyware and a trojan (W32/Trojan-gen. {other}).

I cannot use my keyboard because each time i touch a key, windows open up like crazy and/or the desktop shows. I am now using my laptop to communicate. In addition, the volume mutes and switches on at will.

I have finally run HijackThis and i now await some real solid advice on how to clean up this desktop so that i can do some work here. I am going to post its report here.

Someone, anyone, plz help!!! Thanks! Fank you!!!

HijackThis file.

Logfile of HijackThis v1.99.1
Scan saved at 6:52:31 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ares] “C:\Program Files\Ares\Ares.exe” -h
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [AWMON] “C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe”
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe
O23 - Service: Sahydul Service (SahydulSrv) - Unknown owner - C:\WINDOWS\system32\sahydul.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

If you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’

Fix
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

Suspect no hit on google search
O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe
O23 - Service: Sahydul Service (SahydulSrv) - Unknown owner - C:\WINDOWS\system32\sahydul.exe

Suspect hits for interceptor.dll; note this might be a part of spycatcher (if you have it), however since it is mentioned with the other two which have zero hits on google, I would think this is more likely to be malicious. Some hits even believe it to be part of a rootkit.

O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll

BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

What programs did you use exactly ? Boot-Time scanning is your best bet now, so use some of the programs that utilizes it, like Spybot S&D and Avast!.

Have you tried to get into safe mode ? When booting, right at the lil’ beep (after a few seconds) hit the keyboard’s F8 key, and use the arrow keys to get into Windows XP safe mode. Then try your scanners then, or if you can, check your Add/Remove Programs list and remove any “new” malware programs (my sister had something like that once, it was weird).

Anyway, good luck. Once you restore functionality, but some malware still roams, rescan your PC and a few good utilities are mentioned at www.techsupportalert.com. Try your hand at these programs :).

Thanks, guys. Just woke! ;D

I will try ur advice and keep u posted.

best program i have ever seen is ZONELABS. Zonelabs WILL run with avast side-by-side. I do a lot of downloading and there has not been a virus in my computer for about 2 1/2 years. I used to have a lot of viruses. they cleaned them all without damaging windows.

Zone Alarm Firewall is good, but the Security Suite in combination with avast! would invite problems since it’s also a resident antivirus. I’m not sure which you meant :)

Anyway, it looks like Nature already has Sygate Firewall

O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

Thanks, Officer429.

Still working on that boot scan, DavidR.

Thanks 4 the advice all. I have already made some progress weeding out some spyware. So, i am on my way to recovery, i believe!

Hey, DavidR, how do i delete/correct the items in the HijackThis report that you indicated? I tried but after running another HijackThis scan, the items are still there.

I have removed some spyware but an online Symantec scan shows i have a virus and about 4 spyware-infected files left. Also, my comp. still mutes and switches on its internal speakers at will.

I ran a bootscan with Avast as suggested. I am going nuts here!!

The following are the reports:

  1. Symantec.

C:\WINDOWS\system32\maleviv.exe is infected with Spyware.SpyLantern
C:\WINDOWS\system32\sahydulv.exe is infected with Spyware.SpyLantern
C:\Documents and Settings\All Users\Application Data\WinKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
C:\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog

  2. HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:02:21 AM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\VEXPLITE\viritsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\spinsavc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\runprf32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O4 - HKLM..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ares] “C:\Program Files\Ares\Ares.exe” -h
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [AWMON] “C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe”
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O17 - HKLM\System\CCS\Services\Tcpip..{9AE2FD39-5FAF-4E98-9455-640018EDE7E4}: NameServer = 216.226.64.9 216.226.64.8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe (file missing)
O23 - Service: Sahydul Service (SahydulSrv) - Unknown owner - C:\WINDOWS\system32\sahydul.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

In addition, whenever i start up the comp., Ad-aware says that my registry has been modified by a “04” listed above: “O4 - HKLM..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S”

How do i correct this?

HELP!!! >:(

HJT doesn’t do anything (like an AV) other than present you with information (see tutorial links), you have to fix (by checking the box to the left of the entry) those items deemed harmful by analysis. Fix the ones I first listed, including the new O4 - HKLM..\Run: [My Web Search Bar] rundll32 and then run HJT again.

I can only assume from the increased size of this log that the first was run in safe mode.

HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2 Investigate those Nasty, possibly Nasty or Unknown, etc. using searches on google, etc. for the file names, etc.
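As an added illustration (not part of any post in this thread, and not HijackThis's own logic), the sketch below parses HijackThis entry lines and marks the structural patterns the replies above picked out by hand. The rule set and function names are assumptions chosen for triage; a match means "look this entry up", not "this is malicious".

```python
import re

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - ..." or "R0 - ..."


def parse(log_text):
    """Return (code, body) per entry line; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (code, reason, body) for entries worth a manual lookup (hypothetical rules)."""
    findings = []
    for code, body in entries:
        low = body.lower()
        if code == "O2" and low.endswith("(no file)"):
            # Browser Helper Object still registered although its DLL is gone.
            findings.append((code, "BHO registered but its DLL is absent", body))
        elif code == "O4" and re.search(r"\] c:\\windows\\[^\\]+\.exe(\s|$)", low):
            # Autostart target sitting directly in the Windows root directory.
            findings.append((code, "startup item runs from the Windows root", body))
        elif code == "O20" and low.startswith("appinit_dlls:"):
            # DLLs named here are loaded into every process that loads user32.dll.
            dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
            if dlls:
                findings.append((code, "AppInit_DLLs set: " + ", ".join(dlls), body))
        elif code == "O23" and "unknown owner" in low and re.search(r" - c:\\windows\\", low):
            # Service with no reported owner whose binary lives under the Windows directory.
            findings.append((code, "ownerless service under the Windows directory", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse(SAMPLE_LOG)):
        print(f"[{code}] {reason}\n      {body}")
```

The avast! service also shows "Unknown owner" but is not marked, because its binary sits under Program Files; that is why the owner field alone is a poor signal.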

Thanks.

I did try to fix the HJT items as u suggested (checking and clicking on “fix checked”). Then, i rescanned. Yet, the items reappear in the new HJT log file.

I will try the online analysis.

Big thanks!

Okay! I did the analysis and tried 2 remove the items manually. They either reappear or i am blocked from removing them for some reason. E.g. when i try to remove: C:\WINDOWS\spinsavc.exe, a message says: “Cannot delete spinsavc.exe. Access denied. Make sure the disk is not full or write …”

Any further advice? Thanks all!

Did you reboot after fixing the items, because changes to the registry, etc. won’t be implemented until reboot ?

In use files are usually protected by windows even malware, that is why it is important to first stop them from running. This can be achieved either by Task Manager, End Process or as I said by fixing and rebooting.

Cool stuff here, DavidR! Thanks. I will reboot and try everything u suggested.

Thanks man/girl!

Spy Lantern is a retail keylogger that must be manually installed, i.e. it's not a drive-by install malware afaik.

Here’s the home page

http://www.spy-lantern.com/

(yes - the link is safe)

Maybe there’s someone (a parent or spouse?) you need to talk to about this.

In addition, whenever i start up the comp., Ad-aware says that my registry has been modified by a "04" listed above: "O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S"
Unless the My Web Search Toolbar shows up when you open Internet Explorer this might be an orphaned registry entry from a previously cleaned infection. If My Web Search was still active there should be additional registry entries as outlined here

http://www.pchell.com/support/mywebsearch.shtml

C:\WINDOWS\spinsavc.exe
Prevx identifies a process using this name as a (trojan) dropper

http://virusinfo.prevx.com/viruscenter.asp?GRP=4850000015

The free trial version of Prevx may be able to fix it

http://www.prevx.com/

(this is a time-limited trial that some will argue is a bad business practice. I say if it fixes the problem use it for what it's worth).

EDIT: Added pchell link

@ Nature
You're welcome, it's man ;D

Wow! I believe the My Web Search thingy is a left over.

Thanks, man. You have given me a lot to work with. I am running out of comp. time (got to get to work) but i will apply the combination of fixes u’ve recommended.

Cheers!

No problem.

One more thought about that keylogger before you accuse your little brother of anything. I see 4 possibilities

  1. It could be a Symantec false positive (I doubt this is the case)
  2. It could be a 100% correct identification by Symantec which is what I assumed when I posted earlier
  3. It could be that Symantec is correctly identifying a keylogger but giving the wrong name (in which case the dropper installed it)
  4. It could be two different keyloggers, one intentionally installed and one installed by the dropper

If no one owns up to installing it then #3 seems most likely.

Thanks 4 the advice, all!

Alas! I am still here fighting to remove two suspicious-looking files:

O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll

In fact, i now receive the following message from HJT:

"An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:

  • What you were trying to fix when the error occurred, if applicable
  • How you can reproduce the error
  • A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan."

My comp. appears to be working fine, though. Maybe the nasty little bugs are simply biding their time?! >:(

Am I correct in thinking that you’ve been able to delete these 4 files

spinsavc.exe
malevia.dll
sahydula.dll
interceptor.dll

but HJT still reports these

O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll

Or have you not been able to delete anything?

I have not been able to clear them totally. I have isolated/quarantined “spinsavc.exe” but it still shows up in HJT. As for the others, i have not seen them anywhere else but in HJT.

However, the comp. has been working fine. Dunno what’s up here!

Any ideas?

Ok. We’re making progress.

I would like to concentrate on this for a bit

C:\WINDOWS\system32\maleviv.exe is infected with Spyware.SpyLantern
C:\WINDOWS\system32\sahydulv.exe is infected with Spyware.SpyLantern
C:\Documents and Settings\All Users\Application Data\WinKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
C:\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog

In the first line you typed maleviv.exe. Should this be malevia.exe?

Was Symantec able to quarantine or delete these, or did it simply report the infection?

If Symantec did not take any action, did you possibly delete these with one of DavidR’s suggested programs (eg Move On Boot)?

Also, have you ever had Spy Catcher installed on this computer?