Authentium Anti-Virus Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by MWJones101, Nov 5, 2012.

  1. MWJones101

    MWJones101 Private E-2

    I am working on a PC, and just noticed that there was no antivirus running. The odd thing was that Windows Security Center was not giving a message about it. I went to Security Center and it was set for the user to manage the Anti-Virus. When I changed this back to Windows, it popped up saying that Authentium Anti-Virus was out of date. I have searched everywhere and cannot find Authentium. I was wondering if someone could help me remove the program, as I am not sure if it was intentionally downloaded. I will be replacing it with a new AV software suite. I have completed the following:

    Read and Run Me First
    Step 1: Read Forum Rules and Guidelines. All other steps N/A.
    Step 2: Cannot remove Authentium Anti-Virus (Reason for Post)
    Step 3: 32 Bit Windows XP, Complete.
    Step 4: Ran DeFogger, no reboot required.
    Step 5: CCleaner
    Step 6: Windows XP Steps
    Step 1: Downloads Complete. Files Renamed as asked.
    Step 2: All scans completed as requested. MGTools hangs on MiscInfo.bat, so no log is provided.
    Step 3: New Thread created, all logs attached.
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    Please try these other apps to see if it is listed:

    AppRemover 2.2.31.
    Revo Uninstaller 1.94

    Also please download OTL by OldTimer, saving it to your desktop:
    • Close all open windows on the Task Bar. Double-click the OTL icon to start the program and let it run uninterrupted. (Right-click and "Run as administrator" if using Vista or Win7)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The log will still be there with info from scans prior to this point. You should attach it.
     
  4. MWJones101

    MWJones101 Private E-2

    Neither of the removers found the Authentium. OTL produced two .txt files, both added to post. MGTools did create a zip, I added it as well.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is very possible that this is just a leftover registry key entry that is being detected. Most antivirus / security suite programs NEVER uninstall properly or completely. This had previously been installed, possibly with a security package from the user's ISP. Since Authentium is not installed now, let's see if we can locate a cause for this in the registry.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Authentium
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.

    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    • Then double click on it to run it. Do not disturb it by clicking in the window that opens or it may stall.
    • After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    • If after running Combofix you discover none of your programs will open up because you receive the following error:
      • Illegal operation attempted on a registry key that has been marked for deletion
    • Then you will need to reboot your computer which will normally fix this problem.

    Note that your previous logs did show some signs of some other junk ( like Babylon ) that needs to be removed. We will get to this too.
     
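A read-only check in the spirit of this post (a stale Security Center registration versus an actually installed product), added here as an example; it is not a MajorGeeks tool and not something posted in the thread. It assumes PowerShell 2.0 or later, uses 'Authentium' only because that is the name in the thread, and the hives it walks are my choice:

```powershell
# Added example, not from the thread or from SystemLook/OTL: a read-only
# PowerShell check that (1) lists the antivirus products Windows Security Center
# has registered via WMI and (2) walks the registry for leftover keys, value
# names or value data mentioning a product name, like ":regfind Authentium".
# The search string and the hives walked are assumptions; nothing is deleted.
param([string]$Pattern = 'Authentium')

# Security Center reads AV registrations from WMI: root\SecurityCenter on XP,
# root\SecurityCenter2 on Vista and later. A stale AntiVirusProduct instance is
# enough to trigger the "out of date" balloon after the AV files are gone.
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    try {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop
        foreach ($p in $products) {
            Write-Output ("[{0}] {1} (instanceGuid {2})" -f $ns, $p.displayName, $p.instanceGuid)
        }
    } catch {
        Write-Output "[$ns] namespace not present or no AntiVirusProduct instances"
    }
}

function Find-RegistryString {
    # Recurse below $Root and report every key name, value name or value data
    # that contains $Pattern (case-insensitive wildcard match, not regex).
    param([string]$Root, [string]$Pattern)
    $wild = "*$Pattern*"
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -like $wild) {
            New-Object PSObject -Property @{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -like $wild -or $data -like $wild) {
                New-Object PSObject -Property @{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

# Hives where uninstallers most often leave residue; the walk of HKLM:\SOFTWARE
# alone can take several minutes on an old machine, so be patient.
$roots = 'HKLM:\SOFTWARE', 'HKCU:\Software', 'HKLM:\SYSTEM\CurrentControlSet\Services'
$hits = foreach ($r in $roots) { Find-RegistryString -Root $r -Pattern $Pattern }
$hits | Format-Table Key, Value, Data -AutoSize -Wrap
"$(@($hits).Count) registry hit(s) for '$Pattern'"
```

Run it from an elevated PowerShell prompt so HKLM and the Services key are readable; review the hits before deleting anything, since a product name in a value's data may belong to an unrelated program's settings.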
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact, let's get to it now. So after attaching the logs from SystemLook and ComboFix, continue with the below.


    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.dell4me.com/myway [binary data]
    IE - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\SearchScopes,DefaultScope = {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
    IE - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=100512_2_&babsrc=SP_ss&mntrId=b885d315000000000000001320a7401c
    IE - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=PSI&o=15116&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=L6&apn_dtid=YYYYYYYYUS&apn_uid=56FF0B19-7629-4581-9C61-F868594EF1FB&apn_sauid=7287D10F-2D24-435E-A7D3-0E4B3008D3CB
    IE - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\SearchScopes\{FF248A49-B440-4EEA-B7DB-93549FDDB176}: "URL" = http://www.fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=19&tid={192008B8-D5EA-447d-9B8D-888380349F53}
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (BrowserHelper Class) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll File not found
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
    O3 - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No CLSID value found.
    O3 - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
    O3 - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\Toolbar\WebBrowser: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
    O3 - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKU\S-1-5-21-2741474298-3082346143-3084441431-1005\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
    ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
    ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
    :Files
    C:\Documents and Settings\All Users\Application Data\Babylon
    C:\Documents and Settings\Surlena\Application Data\Babylon
    C:\Documents and Settings\Surlena\Application Data\PriceGong
    C:\WINDOWS\Temp\TMP000000016C161D1D457A8F7A
    C:\Documents and Settings\Surlena\Local Settings\Temp\*.tmp
    C:\Documents and Settings\Surlena\Local Settings\Temp\*.txt
    C:\Program Files\Ask.com
    C:\Program Files\SelectRebates
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FF248A49-B440-4EEA-B7DB-93549FDDB176}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SelectRebates]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Smart PC Cleaner]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"=-
    
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. MWJones101

    MWJones101 Private E-2

    Ran SystemLook first. Log attached. Ran ComboFix next; several warnings also attached, as well as the log. Ran OTL as directed. Log attached. Tried MGTools again. Still freezes at MiscInfo.Bat. Zip attached. Hope all this means something. Happy Thanksgiving, and thanks for all your help.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks. Enjoy your Thanksgiving too. :)


    Don't worry about this. It just happens on some PCs. Not sure why. It seems to be some issue with WMI (Windows Management Instrumentation).

    Did you set up the below proxy overrides?

    If not, then add it to the list of things to fix with HijackThis below.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=10...HP_ss&mntrId=b885d315000000000000001320a7401c
    R3 - URLSearchHook: (no name) - - (no file)
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. MWJones101

    MWJones101 Private E-2

    Ran HJT with no errors. Ran Combo Fix as described. It stated Authentium was running. Afterwards it restarted. Authentium out of date error replaced with AV not installed error. (FINALLY) Upon restart the standard IE pop-up hit stating it couldn't connect to the internet. Is this somewhere in the logs, how do I get rid of this at startup? Ran GetLogs.Bat. PC now states no AV. Thanks all. Can we run a scan to make sure everything unwanted is gone (Babylon ... ETC)? Thanks for all your help guys. PS GetLogs hung at MiscInfo as well.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see connectivity in your logs.

    Possibly due to the AT&T stuff you installed which is running the below
    You could uninstall AT&T Self Support Tool

    You can run Hitman Pro and attach a new log.
     