Hi there, my computer has some kind of spyware that keeps popping up a shaded window about a survey. The program is called Relevant Knowledge. The web link for removal doesn't work, nor does the removal link from their website, nor does the uninstall feature work that it came with. So annoying! I've searched and seen only manual removal instructions from the registry key. Is there another way? I could provide a HijackThis file. Thx
Tim

Hi,
1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.
i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.
ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.
iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista launch AVZ.exe by right clicking and selecting Run as Administrator.
You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.
begin
 ExecuteStdScr(3);
 RebootWindows(true);
end.
Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.
2) Can you also make a new HijackThis log and upload it to rapidshare.com. HijackThis: Here
-------------------------------------------------
Thanks for responding neoark. Here is the rapidshare link to the AVZ4 logfile:
http://rapidshare.com/files/2413244...
and here's the link to the rapidshare Hijack This logfile:
http://rapidshare.com/files/2413250...
Let me know what you find out.
Thx!
Tim
Try: Go to Start > Run and type:
C:\Program Files\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
Press OK
-------------------------------------------------
OK this is bizarre.... When I copy and paste the script you've given me into Run, I get the following error message (exact syntax):
Windows cannot find 'C:\Program'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.
Several times I tried manually typing in the first part of the script, up to Program Files, but it still didn't work. Then I checked if the Program Files menu exists, is working, etc and it's fine. Any clue why I'd get this message?
Thx neoark,
Tim
Try:
C:\Progra~1\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
-------------------------------------------------
Ok, now when I run it the error message says: Windows cannot find 'C:\Program~1|RelevantKnowledge\rlvknlg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.
???
Tim
Post a screenshot of what you are typing. "~1|Rele" << wrong
Try:
Start > Run > %WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
-------------------------------------------------
Oops! My mistake, that was a typo on the message to you, not on the Run script. I typed: C:\Progra~1\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
Now I've also tried:
%WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
and I get the error message:
Windows cannot find 'C:\WINDOWS\rlvknlg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.
Moving on to other methods: Run both these in order numbered:
1) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log and Fix what it detects.
2) Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.
-------------------------------------------------
OK thanks I'll try those and let ya know
OK the scans are taking a bit here, it's 10:22 pacific time and I'm heading to bed. I'll collect the results in the morning and post them. Thanks for all your help so far neoark. Tim
OK neoark, very interesting... This morning when my Avast ran its routine scan, it detected a trojan \ worm. It recommended removal and unfortunately I clicked it before I had a chance to save the exact filename, but I remember the path \ destination.
It was in:
C:\WINDOWS\system32 and the file was called, I think, 'mediaplayer.1.txt'. Sorry I can't be exact on that one, BUT I rescanned that folder and it was clean. So I assume Avast got it. Nothing even resembling that now in system32.
I ran Malwarebytes and it came up with several items, including detection of Relevant Knowledge. Their recommendation was removal which I did. All were removed successfully. Here is the logfile:

Malwarebytes' Anti-Malware 1.37
Database version: 2236
Windows 5.1.2600 Service Pack 3
6/6/2009 8:40:29 AM
mbam-log-2009-06-06 (08-40-29).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 170956
Time elapsed: 1 hour(s), 26 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
c:\downloads\Sopcast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\program files\ie passview\iepv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP119\A0022469.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP160\A0032486.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
e:\downloads\Sopcast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlph.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlxf.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
I am now running a full scan with SUPERantispyware and will post that log when done. So far so good. Thanks for the awesome help.
Also, right now I am running AVAST, and Spybot S & D full time, and I have Adaware, Spywareblaster and Hijack this installed. Now I've installed the two programs you've recommended. Am I getting a bit redundant? Should I keep them all? Use them more often to prevent further infection? Your advice is appreciated.
Thx!
Tim
No need to keep all of them. Keep what you use :). Personally I like malwarebytes and superantispyware. But it really depends on what works for you :). Keep all of them for a while and see what works for you.
-------------------------------------------------
Uh Oh! hold on here... The SUPERantispyware scan hasn't finished yet, but so far it has detected the following:
RelevantKnowledge Spyware Component Detected Items 5
Spyware.RelevantKnowledge Detected Items 6
Like I say, it hasn't finished yet so when it does I'll post the Fix, results, and logfile.
Unfortunately not done yet....
OK, The SUPER scan is done and it detected the two items and sub folders. The program recommended a quarantine \ delete, which I did, then it rebooted. After reboot, I re-opened SUPER, went to the saved logfile, and it appears to be a logfile of the detection, but not removal. Is there another logfile other than the default location? Here it is anyways:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/06/2009 at 09:53 AM
Application Version : 4.26.1004
Core Rules Database Version : 3927
Trace Rules Database Version: 1871

Scan type : Complete Scan
Total Scan Time : 00:47:59

Memory items scanned : 664
Memory threats detected : 0
Registry items scanned : 5002
Registry threats detected : 0
File items scanned : 22324
File threats detected : 11

RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032483.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032501.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032502.DLL

Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032749.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032747.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032759.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032760.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032761.EXE
I guess I could do just a modified \ specific re-scan with both programs to be sure it's now gone, instead of scanning all .5 Tb of hard disk space on my computer. Maybe just the C drive. Please advise. And thanks again.
Tim
Your restore points are affected; make sure you delete your old restore points. Follow: Response Number 1 and remake new set of logs.
-------------------------------------------------
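What the reply above is reading out of the two scan logs, as an added example that is not part of the original thread and is not either scanner's own code: a short parser that groups detections by the System Restore point (RPnnn) they sit in, so you can see which restore points would bring the files back if restored. The sample log lines, the all-zero GUID, the detection names and the function names are constructed for illustration; the two line formats follow the logs posted above.

```python
import re
from collections import defaultdict

# A path inside a System Restore store; captures the restore point and file name.
# The optional tail covers the "path (Name) -> action" line format.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}"
    r"\\(?P<rp>RP\d+)\\(?P<file>[^\\]+?)"
    r"(?:\s+\((?P<name>[^)]+)\)\s+->.*)?$",
    re.IGNORECASE,
)

def restore_point_hits(log_text):
    """Return {restore point: [(file, detection name), ...]} for a scan log."""
    hits = defaultdict(list)
    heading = None  # the second log format prints the detection name on its own line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESTORE_RE.match(line)
        if m:
            name = m.group("name") or heading or "unknown"
            hits[m.group("rp").upper()].append((m.group("file"), name))
        elif ":" not in line and "\\" not in line and not line.startswith("("):
            heading = line  # bare text line: treat as a detection heading
    return dict(hits)

def affected_points(hits):
    """Restore point ids that contain at least one detection, in numeric order."""
    return sorted(hits, key=lambda rp: int(rp[2:]))

# Constructed sample input (not copied from the logs above).
SAMPLE_LOG = r"""
Files Infected:
c:\program files\exampleapp\svc.exe (Spyware.Example) -> Quarantined and deleted successfully.
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP119\A0000001.exe (Adware.Example) -> Quarantined and deleted successfully.
File threats detected : 3
Example Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP160\A0000002.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP160\A0000003.EXE
"""

if __name__ == "__main__":
    found = restore_point_hits(SAMPLE_LOG)
    for rp in affected_points(found):
        print(rp, found[rp])
```

Any restore point this lists still holds a copy of the detected file, which is why the thread goes on to turn System Restore off and back on to discard the old points.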
OK, but just to clarify, should I be turning off system restore when I go back and do the info on Response 1, or just go and start that again? Thx
Tim
If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Then follow Response number 1.
-------------------------------------------------
OK, I turned off system restore and went back to the beginning. Here is the rapidshare link to the logfile from AVZ4
http://rapidshare.com/files/2415674...
And here is the link to the Hijack This file:
http://rapidshare.com/files/2415685...
Thx
Tim
Follow these steps in order numbered:
1) Run this script in AVZ; your computer will reboot:
begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 DeleteFileMask('C:\Program Files\RelevantKnowledge\','*.*',true);
 DeleteDirectory('C:\Program Files\RelevantKnowledge\');
 BC_ImportDeletedList;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.
2) Run: http://onecare.live.com/site/en-Us/...
3) Run: http://onecare.live.com/site/en-Us/...
4) Enable system restore.
After this if you still have original problem let me know.
-------------------------------------------------
OK I've done the above and then rescanned with AVZ, Malwarebytes and SUPERAntiSpyware. Malwarebytes came up clean, AVZ found one tracking cookie and SUPER found a few items unrelated to the original reason for scanning, which it deleted. So I'm now clean. Thanks for all your help neoark...it was a marathon but it feels worth it to have that done.
Gracias
Tim
It's always a marathon to remove something especially virus/trojan/Ad-ware. You can uninstall everything you install. For AVZ just delete the folder.
-------------------------------------------------
