Relevant Knowledge spyware?

June 5, 2009 at 18:40:35
Specs: Microsoft Windows XP Professional, 2.261 GHz / 1022 MB

Hi there, my computer has some kind of spyware that keeps popping up a shaded window about a survey. The program is called Relevant Knowledge. The web link for removal doesn't work, nor does the removal link from their website, nor does the uninstall feature that it came with. So annoying! I've searched and seen only manual removal instructions from the registry key. Is there another way? I could provide a HijackThis file.

Thx
Tim



#1
June 5, 2009 at 18:59:40

Hi,
1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com. HijackThis: Here

-------------------------------------------------



#2
June 5, 2009 at 19:21:33

Thanks for responding neoark.

Here is the rapidshare link to the AVZ4 logfile:

http://rapidshare.com/files/2413244...

and here's the link to the rapidshare Hijack This logfile:

http://rapidshare.com/files/2413250...

Let me know what you find out.
Thx!
Tim



#3
June 5, 2009 at 19:30:48

Try:

Go to Start > Run and type:

C:\Program Files\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge 

Press OK

-------------------------------------------------


#4
June 5, 2009 at 19:42:10

OK this is bizarre....

When I copy and paste the script you've given me into Run, I get the following error message (exact syntax):

Windows cannot find 'C:\Program'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

Several times I tried manually typing in the first part of the script, up to Program Files, but it still didn't work. Then I checked if the Program Files menu exists, is working, etc and it's fine. Any clue why I'd get this message?

Thx neoark,
Tim



#5
June 5, 2009 at 19:45:29

Try:

C:\Progra~1\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge 

-------------------------------------------------



#6
June 5, 2009 at 19:55:32

Ok, now when I run it the error message says:

WIndows cannot find 'C:\Program~1|RelevantKnowledge\rlvknlg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

???
Tim



#7
June 5, 2009 at 20:00:07

Post a screenshot of what you are typing. "~1|Rele" << wrong

Try:

Start > Run > %WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge 

-------------------------------------------------



#8
June 5, 2009 at 21:29:52

Oops! My mistake, that was a typo in the message to you, not in the Run script. I typed:

C:\Progra~1\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge

Now I've also tried:

%WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge

and I get the error message:

WIndows cannot find 'C:\WINDOWS\rlvknlg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.




#9
June 5, 2009 at 21:37:10

Moving on to other methods:

Run both of these in the order numbered:

1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log and fix what it detects.

2) Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

-------------------------------------------------



#10
June 5, 2009 at 21:51:14

OK thanks I'll try those and let ya know


#11
June 5, 2009 at 22:24:09

OK the scans are taking a bit here, it's 10:22 pacific time and I'm heading to bed. I'll collect the results in the morning and post them. Thanks for all your help so far neoark.

Tim



#12
June 6, 2009 at 09:23:45

OK neoark, very interesting...

This morning when my Avast ran its routine scan, it detected a trojan \ worm. It recommended removal and unfortunately I clicked it before I had a chance to save the exact filename, but I remember the path \ destination.

It was in:

C:\WINDOWS\system32 and the file was called, I think 'mediaplayer.1.txt' Sorry I can't be exact on that one, BUT I rescanned that folder and it was clean. So I assume Avast got it. Nothing even resembling that now in system32.


I ran Malwarebytes and it came up with several items, including detection of Relevant Knowledge. Their recommendation was removal, which I did. All were removed successfully. Here is the logfile:

Malwarebytes' Anti-Malware 1.37
Database version: 2236
Windows 5.1.2600 Service Pack 3

6/6/2009 8:40:29 AM
mbam-log-2009-06-06 (08-40-29).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 170956
Time elapsed: 1 hour(s), 26 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
c:\downloads\Sopcast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\program files\ie passview\iepv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP119\A0022469.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP160\A0032486.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
e:\downloads\Sopcast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlph.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlxf.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.


I am now running a full scan with SUPERantispyware and will post that log when done. So far so good. Thanks for the awesome help.

Also, right now I am running AVAST and Spybot S & D full time, and I have Adaware, Spywareblaster and HijackThis installed. Now I've installed the two programs you've recommended. Am I getting a bit redundant? Should I keep them all? Use them more often to prevent further infection? Your advice is appreciated.

Thx!
Tim



#13
June 6, 2009 at 09:41:56

No need to keep all of them. Keep what you use :). Personally I like Malwarebytes and SUPERAntiSpyware. But it really depends on what works for you :). Keep all of them for a while and see what works for you.

-------------------------------------------------



#14
June 6, 2009 at 09:50:16

Uh Oh! hold on here...

The SUPERantispyware scan hasn't finished yet, but so far it has detected the following:

RelevantKnowledge Spyware Component Detected Items 5
Spyware.RelevantKnowledge Detected Items 6

Like I say, it hasn't finished yet, so when it does I'll post the Fix, results, and logfile.

Unfortunately not done yet....



#15
June 6, 2009 at 10:05:52

OK, the SUPER scan is done and it detected the two items and sub folders. The program recommended a quarantine \ delete, which I did, then it rebooted. After reboot, I re-opened SUPER, went to the saved logfile, and it appears to be a logfile of the detection, but not removal. Is there another logfile other than the default location? Here it is anyways:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/06/2009 at 09:53 AM

Application Version : 4.26.1004

Core Rules Database Version : 3927
Trace Rules Database Version: 1871

Scan type : Complete Scan
Total Scan Time : 00:47:59

Memory items scanned : 664
Memory threats detected : 0
Registry items scanned : 5002
Registry threats detected : 0
File items scanned : 22324
File threats detected : 11

RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032483.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032501.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032502.DLL

Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032749.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032747.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032759.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032760.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032761.EXE


I guess I could do just a modified \ specific re-scan with both programs to be sure it's now gone, instead of scanning all .5 Tb of hard disk space on my computer. Maybe just the C drive. Please advise. And thanks again.

Tim



#16
June 6, 2009 at 10:14:42

Your restore points are affected; make sure you delete your old restore points. Follow Response Number 1 and make a new set of logs.

-------------------------------------------------
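
Added example, not part of any post in this thread: a small Python triage of scanner log lines in the two formats posted above, separating detections on the live filesystem from copies archived in Windows XP System Restore points (the `_restore{...}\RPnnn` paths). The function name, regular expressions and sample text are assumptions made for illustration; the sample lines are excerpted from the logs in this thread, plus one constructed registry line.

```python
import re
from collections import defaultdict

# XP System Restore store: ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]{36}\}\\(RP\d+)\\", re.I)
# Malwarebytes-style line: <path> (<detection name>) -> <action taken>
MBAM_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \([^()]+\) -> .+$", re.I)
# SUPERAntiSpyware-style line: a bare path under a detection heading
PATH_RE = re.compile(r"^[a-z]:\\\S.*$", re.I)

# Sample input: lines excerpted from the logs in this thread; the registry
# line is constructed to show that non-file entries are skipped.
SAMPLE = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Example (Adware.Example) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP119\A0022469.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032748.EXE
"""

def triage(log_text):
    """Return (live_paths, {restore_point: [paths]}) for detected file paths."""
    live, restore = [], defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MBAM_RE.match(line)
        if m:
            path = m.group("path")
        elif PATH_RE.match(line):
            path = line
        else:
            continue  # headings, counters, registry entries
        rp = RESTORE_RE.search(path)
        if rp:
            restore[rp.group(1).upper()].append(path)
        else:
            live.append(path)
    return live, dict(restore)

if __name__ == "__main__":
    live, restore = triage(SAMPLE)
    print("live filesystem detections:", len(live))
    for rp in sorted(restore):
        print(f"restore point {rp}: {len(restore[rp])} archived copies")
```

Detections that fall only under `RPnnn` directories are archived copies inside restore points rather than files in their installed locations, which is the situation the reply above addresses by deleting the old restore points.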



#17
June 6, 2009 at 10:20:18

OK, but just to clarify, should I be turning off system restore when I go back and do the info on Response 1, or just go and start that again?

Thx
Tim



#18
June 6, 2009 at 10:21:59

If you use Windows System Restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q...

Then follow Response number 1.

-------------------------------------------------



#19
June 6, 2009 at 11:32:37

OK, I turned off system restore and went back to the beginning.

Here is the rapidshare link to the logfile from AVZ4

http://rapidshare.com/files/2415674...

And here is the link to the Hijack This file:

http://rapidshare.com/files/2415685...

Thx
Tim



#20
June 6, 2009 at 11:56:14

Follow these steps in the order numbered:

1) Run this script in AVZ; your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DeleteFileMask('C:\Program Files\RelevantKnowledge\','*.*',true);
 DeleteDirectory('C:\Program Files\RelevantKnowledge\');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Run: http://onecare.live.com/site/en-Us/...

3) Run: http://onecare.live.com/site/en-Us/...

4) Enable system restore.

After this, if you still have the original problem, let me know.

-------------------------------------------------



#21
June 6, 2009 at 17:12:08

OK, I've done the above and then rescanned with AVZ, Malwarebytes and SUPERAntiSpyware. Malwarebytes came up clean, AVZ found one tracking cookie and SUPER found a few items unrelated to the original reason for scanning, which it deleted. So I'm now clean. Thanks for all your help neoark... it was a marathon but it feels worth it to have that done.
Gracias
Tim


#22
June 6, 2009 at 17:19:12

It's always a marathon to remove something, especially virus/trojan/Ad-ware. You can uninstall everything you installed. For AVZ just delete the folder.

-------------------------------------------------

