
Relevant Knowledge spyware?


Name: Tim_B
Date: June 5, 2009 at 18:40:35 Pacific
OS: Microsoft Windows XP Professional
CPU/Ram: 2.261 GHz / 1022 MB
Subcategory: Spyware
Comment:

Hi there, my computer has some kind of spyware that keeps popping up a shaded window about a survey. The program is called Relevant Knowledge. The web link for removal doesn't work, nor does the removal link from their website, nor does the uninstall feature work that it came with. So annoying! I've searched and seen only manual removal instructions from the registry key. Is there another way? I could provide a HijackThis file.

Thx
Tim




Response Number 1
Name: jdk (by neoark)
Date: June 5, 2009 at 18:59:40 Pacific
Reply:

Hi,
1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com? HijackThis: Here

-------------------------------------------------



Response Number 2
Name: Tim_B
Date: June 5, 2009 at 19:21:33 Pacific
Reply:

Thanks for responding neoark.

Here is the rapidshare link to the AVZ4 logfile:

http://rapidshare.com/files/2413244...

and here's the link to the rapidshare Hijack This logfile:

http://rapidshare.com/files/2413250...

Let me know what you find out.
Thx!
Tim



Response Number 3
Name: jdk (by neoark)
Date: June 5, 2009 at 19:30:48 Pacific
Reply:

Try:

Go to Start > Run and type:

C:\Program Files\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge 

Press OK

-------------------------------------------------



Response Number 4
Name: Tim_B
Date: June 5, 2009 at 19:42:10 Pacific
Reply:

OK this is bizarre....

When I copy and paste the script you've given me into Run, I get the following error message (exact syntax):

Windows cannot find 'C:\Program'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

Several times I tried manually typing in the first part of the script, up to Program Files, but it still didn't work. Then I checked if the Program Files menu exists, is working, etc., and it's fine. Any clue why I'd get this message?

Thx neoark,
Tim



Response Number 5
Name: jdk (by neoark)
Date: June 5, 2009 at 19:45:29 Pacific
Reply:

Try:

C:\Progra~1\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge 

-------------------------------------------------





Response Number 6
Name: Tim_B
Date: June 5, 2009 at 19:55:32 Pacific
Reply:

Ok, now when I run it the error message says:

WIndows cannot find 'C:\Program~1|RelevantKnowledge\rlvknlg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

???
Tim



Response Number 7
Name: jdk (by neoark)
Date: June 5, 2009 at 20:00:07 Pacific
Reply:

Post a screenshot of what you are typing. "~1|Rele" << wrong

Try:

Start > Run > %WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge 

-------------------------------------------------



Response Number 8
Name: Tim_B
Date: June 5, 2009 at 21:29:52 Pacific
Reply:

Oops! My mistake that was a typo on the message to you, not on the Run script. I typed:

C:\Progra~1\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge

Now I've also tried:

%WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge

and I get the error message:

WIndows cannot find 'C:\WINDOWS\rlvknlg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.




Response Number 9
Name: jdk (by neoark)
Date: June 5, 2009 at 21:37:10 Pacific
Reply:

Moving on to other methods:

Run both these in order numbered:

1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log and fix what it detects.

2) Scan with SUPERAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

-------------------------------------------------



Response Number 10
Name: Tim_B
Date: June 5, 2009 at 21:51:14 Pacific
Reply:

OK thanks I'll try those and let ya know



Response Number 11
Name: Tim_B
Date: June 5, 2009 at 22:24:09 Pacific
Reply:

OK the scans are taking a bit here, it's 10:22 pacific time and I'm heading to bed. I'll collect the results in the morning and post them. Thanks for all your help so far neoark.

Tim



Response Number 12
Name: Tim_B
Date: June 6, 2009 at 09:23:45 Pacific
Reply:

OK neoark, very interesting...

This morning when my Avast ran its routine scan, it detected a trojan \ worm. It recommended removal and unfortunately I clicked it before I had a chance to save the exact filename, but I remember the path \ destination.

It was in:

C:\WINDOWS\system32 and the file was called, I think, 'mediaplayer.1.txt'. Sorry I can't be exact on that one, BUT I rescanned that folder and it was clean. So I assume Avast got it. Nothing even resembling that now in system32.


I ran Malwarebytes and it came up with several items, including detection of Relevant Knowledge. Their recommendation was removal, which I did. All were removed successfully. Here is the logfile:

Malwarebytes' Anti-Malware 1.37
Database version: 2236
Windows 5.1.2600 Service Pack 3

6/6/2009 8:40:29 AM
mbam-log-2009-06-06 (08-40-29).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 170956
Time elapsed: 1 hour(s), 26 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
c:\downloads\Sopcast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\program files\ie passview\iepv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP119\A0022469.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP160\A0032486.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
e:\downloads\Sopcast\Setup-SopCast-3.0.3-2008-4-30.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlph.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlxf.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.


I am now running a full scan with SUPERantispyware and will post that log when done. So far so good. Thanks for the awesome help.

Also, right now I am running AVAST and Spybot S & D full time, and I have Ad-Aware, SpywareBlaster and HijackThis installed. Now I've installed the two programs you've recommended. Am I getting a bit redundant? Should I keep them all? Use them more often to prevent further infection? Your advice is appreciated.

Thx!
Tim



Response Number 13
Name: jdk (by neoark)
Date: June 6, 2009 at 09:41:56 Pacific
Reply:

No need to keep all of them. Keep what you use :). Personally I like Malwarebytes and SUPERAntiSpyware. But it really depends on what works for you :). Keep all of them for a while and see what works for you.

-------------------------------------------------



Response Number 14
Name: Tim_B
Date: June 6, 2009 at 09:50:16 Pacific
Reply:

Uh Oh! hold on here...

The SUPERantispyware scan hasn't finished yet, but so far it has detected the following:

RelevantKnowledge Spyware Component Detected Items 5
Spyware.RelevantKnowledge Detected Items 6

Like I say, it hasn't finished yet, so when it does I'll post the Fix, results, and logfile.

Unfortunately not done yet....



Response Number 15
Name: Tim_B
Date: June 6, 2009 at 10:05:52 Pacific
Reply:

OK, the SUPER scan is done and it detected the two items and sub folders. The program recommended a quarantine \ delete, which I did, then it rebooted. After reboot, I re-opened SUPER, went to the saved logfile, and it appears to be a logfile of the detection, but not removal. Is there another logfile other than the default location? Here it is anyways:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/06/2009 at 09:53 AM

Application Version : 4.26.1004

Core Rules Database Version : 3927
Trace Rules Database Version: 1871

Scan type : Complete Scan
Total Scan Time : 00:47:59

Memory items scanned : 664
Memory threats detected : 0
Registry items scanned : 5002
Registry threats detected : 0
File items scanned : 22324
File threats detected : 11

RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032483.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032485.exe
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032501.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032502.DLL

Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032749.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032747.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032748.exe
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032759.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032760.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032761.exe


I guess I could do just a modified \ specific re-scan with both programs to be sure it's now gone, instead of scanning all .5 Tb of hard disk space on my computer. Maybe just the C drive. Please advise. And thanks again.

Tim



Response Number 16
Name: jdk (by neoark)
Date: June 6, 2009 at 10:14:42 Pacific
Reply:

Your restore points are affected; make sure you delete your old restore points. Follow Response Number 1 and make a new set of logs.

-------------------------------------------------
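
The observation in Response 16, that the remaining detections sit inside System Restore stores rather than in the live file system, can be checked mechanically from the two scan logs. This is an added example and not part of any post in this thread; `split_detections` and the sample lines are constructed for illustration, in the format of the Malwarebytes and SUPERAntiSpyware logs above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the two scan logs posted above.
SAMPLE_LOG = r"""
Files Infected:
c:\program files\relevantknowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d61b181-7ab2-4305-9e45-1d2479119ac1}\RP119\A0022469.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
RelevantKnowledge Spyware Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032482.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP160\A0032485.exe
Spyware.RelevantKnowledge
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2D61B181-7AB2-4305-9E45-1D2479119AC1}\RP163\A0032748.exe
"""

# A file detection starts with a drive-letter path. Malwarebytes appends
# " (Name) -> action"; SUPERAntiSpyware lists the bare path under a heading.
PATH_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?:\s+\([^()]+\)\s+->.*)?$")
# Windows XP System Restore store:
#   <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\(rp\d+)\\", re.I)

def split_detections(log_text):
    """Return (live_paths, {restore_point: [paths]}) for flagged file paths."""
    live, in_restore = [], defaultdict(list)
    for line in log_text.splitlines():
        m = PATH_LINE.match(line.strip())
        if not m:
            continue  # headings, counters, registry keys, blank lines
        path = m.group("path")
        rp = RESTORE.search(path)
        if rp:
            in_restore[rp.group(1).upper()].append(path)
        else:
            live.append(path)
    return live, dict(in_restore)

if __name__ == "__main__":
    live, restore = split_detections(SAMPLE_LOG)
    print(f"{len(live)} flagged file(s) in the live file system")
    for rp, paths in sorted(restore.items()):
        print(f"{rp}: {len(paths)} flagged file(s) inside the restore point")
```

Any restore point that appears in the result still holds a copy of the flagged files and would bring them back if it were restored, which is why the old restore points are purged before the final scans.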



Response Number 17
Name: Tim_B
Date: June 6, 2009 at 10:20:18 Pacific
Reply:

OK, but just to clarify, should I be turning off system restore when I go back and do the info on Response 1, or just go and start that again?

Thx
Tim



Response Number 18
Name: jdk (by neoark)
Date: June 6, 2009 at 10:21:59 Pacific
Reply:

If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q...

Then follow Response number 1.

-------------------------------------------------



Response Number 19
Name: Tim_B
Date: June 6, 2009 at 11:32:37 Pacific
Reply:

OK, I turned off system restore and went back to the beginning.

Here is the rapidshare link to the logfile from AVZ4

http://rapidshare.com/files/2415674...

And here is the link to the Hijack This file:

http://rapidshare.com/files/2415685...

Thx
Tim



Response Number 20
Name: jdk (by neoark)
Date: June 6, 2009 at 11:56:14 Pacific
Reply:

Follow these steps in order numbered:

1) Run this script in AVZ; your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFileMask('C:\Program Files\RelevantKnowledge\','*.*',true);
DeleteDirectory('C:\Program Files\RelevantKnowledge\');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Run: http://onecare.live.com/site/en-Us/...

3) Run: http://onecare.live.com/site/en-Us/...

4) Enable system restore.

After this if you still have original problem let me know.

-------------------------------------------------



Response Number 21
Name: Tim_B
Date: June 6, 2009 at 17:12:08 Pacific
Reply:

OK, I've done the above and then rescanned with AVZ, Malwarebytes and SUPERAntiSpyware. Malwarebytes came up clean, AVZ found one tracking cookie and SUPER found a few items unrelated to the original reason for scanning, which it deleted. So I'm now clean. Thanks for all your help neoark...it was a marathon but it feels worth it to have that done.
Gracias
Tim



Response Number 22
Name: jdk (by neoark)
Date: June 6, 2009 at 17:19:12 Pacific
Reply:

It's always a marathon to remove something, especially virus/trojan/Ad-ware. You can uninstall everything you installed. For AVZ just delete the folder.

-------------------------------------------------

