Wolvesfan62

Relevant Knowledge Spyware

Hi

I am using Windows 7 and before this infection I used AVG with Adaware, Zone Alarm, Hijack This and Spybot for security (all are up to date).

I believe relevant Knowledge was installed by a utility I downloaded from download.com to convert mp3 files (for my son so he could listen to Queens of the Stone Age on his DS). Wherever it came from, I did not install it intentionally.

When I noticed it, I uninstalled it via control panel.

I thought that had got rid of it, but AdAware keeps finding it on scans, then suggests it will remove it, but it never does.

I have run Hijack This a few times and it also finds relevant Knowledge, but when you select 'fix checked' to remove it, it appears to go but keeps reappearing.

I have tried downloading various other programs to try and remove it but none have helped. This includes 'Avast free anti virus' and '1-ClickPCfix' - but Avast keeps blocking 1-Click and describing it as an infection. I will be removing both programs when this is sorted.

I have looked at other posts on RelevantKnowledge here but none appeared to have a solution.

My laptop appears much slower since the arrival of relevantknowledge.

Can anyone help me to remove it please?

Thanks in advance.
Derek

I have attached the OTL generated files and the Hijack This log:
[attachment=9153:Extras.Txt]
[attachment=9154:OTL.Txt]
[attachment=9155:hijackthis.log]

Hi,

Let's run OTL.[list]
[*]Under the [color=#0000FF][b]Custom Scans/Fixes[/b][/color] box at the bottom, paste in the following


[code]:OTL
SRV - (RelevantKnowledge) -- C:\Program Files (x86)\RelevantKnowledge\rlservice.exe (TMRG, Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}: C:\Program Files (x86)\RelevantKnowledge [2011/11/10 22:54:37 | 000,000,000 | ---D | M]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
:Files
C:\Program Files (x86)\RelevantKnowledge
:Commands
[emptytemp]
[/code]
[*]Then click the [color=#FF0000][b]Run Fix[/b][/color] button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then post a new OTL log
[/list]

* Go [url="http://www.eset.eu/online-scanner"][color=red][b][u]here[/u][/b][/color][/url] to run an online scanner from ESET.[list]
[*][color=red][b]Note:[/b][/color] You will need to use [color=blue][b]Internet Explorer[/b][/color] for this scan
[*]Tick the box next to [b]YES, I accept the Terms of Use.[/b]
[*]Click [b]Start[/b]
[*]When asked, allow the ActiveX control to install
[*]Click [b]Start[/b]
[*]Make sure that the option [b]Remove found threats[/b] is UNchecked and the option [b]Scan unwanted applications[/b] is checkmarked.
[*]Click [b]Scan[/b]
[*]Wait for the scan to finish. Copy-paste findings (if any) back here.
[/list]

Thanks for the advice Blade81.

I ran OTL twice as the first time it hung, then appeared to restart the next time I logged on. I have attached the 2 log files it produced.

I then ran the ESET scanner and have attached the log file.

I'd be very happy about uninstalling '1-click' as I only loaded that to try and remove relevant knowledge.

I'm keen on keeping the 'prey' program but the log suggests the installer may be a problem so really happy about getting rid of all of those.

I work in ICT but all this is far beyond my skill set so will be following your advice.

Thanks again.

Derek

Hi,

Uninstall [b]1-Click PC Fix v4[/b] via Control Panel. Then run OTL again (like you did to get logs in your starting post). Post back contents of fresh OTL.txt log.

Hi Derek,

Let's run OTL again.

Under the Custom Scans/Fixes box at the bottom, paste in the following

[code]:OTL
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}: C:\Program Files (x86)\RelevantKnowledge
:Files
C:\Program Files (x86)\1-Click PC Fix v4
C:\Users\Dad\Downloads\cnet_disk-defrag-setup_exe.exe
C:\Users\Dad\Downloads\cnet_Setup_FreeConverter_exe(1).exe
C:\Users\Dad\Downloads\cnet_Setup_FreeConverter_exe.exe
C:\Users\Derek Hart\Downloads\cnet2_1ClickPCfix_exe.exe
C:\Users\Maria Hart\Downloads\cnet_prey-0_5_3-win_exe.exe
[/code]
Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post a new OTL log.

How's the system now?
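
Added example, not part of the original posts: a read-only PowerShell check for the items the two OTL fixes above target, useful after the reboot to confirm nothing has come back. The service name, folder and extension GUID are copied from the thread; the Wow6432Node key is an assumption for 64-bit Windows.

```powershell
# Added example: read-only check for the RelevantKnowledge items named in the fix scripts.
# Service name, folder and GUID come from the thread; the Wow6432Node key is an assumption
# for 64-bit Windows. Written to run on the PowerShell 2.0 that ships with Windows 7.
$dir  = 'C:\Program Files (x86)\RelevantKnowledge'
$guid = '{3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}'
$findings = @()

# Service from the SRV line, matched by name or by a binary path inside the folder,
# so a copy registered under another service name is still reported.
$services = Get-WmiObject -Class Win32_Service | Where-Object {
    $_.Name -eq 'RelevantKnowledge' -or $_.PathName -like '*\RelevantKnowledge\*'
}
foreach ($svc in $services) {
    $findings += "Service '$($svc.Name)' ($($svc.State)): $($svc.PathName)"
}

# Running instance of the service binary (rlservice.exe).
foreach ($proc in @(Get-Process -Name 'rlservice' -ErrorAction SilentlyContinue)) {
    $findings += "Process rlservice.exe running, PID $($proc.Id)"
}

# Program folder from the :Files section.
if (Test-Path -LiteralPath $dir) { $findings += "Folder still present: $dir" }

# Firefox extension registration: a value named after the GUID under the Extensions key.
$ffKeys = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
          'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions'
foreach ($key in $ffKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$guid]) {
        $value = $props.PSObject.Properties[$guid].Value
        $findings += "Firefox extension value under ${key}: $value"
    }
}

if ($findings.Count -eq 0) { 'No RelevantKnowledge items from the fix scripts were found.' } else { $findings }
```

The script changes nothing; any line it prints names an item to raise with the helper before further cleanup.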

Hi Blade81,

Thanks again for the advice. This certainly seems to have cleared up the issue. I have attached the new OTL & ESET log files.

I'll delete the cnet install files which the scanner keeps thinking may be Win32 variants.

I presume deleting the OTL directory will remove the last trace of the relevant Knowledge!?

Would you recommend anything else?

I'll probably use the ESET scanner every now and again in future just to check everything is clear?

Kind regards
Derek

Hi,

Delete these manually:
C:\Users\Dad\Downloads\[b]cnet_disk-defrag-setup_exe.exe[/b]
C:\Users\Dad\Downloads\[b]cnet_Setup_FreeConverter_exe(1).exe[/b]
C:\Users\Dad\Downloads\[b]cnet_Setup_FreeConverter_exe.exe[/b]
C:\Users\Derek Hart\Downloads\[b]cnet2_1ClickPCfix_exe.exe[/b]
C:\Users\Maria Hart\Downloads\[b]cnet_prey-0_5_3-win_exe.exe[/b]

[quote]I presume deleting the OTL directory will remove the last trace of the relevant Knowledge!?[/quote]
Yep, instructions below will take care of that.


If no issues let's see the final steps then :)


[color=blue]THESE STEPS ARE VERY IMPORTANT[/color]

[color=purple]Let's reset system restore[/color]
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling System Restore, but in step 7 select the Restore system settings and previous versions of files option.


[list]
[*]Double-click [b]OTL.exe[/b].
[*]Click the [b]CleanUp![/b] button.
[*]Select [b]Yes[/b] when the "Begin cleanup Process?" prompt appears.
[*]If you are prompted to Reboot during the cleanup, select [b]Yes[/b].
[*]The tool will delete itself once it finishes; if not, delete it yourself.
[/list]
Note: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.


[color=orange]UPDATING WINDOWS AND INTERNET EXPLORER[/color]

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to [url="http://windowsupdate.microsoft.com/"][color=blue]the windows update site[/color][/url] to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

[color=purple]Make your Internet Explorer more secure[/color]

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Download and run [url="http://secunia.com/vulnerability_scanning/personal/"]Secunia Personal Software Inspector (PSI)[/url] and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


[b]Just a final reminder for you. I am trying to stress these two points.[/b]
[color=green][size=3]UPDATE UPDATE UPDATE!!![/size][/color] Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
[color=purple]Visit Microsoft's Windows Update Site Frequently[/color] - It is important that you visit [url="http://www.windowsupdate.com"]http://www.windowsupdate.com[/url] regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

[color=green]Have a great day,[/color]
Blade B)
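
Added example, not part of the original post: a PowerShell audit that compares the current user's Internet zone against the six Custom Level settings listed under "Make your Internet Explorer more secure". The registry path and the numeric action IDs are Microsoft's documented URL action flags for security zones and do not appear in the thread.

```powershell
# Added example: read-only audit of the IE Internet zone (zone 3) for the current user.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Group Policy can override these per-user values; this script reads only the HKCU zone key.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$wanted = @(
    @{ Id = '1001'; Want = 1; Name = 'Download signed ActiveX controls' },
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' },
    @{ Id = '1201'; Want = 3; Name = 'Initialize and script ActiveX controls not marked as safe' },
    @{ Id = '1800'; Want = 1; Name = 'Installation of desktop items' },
    @{ Id = '1804'; Want = 1; Name = 'Launching programs and files in an IFRAME' },
    @{ Id = '1607'; Want = 1; Name = 'Navigate sub-frames across different domains' }
)

function Get-ActionLabel($value) {
    # Translate a stored DWORD into the wording used in the Custom Level dialog.
    if ($value -eq $null) { return 'not set' }
    switch ([int]$value) {
        0 { 'Enable' }
        1 { 'Prompt' }
        3 { 'Disable' }
        default { "other ($value)" }
    }
}

$current = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
$report = foreach ($w in $wanted) {
    $prop = if ($current) { $current.PSObject.Properties[$w.Id] }
    $have = if ($prop) { $prop.Value } else { $null }
    New-Object PSObject -Property @{
        Setting     = $w.Name
        Current     = Get-ActionLabel $have
        Recommended = Get-ActionLabel $w.Want
        Matches     = ($have -ne $null -and [int]$have -eq $w.Want)
    }
}
$report | Select-Object Setting, Current, Recommended, Matches | Format-Table -AutoSize
```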

Hi Blade81,

All actions followed through successfully. I was only 1 version out on Java, otherwise all software was up to date.

I have learned of some useful tools, had good advice and got my laptop sorted. Really helpful.

Many, many thanks.

Cheers
Derek :D

You're welcome. Glad I was able to help :)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !

This topic is now closed to further replies.