Posted on 2004-10-24
Last Modified: 2008-01-09
A friend of mine runs AVG anti-virus software and Zone Zlarm.  She has recieved a report saying she has the "trojanhorse downloader.Keenval.P" in C/:Program files/commonfiles/searchupgrader/searchupgrader.exe. Extensive Google searches have given little if any information on the trojan although AdAware will sell you a tool to remove it. I am begining to wonder if it is exists at all. Has anyone got any more information on what the trojan does and how to get rid of it?
Question by:lizmunro
    LVL 65

    Expert Comment

    Hello lizmunro =)

    >> C/:Program files/commonfiles/searchupgrader/searchupgrader.exe

    This C/:Program files/commonfiles/searchupgrader is not a known or system folder,,,,,,, u dont require it !!
    Delete this whole folder from C/:Program files/commonfiles/ in safemode,,,, and then run adaware and AVG in safemode to make sure they are not reporting it !!
    restart and check again for the problem ??
    LVL 1

    Expert Comment

    Have you tried booting up in SAFE mode and scanning with AVG?
    LVL 2

    Expert Comment

    Download The Following Link it is designed to remove your virues
    LVL 7

    Expert Comment

    KeenValue is adware operated by

    KeenValue/v1, original version, consisting of a single process (keenvalue.exe) run at startup, which spawns pop-ups.

    KeenValue/Incredifind adds a second process, kwm.exe, to monitor web sites viewed for ad targeting. It also includes a hosts-file hijacker redirecting Netscape Search and Verisgn Sitefinder to, an address-bar-search and error-page hijacker pointed at (redirecting to, and an Internet Explorer toolbar providing a search field pointed at

    (The PowerSearch toolbar is a customised version of Visicom Media's ‘Dynamic Toolbar’, other variants of which are not known to be parasitic.)

    KeenValue/wupdater and KeenValue/SearchUpgrader consist of the Incredifind hijacker together with renamed BHOs and updater processes.

    Included in software supplied by eUniverse sites, such as,, and

    Also installed by the FavoriteMan and SuperSpider parasites.

    What it does
    Yes, opens pop-up ads periodically; in the Incredifind variant these may be triggered by targeted terms in pages being viewed.

    Privacy violation
    The software's terms claim it may send all URLs viewed to its controllers. This behaviour has not been observed to happen in current versions of the software. In the Incredifind variant, the error hijack feature does leak some trackable information on pages viewed.

    Security issues
    Yes. Can download and execute arbitrary code as directed by its controlling server, as an update feature.

    Stability problems
    There may be problems closing keenvalue.exe when shutting the computer down.

    The v1 variant may be removed from the Control Panel's Add/Remove Programs feature. Choose 'KeenValue' and click 'Remove'.

    The Incredifind variant can be partially removed using the 'KeenValue' and 'PowerSearch toolbar for IE' entries in Add/Remove Programs, if an internet connection is present.

    Manual Removal
    For the Incredifind variant, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "\Program Files\Incredifind\BHO\BHO.dll"
    regsvr32 /u "\Program Files\PowerSearch\Toolbar\pwrs0rbi.dll"
    For the wupdater variant, enter:

    cd "%WinDir%\System"
    regsvr32 /u "\Program Files\Incredifind\BHO\IncFindBHO.dll"
    For the SearchUpgrader variant, enter:

    cd "%WinDir%\System"
    regsvr32 /u "\Program Files\Incredifind\BHO\IncFindBHO170.dll"
    Next, for either variant, open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Remove the 'KeenValue' entry for the v1 and Incredifind variants, 'updater' for the wupdater variant or 'SearchUpgrader' for the SearchUpgrader variant. You can also delete the following keys to clean up, if you wish:

    HKEY_CURRENT_USER\Software\Visicom Media\PWRS0RBI
    (Also the 'KeenValue' and 'PowerSearch' keys from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall can be deleted if you still have them.)

    Next, restart your computer and you should be able to delete the 'KeenValue' folder (or 'SearchUpgrader' for that variant) inside the Program Files\Common Files folder. For the Incredifind variant you can also delete the Program Files folders 'PowerSearch', 'Incredifind' and 'Dynamic Toolbar\PWRS0RBI'.

    Finally, restore your search settings (Internet Options->Programs->Reset Web Settings), and remove the Hosts file hijack: open the System folder (which is inside the Windows folder, and called 'System32' on Windows NT, 2000 and XP), go to 'drivers'->'etc', and load the file 'hosts' (with no file extension) into a text editor. Delete the following line and save.

    LVL 18

    Accepted Solution

    "although AdAware will sell you a tool to remove it."

    AdAware is a very good malware removal tool (the free version they have is just fine) and is one of the one best out there to use and should be used to scan your system for malware. Another good free tool is Spybot Search and Destroy. You should also be using these 2 tools in addition to AV and zone alarm to help keep your system clean.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone. Privacy Policy Terms of Use

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
    I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    860 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now