lizmunro
asked on
Downloader.Keenval.P
A friend of mine runs AVG anti-virus software and Zone Zlarm. She has recieved a report saying she has the "trojanhorse downloader.Keenval.P" in C/:Program files/commonfiles/searchup grader/sea rchupgrade r.exe. Extensive Google searches have given little if any information on the trojan although AdAware will sell you a tool to remove it. I am begining to wonder if it is exists at all. Has anyone got any more information on what the trojan does and how to get rid of it?
Have you tried booting up in SAFE mode and scanning with AVG?
Download The Following Link it is designed to remove your virues
http://securityresponse.symantec.com/avcenter/FxKeenVl.exe
http://securityresponse.symantec.com/avcenter/FxKeenVl.exe
Description
KeenValue is adware operated by eUniverse.com.
Variants
KeenValue/v1, original version, consisting of a single process (keenvalue.exe) run at startup, which spawns pop-ups.
KeenValue/Incredifind adds a second process, kwm.exe, to monitor web sites viewed for ad targeting. It also includes a hosts-file hijacker redirecting Netscape Search and Verisgn Sitefinder to incredifind.com, an address-bar-search and error-page hijacker pointed at incredifind.com (redirecting to sirsearch.com), and an Internet Explorer toolbar providing a search field pointed at sirsearch.com.
(The PowerSearch toolbar is a customised version of Visicom Media's ‘Dynamic Toolbar’, other variants of which are not known to be parasitic.)
KeenValue/wupdater and KeenValue/SearchUpgrader consist of the Incredifind hijacker together with renamed BHOs and updater processes.
Distribution
Included in software supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com.
Also installed by the FavoriteMan and SuperSpider parasites.
What it does
Advertising
Yes, opens pop-up ads periodically; in the Incredifind variant these may be triggered by targeted terms in pages being viewed.
Privacy violation
The software's terms claim it may send all URLs viewed to its controllers. This behaviour has not been observed to happen in current versions of the software. In the Incredifind variant, the error hijack feature does leak some trackable information on pages viewed.
Security issues
Yes. Can download and execute arbitrary code as directed by its controlling server, as an update feature.
Stability problems
There may be problems closing keenvalue.exe when shutting the computer down.
Removal
The v1 variant may be removed from the Control Panel's Add/Remove Programs feature. Choose 'KeenValue' and click 'Remove'.
The Incredifind variant can be partially removed using the 'KeenValue' and 'PowerSearch toolbar for IE' entries in Add/Remove Programs, if an internet connection is present.
Manual Removal
For the Incredifind variant, open a DOS command prompt window (from Start->Programs->Accessori es) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\BHO. dll"
regsvr32 /u "\Program Files\PowerSearch\Toolbar\ pwrs0rbi.d ll"
For the wupdater variant, enter:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\IncF indBHO.dll "
For the SearchUpgrader variant, enter:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\IncF indBHO170. dll"
Next, for either variant, open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Softwar e\Microsof t\Windows\ CurrentVer sion\Run. Remove the 'KeenValue' entry for the v1 and Incredifind variants, 'updater' for the wupdater variant or 'SearchUpgrader' for the SearchUpgrader variant. You can also delete the following keys to clean up, if you wish:
HKEY_CURRENT_USER\Software \Visicom Media\PWRS0RBI
HKEY_LOCAL_MACHINE\SOFTWAR E\eUnivers e
HKEY_LOCAL_MACHINE\SOFTWAR E\KeenValu e
HKEY_LOCAL_MACHINE\SOFTWAR E\updater
(Also the 'KeenValue' and 'PowerSearch' keys from HKEY_LOCAL_MACHINE\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Unins tall can be deleted if you still have them.)
Next, restart your computer and you should be able to delete the 'KeenValue' folder (or 'SearchUpgrader' for that variant) inside the Program Files\Common Files folder. For the Incredifind variant you can also delete the Program Files folders 'PowerSearch', 'Incredifind' and 'Dynamic Toolbar\PWRS0RBI'.
Finally, restore your search settings (Internet Options->Programs->Reset Web Settings), and remove the Hosts file hijack: open the System folder (which is inside the Windows folder, and called 'System32' on Windows NT, 2000 and XP), go to 'drivers'->'etc', and load the file 'hosts' (with no file extension) into a text editor. Delete the following line and save.
12.129.205.209 search.netscape.com
...;-)
KeenValue is adware operated by eUniverse.com.
Variants
KeenValue/v1, original version, consisting of a single process (keenvalue.exe) run at startup, which spawns pop-ups.
KeenValue/Incredifind adds a second process, kwm.exe, to monitor web sites viewed for ad targeting. It also includes a hosts-file hijacker redirecting Netscape Search and Verisgn Sitefinder to incredifind.com, an address-bar-search and error-page hijacker pointed at incredifind.com (redirecting to sirsearch.com), and an Internet Explorer toolbar providing a search field pointed at sirsearch.com.
(The PowerSearch toolbar is a customised version of Visicom Media's ‘Dynamic Toolbar’, other variants of which are not known to be parasitic.)
KeenValue/wupdater and KeenValue/SearchUpgrader consist of the Incredifind hijacker together with renamed BHOs and updater processes.
Distribution
Included in software supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com.
Also installed by the FavoriteMan and SuperSpider parasites.
What it does
Advertising
Yes, opens pop-up ads periodically; in the Incredifind variant these may be triggered by targeted terms in pages being viewed.
Privacy violation
The software's terms claim it may send all URLs viewed to its controllers. This behaviour has not been observed to happen in current versions of the software. In the Incredifind variant, the error hijack feature does leak some trackable information on pages viewed.
Security issues
Yes. Can download and execute arbitrary code as directed by its controlling server, as an update feature.
Stability problems
There may be problems closing keenvalue.exe when shutting the computer down.
Removal
The v1 variant may be removed from the Control Panel's Add/Remove Programs feature. Choose 'KeenValue' and click 'Remove'.
The Incredifind variant can be partially removed using the 'KeenValue' and 'PowerSearch toolbar for IE' entries in Add/Remove Programs, if an internet connection is present.
Manual Removal
For the Incredifind variant, open a DOS command prompt window (from Start->Programs->Accessori
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\BHO.
regsvr32 /u "\Program Files\PowerSearch\Toolbar\
For the wupdater variant, enter:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\IncF
For the SearchUpgrader variant, enter:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\IncF
Next, for either variant, open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Softwar
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWAR
HKEY_LOCAL_MACHINE\SOFTWAR
HKEY_LOCAL_MACHINE\SOFTWAR
(Also the 'KeenValue' and 'PowerSearch' keys from HKEY_LOCAL_MACHINE\SOFTWAR
Next, restart your computer and you should be able to delete the 'KeenValue' folder (or 'SearchUpgrader' for that variant) inside the Program Files\Common Files folder. For the Incredifind variant you can also delete the Program Files folders 'PowerSearch', 'Incredifind' and 'Dynamic Toolbar\PWRS0RBI'.
Finally, restore your search settings (Internet Options->Programs->Reset Web Settings), and remove the Hosts file hijack: open the System folder (which is inside the Windows folder, and called 'System32' on Windows NT, 2000 and XP), go to 'drivers'->'etc', and load the file 'hosts' (with no file extension) into a text editor. Delete the following line and save.
12.129.205.209 search.netscape.com
...;-)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>> C/:Program files/commonfiles/searchup
This C/:Program files/commonfiles/searchup
Delete this whole folder from C/:Program files/commonfiles/ in safemode,,,, and then run adaware and AVG in safemode to make sure they are not reporting it !!
restart and check again for the problem ??