Description
KeenValue is adware operated by eUniverse.com.
Variants
KeenValue/v1 is the original version, consisting of a
single process (keenvalue.exe) run at startup, which spawns
pop-ups.
KeenValue/Incredifind adds a second process, kwm.exe,
to monitor web sites viewed for ad targeting. It also includes
a hosts-file hijacker redirecting Netscape Search and VeriSign
Sitefinder to incredifind.com, an address-bar-search and error-page
hijacker pointed at incredifind.com (redirecting to sirsearch.com),
and an Internet Explorer toolbar providing a search field
pointed at sirsearch.com.
(The PowerSearch toolbar is a customised version of Visicom
Media's ‘Dynamic Toolbar’, other variants of which are not
known to be parasitic.)
KeenValue/wupdater and KeenValue/SearchUpgrader
consist of the Incredifind hijacker together with renamed
BHOs and updater processes.
Distribution
Included in software supplied by eUniverse sites, such as
thunderdownloads.com, myfreecursors.com, cursorzone.com and
mycoolscreen.com.
Also installed by the FavoriteMan and SuperSpider
parasites.
What it does
Advertising
Yes, opens pop-up ads periodically; in the Incredifind variant
these may be triggered by targeted terms in pages being viewed.
Privacy violation
The software's terms claim it may send all URLs viewed to
its controllers. This behaviour has not been observed to happen
in current versions of the software. In the Incredifind variant,
the error hijack feature does leak some trackable
information on pages viewed.
Security issues
Yes. Can download and execute arbitrary code as directed
by its controlling server, as an update feature.
Stability problems
There may be problems closing keenvalue.exe when shutting
the computer down.
Removal
The v1 variant may be removed from the Control Panel's Add/Remove
Programs feature. Choose 'KeenValue' and click 'Remove'.
The Incredifind variant can be partially removed using the
'KeenValue' and 'PowerSearch toolbar for IE' entries in Add/Remove
Programs, if an internet connection is present.
Manual Removal
For the Incredifind variant, open a DOS command prompt window
(from Start->Programs->Accessories) and enter the following
commands:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\BHO.dll"
regsvr32 /u "\Program Files\PowerSearch\Toolbar\pwrs0rbi.dll"
For the wupdater variant, enter:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\IncFindBHO.dll"
For the SearchUpgrader variant, enter:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Incredifind\BHO\IncFindBHO170.dll"
Next, for any variant, open the registry (click 'Start',
choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Remove the 'KeenValue' entry for the v1 and Incredifind variants,
'updater' for the wupdater variant or 'SearchUpgrader' for
the SearchUpgrader variant. You can also delete the following
keys to clean up, if you wish:
HKEY_CURRENT_USER\Software\Visicom Media\PWRS0RBI
HKEY_LOCAL_MACHINE\SOFTWARE\eUniverse
HKEY_LOCAL_MACHINE\SOFTWARE\KeenValue
HKEY_LOCAL_MACHINE\SOFTWARE\updater
(Also the 'KeenValue' and 'PowerSearch' keys from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
can be deleted if you still have them.)
Next, restart your computer and you should be able to delete
the 'KeenValue' folder (or 'SearchUpgrader' for that variant)
inside the Program Files\Common Files folder. For the Incredifind
variant you can also delete the Program Files folders 'PowerSearch',
'Incredifind' and 'Dynamic Toolbar\PWRS0RBI'.
Finally, restore your search settings (Internet Options->Programs->Reset
Web Settings), and remove the Hosts file hijack: open the
System folder (which is inside the Windows folder, and called
'System32' on Windows NT, 2000 and XP), go to 'drivers'->'etc',
and load the file 'hosts' (with no file extension) into a
text editor. Delete the following line and save.
12.129.205.209 search.netscape.com
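The hosts-file check described above can be scripted. The following is an added example, not part of the original write-up: it flags any line that maps search.netscape.com to a non-loopback address (a generalisation of the single line quoted above) and returns a cleaned copy. The function name, the WATCHED set and the sample file are assumptions made for illustration.

```python
import ipaddress

# Hostname named in the hijack line above; extend the set as needed.
WATCHED = {"search.netscape.com"}

def audit_hosts(text, watched=WATCHED):
    """Return (findings, cleaned_text) for hosts-file content.
    A finding is (line_number, address, hostname) for each watched name
    mapped to an address that is neither loopback nor 0.0.0.0."""
    findings, kept = [], []
    for num, line in enumerate(text.splitlines(), start=1):
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            kept.append(line)          # blank, comment-only or malformed
            continue
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            kept.append(line)          # not an address; leave untouched
            continue
        redirected = not (ip.is_loopback or ip.is_unspecified)
        bad = [n for n in names if redirected and n.lower().rstrip(".") in watched]
        if not bad:
            kept.append(line)
            continue
        findings.extend((num, addr, n) for n in bad)
        rest = [n for n in names if n not in bad]
        if rest:                       # keep unrelated names for manual review
            tail = f" {sep}{comment}" if sep else ""
            kept.append(f"{addr} {' '.join(rest)}{tail}")
    return findings, "\n".join(kept) + "\n"

# Constructed sample: only the 12.129.205.209 line is taken from the page.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
12.129.205.209 search.netscape.com
12.129.205.209\tSearch.Netscape.com. intranet.example  # constructed variant
127.0.0.1 search.netscape.com
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE)
    for num, addr, name in found:
        print(f"line {num}: {name} -> {addr}")
    print(cleaned, end="")
```

To audit a real machine, pass the contents of the 'hosts' file from the 'drivers'->'etc' folder to audit_hosts and review the findings before writing the cleaned text back.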