Saturday, October 15, 2011

How to remove persistent Malware (RelevantKnowledge)

Intro:
Search Google for "RelevantKnowledge" and you will find removal instructions within the top 10 results.
In this post I will introduce a more generic step-by-step approach so you can remove most common malware on your own.

Anyway, I am writing this post because I was infected with a piece of malware called RelevantKnowledge.

Summary: remove RelevantKnowledge on Win7 64-bit FAST:
1) Stop the RelevantKnowledge service.
a) Run msconfig.
b) In msconfig, click the Services tab.
c) Find RelevantKnowledge and uncheck it.
d) Click Apply and close msconfig.

2) Reboot the PC.

3) Delete all the files from c:\Program Files (x86)\RelevantKnowledge\

For more detailed information on malware removal, read the rest of the post.

General idea of what malware is:
Malware is simply software that you do not want on your PC.
Some of it leeches on your network or steals your credentials, while other malware lets the "hacker" use your PC.
It is very likely you got infected from a malicious website.

After installing itself on your PC it needs a way to start itself up every time you turn on your PC.
The few common ways for it to do that include:
Run key
Service
Startup folder
WMI

Case study: from what I can observe, RelevantKnowledge is merely a nuisance that generates ad pop-ups when surfing the net.
I am running Win7 64-bit with no AV scanner installed.
So how did I find this bugger? I became suspicious after constantly receiving pop-ups while surfing the net.

I proceeded to look for suspicious Run keys and services on my system.
Type msconfig in Run or cmd.exe:
The Startup tab lists software that starts via Run keys.
The Services tab lists software that starts as a service.

So how do I tell what is suspicious?
Spelling errors, unknown programs, unknown or missing manufacturer info.
Next, Google those suspicious programs to verify whether they are authentic.

And that is how I caught RelevantKnowledge, which installed itself as a service called "RelevantKnowledge".

Next, find out where it is installed on the system.
I prefer to use regedit, export HKLM and search for the keys in my own text editor. You can also search from regedit directly, but I do not recommend that.
Highlight HKEY_LOCAL_MACHINE => Ctrl+F => Export => save it to the desktop as hklm.reg

Open hklm.reg in a text editor (I recommend UltraEdit or Notepad++) and search for relevantknowledge.
Based on the filtered results I know it is installed in "C:\Program Files (x86)\RelevantKnowledge\".
There are a total of 36 unwanted registry entries.
I repeated the above steps for HKEY_CURRENT_USER (HKCU). It seems RelevantKnowledge did not have any entry in HKCU.

So what do HKCU and HKLM imply?
HKCU implies that software started by a key there runs with the current user's rights.
HKLM implies that software started by a key there runs with system rights.

Next step -> Remove the startup entries from the registry
This step ensures that on the next reboot the malware will not run.
There are 36 entries; you could choose to remove them all, or remove just the services or Run keys, if any:
\services\
\run\

Filtered results:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RelevantKnowledge]

Commands to delete the registry entries in cmd.exe (run as administrator; each command asks for confirmation before deleting the key):
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RelevantKnowledge"
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RelevantKnowledge"
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RelevantKnowledge"
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RelevantKnowledge"
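The export-and-search step above, together with the Run key and Service persistence methods listed earlier, can be automated. This is an added example, not code from the original post: a small Python script that parses a regedit .reg export, pulls out every key or value mentioning a keyword, classifies each hit by persistence location, and emits the matching reg delete commands (the whole key for a service, only the named value for a Run key, since deleting the whole Run key would also remove legitimate startup entries). The .reg content, the VendorUpdater entry and the file name rk_sample.exe are constructed placeholders.

```python
import re
# Constructed sample of a regedit HKLM export (real exports are UTF-16 .reg files
# with this same layout); the paths and rk_sample.exe are placeholders, not real names.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files (x86)\\Vendor\\updater.exe"
"RelevantKnowledge"="C:\\Program Files (x86)\\RelevantKnowledge\\rk_sample.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RelevantKnowledge]
"ImagePath"="C:\\Program Files (x86)\\RelevantKnowledge\\rk_sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RelevantKnowledge]
"RelevantKnowledge"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^(?:"(.*?)"|@)=(.*)$')     # "name"=data  or  @=data (default value)
def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1) or "@"] = m.group(2)
    return keys

def classify(key_path):
    """Persistence class from the key path: the services and run filters used above."""
    low = key_path.lower()
    return "service" if "\\services\\" in low else "runkey" if "\\currentversion\\run" in low else "other"

def find_entries(keys, keyword):
    """All (key, value_name, data) whose key path or data mentions keyword, like the editor search."""
    kw = keyword.lower()
    return [(k, n, d) for k, vals in keys.items() for n, d in vals.items()
            if kw in k.lower() or kw in d.lower()]

def delete_commands(hits):
    """reg delete lines: the whole key for a service, only the named value for a Run key."""
    cmds = set()
    for key, name, _ in hits:
        kind = classify(key)
        if kind == "service":
            cmds.add(f'reg delete "{key}"')
        elif kind == "runkey":                  # never delete the whole Run key
            cmds.add(f'reg delete "{key}" /v "{name}"')
    return sorted(cmds)
```

Run it against a real export with `delete_commands(find_entries(parse_reg(open("hklm.reg", encoding="utf-16").read()), "relevantknowledge"))` and review the list before running any of it.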

Finally -> Delete the physical files:
This is where the malware resides. But I cannot delete all the files yet because the malware is still running.
RelevantKnowledge runs its own exe files and also hooks DLLs into running processes such as chrome.exe.

To check if the malware is running I prefer to use the traditional cmd.exe (run as administrator).
Use the tasklist command to list running executables, and check whether any of the RelevantKnowledge exe files are running.

Use tasklist /m to check which running processes have loaded the malware's DLLs.

So they are running; what can I do?

The easiest way is to reboot your PC: if you deleted the registry keys successfully, the malware should not be loaded on the next startup.

The alternative method (not recommended) requires you to taskkill every malware-related exe, meaning even a legitimate exe such as chrome.exe that the malware DLL was loaded into must be killed off.
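An added example (not from the original post) of the tasklist /m check: a Python parser for the command's output that separates the malware's own processes from legitimate processes that merely have one of its DLLs loaded, and builds the taskkill list the alternative method would need. The sample output and the names rk_sample.exe / rk_sample.dll are constructed placeholders, and the parser assumes the real command's layout, where a wrapped module list continues on indented lines.

```python
import re

# Constructed sample of `tasklist /m` output (same column layout as the real command;
# rk_sample.exe / rk_sample.dll are placeholders, not the malware's file names).
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1528 ntdll.dll, kernel32.dll, SHELL32.dll
rk_sample.exe                 3012 ntdll.dll, kernel32.dll, rk_sample.dll
chrome.exe                    2140 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   rk_sample.dll, user32.dll
chrome.exe                    2188 ntdll.dll, kernel32.dll, KERNELBASE.dll
"""

ROW_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image name (may contain spaces), PID, modules

def _split_modules(field):
    return [m.strip() for m in field.split(",") if m.strip()]

def parse_tasklist_modules(text):
    """Return {(image, pid): [module, ...]}; an indented line continues the previous row."""
    procs, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last is not None:     # wrapped module list
            procs[last] += _split_modules(line)
            continue
        m = ROW_RE.match(line)                           # header and ==== rule never match
        if not m:
            continue
        last = (m.group(1), int(m.group(2)))
        procs[last] = [] if m.group(3) == "N/A" else _split_modules(m.group(3))
    return procs

def triage(procs, malware_files):
    """Split running processes into the malware's own images and legitimate
    processes that merely have one of its DLLs loaded (case-insensitive names)."""
    wanted = {f.lower() for f in malware_files}
    own = [p for p in procs if p[0].lower() in wanted]
    hosts = [p for p, mods in procs.items()
             if p[0].lower() not in wanted and any(x.lower() in wanted for x in mods)]
    return own, hosts

def taskkill_commands(own, hosts):
    """The post's alternative (not recommended) method: every process on both lists must go."""
    return [f"taskkill /PID {pid} /F" for _, pid in own + hosts]
```

On a live system feed it `subprocess.run(["tasklist", "/m"], capture_output=True, text=True).stdout`; an empty `hosts` list means a reboot after the registry cleanup is all that is needed.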

After the malware is unloaded, proceed to delete the physical files.

Now the malware should be deleted. Do note there are many variants of these buggers. Some include a watchdog process that reinstalls the malware if it detects that it is not running or not started. In such a case we need to find where the watchdog process is hiding in the system and delete it together with the malware.

2 comments:

  1. Hi Zee,

RelevantKnowledge is malware.
    RelevantKnowledge installs itself without my approval. It disrupts my browsing experience with its pop-ups. It gathers information on me.

    From wiki: "Malware is a software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems."
