Adware.Keenval

 
Last Updated on: December 13, 2003 12:30:14 PM
 
 
Type: Adware
 
Name: Keenvalue.exe
Version: 1.6
Publisher: eUniverse.com
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, Microsoft IIS, OS/2, UNIX
 
Removal: Low
Damage: Low


Causes adware to run at startup and redirects browser to specified sites.

 

detection
  • Intelligent Updater Definitions*: September 22, 2003
  • LiveUpdate™ Definitions**: September 24, 2003

    * Intelligent Updater definitions are released daily, but require manual download and installation.

    ** LiveUpdate definitions are usually released every Wednesday.

    This threat can be detected only by Symantec products that support expanded threats.

    summary

    Behavior
    Adware.Keenval is an adware program that redirects the browser to portal sites, which may download more adware.

    Transmission
    Can be picked up from an affected site, but must be manually installed.

    technical details
     

    File names: Adware.Keenval creates the directory C:\Program Files\Common Files\KeenValue, which contains the following files:

    IESliderWin32.dll
    Keenvalue.exe
    KeenValueInstall_with_track_120.exe
    Killkeenvalue.exe
    Kv???.dat
    Kvlhookwin.dll
    Kwm.exe
    SendUninstallInfo.exe
    Setup_incredifind_ultimatesaver_with_track.exe
    Setup_powersearch_ultimateSaver_with_track.exe
    Tipb.exe
    Uninstall.exe



    When KeenValue.exe is executed, it performs the following actions:
     

    1. Creates the directory, drops several files, and sets itself to run at startup.

       
    2. Adds the value:

      "KeenValue"="C:\Program Files\Common Files\KeenValue\KeenValue.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the application starts when Windows starts.

       
    3. Adds the registry keys:
       
      • HKEY_LOCAL_MACHINE\Software\KeenValue
      • HKEY_LOCAL_MACHINE\Software\eUniverse


     

    removal instructions


    Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.


    1. Update the virus definitions.
    2. Uninstall KeenValue using the Add/Remove Programs utility.
    3. Run a full system scan and delete all the files detected as Adware.Keenval.
    4. Delete the values that were added to the registry.
       

    For specific details on each of these steps, read the following instructions.

    1. Updating the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:


    2. Uninstalling the Adware

    1. Do one of the following:
      • On the Windows 98 taskbar:
        1. Click Start > Settings > Control Panel.
        2. In the Control Panel window, double-click Add/Remove Programs.

           
      • On the Windows Me taskbar:
        1. Click Start > Settings > Control Panel.
        2. In the Control Panel window, double-click Add/Remove Programs.
          If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."

           
      • On the Windows 2000 taskbar:
        By default, Windows 2000 is set up the same as Windows 98. In that case, follow the instructions for Windows 98. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.

         
      • On the Windows XP taskbar:
        1. Click Start > Control Panel.
        2. In the Control Panel window, double-click Add or Remove Programs.

           
    2. Click KeenValue.

       

      Note: You may need to use the scroll bar to view the whole list.



       

    3. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.


    3. Scanning for and deleting the infected files

    1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more, read the document, "How to configure Norton AntiVirus to scan all files."
    2. Run a full system scan.
    3. If any files are detected as infected with Adware.Keenval, click Delete.



    4. Deleting the value from the registry
     


    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.



    Note: This is done to make sure all the keys are removed. They may not be there if the uninstaller removed them.


    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit

      Then click OK. (The Registry Editor opens.)

       
    3. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

       
    4. In the right pane, delete the value:

      "KeenValue"="C:\Program Files\Common Files\KeenValue\KeenValue.exe"

       
    5. Navigate to the key:

      HKEY_LOCAL_MACHINE\Software

       
    6. In the left pane, remove the subkeys:
       
      • KeenValue
      • eUniverse

         
    7. Exit the Registry Editor.
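
The registry clean-up above can be verified offline against an exported .reg file. The following Python sketch is an added example, not part of the original write-up: it parses a Registry Editor export and reports any of the entries listed under technical details that are still present. The sample export, its Settings subkey and the value named x are constructed for illustration.

```python
import re

# Indicators taken from the write-up above; registry key names are case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "KeenValue"
VENDOR_KEYS = (r"HKEY_LOCAL_MACHINE\Software\KeenValue",
               r"HKEY_LOCAL_MACHINE\Software\eUniverse")

def parse_reg(text):
    """Parse Registry Editor export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                name, data = m.groups()
                if data.startswith('"') and data.endswith('"'):
                    # String data: undo the export's \\ and \" escaping.
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])
                current[name.lower()] = data
    return keys

def find_keenval(text):
    """Return human-readable findings for leftover Adware.Keenval registry entries."""
    keys, findings = parse_reg(text), []
    run = keys.get(RUN_KEY.lower(), {})
    if RUN_VALUE.lower() in run:
        findings.append(f"Run value {RUN_VALUE} -> {run[RUN_VALUE.lower()]}")
    for vk in VENDOR_KEYS:
        # A key counts as present if it, or any of its subkeys, was exported.
        if any(k == vk.lower() or k.startswith(vk.lower() + "\\") for k in keys):
            findings.append(f"Key present: {vk}")
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeenValue"="C:\\Program Files\\Common Files\\KeenValue\\KeenValue.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\eUniverse\Settings]
"x"=dword:00000001
'''

if __name__ == "__main__":
    print("\n".join(find_keenval(SAMPLE)))
```

Exports made by Registry Editor on Windows 2000 and XP are UTF-16 text with a "Windows Registry Editor Version 5.00" header, so decode the file before passing its contents to find_keenval.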

       

    5. Deleting other files used by this Adware:

    a. Delete the directory C:\Program Files\Common Files\KeenValue and all of its contents.

    Do you have "Spyware" on your system? Parasites or an Unwanted Search Engine? Don't panic -- this is a learning experience on how some of these so-called friendly companies treat you as a valued customer! Many of us are totally amazed (including myself) at just how sneaky and underhanded some of these companies are.

    What is Spyware? A technology that assists in gathering information about a person or organization without their knowledge. On the Internet, "spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties." In some cases this continues even after these programs have been removed from your system. As such, spyware is cause for public concern about privacy on the Internet. In many cases it also causes unknown browser problems.

    How did this happen?

    When your Security settings are "soft", these sites take advantage of this and actually install software on your system without your knowledge or consent. In other cases downloaded software comes bundled with other "components" (spyware\adware) that you don't realize exist until you start having problems or discover your browser has been hijacked.

    Recommended Minimal Security Settings

    Close all instances of Internet Explorer and Outlook Express
    Control Panel | Internet Options | Click on the "Security" tab
    Highlight the "Internet" icon, click "Custom Level"

    • "Download signed ActiveX scripts" = Prompt
    • "Download unsigned ActiveX scripts" = Disable
    • "Initialize and script ActiveX not marked as safe" = Disable
    • "Installation of Desktop items" = Prompt
    • "Launching programs and files in an IFRAME" = Prompt

    Click on the "Content" tab, Click the "Publishers" button

    • Highlight and click "Remove" any unknowns, click Ok
      Why is this so important? [read this]

    Click on the "Advanced" tab

    • Uncheck: "Install on demand (other)", click Apply\Ok
      To test your setup after making the above changes [click here]

    How To: Prevent this from happening again?

    The first thing you must remember is that adware\spyware tools are basically for removal after the fact. The trick is "layered protection" for maximum prevention!

    1) Use a HOSTS file and keep it updated!
    2) Make use of IE's Restricted Zone
    3) Install a firewall (see - Security Issues)
    4) Install an Antivirus program (see - Security Issues)
    5) Add a Startup Monitor (freeware) to protect your system [more info]
    6) Improving the security of your computer (Microsoft)

    How To: Safely removing these Parasites from your system

    Experienced Users SpyBot 1.2 [freeware] http://security.kolla.de/
    Once installed, make sure to update online before scanning!
    Fix the items labeled in red, items labeled in blue-green are optional.
    Support Forum: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi
    How To: http://www.tomcoyote.org/SPYBOT/

    Novice Users Ad-Aware [freeware] http://www.lavasoftusa.com/
    Once installed, make sure to update online before scanning!
    Support Forum: http://www.lavasoftsupport.com/
    Note: Lavasoft also has a HijackThis section at their Forum

    To double-check your system - (after using one of the above)

    Go to: http://www.tomcoyote.org/hjt/
    Download "Hijack This!" [freeware] or download direct [here]

    Editor's Note: Since HijackThis does not (yet) come with an install routine, create a folder via Windows Explorer for HijackThis, then move the zip file to this folder. This way any backups created are saved in a legit folder. I've seen too many instances where the user runs HijackThis from a temp folder and any backups are lost if that temp folder is cleaned out. You should also make sure you are using the latest version each and every time you run HijackThis, as new detections are added all the time.

    Unzip, double-click "HijackThis.exe" and Press "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Click: "Save Log" (generates: "hijackthis.log")
    HijackThis Tutorial (recommended read)

    Next, go to: http://www.spywareinfo.com/forums/

    Sign in, go to the "Spyware and Hijackware Removal" section.
    Press "New Topic", copy and paste hijackthis.log into your new message.

    Visiting the SpywareInfo Forum, or one of the other recommended forums, to finish cleaning up your system is highly recommended, as neither Ad-Aware nor SpyBot can completely remove these pests any longer. This is mainly due to new daily threats and the randomly generated filenames used by these parasites!

    Dealing with Rapid Blaster (parasite)

    Dealing with Coolwebsearch and affiliates

    • CWShredder (Kills Coolwebsearch and affiliates) read this first!
      Download: "cwshredder.zip" Unzip and run the included "CWShredder.exe"

      Then follow up with either Ad-Aware or SpyBot, then HijackThis!
    • More info on Coolwebsearch and the gang

      Editor's Note: there are now nearly 10,000 Coolwebsearch affiliates!
      They do this as a "Pay-per-Click" scheme, basically getting a few cents for each user that gets hijacked to Coolwebsearch or one of its major affiliates. Nice guys, huh? Most of these affiliates are Adult related, so be careful where you surf and practice Safe Hex!

    Additional Prevention

    Both the HOSTS file and the Restricted Zone entries target most of the major parasites, hijackers and unwanted search engines. If you are also having trouble with unwanted pop-ups - [start here]. There are, however, several severe security risks that still exist in Internet Explorer. Until Microsoft releases a (hot fix) patch, users can protect themselves by using Qwik-Fix and several other steps. [more info]

    Various Registry Fixes

    To use: download - right-click and select: Edit to view in Notepad.
    Right-click and select: Merge - to enter the info into the Registry, and reboot.

    Note: always back up the Registry before making any changes. Also be aware these reg files are intended for stand-alone or home users. Corporate users are urged to check with their network supervisor before removing restrictions.

    Removing Unwanted IE Menu Items

    • Scan your system with Ad-Aware or SpyBot (see above)
    • Run HijackThis! and select the "O8\O9" items you want removed. [more info]

    To manually remove from the Registry [Experienced Users]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

    • Click open "+MenuExt" (left pane). Locate the desired Menu Extension (highlight).
      Make a note of the corresponding (htm) file (right pane).
      Right-click the desired key (Menu Extension) and select: Delete
      Note: always Export before editing the Registry.
    • Close Regedit, open Windows Explorer.
      Locate and delete the "corresponding (htm) file" (if it exists).

    Repairing your Winsock Connection

    If you have suddenly lost your Internet connection after removing spyware (such as NewDotNet and Commonname), the following steps will help restore your connection.

    Various Troubleshooting Articles

    Other Spyware and Parasite related Sites and Newsgroups

    Editor's Note: you may find after removing some of these parasites, especially the ones that install unwanted Toolbars (BHOs), that your existing Toolbar setup may be corrupt. [more info]