rlvknlg.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Maggot_Riot, Jan 25, 2007.

  1. Maggot_Riot

    Maggot_Riot Private E-2

    Lots of problems with this one. I have no idea when or where this came from, but I haven't noticed it until recently. According to other websites it goes under a crapton of other names under processes and I seem to have a lot of these! I need help removing them.

    I tried a couple ways through other sites as well as trying to remove it through regedit, but, no luck.

    So please help me, thank you!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Maggot_Riot

    Maggot_Riot Private E-2

    Sorry about that! I just got done with the steps.
     


  4. Maggot_Riot

    Maggot_Riot Private E-2

    And the rest.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Most of your problems are coming in through these programs or add ons:

    Uninstall thru Add/Remove in the Control Panel:
    Look2Me
    NewDotNet Browser Plug-in
    PowerReg Scheduler (Spyware)
    WhenU.SaveNow (Adware)
    WildTangent
    Weatherbug
    WhenUSearch



    Please run CCleaner.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atgames.jp/atgames/html/game/mo_mmo/fanta_tennis/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.242.19.197:3127
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey - please download the current version first!
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
     
  6. Maggot_Riot

    Maggot_Riot Private E-2

    Thanks Tim, but I'm having a problem with even the first step. None of those programs show up on my control panel, which.. makes them hard to remove from there. So I skipped that step, there's not much I can do from there, right?


    • O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

    Didn't show up when I ran HJT

    And this error came up when trying to remove one of the files:


    • Hijack this cannot repair O10 Winslock LSP entries.
      You should use LSPFix for that, which is available from http://www.cexx.org/lspfix.htm

      If the O10 belongs to WebHancer.new.net or commonname, spybod S&D can remove it automatically.
      Spybot S&D is available from http://www.spybot.info


    As far as things are going, my internet seems to have slowed down remarkably since going through the cleaning processes. My messengers (aim/msn) are all delayed when sending a response. (After hitting enter, it would take about 10 or so seconds for the message to actually go through). And when starting up Firefox, it takes at least a minute or so to connect, and occasionally the connection will slow down.

    This isn't a problem with my connection dropping since everything seems to be in working order, this only started when I started doing the cleaning.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have not already begun to fix this! DO NOT fix the O10 lines!!!!

    [edit] Okay! That's good that you got that message! If you actually had fixed them, you would have lost your internet connection [edit]

    Hold on a minute and I'll give you the fix you need.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is the way to fix the Relevant Knowledge DLL in the O10 line.

    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the rlls(2).dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move rlls(2).dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.
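
The handling rule from the posts above (O10 Winsock LSP entries go to LSP-Fix, the other selected lines to HijackThis's Fix button), as an added example that is not part of the original thread: a small Python triage of HijackThis log lines. The sample lines are a subset of those quoted in post 5; the function names and report categories are assumptions made for illustration.

```python
import re
from collections import Counter

# A HijackThis entry is "<section code> - <detail>", e.g. "O10 - Unknown file ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")
LSP_FILE = re.compile(r"Winsock LSP:\s*(.+)$", re.IGNORECASE)
PROXY = re.compile(r",ProxyServer\s*=\s*(\S+)")
MISSING = re.compile(r"\((?:no file|file missing)\)")

# Sample input: a subset of the log lines quoted in post 5 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.242.19.197:3127
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls(2).dll
"""

def parse(log):
    """Return (section, detail) tuples, skipping lines that are not log entries."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Group entries by the tool the thread uses to handle them."""
    out = {"lsp_fix": Counter(), "proxy": [], "missing_target": [], "hjt_fix": []}
    for section, detail in parse(log):
        lsp = LSP_FILE.search(detail)
        if section == "O10" and lsp:
            # HijackThis cannot repair O10 entries; the thread removes the
            # DLL with LSP-Fix instead, so keep these out of the Fix list.
            out["lsp_fix"][lsp.group(1).lower()] += 1
            continue
        proxy = PROXY.search(detail)
        if proxy:
            out["proxy"].append(proxy.group(1))  # proxy setting worth reviewing
        if MISSING.search(detail):
            out["missing_target"].append(section)  # entry points at no file
        out["hjt_fix"].append(section)
    return out

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dll, count in report["lsp_fix"].items():
        print(f"use LSP-Fix, not HijackThis: {dll} ({count} entries)")
    print("proxy settings:", report["proxy"])
    print("entries with missing targets:", report["missing_target"])
```
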
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see something that should have been uninstalled first before fixing the O10 line. Let's try uninstalling anyway. Uninstall this: RelevantKnowledge


    What is the below that I see installed?
    ddw200342.exe

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Mozilla Firefox (1.5.0.9)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Now attach new logs from ShowNew & HJT
     
  10. Maggot_Riot

    Maggot_Riot Private E-2

    I only did what TimW said in his response, nothing was fixed since I wasn't able to fix anything.

    Also, I don't think I'll be installing the current version of firefox, seeing as.. well, I absolutely hate it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's your decision to make. The new one is more secure.

    Also you need to delete the below files:

    C:\WINDOWS\system32\rlls(2).dll
    C:\WINDOWS\system32\rlls.dll
    C:\WINDOWS\system32\rlxf.dll
    C:\WINDOWS\system32\silc_dll.dll
    C:\WINDOWS\system32\wininet(2).dll <--- only delete this file, DO NOT delete wininet.dll
     
  12. Maggot_Riot

    Maggot_Riot Private E-2

    There's a few of my extensions that work best with the older version, and that extension is very important to keep around. It's not just that I dislike the updated version.

    But I will get to what you suggested, right now I'm uninstalling the java files and I will do the other steps as well.

    Also, where can I find the .dll files to delete? Run HJT and select them?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right click Start and Select Explore to bring up Windows Explorer. Navigate to the system32 folder. Locate the files and right click on them and select Delete.

    You may have to reboot after running LSP fix in order to delete that DLL.
     
  14. Maggot_Riot

    Maggot_Riot Private E-2

    okay just did all those steps, and here are the files.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just noticed another file related to your Marketscore infection! Delete the below file too:

    C:\WINDOWS\system32\LDPackage.dll


    How is everything running now?

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  16. Maggot_Riot

    Maggot_Riot Private E-2

    Everything running a lot more smoothly!
    Thank you for your help!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
