I can’t find anything on the net about it and avast can’t seem to get rid of it. When I come up into safe mode, I can’t delete it. Anyone know anything about this trojan?
-Jazhawk
Wow, Googling knphknp.dll found nothing :o
Strange, isn’t it? Where is the file located? Did you submit it to VirusTotal?
Tech,
From the topic title it is in the system32 folder
It looks like a randomly generated name, and any file that gets no hits makes me suspicious.
Why couldn’t you delete it (not that that is a good first option)? What error messages, etc.?
I take it that this file isn’t detected by avast?
This computer had Norton on it before I got there to do support on it. I uninstalled that crap and installed Avast. It was Avast that discovered it. I tried to delete it from the folder but I suspected that wasn’t going to work. Booted in safe mode, couldn’t delete it even then. Tried to rename it while in safe mode, that wasn’t happening either.
So I started a boot virus check with Avast and left it with him. Had him call me if there was a problem.
I tried to google it but nothing shows up for it. So I posted this here.
It’s almost like the thing is trying to say KidNap H Kidnap.dll But maybe that’s me looking at clouds again.
Any ideas?
-Jazhawk
If they have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php
Thx DavidR. That was what I meant when I said I started a boot check and left it with em. I’m hoping it can be cleared out doing it that way. The first time I’ve seen one like that.
-Jazhawk
It isn’t unusual; it is usually protected by Windows because it is in use, which is the reason it couldn’t be deleted, but the reason wasn’t given.
That is also why deletion isn’t the best first option as any investigation possibility is history. The file can’t be uploaded to virustotal, etc. to see if it points to other possible actions required.
What did avast call the detection, malware name ?
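The point DavidR makes above, that a file you cannot delete can still be investigated by its hash, and Tech’s earlier observation that the name looks generated, can both be turned into a small triage step. The script below is an added example, not code from the thread or from avast: it hashes a file in chunks so the MD5/SHA-256 can be searched on VirusTotal without uploading the sample, applies a vowel-ratio heuristic to flag generated-looking stems like knphknp, and lists candidates in a directory. The directory path, the thresholds and the heuristic itself are assumptions for illustration; it ranks candidates for a hash lookup and does not decide anything on its own.

```python
import hashlib
import os
import string

# Vowel set used by the naming heuristic (an assumption, not a rule from the thread).
VOWELS = set("aeiouy")


def file_hashes(path, chunk_size=1 << 20):
    """Return MD5 and SHA-256 hex digests of a file, read in chunks.

    Either hash can be searched on VirusTotal without uploading the file,
    which keeps an investigation possible even when deletion is blocked
    because the DLL is loaded and locked by Windows.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def name_looks_random(filename, min_len=6, max_vowel_ratio=0.15):
    """Heuristic: a longer stem with almost no vowels (e.g. 'knphknp') reads
    like a generated name. Stems shorter than min_len (such as 'ntdll') are
    skipped outright. Legitimate names can still trip this (msvcrt has no
    vowels either), so the result is a candidate for a hash lookup, nothing more.
    """
    stem = os.path.splitext(os.path.basename(filename))[0].lower()
    letters = [c for c in stem if c in string.ascii_lowercase]
    if len(stem) < min_len or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio <= max_vowel_ratio


def triage_directory(directory, extensions=(".dll",)):
    """List (name, sha256) for files whose names look generated, sorted by name,
    ready to check against VirusTotal or a known-good baseline of the folder."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not entry.lower().endswith(extensions):
            continue
        path = os.path.join(directory, entry)
        if os.path.isfile(path) and name_looks_random(entry):
            findings.append((entry, file_hashes(path)["sha256"]))
    return findings


if __name__ == "__main__":
    import sys

    # Default path is an assumption; pass any folder to scan on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\system32"
    for name, digest in triage_directory(target):
        print(f"{name}\t{digest}")
```

Run it against the system32 folder and search each printed SHA-256 on VirusTotal; a well-known library that the heuristic also flags will show up as clean with many hits, while a sample nobody has seen (as in this thread) will show no results, which is itself the signal that the file should be submitted rather than deleted.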
Avast called it malware. A trojan. I’ll let you know more specifics when I get back to that system later today. Provided Avast hasn’t taken care of it. Which I doubt at this point.
-VG
Any ideas from anybody?
-Jazhawk
Any ideas about what? I thought we were waiting for you to report back on:
a) if the boot-time scan dealt with the knphknp.dll file.
b) what avast called the malware.
If avast can’t remove it even on a boot-time scan, what errors or warnings were displayed?
Sounds like Virtumondo, a randomly named dll in system32.
A quick run with SAS should get it.
Download and then run SuperAntispyware:
1. On the first page select Check for Updates
2. On completion select SCAN YOUR COMPUTER
3. On the next page select COMPLETE SCAN and tick ALL your drives
4. The next stage will take a while as your entire drive(s), memory and registry are scanned
5. When it has completed click NEXT
6. The next screen shows the problems found; click OK
7. On the next screen place a tick against all items and select NEXT
8. Now to get the log: go to the PREFERENCES button on the right bottom
9. Select the STATISTICS/LOG tab
10. Highlight the scan just completed and click VIEW LOG
11. This will open a notepad text file; copy and paste this to your next reply
Hi,
Those won’t solve the problem…
Just download HiJackThis and give us a log. http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
This is probably Vundo or Security Toolbar… We’ll check.
If you don’t know what the issue is, I can’t see how you can make a statement like "Those won’t solve the problem…".
If it is vundo/virtumondo, SAS is one of the better applications to deal with it; besides that, SAS will probably remove any additional cr*p, not to mention that the log file, which essexboy asked for, will also go some way down an analysis route.
Don’t be too hard on em DavidR. I think I get his point. And the boot scan didn’t get it either. This one is a horse. I’m headed back over there tomorrow with some additional tools. I’ll report back with what I get. I will remember to take HijackThis there too.
-Jazhawk