Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need Help.

  • Please log in to reply
2 replies to this topic

#1 Time_Devil


  • Members
  • 8 posts
  • Local time:07:49 AM

Posted 03 December 2006 - 12:32 PM

Hey everyone. Thanks for reading this.


I found in me processes, knlwrap.exe. This is a nasty keylogger.

I cannot findwhere thisis coming from, except to be one "knlwrap.exe" in C:/Windows/Prefetch and another that is an application in system32 with pentium on it. (I forget which it is like becasue i now am on my backup PC).

I see many things about knlwrap in other places on this site,with Hijackthis logs and other things i don't understand. Can someone please tell me in stupid terms what to do?

I have Ad-Aware Se Personal and ZA and AVG antivirus. And SpyBot S&D.

And i jsut realised this is posted in the wrong place. Sorry =(

Edited by Time_Devil, 03 December 2006 - 12:38 PM.

BC AdBot (Login to Remove)


#2 tg1911


    Lord Spam Magnet

  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana
  • Local time:05:49 AM

Posted 03 December 2006 - 12:44 PM

Read Preparation Guide for use before posting a HijackThis Log.
Please read, and follow, all directions carefully!!!

If the steps, prior to the posting of a HijackThis log don't eliminate the problem:

Then, run a log, and post it in the HijackThis forum, >at this link<.
Do not, post it in this topic.
Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please, be patient, as these people are volunteers. They will help you, as soon as possible.

Once you post your log, don't make any changes to your system, as that could change the results of the posted log, making it more difficult to properly clean your system.

Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.

Edited by tg1911, 03 December 2006 - 12:49 PM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#3 jgweed


  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:06:49 AM

Posted 03 December 2006 - 12:48 PM

The exact location is important in determining if knlwrap.exe is a keylogger or a legitimate part of Install shield.

The legitimate location is:C:\Program Files\CommonFiles\InstallShield\engine\6\Intel 32\knlwrap.exe

If you find instances in other places, and running your AV and AS applications with a full scan in Safe Mode, fail to quarantine them, then the solution is to post a HJT log in the proper forum, where one of our volunteer team of experts can use the log's entries to help you get rid of the problem.

Before posting, please carefully read and follow the instructions (some of which you may already by that time have done) posted here:


Please preface the log with a brief description of the problem, such as you made in this post.
Whereof one cannot speak, thereof one should be silent.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users