
Knight.exe


7 replies to this topic

#1 Jules123


Posted 11 December 2007 - 09:01 PM

Hey everybody!

I'm a little desperate since I inserted a friend's USB stick which contained something like "Disc Knight.exe" or "Knight.exe". Since then, I am not able to open either my friend's USB or my own. The only thing I get is the following message (I'll try to translate it from German into more or less proper computer English): "You don't have no access to this appliance. You probably don't have the authorization for access." What more is there to say? Oh yes, I'm using Vista.

I'd be pretty thankful for any kind of advice, as I don't know where to start, what kind of problem I am facing and what could be harmed.

Thanks in advance!



#2 quietman7


Posted 11 December 2007 - 11:36 PM

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drives before we begin!

Reconfigure Windows Vista to show hidden files, folders.

Open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", and search for any autorun.inf at the root. Repeat the search on all your drives (including your flash drive). If autorun.inf is present continue as follows:

Reboot your computer in "Safe Mode" using the F8 method. To do this restart your computer and when you see the hardware listed press the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Press the Enter key and logon to your computer with a user account that has administrator rights.

Go to Start > Run and type: cmd
I don't use Vista but I believe you need to use Ctrl+Shift + Enter. You will be prompted with the User Account Control dialog but it will then open up a command prompt in Administrator mode.
  • press Ok.
  • At the command prompt, type in your primary drive location, usually C:
  • You may need to change the directory. If so type: cd \
  • Hit Enter.
  • Type: attrib -s -h -r -a autorun.inf
  • Hit Enter.
  • Type: dir
  • Hit Enter. This will allow you to see and confirm the Autorun files.
  • Type: del autorun.inf
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
Now search for and remove Knight.exe
  • At the command prompt, type in your primary drive location, usually C:
  • Hit Enter.
  • Type: attrib -s -h -r -a Knight.exe
  • Hit Enter.
  • Type: dir /s Knight.exe
  • Hit Enter.
  • If the file is present, type: del Knight.exe
  • Hit Enter.
  • Repeat the above commands for each drive on your computer.
  • Exit the command prompt and reboot normally.
When done remove the Startup RUN value by downloading and using Autoruns.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
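
Added example, not part of the original posts: a read-only Python triage of the autorun.inf check described in post #2. It lists each given drive root (hidden and system files included) and reports which commands an autorun.inf there would launch; the function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that name something to execute.
LAUNCH_KEYS = ("open", "shellexecute")

def launch_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or line.startswith(";") or "=" not in line:
            continue  # other sections, comments and junk lines are skipped
        key, value = line.split("=", 1)
        key = key.strip().lower()
        # shell\<verb>\command entries add a launch command to the drive's context menu
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets

def scan_roots(roots):
    """Check each drive root for autorun.inf (any letter case); report what it would launch."""
    findings = {}
    for root in roots:
        try:
            names = os.listdir(root)  # listdir also returns hidden/system files
        except OSError:
            continue  # drive not ready or access denied
        for name in names:
            if name.lower() == "autorun.inf":
                path = os.path.join(root, name)
                with open(path, "r", errors="replace") as fh:
                    findings[path] = launch_targets(fh.read())
    return findings

# Constructed sample for illustration (not a captured file from this infection).
SAMPLE = "[AutoRun]\n;junk\nopen=autorun.bat\nshell\\open\\Command=Knight.exe\nicon=folder.ico\n"

if __name__ == "__main__":
    demo = tempfile.mkdtemp()
    with open(os.path.join(demo, "AUTORUN.INF"), "w") as fh:
        fh.write(SAMPLE)
    # On Windows, pass drive roots instead, e.g. ["C:\\", "E:\\"].
    for path, targets in scan_roots([demo]).items():
        print(path, targets)
```

The script only reads files; deletion is still done with the attrib and del steps from the post.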

#3 Jules123


Posted 12 December 2007 - 05:26 AM

Hey dude!

Thx a lot for your quick and foolproof solution. :thumbsup: The thing is that there is no autorun.inf on any of my drives. I'm wondering now what could be done next and whether this Knight thing is changing names (???) or my problem could be a completely different one.

Jules

#4 buddy215


Posted 12 December 2007 - 07:30 AM

Jules123---Read info in link below.
http://www.pcadvisor.gr/index.php/2007/10/...knight-madness/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 quietman7


Posted 12 December 2007 - 09:18 AM

Were you able to search for and find Knight.exe? See Windows Vista - Using the Search Function for how to perform an advanced search.

Note: The PC Advisor article includes steps that involve making changes to the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.

#6 Jules123


Posted 12 December 2007 - 12:47 PM

Thanks for everything! But reading through this, I decided to ask somebody who is familiar with the registry to solve this, as I have no experience.

#7 quietman7


Posted 12 December 2007 - 12:53 PM

That's ok. I'm glad to hear you have someone who can assist you. As I said, altering the registry can be dangerous if you're not familiar with it or what you're doing. Good luck.

#8 buddy215


Posted 12 December 2007 - 01:21 PM

Many experts recommend Erunt for backing up the registry. It does a more thorough job of backup and is more accessible if needed.
http://www.larshederer.homepage.t-online.de/erunt/

Here is a link to Trend Micro's removal instructions.
http://www.trendmicro.com/vinfo/virusencyc...AB&VSect=Sn

Edited by buddy215, 12 December 2007 - 01:24 PM.




