Disk Knight

23 October 2007 Rogue 42 Comments

Disk Knight is promoted as legitimate program that will block malicious programs to be run from USB and external memory devices. However, Disk Knight’s capability to propagate itself and be installed without user’s interaction put itself in the lists of rogue software or potentially unwanted application. The program will exploit certain security vulnerabilities to penetrate a system.

To avoid this virus, it is important to update all programs and install necessary patch for Windows operating system. Upgrading installed antivirus program is essential to obtain the latest database and avoid Disk Knight Infection.

Screen Shot Image:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What Disk Knight can do?
- Copy itself to removable drives found on the compromised system.
- Modify registry to run itself during Windows start-up.

Malicious Files Added by Disk Knight
%Windìr%\Knight.exe
%Windìr%\recover.reg
%DriveLetter%\Knight.exe
%DriveLetter%\autorun.inf

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\”Disk Knight” = “%Windìr%\Knight.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open \command\”(default)” = “Knight.exe %1 %*”

Disk Knight – Removal

Removing Disk Knight Manually:
1. If using Windows ME or XP, System Restore must be disabled to prevent the threat from restoring itself. [Windows XP System Restore]

2. Update the virus definitions.

3. Reboot Windows in SafeMode
- Press F8 on keyboard right after turning on the comptuer.
- Select Safe Mode from the menu.

4. Run a full system scan and clean/delete all infected file as stated above.

5. Delete/Modify any values added to the registry.
- For Windows 2000/XP: Go to Start > Run, type “regedit” on dialog box then press Enter on keyboard.
- For Windows Vista/7: Go to Start > Search Program and Files, type “regedit” and press Enter.

6. Exit registry editor and restart Windows.

Disk Knight Removal Tools

Manual removal provided on this page may or may not successfully remove Disk Knight. To completely get rid of the virus and other malicious software that may have been installed, we suggest running these tools.

In order to completely remove Disk Knight from a system, click here to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean PC and rename the executable file before executing on the infected machine.

Using Portable SuperAntiSpyware:
To thoroughly remove a virus, it is best to do a separate scan of another security program so that other infected files not detected by anti-virus application can be remove as well. Click here to download and run SAS Portable Scanner.

What to do next...

Comments and Suggestions

On this area you can find Visitor's personal suggestions. We cannot control and evaluate each recommended procedure from visitors so please use it at your own risks. If your inquiry pertains to Disk Knight payment refund or lost serial key, kindly check the FAQ for rogue program first.

42 Comments

precisesecurity
Oct 23, 2007 @ 10:01:08
1. Temporarily Disable USB Drive to autorun (Windows XP):
a. Open Windows Explorer or press the Windows + “e” key.
b. Right-click the drive of the USB Drive. Then select Properties. Drive Properties will appear.
c. Select the AutoPlay tab.
d. Choose Select an Action to Perform
e. At the bottom of the selection, click Take no Action, then click Apply.
f. Click OK to exit Drive Properties.
2. Show Hidden Files
a. Open Windows Explorer
b. Go to Tools > Options
c. On View tab, mark Checked the “Show Hidden Files and Folders and “Hide Protected OPerating System Files” Unchecked.
3. Delete the files manually
a. Go the USB Drive and delete autorun.inf
b. Go to C: Drive and delete autorun.inf
c. Go to C:\Windows and delete Disk Knight.exe
4. Modify Windows Registry
a. Go to Start > Run then type regedit
b. On Registry Editor, go to Edit > Find and type “knight”
c. Delete all entries it found.
5. Connect to Internet and update your AntiVirus
6. Reboot your computer in SafeMode
a. During BootUp process Press F8 continuously until selection appears
b. Use Arrow Up+Down to select SafeMode on the selections menu.
c. Hit Enter to proceed.
7. Scan your computer with an updated AntiVirus and delete all infections it founds.
Note: You may enable autorun of the USB Drive by reversing the process in Step 1.
Ruth
Nov 01, 2007 @ 04:58:50
I just want to confirm if you’re required to log in your computer as Administrator before you can execute the ‘disk knight’ removal procedure, and what if another autorun.inf is found within your C:/WINDOWS folder, should you delete that one too, aside from the one in C:/ only. I found one in mine.
precisesecurity
Nov 01, 2007 @ 08:42:19
There are some actions that require you to have an Admin privilege such as modifying the registry and deleting the autorun.inf file located on Windows folder.
gaston
Nov 09, 2007 @ 21:18:28
Thanks for the instructions! It removed Disk Knight all right, but when I double-click on any program icon I get the “open with” dialog, where I have to select the program, which with some programs doesn’t work; typing “regedit” in the command line brings up “open with” dialog, as well. Furtheremore, right-click on “My PC” – “Properties” yields the message “C:/WINDOWS/system32/rundll32.exe Cannot find the application” even though it’s there in windows explorer. I cannot open System Restore eithere. It seems as though my hands are tied.
gerald
Nov 15, 2007 @ 07:54:43
You write it well, not open instead it wll “open with” we have the same problem.
Sephiroth
Nov 16, 2007 @ 00:57:37
Once removed the default value in the “open” key for “exefile” in windows registry, as you say it is impossible to open any exe file.
To solve this just open windows explorer, locate and launch regedit.exe with Run As (shift + right click) and correct the default value for that key, that’s “%1″ %*
Edwin
Nov 16, 2007 @ 10:23:03
I would like to confirm that the procedure also works for v4 of Disk Knight. Choosing ‘help’ from the disk knight icon loads and information web page where the author say to uninstall from add/remove programs and he stresses that if you try and delete the knight.exe file you will have problems. ‘Uninstalling’ seems only to deactivate the automatic loading but does not actually uninstall the file, as knight.exe still exists on both my hard drive and flash disk.
I’m worried about trying to remove it myself because of the warning and the experience of gaston.
francosantapy
Nov 16, 2007 @ 12:16:34
Same thing happened to me, “rundll32.exe” crap. Does anybody know what to do?
niklausfmm
Nov 18, 2007 @ 18:55:39
On the site below I found a link to the program ‘btask-fix.reg’ that would repair the so called file on your computer.
http:// forum.avira.com/thread.php?threadid=28088
Since the page is entirely in German I placed the link down below, so you don’t have to read all that.
http:// member.file-upload.net/KarlKarl/btask-fix.reg
PS: I tried it on my computer since I had the very same problem and have to say: it works. so have fun
Jeremy
Nov 19, 2007 @ 15:00:56
Thanks I just removed it from my USB flash drive. I got infected after checking my cousin’s PC. At that time I didn’t know how to remove it. But I found something weird at my cousin’s PC. If you click “Tools” at the toolbar on any folder, you should see the option “Folder options”, but I can’t see it on my cousin’s PC. Therefore he will not be able to eliminate the DK. What’s happening?
Anti-DiskKnight
Nov 22, 2007 @ 14:23:05
This message is for Jeremy and all those experiencing the same as him..
Your cousin has more than just DiskKnight on his PC, he has the virus Brontok as well. The brontok virus removes the Folder Options from the Tools menu so that you cannot see hidden files and also prevents you from running regedit. bitdefender.com/VIRUS-157247-en–Win32.Brontok.A@mm.html
This tool should be able to help you out
jeeves
Nov 23, 2007 @ 12:01:59
My PC got infected through a memory stick and I simply went into settings and removed it. Is that sufficient? Furtheremore, my memory stick is no longer working. When I go into my computer to click on it, an “open with” list pops up. It seems to think it is a document, image or something. All ideas are welcome. Is the stick destroyed? Norton Antivirus seems to be picking up nothing.
Anna
Nov 23, 2007 @ 19:24:40
How to remove the knight virus from my mobile phone? I tried the steps above but still to no avail. My mobile model is Sony Ericsson W580i. Is there any way for me to remove the virus?
Grandasbrute
Nov 27, 2007 @ 09:45:15
My anti-virus is not working anymore thanks to disk knight.
How can i fix this problem? I have tried re-installing the anti-virus but it was no use. An error message keeps showing out. HELP!
bea
Nov 28, 2007 @ 02:11:58
Help! I don’t know if my drive c: and d: are infected with disk knight the icon hard drive won’t come out. and every time I click drive c: what pops out is my drive d: I need help. I don’t know what’s happening with my PC.
Tim
Dec 04, 2007 @ 14:47:45
Thank you so much people! The link that niklausfmm gave really works! Use it.
Tim
Dec 04, 2007 @ 14:59:30
But I still cannot fix the virus on the flash drive? It cannot open, asks me to select the program form a list?
I can’t seem to find autorun.inf on C, C:\windows or the USB drive.
Sen
Dec 06, 2007 @ 01:24:16
Alleged security software, named Disk Knight, is developed by a Bangladeshi student and its idea is simple: if a USB key is protected by Disk Knight the program will prevent the launch of any other process on the computer and display a message prompting the user to block or allow the starting process.
Since USB malware is typically launched when the USB key is inserted, Disk Knight can prevent any virus from infecting the computer via that route. This sounds like a good idea.
However, the problem is in the implementation. Once the Disk Knight program is installed and starts protecting the computer, it will copy itself to every inserted “unprotected” USB key, making it “protected”. Furtheremore, if the newly protected USB key is subsequently inserted into another computer, Disk Knight will run and install itself onto the computer, all without the user’s consent. This behavior and the lack of control from the user side makes Disk Knight a computer virus.”
(-Buckeye042, Yahoo! Answers)
I have already been infected, again, by this alleged security software a few days ago… Fortunately, I have already known how to remove it including the installed components in my PC, like in the registry and windows folder.
First, make all files visible and unhide protected operating system files.
Second, go to Windows Folder, look for the Knight.exe file and delete it.
Third, open your disk (USB) and look for the Knight.exe and the autorun.inf files, delete them.
Fourth, Open the Ccleaner software, (you can download it from http://www.ccleaner.com for free). Run the Cleaner, then Scan and fixed Issues that will be detected.
Fifth, disconnect your USB then reinsert.
Sixth, after you have tried all these steps and Knight.exe is still in view, e-mail me @ friendly_bug_x2@Yahoo.com
I have also known some risk upon the removal of disk night.exe – other applications installed in your computer will no longer work. It seems like when you open an application, the “open with…” window will pop up. And I have no other idea to fix this problem than this…
Start menu>run> then type “recover.reg” then press Ok.
Have a great day!…
tom
Dec 10, 2007 @ 22:37:21
So happy!
niklausfmm’s link worked perfect!
thanks a lot!
Sayo
Dec 11, 2007 @ 02:23:25
The “Open with…” issue can be easily corrected.
The solution can be found on the Microsoft site: http://support.microsoft.com/kb/555067
joynikz10
Dec 15, 2007 @ 11:56:11
If you click “Tools” at the toolbar on any folder, I can’t see the “Folder options”. I can’t delete Disk Knight! Please help me.
precisesecurity
Dec 19, 2007 @ 03:45:14
Joynikz, please see this to show folder options.
http://www.precisesecurity.com/tools-resources/troubleshooting/how-to-enable-a-hidden-folder-options/
Jay
Dec 20, 2007 @ 22:49:39
Hi everyone!
My USB stick got infected with DiskKnight today, but somehow, when I inserted it (unknowingly at that time) into my mother’s PC its anti-virus program pop-up and deleted DiskKnight from that stick. However at that point it had already spread to my computer and my digital camera. Now I think what worked for the stick will work for the camera as well but that hardly helps with my own computer. I tried using the guide above (which isn’t easy since my PC is German and the words are all different), but I can’t find the autorin.inf file OR diskknight.exe, even though I did manage to make hidden files visible.
Any ideas what might be the problem?
Kiko
Dec 25, 2007 @ 03:19:47
My Windows registry editor has been disabled, how can I enable it?
precisesecurity
Dec 27, 2007 @ 01:10:48
Kiko, visit this link:
http://www.precisesecurity.com/tools-resources/troubleshooting/how-to-enable-registry-editor/
Stamatis Iliofos
Feb 08, 2008 @ 13:20:13
To Jeeves…
If your memory stick doesn’t work you just have to right click and then click “open” which is furthere down on your right click list.
Kaisar Hasan
Feb 22, 2008 @ 06:48:59
Thanks to all the persons who made this web site. It helps me.
Thanks
Kaisar Hasan
Rangpur
Bangladesh.
Adriano
Feb 24, 2008 @ 13:44:07
I tried to remove the disk knight from my computer but when I go to the Tools I can’t open the option «Options» because It doesn’t exist.
I think the virus removed it from my computer so I can not see the hidden folders.
Can someone help me?
Adriano
Portugal
Rafael Garcia
Feb 29, 2008 @ 04:11:11
Hello!
I’ve read most of the replies and it seems that following them the virus has left my system here… Thank you so much!
Rafael Garcia from Brazil
foras
Mar 10, 2008 @ 11:10:36
How do I delete diskknight from my mobile phone?
Robin (GobRob)
Mar 22, 2008 @ 10:19:13
I have had the same problem with disk night until i installed Avast, and to my surprise it picked it up and deleted it.
subhash
May 10, 2008 @ 21:21:56
I did all those procedures wrote on this page but I could not removed knight virus in my USB drive and computer. What should I do? Can you give me any other instructions to remove knight virus?
coconut
May 12, 2008 @ 05:03:46
Does disk knight virus affected drive C:?
Tom
May 13, 2008 @ 14:24:40
There are several things you need to do to remove disk knight from your C:\ drive. Yes it does infect it. Often, diskknight has the adverse effect of stopping you from running executable file. This tutorial fixes all of the regkeys that can run into problems because of diskknight:
http:// windowsxp.mvps.org/exefile.htm –> THIS IS WHAT THEY MISSED in the original tutorial. Afterwards, look at your C:\ drive, go to folder options in tools and show hidden files and folders As Well as unticking the box hiding system files. The disknight.exe is located at C:\Windows\knight.exe . You have to delete this as well, but before you can, you must open task manager (ctrl + alt + delete), open the processes tab and end knight.exe. If anyone wants to know how to remove disknight from flash drive please post comment.
Rohit
May 21, 2008 @ 07:46:50
When infected, open Task Manager and kill Knight from the process.
Upgrade to AVG 8.0 v.
Plug your infected USB keeping shift pressed down.
Scan your PC, after AVG picks up disk night as a Worm VB.BVK, heal it.
Scan all removable pen drives, heal them with AVG.
Run regedit, find ‘Knight’ and delete all registry entries made by knight.
Run msconfig , check if knight is there in the start-up list.
Check USB drives in DOS for knight.exe.
Format the usb drives.
That’s it.
hawk
Jun 24, 2008 @ 05:46:24
When I go to folder options and check the “SHOW HIDDEN FILES” and uncheck the “HIDE PROTECTED OPERATING SYSTEM FILES”, they go back to “DO NOT SHOW HIDDEN FILES” so I won’t be able to locate the disk knight. How am I going to fix this problem and delete the disk knight for good?
hawk
Jun 24, 2008 @ 05:49:04
And how can I find the disk knight inside my mobile phone? The phone rejects any installation of any application I needed for my phone.
Bhuwan
Aug 21, 2008 @ 12:59:32
I have tried all these steps but when tried opening Windows registry, it says “Error opening file.” It seems Disk knight is not allowing me to open this.
xtin
Oct 09, 2008 @ 15:51:13
The disk knight made my usb drive undetectable!
Help! mendelian23 @ yahoo.com
Shimo
Oct 10, 2008 @ 07:47:20
Hello
When I try to delete disk kinight in my C drive I get the message ”access denied make sure the disc is not full or write protected and that the file is not currently in use”
What shall I do? Thanks for your advices?
Pyker
Mar 06, 2009 @ 19:57:19
Stephen, I think you might have got infected with the Blaster virus.
Check this link: http :// www. symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99
BoikeZins574
Apr 14, 2012 @ 07:21:00
I have been browsing online greater than 3 hours nowadays, yet I never found any attention-grabbing article like yours. It is beautiful worth enough for me. Personally, if all website owners and blogger made excellent content as you did, the net will be a lot more useful than ever before.