1. geek_love

    geek_love Private E-2

    I'm running Vista Home Premium. Checking through my registry, I came across the entry HKEY_LOCAL_MACHINE\SOFTWARE\KNIGHT. I researched and found this was for a virus called Disk Knight. It didn't appear in my programs, or anywhere else, as far as I could tell. I removed the registry key, then scanned with avast! Antivirus Free Edition. Nothing turned up.

    I then found, in HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS, a ton of websites (hundreds?) - all dangerous-looking - which I've never visited. More research seemed to indicate that these were possibly placed there by an anti-spyware program (maybe Spybot-S&D). I checked my internet trusted zones (no entries) and restricted zones (a lot of entries, none of which I placed there, and all of which seem to be some of the entries in the registry key in question.)

    I then found in my DNS cache about forty websites - none of which I've ever visited. I checked a few against the registry entries and they matched.

    I have real-time protection from avast! Antivirus Free and ThreatFire. I have SpywareBlaster installed. I run regular scans by avast!, ThreatFire, AVG Anti-spyware, Spybot-S&D, CA Yahoo! Anti-Spy, and Malwarebytes' Anti-Malware. None of these scans have found any problems.

    Last week, due to a CA scan finding AceSpy on my system, I did the complete READ & RUN ME procedure. Chaslang evaluated the logs, said that the AceSpy detection was most likely a false positive, and said that my system was clean.

    So, some possibly naive questions:

    1. Is it okay that those sites are listed in my registry?
    2. Why do some of those sites appear in my DNS cache?
    3. Shouldn't there be some sites that I've actually visited listed in my DNS cache?

    Any help would be greatly appreciated!
     
    Last edited: May 17, 2008
  2. abri

    abri MajorGeek

    Hi geek_love,
    Welcome to the Malware Forum!


    For a good explanation regarding the files you found look at this thread: http://forums.spybot.info/showthread.php?t=2367

    There is a lot of conflicting information on the internet with regard to different files which may be classified as malware. Disk Knight is a security program which watches over programs started from usb sticks. It's an open-to-debate kind of program. If a program is installed without your knowledge and if it doesn't have an uninstall entry in add/remove programs, it's considered suspect.

    abri
     
  3. geek_love

    geek_love Private E-2

    Hi, Abri. Thanks for responding.

    Yeah, it looks like all those registry entries are for Spybot. That's really good to know.

    Could you reply about the DNS cache? I don't know a whole lot about computers, so I may be way off base here, but shouldn't the DNS cache hold only addresses that I've entered into my browser? As I mentioned in my first post, there are three or four dozen entries in there. All are apparently questionable/unsafe sites. And none of them are sites I've ever visited. So:

    1. Why are they in there?
    2. Why aren't sites I've actually visited in there?
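The questions in the last two posts (why never-visited sites appear in the ZoneMap and in the DNS cache) can be checked directly rather than guessed at. The script below is an added example for this thread, not a tool from the page or from the forum. It enumerates the Restricted-zone entries under ZoneMap\Domains (the list that immunizers such as Spybot-S&D and SpywareBlaster write, as the thread already notes), reads the hosts file, parses `ipconfig /displaydns`, and reports for each cached name whether it comes from the hosts file and whether it falls under a Restricted-zone entry. It assumes Windows PowerShell 3.0 or later and English-language `ipconfig` output; the hosts-file column rests on the fact that the Windows DNS client preloads hosts-file entries into the resolver cache, so any name an immunizer puts in the hosts file shows up there without a browser ever visiting it.

```powershell
# Cross-references the IE ZoneMap, the hosts file and the DNS resolver cache
# to explain cache entries for sites that were never browsed to.
# Added example for this thread, not a tool from the page or the forum.
# Assumptions: Windows PowerShell 3.0 or later, English ipconfig output.

$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-ZoneMapEntries {
    # Each subkey of ZoneMap\Domains is a domain, each nested subkey a host label,
    # each value name a scheme ('*', 'http', 'https') whose data is the zone id.
    param([string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains')
    if (-not (Test-Path -Path $Root)) { return @() }
    $entries = @()
    foreach ($domKey in Get-ChildItem -Path $Root) {
        $domain = $domKey.PSChildName
        foreach ($k in (@($domKey) + @(Get-ChildItem -Path $domKey.PSPath))) {
            $name = if ($k.PSPath -eq $domKey.PSPath) { $domain } else { "$($k.PSChildName).$domain" }
            foreach ($scheme in $k.GetValueNames()) {
                $entries += [pscustomobject]@{
                    Host = $name.ToLower(); Scheme = $scheme; Zone = $zoneNames[[int]$k.GetValue($scheme)]
                }
            }
        }
    }
    return $entries
}

function Get-HostsFileNames {
    # The resolver preloads hosts-file entries into its cache, so every name
    # listed here shows up in 'ipconfig /displaydns' without any visit.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $names = @{}
    foreach ($line in (Get-Content -Path $Path -ErrorAction SilentlyContinue)) {
        $fields = (($line -split '#')[0].Trim()) -split '\s+'
        if ($fields.Count -lt 2 -or $fields[0] -eq '') { continue }
        foreach ($n in $fields[1..($fields.Count - 1)]) { $names[$n.ToLower()] = $fields[0] }
    }
    return $names
}

function Get-ResolverCacheNames {
    # 'ipconfig /displaydns' works on every Windows version; Get-DnsClientCache
    # only exists on Windows 8 / Server 2012 and later.
    $names = @{}
    foreach ($line in (ipconfig /displaydns)) {
        if ($line -match '^\s*Record Name[ .]*:\s*(\S+)') { $names[$matches[1].ToLower()] = $true }
    }
    return @($names.Keys)
}

function Test-RestrictedHost {
    # A ZoneMap entry for example.com also covers www.example.com, so walk the parents.
    param([string]$Name, [object[]]$ZoneMap)
    $labels = $Name.ToLower().Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        if ($ZoneMap | Where-Object { $_.Host -eq $candidate -and $_.Zone -eq 'Restricted' }) { return $true }
    }
    return $false
}

$zoneMap    = Get-ZoneMapEntries
$hostsNames = Get-HostsFileNames
$report = foreach ($n in Get-ResolverCacheNames) {
    [pscustomobject]@{
        CachedName   = $n
        InHostsFile  = $hostsNames.ContainsKey($n)
        InRestricted = Test-RestrictedHost -Name $n -ZoneMap $zoneMap
    }
}
"Restricted-zone entries in ZoneMap: $(@($zoneMap | Where-Object { $_.Zone -eq 'Restricted' }).Count)"
$report | Sort-Object InHostsFile, InRestricted | Format-Table -AutoSize
```

Read the table bottom-up: cached names that are in the hosts file were put there by whatever maintains that file, not by browsing, and names that fall under a Restricted-zone entry belong to the same immunization list the poster found in the registry. The reverse question (why sites actually visited are missing) has a mundane answer: ordinary cached records expire when their TTL runs out, whereas hosts-file entries never expire, so after a few idle hours the cache can consist of nothing but the immunization list. Anything left over, cached recently and in neither list, is the short list worth investigating.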
     
  4. geek_love

    geek_love Private E-2

    Oh, and since the Disk Knight was only in one registry key and not in my install/uninstall programs list, or anywhere else (I think), was that probably a false positive, or should I be looking elsewhere?

    Thanks.
     
  5. abri

    abri MajorGeek

    Hi geek_love,

    In answer to your question about Disk Knight - for which there is not yet agreement as to whether to call it malware or not - the problem with this program is that it is installed without your knowledge and it is installed without being added to add/remove programs, thereby making it difficult to remove if you don't want it. What it does is to prevent .exe files from executing from your usb stick. It will give you a warning that something is trying to execute and you can allow or not allow it to run. It was made to protect people's computers from getting infected from their usb sticks.

    If it is on your usb stick, you can look for it by enabling "Show hidden files and folders" under your Windows Explorer / Tools / Folder Options. Then open the usb stick using Windows Explorer and look for the files "Knight.exe" and "autorun.inf". If both of these are found, then delete them both.

    It is more problematic to remove it from your main computer, because the procedure for removing it ends up blocking your ability to use .exe files altogether and then you have to go back and fix this as well. Are you having any symptoms? Or did you only get a message that it had been found? If you are not having problems or symptoms, I would check any usb stick you have to see if it's on them and remove it from them, however I would just let it sit on the main computer and tell your antivirus program to ignore it. If it's not causing a popup, then it's not running.

    I see you got some help on your DNS question in the Software Forum. Only one comment to your thread there: Spyware Blaster does not usually slow down people's computers. We recommend it to be used together with Spybot. I'm not sure why it might be causing a different response with your computer, but it does overlap with a similar function of Windows, so you should do what's best for the working of your computer.

    abri
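The manual check in the reply above (show hidden files, look for Knight.exe and autorun.inf on the stick) can be scripted so it covers every removable drive at once and also looks at what the autorun.inf actually launches. This is an added example for this thread, not a tool from the page. It assumes Windows PowerShell 3.0 or later; `-Force` on `Get-ChildItem` is the command-line equivalent of Explorer's "Show hidden files and folders", which matters because autorun droppers routinely set the hidden and system attributes on their files. The autorun.inf parsing (looking for `open=`, `shellexecute=` or `shell\<verb>\command=` lines that name Knight.exe) is my addition; the thread only says to look for the two files.

```powershell
# Checks every removable drive for the Disk Knight file pair and reports
# whether the HKLM\SOFTWARE\KNIGHT key exists. Added example for this thread,
# not a tool from the page. Assumptions: Windows PowerShell 3.0 or later;
# -Force on Get-ChildItem is the equivalent of Explorer's "Show hidden files
# and folders", since autorun droppers mark their files hidden+system.

function Get-DiskKnightIndicators {
    param(
        # DriveType 2 = removable; pass -Drives 'E:\' to check one stick only.
        [string[]]$Drives = @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
                              ForEach-Object { $_.DeviceID + '\' })
    )
    $findings = @()
    foreach ($drive in $Drives) {
        if (-not (Test-Path -Path $drive)) { continue }
        $knight  = Get-ChildItem -Path $drive -Filter 'Knight.exe'  -Force -ErrorAction SilentlyContinue
        $autorun = Get-ChildItem -Path $drive -Filter 'autorun.inf' -Force -ErrorAction SilentlyContinue
        $autorunText = ''
        if ($autorun) {
            $autorunText = Get-Content -Path $autorun.FullName -Force -ErrorAction SilentlyContinue | Out-String
        }
        $attrs = if ($knight) { $knight.Attributes.ToString() } else { '' }
        # Launch lines an autorun.inf can carry: open=, shellexecute=, shell\<verb>\command=
        $runsKnight = [bool]($autorunText -match '(?im)^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=.*knight\.exe')
        $findings += [pscustomobject]@{
            Drive             = $drive
            KnightExe         = [bool]$knight
            KnightAttributes  = $attrs
            AutorunInf        = [bool]$autorun
            AutorunRunsKnight = $runsKnight
        }
    }
    return $findings
}

"HKLM\SOFTWARE\KNIGHT present: $(Test-Path -Path 'HKLM:\SOFTWARE\KNIGHT')"
Get-DiskKnightIndicators | Format-Table -AutoSize
```

The script is read-only on purpose. If a drive shows both files with `AutorunRunsKnight` true, that is the pair the reply says to delete; `Remove-Item -Force` is needed for hidden/system files, and a hidden `Knight.exe` with `AutorunRunsKnight` false still deserves a look at the autorun.inf by hand, since the regex only recognises the common launch keys.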
     
  6. geek_love

    geek_love Private E-2

    Hi abri. Thanks for getting back to me. As for the Disk Knight, I only found it in the one registry key I mentioned in my opening post. And there's never been a USB stick anywhere near my computer, and I'm the only person with access to it. Further, I'm not getting any pop-ups of the kind you mentioned. Why do you think it was in that registry key?

    I have, however, noticed small windows appearing and disappearing in the blink of an eye, usually in the upper left of my screen. It's only started happening in the last 2-3 weeks. I haven't found a pattern in their appearances. Sometimes when I download a program update, but not always. Other times, too, though I can't think of any specifics. Any ideas?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think it is time to do the below.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide
     
  8. geek_love

    geek_love Private E-2

    Okay. Here are the logs. Thanks!
     


  9. geek_love

    geek_love Private E-2

    And one more.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. The KNIGHT registry key you have been referring to is just something that ComboFix adds when it is run. It also adds a Kazaa key. I'm not sure why it is doing this but it is obviously a bug since it should not be adding them. The below patch will remove those keys along with a few others added by ComboFix for unknown reasons. The patch will also cleanup a load of junk you have stuck in your registry due to using MSconfig to control Symantec and you probably uninstalled Symantec while MSconfig was still in use. Just one of many reasons MSconfig should not be used.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work through the below link:
     
  11. geek_love

    geek_love Private E-2

    Thank you for checking out my logs. Good to know I'm malware free. And yes, the registry patch worked successfully.

    I'm wondering about a few things:

    1. What's that little window that blinks in and out of existence (usually when I download something)? I'm fairly comfortable in saying that it's never been there before a week or two ago. I thought it was an indication of malware.

    2. Malwarebytes detected something it called StartMenu.Hijack. Is that something for Hijack This, or was it malware? (I had Malwarebytes remove it, by the way.)

    3. I didn't use MSConfig back when I had Symantec (which, after months, I'm still finding traces I can't get rid of). I've used it recently when paring down the number of things that start at startup. Why shouldn't it be used?

    Again, thank you very much for the help!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Truthfully I don't know. I would have to have more info. It could be due to something you have installed.
    • Does it only appear when downloading something?
    • Does it only appear when a browser is being used? Which browser? If IE, then try Firefox and see whether you still see it.
    • If IE, what Managed Addons do you have listed under Tools > Manage Addons
    • Does it happen in safe boot mode?
    That registry key decides whether you want the Start, Run option to appear. It is not truly malware. It is a user configurable option that you may even have configured that way yourself. It was set to 0 (don't show the Run box) and normally it would be set to 1.

    It is explained in the link in the READ & RUN ME which you should have read. ;)
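The diagnostic questions above narrow down when the flashing window appears, but a window that is gone in a blink is usually a console or installer process that starts and exits in well under a second, too fast for Task Manager. The script below is an added example for this thread, not something from the page or the forum; it subscribes to the WMI process-start trace and logs each new process with its parent and command line to a file, so the next time the window flashes the log shows exactly which program was launched and by whom. It assumes Windows PowerShell (Register-WmiEvent was removed in PowerShell 7) started as Administrator, which Win32_ProcessStartTrace requires, and a log path of my choosing on the desktop.

```powershell
# Logs every process start, including ones that live only a fraction of a
# second, so a window that blinks in and out can be tied to the program and
# parent that created it. Added example for this thread, not from the page.
# Assumptions: Windows PowerShell (Register-WmiEvent was removed in PowerShell 7)
# run as Administrator, since Win32_ProcessStartTrace needs it.

$LogPath = "$env:USERPROFILE\Desktop\procstart.log"

function Start-ProcessStartLog {
    param([string]$Path)
    # The -Action block runs in its own runspace, so it receives the path via MessageData.
    Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier ProcStartLog `
                      -MessageData $Path -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # The child may already have exited, but its parent is usually still alive.
        $parent = Get-Process -Id $e.ParentProcessID -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.ProcessName } else { '?' }
        $cmd = (Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($e.ProcessID)" -ErrorAction SilentlyContinue).CommandLine
        $stamp = '{0:yyyy-MM-dd HH:mm:ss.fff}' -f (Get-Date)
        Add-Content -Path $Event.MessageData -Value "$stamp  pid=$($e.ProcessID)  parent=$($e.ParentProcessID) ($parentName)  $($e.ProcessName)  $cmd"
    } | Out-Null
}

function Stop-ProcessStartLog {
    Unregister-Event -SourceIdentifier ProcStartLog -ErrorAction SilentlyContinue
}

Start-ProcessStartLog -Path $LogPath
"Logging to $LogPath. Reproduce the flashing window, then run Stop-ProcessStartLog and read the log."
```

Leave it running while reproducing the symptom (a download, a browser session, a safe-mode boot, as the reply suggests) and match the log timestamp to the moment the window flashed. The parent column is the useful part: a child of a browser points at an add-on or download handler, a child of the task scheduler or a service points at an updater, and the command line, when it was captured before the process exited, names the binary to look up.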
     
