BleepingComputer.com: Questions & Concerns About Using Flash_Disinfector

Hello,

I have used Flash_Disinfector.exe in the past & was wondering if it cleans more that just a flash/thumb drive. I don't suppose it does any good to a CD, does it?

My other concern was what I just read here... http://www.threatexpert.com/files/Flash_Disinfector.exe.html

I realize that some AV/AS will consider Flash_Disinfector an infection but the above linked info doesn't seem to pertain to that. Any thoughts? Thanks!

Check out this topic;
USB Autorun Disabler?, As I was searching for something else, I read about this program
A lot of good information.

Thanks a bunch.

Great read although I can't say that it all makes 100% of sense to me. I got about 70%, I'd say

As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun.

Also, I have used flashdisinfector more that once on the same drive & I am not sure what the results of that would be. Any ideas?

It seems though that the computer is also affected by FD, not just the flash drive. This is where I get a little confused. So, there are bogues autorun.ini files installed on my machine whenever I have run FD? And those bogues files, to put it simply, are there to help, correct? I assume that if I uninstalled/reinstalled Windows that the autorun.ini files created by FD would be gone, yes? Just trying to understand how all of this works.

Now, I can't see any partitions on the flash drive, can I? Does FD actually remove infections from an infected flash drive?
And finally, if I insert a flash drive that ran FD into another computer, is that other computer affected at all by FD?

Sorry for all of the questions but I just want to understand a bit more. Thank you! I look forward to your reply.

Quote

Microsoft Security Advisory (967940): Update for Windows Autorun

However, disabling AutoRun is not enough. See Scott Dunn's One quick trick prevents AutoRun attacks. For most novice users, the easiest way to inoculate a USB flash drive is to create a Read-only folder on the drive and name it autorun.inf. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running malicious files as described in How to Maximize the Malware Protection of Your Removable Drives.

Alternatively, you can download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Resarch Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Quote

It would just run the same routine as it did previously.

Reread this particular reply by Papakid.

Thanks Quietman7,

I still have some questions though....

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this. Seems to be a catch22...if I enable autorun, I am risking an attack yet if I do not, I cannot backup my data to cd's. That cannot be right. There must be a work around.

-If I did have Autorun disabled, why the need for:

Quote

-I have a machine that I ran FD on a few months ago. So, I don't need to run FD again on that machine as that would be redundant, correct? However, when I use a new Flash/Thumb drive, it will not have any of the partitions that are put there by FD. So, it would seem as though I would need to run FD again, no?

-Does either FD or Panda USB Vacine run on Linux &/or Mac?

-Finally, does FD actually remove infections from an infected flash drive?

So, you see, I am still a bit confused. I look forward to your reply!

This post has been edited by Bub12: 17 December 2009 - 01:12 AM

Quote

Correct.

Quote

Correct. Or if you installed Panda USB Vaccine, just use that.

Quote

These tools were designed for Windows platforms.

Quote

When the tool was first introduced it was able to deal with some types of infections. However, the developer choose not to spend a lot of time with trying to update FD as new variants appeared. Instead he devoted his time with development of ComboFix.

Thank you Quietman7!!

Just a couple more things... :-)

So, there are no conflicting issues when installing both FD & Panda & which would you suggest? If I am not mistaken, Panda does not clean an infected drive, correct?

And last but not least, one of my original questions...

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this? Seems to be a catch22...if I enable autorun, I am risking an attack yet if I do not, I cannot backup my data to cd's. That cannot be right. There must be a work around.

THANKS!

While I understand your frustration at getting a reply, staff members are all volunteers and we assist other members as well as you when time permits. No one is paid for their work or assistance to members of our community. We have jobs in the real world and families so we are not logged into the forums all day long.

I am out of town this week providing training to EMS providers and there is little time to access the Internet. There should be no conflicting issues when using both FD & Panda but there is no reason to do so. I already advised that FD is no longer being updated so I would use Panda. Although Panda does not clean any infections, FD is limited in what it can clean and you should not depend on it for disinfection purposes.

Tools like MalwareBytes are more effective.

Thanks Quietman7!

No pressure here...I just figured that you may no longer be subscribed considering my much delayed response. Thanks again for your help!

Also, can anyone answer this:

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this? Seems to be a catch22...if I enable autorun, I am risking an attack yet if I do not, I cannot backup my data to cd's. That cannot be right. There must be a work around.

Update- What I actually did was to disable the CD drive only, I believe. I followed the following:
http://www.engadget.com/2004/06/29/how-to-...run-on-windows/

Now recently, on another machine, I believe I disabled all drives by changing the "no drive type autorun" to "0xff", as is explained here:
http://support.microsoft.com/kb/967715

But, after doing this, my cd & flash drive both started without any help from me. Is this normal? Perhaps this occurring would explain the difference between autorun & autoplay?

And finally, MS says that the default "no drive type autorun" for XP is "0x91", yet mine was set at "24". Would this have anything to do with Flash Disinfector?

I would very much appreciate any assistance. Thanks!

Thanks!

This post has been edited by Bub12: 19 December 2009 - 01:09 AM

Hi Bub12,

Please don't take offense, but by some of what you've posted I see a lack of exactness that may explain why you have difficulty understanding the answers you've been given. I would suggest you read over some of the material again and make an extra effort to determine exactly what is being said. I understand that the whole subject is confusing tho. Perhaps I can help clarify--and keep in mind there are elements that I am trying to clarify in my own mind as well.

Let me start out by saying that Flash Disinfector (FD) was designed primarily as a cleanup tool--preventive measures were a sort of afterthought because the author was concerned that the spread of malware via Flash/USB drives was getting to be rampant. The second major point, and this goes to your first question, is that it is designed to deal with Flash/USB drives, not optical (CD/DVD, etc.) drives. That is why it's called Flash Disinfector instead of something else. Flash because Flash memory is what is being used on the relatively new devices known by various names--memory sticks, thumb drives, pen drives, etc., etc. To me it is least confusing to refer to them as Flash Drives because that is the type of memory they use and it distinguishes them from other types of drives. Flash drives are the main culprit in the spread of these types of malware, however, FD is designed to deal with all writable drives, such as external USB hard drives and even internal hard drives. Why? See the article by Nick Brown that you have been linked to already:

Quote

http://nick.brown.free.fr/blog/2007/10/memory-stick-worms

At this point, let's clear up an apparent misconception that you have posted about.

Bub12, on Dec 17 2009, 12:06 AM, said:

FD does not add partitions to drives. It adds a dummy autorun.inf (not autorun.ini) file to each writable partition that exists on the machine. This works on a simple principle; two files/folders of the exact same name may not exist in the same folder--and the root of every partition is considered a folder. So when a malicious file tries to spread an infection by writing an autorun.inf file to each writable partition, it can't because FD has beat it to the punch by writing a file of that exact name to that folder first. The malicious payload file might still get written to the partition, but, as explained in the other thread, it is harmless without the autorun.inf file--the payload files are like bullets without a gun and should be cleaned up when you scan with the antivirus you have installed.

I'm not sure if you just used the wrong terminology or if you aren't sure what partitions are--if the latter you should read up on partitions so you can understand everything better.

Optical drives can spread malware, but they don't very often, if at all, by the autorun.inf method because those drives are not writable. I believe re-writable is the correct term (but need to check it) but the point is that you have to burn a CD to write to it. Besides not wanting to bother with writing code to burn to CD, malware authors won't bother with optical media because they don't know if you even have a rewritable CD/DVD loaded and it is just so much simpler and efficient to use writable partitions.

Now we get to your latest set of questions.

Bub12, on Dec 17 2009, 12:06 AM, said:

There are several methods of disabling autorun, as you're beginning to see. This registry hack is what is known to be the most effective way to do that, altho it does it in a roundabout way. FD does disable autorun. I don't know if it uses this method but I have a feeling it does--will try to confirm. From Nick Brown's blog again:

Quote

That isn't directly disabling autorun, per se, but has the same effect. We'll refer to this as the Nick Brown hack as i will bring it up again later.

Bub12, on Dec 17 2009, 12:06 AM, said:

The author of this article disabled autorun for CD's so that DRM software couldn't run automatically. Defeating copywrite protection in any way is counter the the forum rules at BC (whether you agree with DRM or not, it is the law and it's in BC's own best interest to abide by it) but that is the main purpose the author had in mind, not protecting from infection using the autorun.inf method. Even tho it would defeat the spread of autorun malware, since you aren't going to get infected by it very often this way, there is really no need to disable autorun for optical drives.

Bub12, on Dec 17 2009, 12:06 AM, said:

First that method is direct disabling of autorun, but it is complex, confusing and, as mentioned in the nick Brown blog, the whole process is buggy.

Quote

This is why Brown uses his "roundabout" hack to solve the problem.

But no, it's not normal for your CD drive to start up if you're trying to disable autorun. I can't say exactly why that happened; I would guess because of one of the bugs or you did something incorrectly. It would have nothing to do with the difference between autorun and autoplay--still haven't researched this enough to explain to my own satisfaction, but as far as i can tell the difference between the two is more semantical than anything else.

Bub12, on Dec 17 2009, 12:06 AM, said:

It's possible but i don't think so. FD will disable autorun, but that value data (24) is not in the list of values that will disable autorun. I have no idea what all you've been doing since you've begun exploring this issue and even over the life of your computer that would put that value there. But the bottom line here is that FD will disable autorun by whatever method it uses--it also deletes the mountpoints2 reg entries--so you don't have to go into the registry to do it yourself. The data to set that registry value can vary greatly--scroll down to the bottom of this page to see what i mean:
http://www.moonvalley.com/products/rwavdc/enable.htm
I've yet to figure it out so I don't expect the avaerage user to either--instead, it just makes more sense to me to use a program that can be trusted to disable autorun.

Bub12, on Dec 17 2009, 12:06 AM, said:

So as I've mentioned already, there is no need to worry about autorun infections coming from CD's (unless you use CD's burned from an infected machine a lot).
First are you sure disabling autorun causes your CD drive to not work? In other words, your optical drives worked OK before using Flash Disinfector, then when you ran FD, which disables autorun, the drives didn't work? Were you able to confirm this by re-enabling autorun on your optical drives and after doing so the optical drives worked? In my research on this issue there have been some indications that disabling autorun on all drives will cause problems with optical drives so it is possible that running FD caused your issue, but I can't confirm that--it is something that I need to research more but haven't had the time. It may be that preventing autorun.inf file from being read prevents Windows from recognizing that a CD drive is present, which would mean the Nick Brown Hack and the NoDriveTypeAutorun hack would both break optical drives. Or it could be something else--in the following thread a similar problem was fixed by changing the CD speed--give that a try and let us know how it goes:
http://www.astahost.com/info.php/Cd-Burner...are_t12550.html

If that doesn't work and it is true that disabling autorun caused it, it would seem the ideal solution would seem to be to disable autorun for all drives except optical ones, which is what the hotfix that TheJoker links to does:
http://www.spywareinfoforum.com/index.php?showtopic=125953
http://support.microsoft.com/kb/971029

However, the catch there is that some writable drives present themselves as optical drives so if you have those type drives you are still vulnerable.

I have not been able to do much research on this since my previous writeup, and probably won't get back to it until after new years, but from what little I have done I am leaning more and more toward the simplest and best solution is to use AutorunEater. It doesn't disable autorun and doesn't even scan optical drives for autorun.inf files. This way you don't have to run a program everytime you insert a drive for the first time and you also don't have to worry about whether your drives are NTSF or FAT/32.

In my previous thread I list the drawbacks to AE and will add another to it. Last week Antivir and Ad-Aware began detecting AE as malware. It is a false positive and I can confirm that it has been corrected by Antivir, but the thing is is that it wasn't readily apparent that AE is what was being detected. I can only assume that it was a self-protection mechanism but the behavior that was being flagged sure looked like malware. However, I still think AE is the simplest solution available.

BTW, it's common for such smallish security tools to be flagged as malware--or, if you read the detection carefully, a warning that the tool might be malware. You saw it with FD.

Papakid,

WOW! THAT IS ONE TERRIFIC REPLY. THANK YOU! Your time invested is not unnoticed & is very much appreciated.

Quote

When I initially posted about my CD drive being disabled, I thought that this http://www.engadget.com/2004/06/29/how-to-...run-on-windows/ was the fix for disabling autorun. Now that I know that it is not, I understand why I could not access my CD drive.

As far as my other pc & changing the "no drive type autorun". I am fairly certain that I didn't screw it up :-)
The value was 24, not "0x91". And I have since changed it to "0xff" & when I install my Flash &/or CD, the computer recognizes that there is removable media inserted, but it does not open it. I must open them by clicking. Is that a bug or is that normal? In other words, what is suppose to happen when such media is installed on a machine with autorun disabled? Remember that I not only changed the said value, but have also used FD on that machine more than once.

Perhaps I should change the "no drive type autorun" to "0x91" as now when I try to "safely remove the flash drive", I never actually receive the window that says, "now you can safely remove the drive" or something to that effect. I hear the corresponding sound after taking the usual steps, but that's it.

So, just to clarify, I should only need to run FD once to achieve the desired "disable autorun" & not need to mess with any of the other methods. Do I have that right? However, I did somehow miss the following, which may be a good idea to perform...
http://support.microsoft.com/kb/971029 although, maybe unnecessary if I am getting all this. Ahhhhhh!

I realize that some of what I write may not make sense. This occurs because I do not fully comprehend what the heck is going on with all of this ;-) Hopefully as I learn I will make more sense. Believe me, I do not wish to be a pain in the but.

Merry Christmas!

This post has been edited by Bub12: 23 December 2009 - 12:34 AM

First, I know you are not intentionally being a pain in the butt. You may be like me--I have to read slowly and some things I have to read over several times in order to comprehend--let it sink in as it were. But if not, give it a try--it is just that some of your questions were already answered by reading material you were provided. But believe me, I know what it is like to be overwhelmed by information overload.

Overall, my suggestion is to quit using FD and trying to disable autorun and use AE. There are loopholes and drawbacks to all the methods used to disable autorun--as far as I can tell--I still need to do some more tests to support that assertion.

But let's see if I can answer a few specific questions.

Bub12, on Dec 22 2009, 11:10 PM, said:

As far as I understand it, "0x91" enables autorun on all drives and "0xff" disables it on all drives--if you have the patch for your operating system that removes the bug in this key value. I have no idea what 24 does or how it got there--I assume it has something to do with a specific drive on the computer in question.

Bub12, on Dec 22 2009, 11:10 PM, said:

That is exactly what you want when autorun is disabled. Nothing happens when you insert any removable drive. You have to open the drive manually using Windows Explorer. If autorun is enabled, when you insert a drive or open it in explorer files or programs can run automatically, and some malicious payload files can execute if you open the drive in Windows Explorer, depending on how the autorun.inf file is configured..

Bub12, on Dec 22 2009, 11:10 PM, said:

I don't believe that symptom is caused by disabling autorun. You can always try changing the value back to "0x91" (reboot after changing to be sure). If that doesn't fix it you'll know to look for another cause.

Bub12, on Dec 22 2009, 11:10 PM, said:

Yes, running FD once should disable autorun--it uses one of the methods we've discussed. Running the 971029 hotfix as well won't hurt but may not be necessary either. As already stated there is the concern over a possible loophole in that some USB drives are recognized as optical drives. I have yet to test this using my own judgment to draw any sound conclusions from.

Since you've already run FD on these computers, you should have autorun disabled and dummy autorun.inf files on every partition--the latter of which are difficult to delete without a reformat and reinstall of windows--you should already be pretty well protected. But if I were starting fresh I would go with leaving autorun enabled and have AE run in the background. If any autorun comes up you can remove it--it makes backups--and come to a forum like this one to ask if the contents of the autorun.inf file is OK. If so you can restore it.

My experience with the Antivir flagging AE as malware--a sure false positive--has given me some insight into AE's behavior and I now think it protects itself pretty well. But as I've said before, no system or method is foolproof--security is a matter of risk reduction, not risk elimination.

Hi Papakid,

Quote

Let me just make sure we're on the same page here. I open my CD drive & Flash via "My Computer", not "Explorer". The exact path is different but the result should be the same. We okay on this?

Quote

Quote

Well...I temporarily reverted back to "0x91" & I still don't get the "safely remove hardware" window. looks like another thread then!

Thank you so much for all of your help & your incredibly detailed & well thought out explanations. I am a detail oriented person so I very much appreciate such responses. When I do not receive clear & concise answers, I keep on asking questions

Have a Merry Christmas & a Happy New Year!

This post has been edited by Bub12: 24 December 2009 - 10:27 PM

Bub12, on Dec 24 2009, 09:25 PM, said:

Well, I think we have a small problem again with terminology. Not sure what you mean by "The exact path is different but the result should be the same", but My Computer is Windows Explorer. Don't confuse it with Internet Explorer. Altho the two are somewhat interconnected, IE is a web browser and WE is a file browser, also known as a file manager.

The quickest ways to get to WE is to press the Windows key on your keyboard along with E or right click on the My Computer icon and choose Explore. You'll see the same thing as if you'd just clikced My Computr except this way you don't have to click the Folders button the see the folder tree in the left hand column.

Or right click on any drive in the My Computer screen and choose Explore. My Computer is more analogous to the file cabinet you would put actual manila folders into. In any event, when you have autorun disabled, this is how you have to access your drives. Double click the icon for the drive and it should open so that you can see the files on the drive. Or right click and choose the appropriate context menu item. For example, even if you have autorun disabled for optical drives, you should still have a choice to "Play" in the context menu for audio and video disks.

If you like to play around with software, you might like to check out a third party file manager like FreeCommander.

Bub12, on Dec 24 2009, 09:25 PM, said:

Maybe no need for another thread--read over the following webpage and give it a try and let me know what happens:
http://ask-leo.com/safely_remove_hardware_...without_it.html
It may not be a permanent fix--if so you will be free to start another thread.

Something else I've been thinking about and that may be related to this--reading Nick Brown's blog again--keep in mind that the disabling of autorun via the NoDriveTypeAutorun registry value is a per user registry change only. What that means is that, if you have other user accounts with administrator privileges on your computer(s), then you will need to log in to each such account and edit that registry value. Contrary to what I posted earlier, I now think FD uses the NoDriveTypeAutorun hack, so it would be safer to just run it when logged onto other accounts.

The Nick Brown hack does not require logging in to each account because it changes a global (i.e., computer-wide) setting. Global settings are found under the HKEY_LOCAL_MACHINE root registry key (roots are also known as hives)--per user settings under HKEY_CURRENT_USER. That may be a bit oversimplified as there are other per user hives, but it should give you a basic idea of a difference between the two hacks.

How does this all relate to your question? It is possible that, during your exploration of this issue you have instituted the Nick Brown hack. If so it may have had an effect on the safely remove hardware function. So let me know what you have and haven't done if this issue persists.

Bub12, on Dec 24 2009, 09:25 PM, said:

First I hope you had a nice Christmas--mine was. Second you are very welcome to whatever help has been given. I try to answer all questions asked because that is what I would want if the situation was reversed. I've also often been disappointed in replies in forums like this one when my specific questions aren't answered or not enough effort has been put into the response. But you have to realize that many people who help are answering dozens of threads so glancing over questions and info and giving short responses is understandable and with some people unavoidable. Especially when a forum gets big and has a huge workload. I give more detail because I have a bit more time than others--plus I simply don't have the ability to handle more than three or four threads at a time--if that. It's not that I am supremely generous because I am actually also selfish--I learn a lot from working threads like yous. For example, I haven't been using my CD/DVD player much over the last several months--until I received some disks for Christmas. Now I'm having some problems with the drive not recognizing that a disk is inserted and, if it does, what the titles are. You having one of the same problems has given me insight into a possible cause--possibly related to having run FD in the past. But I need to do some troubleshooting and run some tests to be sure--in a few weeks as I have little time at the moment. Just stay tuned.

Quote

Well of course..I am not a stupit ya know!

Quote

Perhaps I am still not being clear enough...I keep a "My Computer" shortcut on my desktop. When I want to access a the contents of CD or Flash/Thumb, here's what I do:

1- I double-click the "My Computer" shortcut icon
2- I double-click on CD-RW drive(D:) icon or the (E:) drive icon, which holds my Flash device. Both of these drive icons ar located in the section called "Devices with Removable Storage".

And that's it. I simply open/read a CD & Flash drive via this method without actually accessing "Explore" which would be done by right-clicking on the same drive icons, then clicking "Explore". Obviously, I could open said drives by right-clicking the said icons & clicking "Open" as well.

"Listen, I realize my explanation is Windows 101, but I just want to be sure we're on the same page. I am no pc expert but I have been working with pc's since DOS, so I do okay.

Quote

Not unless someone slipped me a mickey

UPDATE- Well, I read that thread that you linked to about safely removing hardware & thanks! Buuuutttt, that has brought me to a possibly more serious issue. Here is what someone suggested in the forum & although I did not do it, as I wasn't sure if changing this service to auto would somehow affect external media opening automatically, I found the following:

http://www.bleepingcomputer.com/startups/ntmssvc-11811.html

However, from other reading, NtmsSvc does seem to be a normal Windows service. So, I am confused....sorry

Also, I have no problem getting to the "Safely Remove Hardware" window w/o running a command to get there. I just double-click on the "Safely Remove Hardware" icon in the tray & viola, as opposed to starting the process by right-clicking the same icon, then left clicking a small "safely remove" prompt & waiting for the "it's safe to remove" window, which never happens. And if you understood that, you're alright!

This post has been edited by Bub12: 27 December 2009 - 12:42 AM