BleepingComputer.com: Questions & Concerns About Using Flash_Disinfector


Questions & Concerns About Using Flash_Disinfector

#16 Papakid (Guru at being a Newbie; Group: Malware Response Team; Posts: 6,019; Joined: 08-April 04; Gender: Male)

Posted 27 December 2009 - 02:05 AM

Well, then I'm still confused by the question. It doesn't matter how you accomplish it--right click, left click, double-click--when you get the My Computer screen to appear or any drive's root folder that shows you files and folders on that drive you are using Windows Explorer. You can call it Humphrey's Chicken Livers if you want, that's up to you. If you don't want to use icons and Windows Explorer, the only alternative is to use a command line and go back to the DOS days where there is no graphic representation of files and folders--even tho there is no true DOS in XP.

I've only been using computers--with the exception of a couple of very short episodes in the mid '80's--since 2003, but I've been helping people on boards like this since 2004 or so--precisely because I'm a newbie and I know where newbies, and those who aren't technically inclined, get confused. From your question I could only guess that you confused IE with WE--because I've seen it happen before. Also it took me quite a while to figure out what Windows Explorer was myself. I still don't see what it is that you don't understand that would cause you to ask your question, but the bottom line is that, when autorun is disabled, you have to open drives manually using Windows Explorer.

Quote (nested, my earlier post and Bub12's reply):

It is possible that, during your exploration of this issue you have instituted the Nick Brown hack.

Not unless someone slipped me a mickey :unsure:

This should probably have been phrased as a question by me. When considering your situation, it was a possibility to my mind that you had done so. You have now answered that question that you haven't done it intentionally. However, it is still possible you did it unknowingly. For example, the regfile that you can download via the Conficker removal guide, which I've referred to in an earlier post, is the Nick Brown hack. Without having looked over your shoulder the entire time you've been working on this, I have no way of knowing what all you have and haven't done that you haven't told us about. So anything is possible, mickey or no mickey. As you know, there is a very simple way to check.
------------------
When previewing this post I see you have added to yours--I ask that you kindly refrain from adding information to posts--if I had not previewed it would have seemed to you that I was ignoring your questions and concerns. It's better to get all your information and questions together and make one post, or make a new post if you have more to add.

I don't have time ATM to address all of that, but I can allay your fears about the service. When any startup appears to be something that is maybe legitimate, compare all the exact details of the webpage info with that on your own system or databases listing the details of known legitimate startups. Since this is a service, in this case you can call up the services console (services.msc in the Run box) and scroll down to the Removable Storage entry and double-click it. Look carefully and you'll see where the details don't match.

This is the command for the legit service:
%Windir%\system32\svchost.exe -k netsvcs

This is the command for the malware service listed in the BC Startup Database:
%Windir%\system32\svchost.exe -k ntmssvc

Also the legit service display name is:
Removable Storage

The malware service display name is:
ntmssvc

More later. I haven't yet found what was suggested to do with the Removable Storage Service, so don't know if it's a good idea or not.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon
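The comparison described in the post above (service name, display name, and the svchost command line of the Removable Storage service against the legitimate values) can be scripted instead of eyeballed in services.msc. The following is an added example for this page, not code from the thread, from Papakid, or from BleepingComputer. It parses the text that `sc qc <service>` prints on Windows and flags any of the three details that differ from the known-good values quoted in the post. The exact column layout of `sc qc` output, the two sample outputs (one matching Bub12's reported settings, one matching the BC Startup Database malware entry), and the `C:\WINNT` Windows directory are all constructed assumptions made for the example.

```python
"""Compare a service's configuration, as printed by `sc qc <name>`, against the
known-good details for the XP Removable Storage service quoted in the thread.

Added example: the `sc qc` layout below, the sample outputs and the C:\\WINNT
directory are assumptions made for this example, not data from the thread.
"""
import re

# Known-good values for the legitimate service, as quoted in the post.
LEGIT_REMOVABLE_STORAGE = {
    "SERVICE_NAME": "ntmssvc",
    "DISPLAY_NAME": "Removable Storage",
    "BINARY_PATH_NAME": r"%Windir%\system32\svchost.exe -k netsvcs",
}

# Constructed `sc qc ntmssvc` output mirroring what Bub12 reported
# (display name Removable Storage, service name ntmssvc, -k netsvcs).
SAMPLE_SC_QC_LEGIT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ntmssvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINNT\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : SystemReserved
        TAG                : 0
        DISPLAY_NAME       : Removable Storage
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

# Constructed output mirroring the malware entry quoted from the BC Startup
# Database (display name "ntmssvc", svchost group "-k ntmssvc").
SAMPLE_SC_QC_SUSPECT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ntmssvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINNT\system32\svchost.exe -k ntmssvc
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ntmssvc
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of UPPER_CASE field -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def normalize_path(path, windir):
    """Expand %Windir% (assumed location) and lowercase so paths compare equal."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE).lower()


def svchost_group(fields):
    """Return the lowercased service group passed to svchost via -k, or None."""
    m = re.search(r"-k\s+(\S+)", fields.get("BINARY_PATH_NAME", ""), re.IGNORECASE)
    return m.group(1).lower() if m else None


def check_service(fields, expected=LEGIT_REMOVABLE_STORAGE, windir=r"C:\WINNT"):
    """Return a list of mismatch descriptions; an empty list means all three
    details (service name, display name, command line) match the known-good values."""
    problems = []
    for key in ("SERVICE_NAME", "DISPLAY_NAME"):
        if fields.get(key, "") != expected[key]:
            problems.append(f"{key}: expected {expected[key]!r}, found {fields.get(key)!r}")
    got = normalize_path(fields.get("BINARY_PATH_NAME", ""), windir)
    want = normalize_path(expected["BINARY_PATH_NAME"], windir)
    if got != want:
        problems.append(f"BINARY_PATH_NAME: expected {want!r}, found {got!r}")
    return problems


if __name__ == "__main__":
    for label, sample in (("reported", SAMPLE_SC_QC_LEGIT), ("database entry", SAMPLE_SC_QC_SUSPECT)):
        fields = parse_sc_qc(sample)
        issues = check_service(fields)
        print(f"{label}: svchost group = {svchost_group(fields)}")
        print("  OK, matches the legitimate service" if not issues else "  MISMATCH:")
        for issue in issues:
            print("   ", issue)
```

On a live machine the same functions can be fed the real output, e.g. `parse_sc_qc(subprocess.run(["sc", "qc", "ntmssvc"], capture_output=True, text=True).stdout)`; the Windows directory is normalized so that `%Windir%` in the database listing and `C:\WINNT` (or `C:\WINDOWS`) on the system compare as equal.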

#17 Bub12 (Member; Group: Members; Posts: 142; Joined: 19-May 09)

Posted 27 December 2009 - 05:16 PM

Quote

So anything is possible, mickey or no mickey. As you know, there is a very simple way to check.


Drug test? :trumpet:

Quote

When previewing this post I see you have added to yours


I added to my original reply within minutes of posting so I figured you wouldn't miss it, but I certainly understand your point.

Quote

This is the command for the legit service:
%Windir%\system32\svchost.exe -k netsvcs

This is the command for the malware service listed in the BC Startup Database:
%Windir%\system32\svchost.exe -k ntmssvc

Also the legit service display name is:
Removable Storage

The malware service display name is:
ntmssvc


Great info!! I seem to be okay then, as I figure. My "display name" is Removable Storage but the service name is ntmssvc & the path is "C:\WINNT\system32\svchost.exe -k netsvcs". So, I would say that all is well :thumbsup:

As for my original question, can I set this command to "auto" w/o affecting autorun? Hmmm...I would think that they are not related & that I could safely change from manual to auto, but if you discover more, please do let me know.

Quote

precisely because I'm a newbie


If you're a newbie then I guess I must be dumb as a stump!

You have been a terrific help & I have actually enjoyed working with you! Your efforts are most certainly appreciated Papakid. :flowers:

#18 Papakid (Guru at being a Newbie; Group: Malware Response Team; Posts: 6,019; Joined: 08-April 04; Gender: Male)

Posted 28 December 2009 - 10:45 AM

Bub12, on Dec 27 2009, 04:16 PM, said:

As for my original question, can I set this command to "auto" w/o affecting autorun? Hmmm...I would think that they are not related & that I could safely change from manual to auto, but if you discover more, please do let me know.

Well, I don't believe that was the original question, but if you mean does setting that (or any other) service to automatic, you are correct, it does not have anything to do with autorun that we've been discussing here. You are changing the startup type of a service, not dealing with a drive or partition.

As far as setting the Removable Storage service to Automatic to solve your problem, I have doubts because mine is set to manual and I don't have any problems with it.

However, I am not sure of what is wrong on your system. Could you state it a little more clearly, please? Following are the steps I take removing a device. Let me know what does and doesn't happen on your system--where it doesn't match:

1. Left single click the Safely Remove Hardware icon in the SystemTray. A menu will slide up listing the drives attached via USB.
2. Left single click the drive you wish to remove.
3. You will then receive one of two messages:
A. That the device cannot be stopped right now and please try again later (paraphrasing). This usually happens if you have a Windows Explorer window open--close all windows and try again.
B. That it is safe to remove the hardware--which means you are now free to detach the device.

From what you've posted earlier, I think you said step 3 never happens, but I can't find where you said that now and I would rather not guess. If true, that would also mean that the ask Leo page I linked you to doesn't fit your situation--it is a fix for the Safely Remove Hardware icon not appearing in the SysTray. But I thought it might be a starting point for you to find a fix.

As you probably already know, you can safely remove devices when you shut down the computer or log off. Also it should be safe if the little light that indicates it's working isn't flashing. But you are right to look into this if it isn't working as it should be.

Bub12, on Dec 27 2009, 04:16 PM, said:

Quote

precisely because I'm a newbie


If you're a newbie then I guess I must be dumb as a stump!

Only if you've been drinking stump water. :thumbsup:

I am a newbie--check my title under my Avatar. I've had that title for a long time and don't plan on changing it. If you started out in the DOS days, then you have more experience than me. I started out learning on XP. I have more experience now, but still look at things with a newbie's eyes and there are still things about computers that I don't know and haven't experienced. I used to have a quote in my signature by Will Rogers that pretty much summed up my philosophy--I may need to go back to it:

"We are all ignorant, only on different subjects."


#19 Bub12 (Member; Group: Members; Posts: 142; Joined: 19-May 09)

Posted 28 December 2009 - 04:59 PM

Quote

However, I am not sure of what is wrong on your system. Could you state it a little more clearly, please? Following are the steps I take removing a device. Let me know what does and doesn't happen on your system--where it doesn't match:

1. Left single click the Safely Remove Hardware icon in the SystemTray. A menu will slide up listing the drives attached via USB.
2. Left single click the drive you wish to remove.
3. You will then receive one of two messages:
A. That the device cannot be stopped right now and please try again later (paraphrasing). This usually happens if you have a Windows Explorer window open--close all windows and try again.
B. That it is safe to remove the hardware--which means you are now free to detach the device.

From what you've posted earlier, I think you said step 3 never happens, ...


Basically, you are correct by saying that step 3 never happens.

1. I would right click on the usb icon in the tray & a very small window would pop up right next to the tray icon saying "safely remove hardware".
2. I would left click that window & another very small window would pop-up saying "it is safe to remove hardware" (paraphrasing)

OR

1. I would left click on the usb icon in the tray & a very small window would pop up right next to the tray icon saying "safely remove usb mass storage device drive E:".
2. I would left click that window & another very small window would pop-up saying "it is safe to remove hardware" (paraphrasing)

However, when I perform either task, all I hear is the "Windows XP balloon wave" but do not receive the "it is safe to remove hardware" window.

Also, here is what happens when I do the following:

1. Double click the usb icon in the tray
2. The larger "Safely Remove Hardware" window pops up with "USB Mass Storage Device" item listed. (This window offers the option of "properties" & "stop".)
3. I then can either click stop & be shown another window with specific names of the usb storage devices listed, from which I must choose one to stop. Or, I can double click the "USB Mass Storage Device" item listed in the large window & then the (same) window pops up showing specific names of the usb storage devices listed, from which I must choose one to stop.

But again, even when trying to safely remove via this method, after I hit "stop", I only hear a sound, but do not receive the "it is safe to remove hardware" window.

I hope that's clear....I tried to be as detailed as possible :-)

This post has been edited by Bub12: 28 December 2009 - 05:01 PM


#20 Bub12 (Member; Group: Members; Posts: 142; Joined: 19-May 09)

Posted 02 January 2010 - 08:01 PM

Papakid... you still there?

#21 Papakid (Guru at being a Newbie; Group: Malware Response Team; Posts: 6,019; Joined: 08-April 04; Gender: Male)

Posted 04 January 2010 - 02:23 PM

Yes, still here, just had other things occupying my time. Since there isn't a quick solution to this problem and I probably won't have time to research it for a few more days still, it would be better to start another thread in the XP forum where you might get quicker help--you can link to the last few posts here and then link me to your new thread and I'll try to keep up. As I mentioned, I posted what I did to give you a starting point and I thought you might come up with some ideas on your own. There was a link to another site that had an enormous amount of info that it was taking me all day to read that may yield some nuggets to lead in the right direction, but the majority of it deals with icons missing from the system tray.

There is a slight possibility that FD caused this problem but I don't think so. Maybe the deletion of the MountPoints2 registry key but that isn't very likely because, as I understand it, that just prevents the system executing autorun.inf in another way. The reg key is recreated/reset on reboot.

Your description of the issue clears it up some for me, altho some of your terminology is still a bit off. Besides the fact that you don't get the "It is safe to remove hardware now" balloon message, there are a couple of other differences in our systems. On a right click or double-click of the Safely Remove... icon I get the same thing, the Safely Remove Hardware Window that lists devices under "Hardware devices:". You're saying if you right click you don't have devices showing but if you double-click you do?

In any event you don't get the balloon message verifying that a device is stopped when you want it to be. You getting the balloon tip sound doesn't help as you don't know if the message is that it is now safe to remove or that you should wait til later. When I get more time I'll try to look into this for you or look in on a thread in the XP forum.

#22 Bub12 (Member; Group: Members; Posts: 142; Joined: 19-May 09)

Posted 04 January 2010 - 08:51 PM

