Questions & Concerns About Using Flash_Disinfector

21 replies to this topic

#1 Bub12 (Members, 144 posts)

Posted 06 December 2009 - 10:52 PM

Hello,

I have used Flash_Disinfector.exe in the past & was wondering if it cleans more than just a flash/thumb drive. I don't suppose it does any good to a CD, does it?

My other concern was what I just read here... http://www.threatexpert.com/files/Flash_Disinfector.exe.html

I realize that some AV/AS will consider Flash_Disinfector an infection but the above linked info doesn't seem to pertain to that. Any thoughts? Thanks!


#2 tg1911 (Lord Spam Magnet; Members, 19,274 posts; SW Louisiana)

Posted 07 December 2009 - 12:02 AM

Check out this topic: USB Autorun Disabler? (As I was searching for something else, I read about this program). A lot of good information.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

#3 Bub12 (Topic Starter; Members, 144 posts)

Posted 07 December 2009 - 01:50 PM

Thanks a bunch.

Great read, although I can't say that it all makes 100% sense to me. I got about 70%, I'd say :thumbsup:

As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun.

Also, I have used Flash Disinfector more than once on the same drive & I am not sure what the results of that would be. Any ideas?

It seems though that the computer is also affected by FD, not just the flash drive. This is where I get a little confused. So, there are bogus autorun.ini files installed on my machine whenever I have run FD? And those bogus files, to put it simply, are there to help, correct? I assume that if I uninstalled/reinstalled Windows that the autorun.ini files created by FD would be gone, yes? Just trying to understand how all of this works.

Now, I can't see any partitions on the flash drive, can I? Does FD actually remove infections from an infected flash drive?
And finally, if I insert a flash drive that ran FD into another computer, is that other computer affected at all by FD?

Sorry for all of the questions but I just want to understand a bit more. Thank you! I look forward to your reply.

#4 quietman7 (Bleepin' Janitor; Global Moderator, 51,597 posts; Virginia, USA)

Posted 07 December 2009 - 02:22 PM

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

However, disabling AutoRun is not enough. See Scott Dunn's One quick trick prevents AutoRun attacks. For most novice users, the easiest way to inoculate a USB flash drive is to create a Read-only folder on the drive and name it autorun.inf. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running malicious files as described in How to Maximize the Malware Protection of Your Removable Drives.

Alternatively, you can download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Also, I have used Flash Disinfector more than once on the same drive & I am not sure what the results of that would be. Any ideas?

It would just run the same routine as it did previously.

Reread this particular reply by Papakid.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Bub12 (Topic Starter; Members, 144 posts)

Posted 17 December 2009 - 01:06 AM

Thanks Quietman7,

I still have some questions though....

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this? Seems to be a catch-22...if I enable autorun, I am risking an attack, yet if I do not, I cannot backup my data to CDs. That cannot be right. There must be a workaround.

-If I did have Autorun disabled, why the need for:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


-I have a machine that I ran FD on a few months ago. So, I don't need to run FD again on that machine as that would be redundant, correct? However, when I use a new Flash/Thumb drive, it will not have any of the partitions that are put there by FD. So, it would seem as though I would need to run FD again, no?

-Does either FD or Panda USB Vaccine run on Linux &/or Mac?

-Finally, does FD actually remove infections from an infected flash drive?

So, you see, I am still a bit confused. I look forward to your reply!

Edited by Bub12, 17 December 2009 - 01:12 AM.


#6 quietman7 (Bleepin' Janitor; Global Moderator, 51,597 posts; Virginia, USA)

Posted 17 December 2009 - 08:20 AM

I have a machine that I ran FD on a few months ago. So, I don't need to run FD again on that machine as that would be redundant, correct?

Correct.

However, when I use a new Flash/Thumb drive, it will not have any of the partitions that are put there by FD. So, it would seem as though I would need to run FD again,

Correct. Or if you installed Panda USB Vaccine, just use that.

Does either FD or Panda USB Vaccine run on Linux &/or Mac?

These tools were designed for Windows platforms.

Finally, does FD actually remove infections from an infected flash drive?

When the tool was first introduced it was able to deal with some types of infections. However, the developer chose not to spend a lot of time trying to update FD as new variants appeared. Instead he devoted his time to the development of ComboFix.

#7 Bub12 (Topic Starter; Members, 144 posts)

Posted 17 December 2009 - 11:45 AM

Thank you Quietman7!!

Just a couple more things... :-)

So, there are no conflicting issues when installing both FD & Panda & which would you suggest? If I am not mistaken, Panda does not clean an infected drive, correct?

And last but not least, one of my original questions...

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this? Seems to be a catch-22...if I enable autorun, I am risking an attack, yet if I do not, I cannot backup my data to CDs. That cannot be right. There must be a workaround.

THANKS!

#8 quietman7 (Bleepin' Janitor; Global Moderator, 51,597 posts; Virginia, USA)

Posted 18 December 2009 - 08:27 AM

While I understand your frustration at getting a reply, staff members are all volunteers and we assist other members as well as you when time permits. No one is paid for their work or assistance to members of our community. We have jobs in the real world and families so we are not logged into the forums all day long.

I am out of town this week providing training to EMS providers and there is little time to access the Internet. There should be no conflicting issues when using both FD & Panda but there is no reason to do so. I already advised that FD is no longer being updated so I would use Panda. Although Panda does not clean any infections, FD is limited in what it can clean and you should not depend on it for disinfection purposes.

Tools like MalwareBytes are more effective.

#9 Bub12 (Topic Starter; Members, 144 posts)

Posted 18 December 2009 - 11:16 AM

Thanks Quietman7!

No pressure here...I just figured that you may no longer be subscribed considering my much delayed response. Thanks again for your help!

Also, can anyone answer this:

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this? Seems to be a catch-22...if I enable autorun, I am risking an attack, yet if I do not, I cannot backup my data to CDs. That cannot be right. There must be a workaround.

Update- What I actually did was to disable the CD drive only, I believe. I followed the following:
http://www.engadget.com/2004/06/29/how-to-...run-on-windows/

Now recently, on another machine, I believe I disabled all drives by changing the "no drive type autorun" to "0xff", as is explained here:
http://support.microsoft.com/kb/967715

But, after doing this, my CD & flash drive both started without any help from me. Is this normal? Perhaps this occurring would explain the difference between autorun & autoplay?

And finally, MS says that the default "no drive type autorun" for XP is "0x91", yet mine was set at "24". Would this have anything to do with Flash Disinfector?

I would very much appreciate any assistance. Thanks!

Edited by Bub12, 19 December 2009 - 01:09 AM.


#10 Papakid (Guru at being a Newbie; Malware Response Team, 6,629 posts)

Posted 22 December 2009 - 12:08 PM

Hi Bub12,

Please don't take offense, but by some of what you've posted I see a lack of exactness that may explain why you have difficulty understanding the answers you've been given. I would suggest you read over some of the material again and make an extra effort to determine exactly what is being said. I understand that the whole subject is confusing tho. Perhaps I can help clarify--and keep in mind there are elements that I am trying to clarify in my own mind as well.

Let me start out by saying that Flash Disinfector (FD) was designed primarily as a cleanup tool--preventive measures were a sort of afterthought because the author was concerned that the spread of malware via Flash/USB drives was getting to be rampant. The second major point, and this goes to your first question, is that it is designed to deal with Flash/USB drives, not optical (CD/DVD, etc.) drives. That is why it's called Flash Disinfector instead of something else. Flash because Flash memory is what is being used on the relatively new devices known by various names--memory sticks, thumb drives, pen drives, etc., etc. To me it is least confusing to refer to them as Flash Drives because that is the type of memory they use and it distinguishes them from other types of drives. Flash drives are the main culprit in the spread of these types of malware, however, FD is designed to deal with all writable drives, such as external USB hard drives and even internal hard drives. Why? See the article by Nick Brown that you have been linked to already:

The [malware] executable will make a copy of itself and AUTORUN.INF on all the disk partitions and shared drive connections which it can see, and then open the root folder normally. (This takes a fraction of a second, but you won't notice it.) The executable will then sit around in memory and every time you insert a removable storage volume (such as another memory stick) or map a network drive, it will copy the worm "kit" to it.

http://nick.brown.free.fr/blog/2007/10/memory-stick-worms

At this point, let's clear up an apparent misconception that you have posted about.

However, when I use a new Flash/Thumb drive, it will not have any of the partitions that are put there by FD.

FD does not add partitions to drives. It adds a dummy autorun.inf (not autorun.ini) file to each writable partition that exists on the machine. This works on a simple principle; two files/folders of the exact same name may not exist in the same folder--and the root of every partition is considered a folder. So when a malicious file tries to spread an infection by writing an autorun.inf file to each writable partition, it can't because FD has beat it to the punch by writing a file of that exact name to that folder first. The malicious payload file might still get written to the partition, but, as explained in the other thread, it is harmless without the autorun.inf file--the payload files are like bullets without a gun and should be cleaned up when you scan with the antivirus you have installed.

I'm not sure if you just used the wrong terminology or if you aren't sure what partitions are--if the latter you should read up on partitions so you can understand everything better.

Optical drives can spread malware, but they don't very often, if at all, by the autorun.inf method because those drives are not writable. I believe re-writable is the correct term (but need to check it) but the point is that you have to burn a CD to write to it. Besides not wanting to bother with writing code to burn to CD, malware authors won't bother with optical media because they don't know if you even have a rewritable CD/DVD loaded and it is just so much simpler and efficient to use writable partitions.

Now we get to your latest set of questions.

-If I did have Autorun disabled, why the need for:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


There are several methods of disabling autorun, as you're beginning to see. This registry hack is what is known to be the most effective way to do that, altho it does it in a roundabout way. FD does disable autorun. I don't know if it uses this method but I have a feeling it does--will try to confirm. From Nick Brown's blog again:

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.

That isn't directly disabling autorun, per se, but has the same effect. We'll refer to this as the Nick Brown hack as i will bring it up again later.

What I actually did was to disable the CD drive only, I believe. I followed the following:
http://www.engadget.com/2004/06/29/how-to-...run-on-windows/

The author of this article disabled autorun for CDs so that DRM software couldn't run automatically. Defeating copyright protection in any way is counter to the forum rules at BC (whether you agree with DRM or not, it is the law and it's in BC's own best interest to abide by it) but that is the main purpose the author had in mind, not protecting from infection using the autorun.inf method. Even tho it would defeat the spread of autorun malware, since you aren't going to get infected by it very often this way, there is really no need to disable autorun for optical drives.

Now recently, on another machine, I believe I disabled all drives by changing the "no drive type autorun" to "0xff", as is explained here:
http://support.microsoft.com/kb/967715

But, after doing this, my CD & flash drive both started without any help from me. Is this normal? Perhaps this occurring would explain the difference between autorun & autoplay?

First, that method is direct disabling of autorun, but it is complex, confusing and, as mentioned in the Nick Brown blog, the whole process is buggy.

Now, in theory you can prevent certain drive types from executing the contents of their AUTORUN.INF files using a registry value (NoDriveTypeAutoRun). But this is hard to do in practice. First, it's a per-user key, which in a corporate environment is harder to manipulate reliably than a per-PC key. Secondly, there are several bugs known for it. And thirdly, a little-known registry key called MountPoints2 contains cached information about every memory stick or other removable device which your PC has ever seen, and that overrides the NoDriveTypeAutoRun value if you insert a volume which the PC already knows about.


This is why Brown uses his "roundabout" hack to solve the problem.

But no, it's not normal for your CD drive to start up if you're trying to disable autorun. I can't say exactly why that happened; I would guess because of one of the bugs or you did something incorrectly. It would have nothing to do with the difference between autorun and autoplay--still haven't researched this enough to explain to my own satisfaction, but as far as i can tell the difference between the two is more semantical than anything else.

And finally, MS says that the default "no drive type autorun" for XP is "0x91", yet mine was set at "24". Would this have anything to do with Flash Disinfector?

It's possible but i don't think so. FD will disable autorun, but that value data (24) is not in the list of values that will disable autorun. I have no idea what all you've been doing since you've begun exploring this issue and even over the life of your computer that would put that value there. But the bottom line here is that FD will disable autorun by whatever method it uses--it also deletes the mountpoints2 reg entries--so you don't have to go into the registry to do it yourself. The data to set that registry value can vary greatly--scroll down to the bottom of this page to see what i mean:
http://www.moonvalley.com/products/rwavdc/enable.htm
I've yet to figure it out so I don't expect the average user to either--instead, it just makes more sense to me to use a program that can be trusted to disable autorun.

-As far as disabling autorun, I did that a long time ago but found it to be very impractical. I make regular CD backups & every time I would try to backup, I would be prompted that there was no disc in the drive & would then need to enable autorun. How do I get around this? Seems to be a catch-22...if I enable autorun, I am risking an attack, yet if I do not, I cannot backup my data to CDs. That cannot be right. There must be a workaround.

So as I've mentioned already, there is no need to worry about autorun infections coming from CDs (unless you use CDs burned from an infected machine a lot).

First, are you sure disabling autorun causes your CD drive to not work? In other words, your optical drives worked OK before using Flash Disinfector, then when you ran FD, which disables autorun, the drives didn't work? Were you able to confirm this by re-enabling autorun on your optical drives and after doing so the optical drives worked? In my research on this issue there have been some indications that disabling autorun on all drives will cause problems with optical drives, so it is possible that running FD caused your issue, but I can't confirm that--it is something that I need to research more but haven't had the time. It may be that preventing the autorun.inf file from being read prevents Windows from recognizing that a CD drive is present, which would mean the Nick Brown hack and the NoDriveTypeAutoRun hack would both break optical drives. Or it could be something else--in the following thread a similar problem was fixed by changing the CD speed--give that a try and let us know how it goes:
http://www.astahost.com/info.php/Cd-Burner...are_t12550.html

If that doesn't work and it is true that disabling autorun caused it, the ideal solution would seem to be to disable autorun for all drives except optical ones, which is what the hotfix that TheJoker links to does:
http://www.spywareinfoforum.com/index.php?showtopic=125953
http://support.microsoft.com/kb/971029

However, the catch there is that some writable drives present themselves as optical drives so if you have those type drives you are still vulnerable.

I have not been able to do much research on this since my previous writeup, and probably won't get back to it until after New Year's, but from what little I have done I am leaning more and more toward the simplest and best solution being to use AutorunEater. It doesn't disable autorun and doesn't even scan optical drives for autorun.inf files. This way you don't have to run a program every time you insert a drive for the first time and you also don't have to worry about whether your drives are NTFS or FAT/32.

In my previous thread I list the drawbacks to AE and will add another to it. Last week Antivir and Ad-Aware began detecting AE as malware. It is a false positive and I can confirm that it has been corrected by Antivir, but the thing is that it wasn't readily apparent that AE is what was being detected. I can only assume that it was a self-protection mechanism but the behavior that was being flagged sure looked like malware. However, I still think AE is the simplest solution available.

BTW, it's common for such smallish security tools to be flagged as malware--or, if you read the detection carefully, a warning that the tool might be malware. You saw it with FD.

The thing about people

is they change

when they walk away.--Mipso
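The posts above describe three separate defences that are easy to confuse: the IniFileMapping "Nick Brown hack" (quietman7's REGEDIT4 snippet, explained by Papakid), the NoDriveTypeAutoRun bit mask from KB 967715 (the "0x91" versus "0xff" versus "24" question), and the dummy autorun.inf that Flash Disinfector or a read-only autorun.inf folder leaves at each drive root. The read-only audit below is an added example, not part of this thread and not code from Flash Disinfector's author, Panda or Nick Brown. It assumes a Windows machine where the current user can read HKLM and its own hive; the bit names come from the KB article, the mapping key path from the snippet in the thread, and the MountPoints2 location from Nick Brown's quoted paragraph. It changes nothing; it only reports what each defence currently looks like so the reader can see which of the methods discussed is actually in effect.

```powershell
# Added example (not from the thread): audit the autorun defences discussed above.
# Read-only. Assumes Windows with PowerShell and read access to HKLM/HKCU.

# NoDriveTypeAutoRun bit values as documented in Microsoft KB 967715.
# A set bit means autorun is suppressed for that drive type; 0xFF suppresses all.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'unknown drive types' },
    @{ Bit = 0x04; Name = 'removable drives (USB flash etc.)' },
    @{ Bit = 0x08; Name = 'fixed drives' },
    @{ Bit = 0x10; Name = 'network drives' },
    @{ Bit = 0x20; Name = 'CD-ROM drives' },
    @{ Bit = 0x40; Name = 'RAM disks' },
    @{ Bit = 0x80; Name = 'unknown drive types (reserved bit)' }
)

function Get-NoDriveTypeAutoRun {
    # Reads the per-machine and per-user policy values and decodes the mask,
    # so a value such as 0x91, 0xFF or decimal 24 is shown as the drive types it covers.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [PSCustomObject]@{ Hive = $p; Value = '(not set)'; AutorunSuppressedFor = '' }
            continue
        }
        $v = [int]$item.NoDriveTypeAutoRun
        $names = foreach ($e in $DriveTypeBits) { if ($v -band $e.Bit) { $e.Name } }
        [PSCustomObject]@{
            Hive                 = $p
            Value                = ('0x{0:X2} (decimal {1})' -f $v, $v)
            AutorunSuppressedFor = ($names -join ', ')
        }
    }
}

function Test-IniFileMappingHack {
    # True when the IniFileMapping redirection from the thread is in place:
    # the default value of ...\IniFileMapping\Autorun.inf points at a key that does not exist,
    # so Windows reads an "empty" autorun.inf regardless of the file's contents.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.'(default)' -eq '@SYS:DoesNotExist')
}

function Get-MountPoints2Count {
    # Nick Brown's paragraph notes that cached MountPoints2 entries can override
    # NoDriveTypeAutoRun for volumes the PC has seen before; report how many are cached.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $key)) { return 0 }
    return (Get-ChildItem -Path $key -ErrorAction SilentlyContinue | Measure-Object).Count
}

function Get-AutorunInfStatus {
    # For every file-system drive, report whether an autorun.inf exists at the root,
    # whether it is a folder (the read-only-folder method) or a file (FD's dummy, or
    # something written by malware), and the first lines of a file so it can be inspected.
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $d.Root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)) {
            [PSCustomObject]@{ Drive = $d.Root; Present = $false; Kind = ''; ReadOnly = $null; Preview = '' }
            continue
        }
        $item = Get-Item -LiteralPath $path -Force
        $preview = ''
        if (-not $item.PSIsContainer) {
            # Lines such as open=, shellexecute= or shell\...\command= are what autorun acts on.
            $preview = (Get-Content -LiteralPath $path -TotalCount 10 -ErrorAction SilentlyContinue) -join ' | '
        }
        [PSCustomObject]@{
            Drive    = $d.Root
            Present  = $true
            Kind     = if ($item.PSIsContainer) { 'folder' } else { 'file' }
            ReadOnly = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
            Preview  = $preview
        }
    }
}

function Invoke-AutorunAudit {
    'NoDriveTypeAutoRun policy values:'
    Get-NoDriveTypeAutoRun | Format-Table -AutoSize
    'IniFileMapping hack (Autorun.inf -> @SYS:DoesNotExist) present: ' + (Test-IniFileMappingHack)
    'Cached MountPoints2 entries for this user: ' + (Get-MountPoints2Count)
    'autorun.inf at drive roots:'
    Get-AutorunInfStatus | Format-Table -AutoSize
}

Invoke-AutorunAudit
```

Run it from any PowerShell prompt; no elevation is needed for reading these keys. A root autorun.inf that is a plain, writable file and whose preview contains open= or shellexecute= lines is worth checking against a known-clean copy before deciding it is a harmless dummy, which is the same judgment Papakid suggests bringing to a forum.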


#11 Bub12 (Topic Starter; Members, 144 posts)

Posted 23 December 2009 - 12:10 AM

Papakid,

WOW! THAT IS ONE TERRIFIC REPLY. THANK YOU! :thumbsup: Your time invested is not unnoticed & is very much appreciated.

First, are you sure disabling autorun causes your CD drive to not work?

When I initially posted about my CD drive being disabled, I thought that this http://www.engadget.com/2004/06/29/how-to-...run-on-windows/ was the fix for disabling autorun. Now that I know that it is not, I understand why I could not access my CD drive.

As far as my other PC & changing the "no drive type autorun", I am fairly certain that I didn't screw it up :-)
The value was 24, not "0x91". And I have since changed it to "0xff" & when I insert my Flash &/or CD, the computer recognizes that there is removable media inserted, but it does not open it. I must open them by clicking. Is that a bug or is that normal? In other words, what is supposed to happen when such media is inserted on a machine with autorun disabled? Remember that I not only changed the said value, but have also used FD on that machine more than once.

Perhaps I should change the "no drive type autorun" to "0x91" as now when I try to "safely remove the flash drive", I never actually receive the window that says, "now you can safely remove the drive" or something to that effect. I hear the corresponding sound after taking the usual steps, but that's it.

So, just to clarify, I should only need to run FD once to achieve the desired "disable autorun" & not need to mess with any of the other methods. Do I have that right? However, I did somehow miss the following, which may be a good idea to perform...
http://support.microsoft.com/kb/971029 although, maybe unnecessary if I am getting all this. Ahhhhhh!

I realize that some of what I write may not make sense. This occurs because I do not fully comprehend what the heck is going on with all of this ;-) Hopefully as I learn I will make more sense. Believe me, I do not wish to be a pain in the butt.

Merry Christmas!

Edited by Bub12, 23 December 2009 - 12:34 AM.


#12 Papakid (Guru at being a Newbie; Malware Response Team, 6,629 posts)

Posted 24 December 2009 - 11:23 AM

First, I know you are not intentionally being a pain in the butt. You may be like me--I have to read slowly and some things I have to read over several times in order to comprehend--let it sink in as it were. But if not, give it a try--it is just that some of your questions were already answered by reading material you were provided. But believe me, I know what it is like to be overwhelmed by information overload.

Overall, my suggestion is to quit using FD and trying to disable autorun and use AE. There are loopholes and drawbacks to all the methods used to disable autorun--as far as I can tell--I still need to do some more tests to support that assertion.

But let's see if I can answer a few specific questions.

As far as my other PC & changing the "no drive type autorun", I am fairly certain that I didn't screw it up :-)
The value was 24, not "0x91". And I have since changed it to "0xff"...

As far as I understand it, "0x91" enables autorun on all drives and "0xff" disables it on all drives--if you have the patch for your operating system that removes the bug in this key value. I have no idea what 24 does or how it got there--I assume it has something to do with a specific drive on the computer in question.

...when I insert my Flash &/or CD, the computer recognizes that there is removable media inserted, but it does not open it. I must open them by clicking. Is that a bug or is that normal? In other words, what is supposed to happen when such media is inserted on a machine with autorun disabled? Remember that I not only changed the said value, but have also used FD on that machine more than once.

That is exactly what you want when autorun is disabled. Nothing happens when you insert any removable drive. You have to open the drive manually using Windows Explorer. If autorun is enabled, when you insert a drive or open it in Explorer, files or programs can run automatically, and some malicious payload files can execute if you open the drive in Windows Explorer, depending on how the autorun.inf file is configured.

Perhaps I should change the "no drive type autorun" to "0x91" as now when I try to "safely remove the flash drive", I never actually receive the window that says, "now you can safely remove the drive" or something to that effect. I hear the corresponding sound after taking the usual steps, but that's it.

I don't believe that symptom is caused by disabling autorun. You can always try changing the value back to "0x91" (reboot after changing to be sure). If that doesn't fix it you'll know to look for another cause.

So, just to clarify, I should only need to run FD once to achieve the desired "disable autorun" & not need to mess with any of the other methods. Do I have that right? However, I did somehow miss the following, which may be a good idea to perform...
http://support.microsoft.com/kb/971029 although, maybe unnecessary if I am getting all this. Ahhhhhh!

Yes, running FD once should disable autorun--it uses one of the methods we've discussed. Running the 971029 hotfix as well won't hurt but may not be necessary either. As already stated, there is the concern over a possible loophole in that some USB drives are recognized as optical drives. I have yet to test this using my own judgment to draw any sound conclusions from.

Since you've already run FD on these computers, you should have autorun disabled and dummy autorun.inf files on every partition--the latter of which are difficult to delete without a reformat and reinstall of Windows--you should already be pretty well protected. But if I were starting fresh I would go with leaving autorun enabled and have AE run in the background. If any autorun comes up you can remove it--it makes backups--and come to a forum like this one to ask if the contents of the autorun.inf file are OK. If so you can restore it.

My experience with Antivir flagging AE as malware--a sure false positive--has given me some insight into AE's behavior and I now think it protects itself pretty well. But as I've said before, no system or method is foolproof--security is a matter of risk reduction, not risk elimination.


#13 Bub12 (Topic Starter; Members, 144 posts)

Posted 24 December 2009 - 10:25 PM

Hi Papakid,

You have to open the drive manually using Windows Explorer.

Let me just make sure we're on the same page here. I open my CD drive & Flash via "My Computer", not "Explorer". The exact path is different but the result should be the same. We okay on this?

Quoting Bub12 (22 December 2009, 11:10 PM):
Perhaps I should change the "no drive type autorun" to "0x91" as now when I try to "safely remove the flash drive", I never actually receive the window that says, "now you can safely remove the drive" or something to that effect. I hear the corresponding sound after taking the usual steps, but that's it.

I don't believe that symptom is caused by disabling autorun. You can always try changing the value back to "0x91" (reboot after changing to be sure). If that doesn't fix it you'll know to look for another cause.

Well...I temporarily reverted back to "0x91" & I still don't get the "safely remove hardware" window. Looks like another thread then! :thumbsup:

Thank you so much for all of your help & your incredibly detailed & well thought out explanations. I am a detail oriented person so I very much appreciate such responses. When I do not receive clear & concise answers, I keep on asking questions :flowers:

Have a Merry Christmas & a Happy New Year!

Edited by Bub12, 24 December 2009 - 10:27 PM.


#14 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:32 AM

Posted 26 December 2009 - 02:17 PM

You have to open the drive manually using Windows Explorer.


Let me just make sure we're on the same page here. I open my CD drive & Flash via "My Computer", not "Explorer". The exact path is different but the result should be the same. We okay on this?

Well, I think we have a small problem again with terminology. Not sure what you mean by "The exact path is different but the result should be the same", but My Computer is Windows Explorer. Don't confuse it with Internet Explorer. Although the two are somewhat interconnected, IE is a web browser and WE is a file browser, also known as a file manager.

The quickest ways to get to WE are to press the Windows key on your keyboard along with E, or to right click on the My Computer icon and choose Explore. You'll see the same thing as if you'd just clicked My Computer except this way you don't have to click the Folders button to see the folder tree in the left hand column.

Or right click on any drive in the My Computer screen and choose Explore. My Computer is more analogous to the file cabinet you would put actual manila folders into. In any event, when you have autorun disabled, this is how you have to access your drives. Double click the icon for the drive and it should open so that you can see the files on the drive. Or right click and choose the appropriate context menu item. For example, even if you have autorun disabled for optical drives, you should still have a choice to "Play" in the context menu for audio and video disks.

If you like to play around with software, you might like to check out a third party file manager like FreeCommander.

Well...I temporarily reverted back to "0x91" & I still don't get the "safely remove hardware" window. Looks like another thread then! :thumbsup:

Maybe no need for another thread--read over the following webpage and give it a try and let me know what happens:
http://ask-leo.com/safely_remove_hardware_...without_it.html
It may not be a permanent fix--if so you will be free to start another thread. :flowers:

Something else I've been thinking about and that may be related to this--reading Nick Brown's blog again--keep in mind that the disabling of autorun via the NoDriveTypeAutorun registry value is a per user registry change only. What that means is that, if you have other user accounts with administrator privileges on your computer(s), then you will need to log in to each such account and edit that registry value. Contrary to what I posted earlier, I now think FD uses the NoDriveTypeAutorun hack, so it would be safer to just run it when logged onto other accounts.

The Nick Brown hack does not require logging in to each account because it changes a global (i.e., computer-wide) setting. Global settings are found under the HKEY_LOCAL_MACHINE root registry key (roots are also known as hives)--per user settings under HKEY_CURRENT_USER. That may be a bit oversimplified as there are other per user hives, but it should give you a basic idea of a difference between the two hacks.

How does this all relate to your question? It is possible that, during your exploration of this issue you have instituted the Nick Brown hack. If so it may have had an effect on the safely remove hardware function. So let me know what you have and haven't done if this issue persists.

Thank you so much for all of your help & your incredibly detailed & well thought out explanations. I am a detail oriented person so I very much appreciate such responses. When I do not receive clear & concise answers, I keep on asking questions :trumpet:

Have a Merry Christmas & a Happy New Year!

First I hope you had a nice Christmas--mine was. Second, you are very welcome to whatever help has been given. I try to answer all questions asked because that is what I would want if the situation was reversed. I've also often been disappointed in replies in forums like this one when my specific questions aren't answered or not enough effort has been put into the response. But you have to realize that many people who help are answering dozens of threads, so glancing over questions and info and giving short responses is understandable and with some people unavoidable. Especially when a forum gets big and has a huge workload. I give more detail because I have a bit more time than others--plus I simply don't have the ability to handle more than three or four threads at a time--if that. It's not that I am supremely generous because I am actually also selfish--I learn a lot from working threads like yours. For example, I haven't been using my CD/DVD player much over the last several months--until I received some disks for Christmas. Now I'm having some problems with the drive not recognizing that a disk is inserted and, if it does, what the titles are. You having one of the same problems has given me insight into a possible cause--possibly related to having run FD in the past. But I need to do some troubleshooting and run some tests to be sure--in a few weeks as I have little time at the moment. Just stay tuned.

The thing about people

is they change

when they walk away.--Mipso
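A way to check the per-user versus machine-wide distinction Papakid describes above, as an added example that is not from this thread or from either tool mentioned in it. It reads the NoDriveTypeAutoRun value from the HKLM and HKCU Policies\Explorer keys and from every user hive currently loaded under HKEY_USERS, decodes the bitmask (0x91 is unknown-type + network + unknown-type-high-bit, so removable and CD-ROM drives are still allowed to autorun, while 0xFF disables all drive types), and then looks at the IniFileMapping\Autorun.inf key, which is the machine-wide key the Nick Brown method sets (that key name and its @SYS:DoesNotExist value come from general knowledge, not from this page). The registry paths are the standard ones and are assumed, not quoted from the posts.

```powershell
# Added example (not from the thread): audit NoDriveTypeAutoRun per scope and the
# machine-wide Autorun.inf IniFileMapping entry. Run in an elevated PowerShell.

# Bit values of NoDriveTypeAutoRun are 1 shl DRIVE_* (the GetDriveType constants).
$bitNames = [ordered]@{
    0x01 = 'unknown type'
    0x02 = 'no root directory'
    0x04 = 'removable (USB/floppy)'
    0x08 = 'fixed'
    0x10 = 'network'
    0x20 = 'CD-ROM/DVD'
    0x40 = 'RAM disk'
    0x80 = 'unknown type (high bit)'
}

function Get-AutorunMask {
    # Returns the NoDriveTypeAutoRun value under $KeyPath, or $null when unset.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Format-AutorunMask {
    # Renders the mask as hex plus the drive types on which autorun is disabled.
    param([int]$Mask)
    $names = foreach ($bit in $bitNames.Keys) { if ($Mask -band $bit) { $bitNames[$bit] } }
    return ('0x{0:X2} disables autorun on: {1}' -f $Mask, ($names -join ', '))
}

$explorerSub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$targets = @(
    @{ Scope = 'machine-wide (HKLM)';   Path = "HKLM:\$explorerSub" }
    @{ Scope = 'current user (HKCU)';   Path = "HKCU:\$explorerSub" }
)

# Per-user hives live under HKEY_USERS, but only hives of currently logged-on
# users are loaded. That is why the thread says to log in to each account.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $targets += ,@{ Scope = "loaded user hive $($_.PSChildName)"; Path = "HKU:\$($_.PSChildName)\$explorerSub" }
    }

foreach ($t in $targets) {
    $mask = Get-AutorunMask -KeyPath $t.Path
    if ($null -eq $mask) {
        '{0,-60} NoDriveTypeAutoRun not set (Windows default applies)' -f $t.Scope
    } else {
        '{0,-60} {1}' -f $t.Scope, (Format-AutorunMask -Mask $mask)
    }
}

# Machine-wide mapping: when Autorun.inf is mapped to @SYS:DoesNotExist, Windows
# reads the file's sections from a registry key that does not exist, so every
# autorun.inf on every drive is ignored regardless of which user is logged on.
$iniKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
if (Test-Path $iniKey) {
    $mapping = (Get-ItemProperty -Path $iniKey).'(default)'
    "IniFileMapping\Autorun.inf default value: $mapping"
} else {
    'IniFileMapping\Autorun.inf key absent: no machine-wide autorun.inf mapping in place'
}
```

The script only reports; it changes nothing. If a user account that is not logged on needs checking, its hive is not under HKEY_USERS and the script will not list it, which matches Papakid's point that the NoDriveTypeAutoRun approach has to be repeated in each account, whereas the IniFileMapping entry shows up once under HKLM for everyone.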


#15 Bub12

Bub12
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  •  
  • Local time:03:32 AM

Posted 27 December 2009 - 12:03 AM

IE is a web browser and WE is a file browser, also known as a file manager.


Well of course..I am not a stupid ya know! :trumpet:

but My Computer is Windows Explorer


Perhaps I am still not being clear enough...I keep a "My Computer" shortcut on my desktop. When I want to access the contents of a CD or Flash/Thumb, here's what I do:

1- I double-click the "My Computer" shortcut icon
2- I double-click on the CD-RW drive (D:) icon or the (E:) drive icon, which holds my Flash device. Both of these drive icons are located in the section called "Devices with Removable Storage".

And that's it. I simply open/read a CD & Flash drive via this method without actually accessing "Explore" which would be done by right-clicking on the same drive icons, then clicking "Explore". Obviously, I could open said drives by right-clicking the said icons & clicking "Open" as well.

Listen, I realize my explanation is Windows 101, but I just want to be sure we're on the same page. I am no pc expert but I have been working with pc's since DOS, so I do okay.

It is possible that, during your exploration of this issue you have instituted the Nick Brown hack.


Not unless someone slipped me a mickey :thumbsup:

UPDATE- Well, I read that thread that you linked to about safely removing hardware & thanks! Buuuutttt, that has brought me to a possibly more serious issue. Here is what someone suggested in the forum & although I did not do it, as I wasn't sure if changing this service to auto would somehow affect external media opening automatically, I found the following:

http://www.bleepingcomputer.com/startups/ntmssvc-11811.html

However, from other reading, NtmsSvc does seem to be a normal Windows service. So, I am confused....sorry :flowers:

Also, I have no problem getting to the "Safely Remove Hardware" window w/o running a command to get there. I just double-click on the "Safely Remove Hardware" icon in the tray & voila, as opposed to starting the process by right-clicking the same icon, then left clicking a small "safely remove" prompt & waiting for the "it's safe to remove" window, which never happens. And if you understood that, you're alright!

Edited by Bub12, 27 December 2009 - 12:42 AM.
