Author Topic: Do not recommend Flash Disinfector any longer but an alternative?  (Read 16525 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Hello you malware fighters,

As some folks here have ruined their autorun registry settings while using, and recommending to others, the Flash Disinfector tool (apparently not working alike on all pen drives), one should no longer recommend it.

But the following tool that I have found will disable/enable everything properly again. It is also very handy in the struggle against some of the known Conficker worm spreading routines. You can find it here:
http://www.uwe-sieber.de/drivetools_e.html#autorun


polonus
« Last Edit: February 28, 2009, 12:12:40 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do not recommend Flash Disinfector any longer but an alternative!
« Reply #1 on: February 27, 2009, 12:02:39 AM »
Second this... It messed up my AutoRun configurations in the Registry (Current User), removing the ability to restore it without manually deleting the entry. We have other antispyware and tools to deal with USB infections.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: Do not recommend Flash Disinfector any longer but an alternative!
« Reply #2 on: February 27, 2009, 12:23:40 AM »
Sorry friend, but there are no supporting 'facts' to support this FUD, considering that Flash Disinfector doesn't modify registry settings (unless it is trying to correct any previous registry amendment by the malware, under the heading 'Fix back damage to your system').

When I see said supporting facts, then that will be a different matter.
« Last Edit: February 27, 2009, 12:27:09 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do not recommend Flash Disinfector any longer but an alternative!
« Reply #3 on: February 27, 2009, 12:24:34 AM »
Quote
Sorry friend, but there are no supporting 'facts' to support this FUD, considering that Flash Disinfector doesn't modify registry settings

???
http://forum.avast.com/index.php?topic=42912.msg359242#msg359242
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #4 on: February 27, 2009, 01:30:14 AM »
Hi DavidR and Tech & Peanuts,

We should establish if we should run this tool after the use of Flash Disinfector, certainly as we get more complaints like Peanuts's and Tech's. At least we are definitely on to something here, and the final verdict will materialize soon, I think Peanut and Tech are satisfied with the e-tool getting their pop-ups back again,

polonus
« Last Edit: February 28, 2009, 12:13:12 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Do not recommend Flash Disinfector any longer but an alternative!
« Reply #5 on: February 27, 2009, 04:38:09 PM »
Hi malware fighters,

All recent information about this rather dangerous autorun software can be found here: http://en.wikipedia.org/wiki/Autorun
Conficker is such a "successful" worm because it spreads via various methods, so it is very difficult to combat.
That one has to run MS08-067 http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx every admin knows, but just while KB953252 http://support.microsoft.com/kb/953252 has not been spread as an automatic update and one is given the general wrong information that adapting NoDriveTypeAutoRun is enough even WITHOUT mentioning KB953252 makes that users do not really know what to do, and this may lead to a lot of unnecessary additional victim PCs,

polonus

« Last Edit: February 27, 2009, 08:17:05 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Do not recommend Flash Disinfector any longer but an alternative!
« Reply #6 on: February 27, 2009, 11:39:55 PM »
The disinfector does not do anything with the registry - it does not remove the mountpoints or anything similar (mountpoints are recreated as necessary by Windows anyway) or disable autoruns; it does place a secure autorun on each drive, though, to prevent further infection. It does this by making it near impossible to write another autorun file; this may be where the problem lies. If you are happy for your flash drive to autorun then delete the current autorun - but you will then be unprotected from malware. Would you rather access the USB drive manually or trust to luck that it is not infected and save yourself 10 seconds?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #7 on: February 28, 2009, 12:09:58 AM »
Hi essexboy,

So the exclamation mark turned into a question mark, now. But this is how we get our facts right,
and better to get everybody convinced with one way information.
Thanks for your contribution to the discussion. So we have two solutions and you can second this:
Make a secure autorun in the way you prescribed.

Then there is yet another solution open to users to prevent autorun worms etc.
Users who would like to prevent worms which execute without any user interaction using an “AutoRun.inf” file, can disable the Windows AutoRun feature completely with the help of the Windows group policy editor (Gpedit.msc).

ScreenShot below, click to enlarge...

polonus
« Last Edit: February 28, 2009, 12:15:03 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do not recommend Flash Disinfector any longer but an alternative!
« Reply #8 on: February 28, 2009, 12:10:56 AM »
Quote
The disinfector does not do anything with the registry - it does not remove the mountpoints or anything similar (mountpoints are recreated as necessary by Windows anyway) or disable autoruns; it does place a secure autorun on each drive, though, to prevent further infection.

Thanks for the info, essexboy. Seems that I was wrong.
Anyway, something messed up my autorun registry entries so that I completely lost this feature. Maybe it was myself, messing with the registry ::)
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #9 on: February 28, 2009, 12:21:03 AM »
Hi Tech,

Well look at it like this, we have given these 10% of malware infections via the autorun feature some extra attention, we have discussed the facts thoroughly and we reached some important conclusions and tactics to follow, so we can speak with some form of authority now - Flash Disinfector is a good protection scheme and there is even the more drastic way of disabling the feature altogether through the registry. I thank everybody for contributing here. Still puzzled why Microsoft did not tackle this problem through a general patch long ago (we have this since 95/2000) and left the feature by default in all their "flaws" of Windows,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #10 on: February 28, 2009, 12:24:11 AM »
Polonus, many thanks for your contribution also and for discovering that tool that, indeed, could change the registry key correctly.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #11 on: February 28, 2009, 12:29:14 AM »
Quote
The disinfector does not do anything with the registry - it does not remove the mountpoints or anything similar (mountpoints are recreated as necessary by Windows anyway) or disable autoruns; it does place a secure autorun on each drive, though, to prevent further infection. It does this by making it near impossible to write another autorun file; this may be where the problem lies. If you are happy for your flash drive to autorun then delete the current autorun - but you will then be unprotected from malware. Would you rather access the USB drive manually or trust to luck that it is not infected and save yourself 10 seconds?

Thanks for that confirmation, I felt reasonably sure it didn't change any registry settings.

I have three USB flash keys, and I ran Flash Disinfector with all of them connected: zero problems for them or my HDD's three partitions, and no registry issues at all.

The problem is that there have been so many pseudo registry hacks doing the rounds (none of which I applied) and two MS KBs that I'm aware of (which I installed), all of which, or a combination of which, could have screwed the registry, but zero problems on my system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hines232

  • Guest
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #12 on: February 28, 2009, 12:36:26 AM »
OK, fine on all this information!! I used Flash Disinfector on my system, Windows ME! Got no response whatsoever from the application. Is there a way for me to run "something" to see if my files have been jeopardized?????????????? :'(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #13 on: February 28, 2009, 12:52:21 AM »
Hi hines232,
Open Autorun.inf and look at what you find in it.
If that starts something up in a shell, for instance, or a worm, it is malware....

If Autorun is disabled in the registry,
you can check with the following saved as Autorun.inf:
Code:
[autorun]
; open=notepad.exe
shell\open\Command=notepad.exe
shell\explore\Command=notepad.exe
shellexecute=notepad.exe
useautoplay=1
together with notepad.exe, on a shared network drive and/or pen drive/USB stick, to see what is working or not working (what is meant here is double-clicking on a drive letter in "My Computer").
Any CD/DVD with a game on it should normally still start automatically.

But as someone has implemented the so-called "Nick Brown registry setting" meaning you took the following registry tweak:
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
and saved the above as a .reg file and imported this to the registry, then one implemented two fixes in one. That is as safe as the Bank of England, but autorun from a CD/DVD will not function any longer, whatever the value for NoDriveTypeAutoRun.

If you want to do with the tool mentioned in the beginning of this thread disable autorun for everything except for CD/DVD,

polonus


« Last Edit: February 28, 2009, 02:33:49 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
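
The check suggested in reply #13 (open Autorun.inf and see what it would start), written out as an added example that is not part of the original thread: a small Python parser that lists the directives in a drive's Autorun.inf that launch a program. The function names are hypothetical, and the sample input is the test file quoted in that reply.

```python
import re

# [autorun] keys that make Windows start a program: open=, shellexecute=,
# and shell\<verb>\command= (matched case-insensitively).
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def parse_autorun(text):
    """Return {section: [(key, value), ...]}; section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or ';' comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def launch_directives(text):
    """(key, command) pairs in [autorun] that would execute something."""
    return [(k, v) for k, v in parse_autorun(text).get("autorun", [])
            if EXEC_KEY.match(k) and v]

def review(text):
    """Summarise what the file asks Windows to do when AutoRun honours it."""
    found = launch_directives(text)
    entries = dict(parse_autorun(text).get("autorun", []))
    return {
        "launches": found,
        # shell\open\command and shell\explore\command take over the drive's
        # Open/Explore verbs, i.e. what runs on a double-click in My Computer.
        "overrides_drive_verbs": any(k.startswith("shell\\") for k, _ in found),
        "uses_autoplay": entries.get("useautoplay") == "1",
    }

# Sample input: the test Autorun.inf from the post, open= line commented out.
TEST_FILE = r"""[autorun]
; open=notepad.exe
shell\open\Command=notepad.exe
shell\explore\Command=notepad.exe
shellexecute=notepad.exe
useautoplay=1
"""

if __name__ == "__main__":
    for key, cmd in review(TEST_FILE)["launches"]:
        print(f"{key:<24} -> {cmd}")
```

On a real drive, read the file with `open(path, errors="replace")` and treat any launch target you did not put there yourself as a reason to scan the drive before opening it.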

hines232

  • Guest
Re: Do not recommend Flash Disinfector any longer but an alternative?
« Reply #14 on: February 28, 2009, 01:07:32 AM »
Thank you Sir. ;D