Posted by TeMerc, 24th April 2007 (#1)


Never Force Safe Mode With Malware

The write-up contained below was done by Blender, noted malware specialist and MS MVP in security. It pertains to instructing users to get into safe mode via MSCONFIG when they cannot normally do so, and the system-crashing potential of doing it.

===============================================
What I mean is getting users to use MSCONFIG to check /safeboot on the Boot.ini tab to force safe mode in the event F8 does not work.

A few web sites instruct users to use MSCONFIG:

http://service1.symantec.com/SUPPORT...01052409420406

That page no longer shows the F8 method.
It only shows the MSCONFIG method.

This page shows both F8 and MSCONFIG.
http://www.bleepingcomputer.com/tuto...utorial61.html


There are others I'm sure.

Several tools we use require Safe mode, including but not limited to:

- SmitFraudFix
- SDFix
- Other instances where we want HJT, reg fixes & file deletions done in safe mode to lessen the chance of malware running, making removal easier.

If F8 is not working or attempts to get to safe mode are not working we need to find out why before we force it.
Forcing Safe mode on a properly working computer is not an issue, but if the computer is working right... we are likely not working in it.

This is a dangerous practice because we can send the user in a near unrecoverable reboot loop should safe mode not be possible.

Under NO circumstances should we be forcing safe mode.

We don't know what the victim had before they got to us.
We don't know in most cases what they did before getting to us except they ran some scans and the malware scanners deleted some stuff.

We don't know what other underlying issues are present just looking at a HJT log.

In short... we don't have a clue what all is wrong.

Example:
Some malwares such as Sality delete the entire contents of this registry key:
Code:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
Leaving an empty key.
With this condition (which is not visible in Hijackthis or some other common analysis tools we use), Safe boot is not possible.

Have a look at yours. See all those drivers loading under safe? Without this info no safe boot is possible.

Some variants of Vundo are hindering Safe boot. This infection is not deleting Safe boot keys but rather just freezing the system solid at safe boot, and the victim can't get there.

What MSCONFIG does is modify the Boot.ini file.

Example:

From this:
Code:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
To this:
Code:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:minimal
This leaves no escape. The user only has ONE choice.

At least with the F8 method the victim can come back & report they cannot get to safe mode.
We figure out why, fix it, proceed with whatever we were doing that needed safe mode or use alternative methods to remove the malware causing issues then fix safe mode.

There is another tool out there that "assists" with Safeboot.

Called "Bootsafe" from SuperAntispyware.

http://www.superadblocker.com/bootsafe.html

This tool does basically the same thing.
Edits the Boot.ini file.

Again....
Without the user being able to boot the computer because they are locked in a reboot loop from damaged safe mode they cannot get to MSCONFIG to undo /safeboot or run Bootsafe to undo Safeboot.

Short of Booting to Recovery Console or Slaving the affected hard drive to another computer to repair the Boot.ini file the computer is basically toast.

===============================================

OK... we now know it is a bad idea to do this. How do we get around it?

Couple ways....

In the case of Vundo ...
Removing Vundo before other fixes that require safe mode *should* restore safe mode ability. (as long as you are not dealing with other infections that interfere)

Fix SafeBoot Reg key if you find it to be blank:

This would be incorporated into your fix, or done alone.

Step: Download and run AVZ from here
  • Unzip it to a folder on your desktop
  • Double click on AVZ.exe
  • Click on the file tab and then click on System recovery
  • Put a checkmark next to Restore SafeBoot registry keys
  • Click on Execute selected operations

We can also use other methods of malware removal that do not need safe mode, then fix safe mode.

There is another method that can be used that will give the user 2 OS choices.
1.) Normal boot
2.) Safe boot

Here's a link to the ElderGeek's description of how to do this:
http://www.theeldergeek.com/add_safe..._boot_menu.htm

This at least gives the victim an escape route if safe mode is broken.
On the next reboot attempt, simply choose normal boot and they are back.

The boot.ini will look something like:
Code:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Safe" /noexecute=optin /fastdetect /safeboot:minimal
With this the user has 30 seconds to use arrow keys to choose the "OS" of their choice.

Obviously you don't want to walk a total n00bie through this method but the option is there and is relatively safe. Keep in mind though that modifying the boot.ini file is not much less "delicate" than modifying the registry.

Back up the original so that if they break it you can use the Recovery Console to replace the borked boot.ini with the backup you created.

===============================================

OK... so you already broke it and need to fix it.

If the victim can boot but only to safe mode then obviously either use MSCONFIG to uncheck Safeboot or BootSafe (if this is what they used to get there) to check "Normal restart" & reboot.

++++++++++++

Caught in bootloop....

If the user has no OS CD to get into the recovery console they can download (obviously on another computer) and create the bootable RC.iso from here:

http://www.atribune.org/downloads/rc.iso

This is a bootable CD you can use to access the Recovery Console to repair the busted boot.ini file.

This article describes how to do it:

http://support.microsoft.com/kb/330184

bootcfg.exe is present only on XP Pro. Not on 2K or XP home.

===============================================

You can also slave the hard drive to another computer to edit the boot.ini file.
Boot.ini is system, read-only, & hidden.
Read only attribute will need to be removed to edit the file.
All you need to remove from boot.ini is this part:

/safeboot:minimal

Leave the rest intact. Re-check read only after saving changes.

Plug the drive back into the broken computer and you should be off to the races.

Obviously care must be taken here, especially if the broken hdd is infected.

===============================================

Repair install Windows if they have an OS CD.

Non destructive Recovery if they have Recovery Partition or Recovery CDs.

Destructive Recovery if they have Recovery Partition or CDs.

Note:
All the above code is for illustrative purposes only and should not be copied or used in any way. Do not perform any of the instructions listed above unless you are an advanced user or under the specific instruction of an accomplished malware analyst.
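As an added example (not from the original post or Blender's write-up), here is a small Python script that parses a boot.ini, flags the no-escape condition described above (every [operating systems] entry carrying /safeboot), strips that switch the way the Recovery Console or slaved-drive repair does by hand, and builds the two-entry Normal/Safe menu instead. The sample boot.ini text is constructed from the entries quoted in the post; the function names are my own.

```python
import re

# Added example, not from the original post: the /safeboot switch plus the space before it.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\w+)?", re.IGNORECASE)
ENTRY_RE = re.compile(r'([^=]+)="([^"]*)"\s*(.*)')   # arc path="description" switches

def parse_boot_ini(text):
    """Return ([boot loader] lines, [(arc_path, description, switches), ...])."""
    section, loader, systems = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
        elif section == "[boot loader]" and line:
            loader.append(line)
        elif section == "[operating systems]" and ENTRY_RE.match(line):
            arc, desc, sw = ENTRY_RE.match(line).groups()
            systems.append((arc, desc, sw.strip()))
    return loader, systems

def is_trapped(text):
    """True when every OS entry is forced into safe mode: if safe mode is broken
    there is no normal-boot entry to fall back to (the reboot loop in the post)."""
    _, systems = parse_boot_ini(text)
    return bool(systems) and all(SAFEBOOT_RE.search(sw) for _, _, sw in systems)

def strip_safeboot(text):
    """Remove only the /safeboot switch and leave every other switch intact,
    which is what the Recovery Console / slaved-drive repair does by hand."""
    return "\n".join(SAFEBOOT_RE.sub("", line) for line in text.splitlines()) + "\n"

def add_safe_entry(text, label="Safe"):
    """Build the two-choice menu: keep the normal entry and add a copy of it with
    /safeboot:minimal, so a broken safe mode still leaves a way back at the next reboot."""
    loader, systems = parse_boot_ini(text)
    if not systems or is_trapped(text):
        raise ValueError("no normal-boot entry to copy; repair boot.ini first")
    arc, desc, sw = next(e for e in systems if not SAFEBOOT_RE.search(e[2]))
    out = ["[boot loader]", *loader, "[operating systems]"]
    out += [f'{a}="{d}" {s}'.rstrip() for a, d, s in systems]
    out.append(f'{arc}="{desc} {label}" ' + (sw + " /safeboot:minimal").strip())
    return "\n".join(out) + "\n"

# Constructed sample input: the normal boot.ini from the post and the forced one.
NORMAL = ("[boot loader]\ntimeout=30\n"
          "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n[operating systems]\n"
          'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional"'
          " /noexecute=optin /fastdetect\n")
FORCED = NORMAL.rstrip("\n") + " /safeboot:minimal\n"
```

Run `is_trapped` on a boot.ini before handing it back to a user: if it returns True, the only way out of a failed safe boot is the Recovery Console or a slaved drive, exactly the situation the post warns about.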
