Never Force Safe Mode With Malware

The write contained below was done by Blender, noted malware specialist and MS MVP in security. It pertains to instructing users to get into safe mode by MSCONFIG when they cannot normally do so and the system crushing potential of doing it.

===============================================
What I mean is getting users to use MSCONFIG to check /safeboot on the Boot.ini tab to force safe mode in the event F8 does not work.

This page shows both F8 and MSCONFIG.
How to start Windows in Safe Mode


There are others I'm sure.

Several tools we use require Safe mode including but not limited to:

• -SmitFraudFix
  -SDFix
  -Other instances where we want HJT, reg fixes & file deletions done in safe to lessen the chance of malware running making removal easier.

If F8 is not working or attempts to get to safe mode are not working we need to find out why before we force it.
Forcing Safe mode on a properly working computer is not an issue but if the computer is working right... we are likely not working in it.

This is a dangerous practice because we can send the user in a near unrecoverable reboot loop should safe mode not be possible.

Under NO circumstances should we be forcing safe mode.

We don't know what the victim had before they got to us.
We don't know in most cases what they did before getting to us except they ran some scans and the malware scanners deleted some stuff.

We don't know what other underlying issues are present just looking at a HJT log.

In short... we don't have a clue what all is wrong.

Example:
Some malwares such as Sality delete the entire contents of this registry key:

Code:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot

Leaving an empty key.
With this condition (that is not visible in Hijackthis or some other common analysis tools we use) Safe boot is not possible.

Have a look at yours. See all those drivers loading under safe? Without this info no safe boot is possible.

Some variants of Vundo is hindering Safe boot. This infection is not deleting Safe boot keys but rather just freezing system solid at safe boot and victim can't get there.

What MSCONFIG does is modify the Boot.ini file.

Example:

From this:

Code:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

To this:

Code:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:minimal

This leaves no escape. User only has ONE choice.

At least with the F8 method the victim can come back & report they cannot get to safe mode.
We figure out why, fix it, proceed with whatever we were doing that needed safe mode or use alternative methods to remove the malware causing issues then fix safe mode.

There is another tool out there that "assists" with Safeboot.

Called "Bootsafe" from SuperAntispyware.

SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

This tool does basically the same thing.
Edits the Boot.ini file.

Again....
Without the user being able to boot the computer because they are locked in a reboot loop from damaged safe mode they cannot get to MSCONFIG to undo /safeboot or run Bootsafe to undo Safeboot.

Short of Booting to Recovery Console or Slaving the affected hard drive to another computer to repair the Boot.ini file the computer is basically toast.

===============================================

OK... we now know it is a bad idea to do this. How do we get around it?

Couple ways....

In the case of Vundo ...
Removing Vundo before other fixes that require safe mode *should* restore safe mode ability. (as long as you are not dealing with other infections that interfere)

Fix SafeBoot Reg key if you find it to be blank:

This would be Incorporated into your fix or alone.

Step : Download and run AVZ from here

• Unzip it to a folder on your desktop
• Double click on AVZ.exe
• Click on the file tab and then click on System recovery
• Put a checkmark next to Restore SafeBoot registry keys
• Click on Execute selected operations

We can also use other methods of malware removal that does not need safe mode then fix safe mode.

There is another method that can be used that will give the user 2 OS choices.
1.) Normal boot
2.) Safe boot

Here's a link to the ElderGeek's description of how to do this:
Add Safe Mode Startup to the Boot Menu

This at least gives the victim an escape route if safe mode is broken.
Simply the next reboot attempt choose normal boot and they are back.

The boot.ini will look something like:

Code:

[boot loader]timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional Safe" /noexecute=optin /fastdetect /safeboot:minimal

With this the user has 30 seconds to use arrow keys to choose the "OS" of their choice.

Obviously you don't want to walk a total n00bie through this method but the option is there and is relatively safe. Keep in mind though that modifying the boot.ini file is not much less "delicate" than modifying the registry.

Back up the original so if the break it you can use Recovery Console to replace the borked boot.ini with the backup you created.

===============================================

OK... so you already broke it and need to fix it.

If the victim can boot but only to safe mode then obviously either use MSCONFIG to uncheck Safeboot or BootSafe (if this is what they used to get there) to check "Normal restart" & reboot.

++++++++++++

Caught in bootloop....

If the user has no OS CD to get into the recovery console they can download (obviously on another computer) and create the bootable RC.iso from here:

http://www.atribune.org/downloads/rc.iso

This is a bootable CD you can use to access the Recovery Console to repair the busted boot.ini file.

This article describes how to do it:

Startup Repair: frequently asked questions - Windows Help

bootcfg.exe is present only on XP Pro. Not on 2K or XP home.

===============================================

You can also slave the hard drive to another computer to edit the boot.ini file.
Boot.ini is system, read-only, & hidden.
Read only attribute will need to be removed to edit the file.
All you need to remove from boot.ini is this part:

/safeboot:minimal

Leave the rest intact. Re-check read only after saving changes.

Plug the drive back into the broken computer and you should be off to the races.

Obviously care must be taken here especially if the broken hdd is infected.

===============================================

Repair install Windows if they have an OS CD.

Non destructive Recovery if they have Recovery Partition or Recovery CDs.

Destructive Recovery if they have Recovery Partition or CDs.

Note: