
Never Force Safe Mode With Malware

Discussion in 'Malware and Virus Removal' started by TeMerc, 2007/04/24.

Thread Status:
Not open for further replies.
    The write-up contained below was done by Blender, noted malware specialist and MS MVP in security. It pertains to instructing users to get into safe mode by MSCONFIG when they cannot normally do so, and the system-crushing potential of doing it.

    ===============================================
    What I mean is getting users to use MSCONFIG to check /safeboot on the Boot.ini tab to force safe mode in the event F8 does not work.

    This page shows both F8 and MSCONFIG.
    How to start Windows in Safe Mode


    There are others I'm sure.

    Several tools we use require Safe mode including but not limited to:
    • SmitFraudFix
    • SDFix
    • Other instances where we want HJT, reg fixes & file deletions done in safe to lessen the chance of malware running making removal easier.
    If F8 is not working or attempts to get to safe mode are not working we need to find out why before we force it.
    Forcing Safe mode on a properly working computer is not an issue but if the computer is working right... we are likely not working in it.

    This is a dangerous practice because we can send the user in a near unrecoverable reboot loop should safe mode not be possible.

    Under NO circumstances should we be forcing safe mode.

    We don't know what the victim had before they got to us.
    We don't know in most cases what they did before getting to us except they ran some scans and the malware scanners deleted some stuff.

    We don't know what other underlying issues are present just looking at a HJT log.

    In short... we don't have a clue what all is wrong.

    Example:
    Some malware, such as Sality, deletes the entire contents of this registry key:
    Code:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
    Leaving an empty key.
    With this condition (that is not visible in Hijackthis or some other common analysis tools we use) Safe boot is not possible.

    Have a look at yours. See all those drivers loading under safe? Without this info no safe boot is possible.

    Some variants of Vundo are hindering Safe boot. This infection is not deleting Safe boot keys but rather just freezing the system solid at safe boot, and the victim can't get there.

    What MSCONFIG does is modify the Boot.ini file.

    Example:

    From this:
    Code:
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    
    To this:
    Code:
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:minimal
    This leaves no escape. User only has ONE choice.

    At least with the F8 method the victim can come back & report they cannot get to safe mode.
    We figure out why, fix it, proceed with whatever we were doing that needed safe mode or use alternative methods to remove the malware causing issues then fix safe mode.

    There is another tool out there that "assists" with Safeboot.

    Called "Bootsafe" from SuperAntispyware.

    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    This tool does basically the same thing.
    Edits the Boot.ini file.

    Again....
    Without the user being able to boot the computer because they are locked in a reboot loop from damaged safe mode they cannot get to MSCONFIG to undo /safeboot or run Bootsafe to undo Safeboot.

    Short of Booting to Recovery Console or Slaving the affected hard drive to another computer to repair the Boot.ini file the computer is basically toast.

    ===============================================

    OK... we now know it is a bad idea to do this. How do we get around it?

    Couple ways....

    In the case of Vundo ...
    Removing Vundo before other fixes that require safe mode *should* restore safe mode ability. (as long as you are not dealing with other infections that interfere)

    Fix SafeBoot Reg key if you find it to be blank:

    This would be incorporated into your fix or alone.

    Step : Download and run AVZ from here
    • Unzip it to a folder on your desktop
    • Double click on AVZ.exe
    • Click on the file tab and then click on System recovery
    • Put a checkmark next to Restore SafeBoot registry keys
    • Click on Execute selected operations
    We can also use other methods of malware removal that do not need safe mode, then fix safe mode.

    There is another method that can be used that will give the user 2 OS choices.
    1.) Normal boot
    2.) Safe boot

    Here's a link to the ElderGeek's description of how to do this:
    Add Safe Mode Startup to the Boot Menu

    This at least gives the victim an escape route if safe mode is broken.
    Simply the next reboot attempt choose normal boot and they are back.

    The boot.ini will look something like:
    Code:
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional Safe" /noexecute=optin /fastdetect /safeboot:minimal
    With this the user has 30 seconds to use arrow keys to choose the "OS" of their choice.

    Obviously you don't want to walk a total n00bie through this method but the option is there and is relatively safe. Keep in mind though that modifying the boot.ini file is not much less "delicate" than modifying the registry.

    Back up the original so if they break it you can use Recovery Console to replace the borked boot.ini with the backup you created.

    ===============================================

    OK... so you already broke it and need to fix it.

    If the victim can boot but only to safe mode then obviously either use MSCONFIG to uncheck Safeboot or BootSafe (if this is what they used to get there) to check "Normal restart" & reboot.

    ++++++++++++

    Caught in bootloop....

    If the user has no OS CD to get into the recovery console they can download (obviously on another computer) and create the bootable RC.iso from here:

    http://www.atribune.org/downloads/rc.iso

    This is a bootable CD you can use to access the Recovery Console to repair the busted boot.ini file.

    This article describes how to do it:

    Startup Repair: frequently asked questions - Windows Help

    bootcfg.exe is present only on XP Pro. Not on 2K or XP home.

    ===============================================

    You can also slave the hard drive to another computer to edit the boot.ini file.
    Boot.ini is system, read-only, & hidden.
    Read only attribute will need to be removed to edit the file.
    All you need to remove from boot.ini is this part:

    /safeboot:minimal

    Leave the rest intact. Re-check read only after saving changes.

    Plug the drive back into the broken computer and you should be off to the races.

    Obviously care must be taken here especially if the broken hdd is infected.

    ===============================================

    Repair install Windows if they have an OS CD.

    Non destructive Recovery if they have Recovery Partition or Recovery CDs.

    Destructive Recovery if they have Recovery Partition or CDs.

    Note:
     
    Blue Star likes this.
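The three boot.ini states shown in the post (normal, forced /safeboot, and the two-entry menu with an escape route), as an added example that is not part of the original post or Blender's write-up: a small Python audit a helper could run against a boot.ini copied from a slaved drive, plus the "remove only /safeboot, leave the rest intact" repair. The function names are hypothetical and the sample text is constructed from the listings above.

```python
import re

# Matches the /safeboot switch with an optional :mode suffix, plus leading spaces.
SAFEBOOT = re.compile(r"\s*/safeboot(?::\S+)?", re.IGNORECASE)

def entries(text):
    """Return [(arc_path, label_and_switches)] from the [operating systems] section."""
    section, found = None, []
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "operating systems" and "=" in s:
            path, rest = s.split("=", 1)
            found.append((path.strip(), rest.strip()))
    return found

def audit(text):
    """Classify a boot.ini as normal, escape-route, forced-safeboot or no-entries."""
    flags = [bool(SAFEBOOT.search(rest)) for _, rest in entries(text)]
    if not flags:
        return "no-entries"
    if not any(flags):
        return "normal"
    # A menu entry without /safeboot is the way back out if safe mode is broken.
    return "forced-safeboot" if all(flags) else "escape-route"

def remove_safeboot(text):
    """Strip /safeboot from OS entries only; every other character is preserved."""
    out, section = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "operating systems":
            raw = SAFEBOOT.sub("", raw)
        out.append(raw)
    return "\n".join(out)

# Constructed samples, modelled on the listings in the post.
HEADER = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
"""
ENTRY = (r'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS='
         r'"Microsoft Windows XP Professional" /noexecute=optin /fastdetect')
NORMAL = HEADER + ENTRY
FORCED = NORMAL + " /safeboot:minimal"
DUAL = NORMAL + "\n" + ENTRY.replace('Professional"', 'Professional Safe"') + " /safeboot:minimal"

if __name__ == "__main__":
    for name, ini in (("normal", NORMAL), ("forced", FORCED), ("dual", DUAL)):
        print(name, "->", audit(ini))
```
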
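The emptied SafeBoot key described in the post, as an added example that is not part of the original post: a Python check that reads the text of a registry export of that key and reports whether the driver and service lists safe mode depends on are still there. It assumes the export is in .reg text format and has already been decoded to a string; the function names and the sample exports are constructed for illustration.

```python
import re

ROOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
KEY_LINE = re.compile(r"^\[(.+)\]$")   # a key header line in a .reg export

def safeboot_entries(reg_text):
    """Count the subkeys listed under SafeBoot\\Minimal and SafeBoot\\Network."""
    counts = {"minimal": 0, "network": 0}
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        key = m.group(1).lower()
        if not key.startswith(ROOT + "\\"):
            continue
        parts = key[len(ROOT) + 1:].split("\\")
        # parts[0] is Minimal or Network; a second part is one driver/service entry.
        if len(parts) >= 2 and parts[0] in counts:
            counts[parts[0]] += 1
    return counts

def safeboot_status(reg_text):
    """'empty' matches the wiped key from the post; 'ok' means entries exist."""
    c = safeboot_entries(reg_text)
    if c["minimal"] == 0 and c["network"] == 0:
        return "empty"
    return "ok" if c["minimal"] and c["network"] else "partial"

# Constructed sample of a healthy export (heavily shortened).
HEALTHY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"
"""

# Constructed sample of the condition the post describes: only the empty key is left.
WIPED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
"""

if __name__ == "__main__":
    print("healthy:", safeboot_status(HEALTHY), safeboot_entries(HEALTHY))
    print("wiped:  ", safeboot_status(WIPED), safeboot_entries(WIPED))
```
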