Trojan (?) will not allow safe mode, but *will* allow normal boot

Discussion in 'Virus Information' started by Tyrenta, Jun 23, 2007.

  1. Tyrenta

    Tyrenta Guest

    Apologies for the dual post -- wrong group earlier:

I've managed to cause more trouble than I solved -- attempting to
    repair a friend's PC that was LOADED with virus/trojans, but it would
    not let me boot into safe mode (it *would* boot normally however, but
    when trying safe mode it blue screens and recycles). Trouble is I
    thought I could get around it by setting /safemode in
    msconfig -- bad idea as now I can't boot normally and safe mode has
    the same issues, so I'm in an endless boot to safe/blue screen loop --
    does anyone have any suggestions how to disable safe mode boot if it
    was configured in msconfig?? Thanks
     
    Tyrenta, Jun 23, 2007
    #1

  2. Paul Zak

    Paul Zak Guest

    boot from a CD?
     
    Paul Zak, Jun 23, 2007
    #2

  3. I'd be using Bart PE CDR boot in cases like this, using the RunScanner
    plugin to access the stricken installation's registry (it shells
    registry-aware tools like Regedit, AdAware, Nirsoft utilities,
    HiJackThis etc. so they "see" the HD registry, not the Bart one).

    Expect to find trouble in...

    HKLM\System\CurrentControlSet\SafeBoot
    HKLM\System\ControlSetXXX\SafeBoot

    ....with no CurrentControlSet seen from Bart (as none of the available
    ControlSetXXX will be "current" at that time).

    Specifically, expect to see "AlternateShell = Cmd.exe" being changed,
    to hijack Safe Cmd Only in particular.

    Look for malware integrations that persist in Safe Mode, such as:
    - shell =
    - useinit = (look in WindowsNT, Winlogon for those two)
    - file associations
    - screen saver
    - changes to the Administrator account

    Also, kill that damnfool "[X] Automatically Restart on Errors"
    duuuuhfault setting in System, Advanced, so your system will STOP on a
    BSoD that you can note and quote, instead of endlessly restarting
    until AutoChk has "fixed" the file system to death.

    Google( Bart PE )
    See also...

    http://cquirke.blogspot.com/2006/07/repairing-safe-mode-safeboot.html

    HTH - I know Bart isn't easy, but at least it exists, no thanks to
    "what, me worry?" MS, who seems to think Windows is So Secure that it
    never needs formal malware cleanup because it never gets infected.

    See also...

    http://cquirke.mvps.org/reinst.htm

    ....if someone says "Just wipe and rebuild"
     
    cquirke (MVP Windows shell/user), Jun 24, 2007
    #3
  4. Quoting cquirke (#3):
    Also, kill that damnfool "[X] Automatically Restart on Errors"
    duuuuhfault setting in System, Advanced, so your system will STOP on a
    BSoD that you can note and quote, instead of endlessly restarting
    until AutoChk has "fixed" the file system to death.

    I consider that the "dumbfault" setting! It is one of the first things I
    change when setting up a new system.

    --

    Regards,

    Richard Urban
    Microsoft MVP Windows Shell/User
    (For email, remove the obvious from my address)
     
    Richard Urban, Jun 24, 2007
    #4
  5. I don't have this problem -- yet -- but I'm setting up a new system
    and would like to know HOW to uncheck "Automatically Restart on
    Errors." Never thought about it before -- but you guys have me
    convinced!

    Lady D
     
    Lady Dungeness, Jun 25, 2007
    #5
  6. On Sun, 24 Jun 2007 23:53:53 -0700, Lady Dungeness
    Start, Settings, Control Panel, System icon
    - Advanced tab, Startup and Recovery section
    - [_] Automatically restart, OK

    :)

    Error Messages Are Your Friends
     
    cquirke (MVP Windows shell/user), Jun 25, 2007
    #6
  7. vin

    vin Guest

problem is, like friends, you have to know how to read 'em, lest you
    get mixed signals.
     
    vin, Jun 25, 2007
    #7
  8. Your safest option is, of course, to wipe the box. If they have some data
    you'd like to save first, non-executable files like pics or QIF files or
    something, burn a CD/DVD with that data before you wipe.
     
    Alex Krawarik [MSFT], Jul 3, 2007
    #8
  9. On Tue, 3 Jul 2007 10:57:18 -0700, "Alex Krawarik [MSFT]"
    See http://cquirke.mvps.org/reinst.htm

    Checklist:

    1) Is hardware good?
    - visual check for bad capacitors, clogged fans, loose metal
    - MemTest86 RAM test, preferably 24 hours
- eject boot CDR during test, spot spontaneous reboots
    - HD physical test; HD Tune (www.hdtune.com) or vendor's diags

    2) Do you have all the materials you need?
- ability to boot off required non-HD drives
    - all installation disks must work, and be malware-clean
    - OS installation disk and product key
    - if HD > 137G, must be XP SP1 or later, else partition < 137G
    - product key must match \i386 file set (e.g. Pro, OEM/DSP)
    - if XP or later, OS license must not be in use elsewhere
    - driver disks that match the hardware, esp. if needed to boot
    - application disks, along with product keys etc.
    - ISP and other login passwords that were "remembered" by PC
    - any DRM licenseware fluff
    - any data encryption keys that may be bound to old hardware
    - if older than XP, need add-on firewall (esp. if Win2000)
- if older than XP SP2, "crucial" patches for RPC, LSASS at least

    3) Can you prepare an "undo" and do you have resources for this?
    - strongly recommended, e.g. BING to a spare HD

    4) Have you backed up your data, will it restore, is it clean?
    - beware default MS practice of dropping downloads into data set
    - beware infectable "data", e.g. MS Office macros, HTML, exploits
    - beware malware hidden in mailboxes
    - be aware of data vs. program version issues

    5) Is the PC isolated from all malware?
    - data hygiene as per (4)
    - clean installation disks vs. recent code downloads or USB flash
- all networking disconnected, including all wireless

    6) Post-installation checks
    - ensure firewall is working, enable other defenses
    - go online and get av updates, then patches
    - scan all "data" before restoring it
    - ideally, import email into app that does not hide malware
    - e.g. Eudora, which creates incoming attachments as files
    - then you can scan all these revealed attachments
    - after that, can import back into malware-hiding email app
    - activate OS if required, only when all is OK

    If you have (1) to (6) waxed, then sure you can "just" wipe and
    rebuild, and chances of re-infection should be no worse than they were
    the last time the PC was infected. User education may be needed.
    Part of what needs "education" is the OS, i.e. defaults that need to
    be changed. For example, what is a "non-executable file" when seen
    through a shell that allows executable files to set non-executable
    icons for themselves?

    So you need to train the OS to show file name extensions and hidden
    files, and the user to understand these.

    See:

    http://cquirke.blogspot.com/2006/07/repairing-safe-mode-safeboot.html

    Executive summary: Safe mode isn't.

    Unlike booting Win9x to DOS mode that can't execute Win32PE code, or
    Win9x Safe Mode that suppresses at least most integrations, XP's "safe
    mode" is at best only relatively malware-safe:
    - generic intra-file code infectors
    - screen saver, drivers, file associations are still in effect
    - Safe Mode depends on malware-editable settings (hence link)

    Common advice in these newsgroups is to use Safe Mode Command Only to
    clean resident malware. When I raised the flaws in this approach with
    MS, the response was: "Safe Mode was not intended as a malware
    management platform" - begging the question; what does MS provide that
    IS intended as a malware management platform?

    I'm using Bart CDR for such purposes, as well as data recovery and
    other "from orbit" troubleshooting. As an end user, I'd not expect
    familiarity with Bart, but for those who do fixing of Windows systems,
    it's invaluable. I find it hard to take techs who "treat" infected
    PCs seriously, if they aren't using Bart or something similar.

    Google( Bart PE ); settle down for a lot of study.

    It's common malware practice to anticipate the use of Safe Mode, and
    either "own" it, or disable it. See the link I waved last.

    Thank MS's default to "Automatically restart on system errors" for
    that (and kill that setting; I .REG it from Bart boot).

    Question to any MSFT readers out there: What is the point in
    auto-rebooting a PC during the boot phase before any remote or local
    interaction is possible? In this context at least, why not let it
    stop on a BSoD screen? All you're doing is shredding the file system.

Safe Mode Command Only is safer than Safe Mode because it doesn't
    invoke Explorer, and thus all the stuff that could be integrated into
    it (as well as IE integrations). But the alternate shell it uses is
    not hardwired; it's an editable registry setting.

    So malware routinely redefines Safe Boot, Alternate Shell to either run
    itself as shell, or to invalidate the shell (which will then look
    like normal Safe Mode boot with Explorer as shell).

    You'd need to edit C:\Boot.ini from outside the OS. Trivial, if you
    have Bart to hand. Challenging otherwise. Join the dots.


    Drugs are usually safe. Inject? (Y/n)
     
    cquirke (MVP Windows shell/user), Jul 7, 2007
    #9
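The following script is an added example and is not code from the thread or from any of its posters. It puts cquirke's advice in posts #3 and #9 into one offline audit: it mounts the stricken installation's SYSTEM and SOFTWARE hives from a rescue boot, checks the SafeBoot AlternateShell, the Winlogon Shell/Userinit values, the SafeBoot Minimal/Network subkeys, the CrashControl "Automatically restart" flag, and then lists any /safeboot switch in boot.ini (the loop the original poster created with msconfig). It assumes a WinPE-style rescue environment that has PowerShell (Bart PE as used in 2007 did not), that the infected drive is mounted at the `-Root` drive letter (assumed `C:`), and that the installation uses the standard XP paths; the expected values are the XP defaults, and `Userinit` will legitimately differ on an installation not on `C:`.

```powershell
<#
  Added example (not from the thread): read-only audit of the Safe Mode and
  crash settings discussed above, run from a rescue boot with PowerShell.
  Assumes the stricken XP installation is mounted at -Root (default C:).
#>
param([string]$Root = 'C:')

$SysHive  = Join-Path $Root 'WINDOWS\system32\config\system'
$SoftHive = Join-Path $Root 'WINDOWS\system32\config\software'
$BootIni  = Join-Path $Root 'boot.ini'

function Mount-OfflineHive([string]$Name, [string]$File) {
    # reg.exe load maps a hive file under a temporary key; it only works when
    # the hive is not in use, i.e. we booted from CD rather than from $Root.
    & reg.exe load "HKLM\$Name" $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load hive $File" }
}

function Dismount-OfflineHive([string]$Name) {
    [gc]::Collect()                      # release open handles before unloading
    & reg.exe unload "HKLM\$Name" | Out-Null
}

function Test-RegValue([string]$Path, [string]$Name, [string]$Expected) {
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($null -ne $actual) -and ("$actual".Trim() -ieq $Expected)
    [pscustomobject]@{ Setting = "$Path\$Name"; Expected = $Expected; Actual = $actual; OK = $ok }
}

Mount-OfflineHive 'OffSys'  $SysHive
Mount-OfflineHive 'OffSoft' $SoftHive
try {
    # An offline hive has no CurrentControlSet; Select\Default names the
    # control set the installation actually boots with (ControlSet001 etc.).
    $n  = (Get-ItemProperty 'HKLM:\OffSys\Select').Default
    $cs = 'HKLM:\OffSys\ControlSet{0:D3}' -f $n
    $wl = 'HKLM:\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $report = @(
        # shell for "Safe Mode with Command Prompt" - the value hijacked to "own" Safe Mode
        Test-RegValue "$cs\Control\SafeBoot" 'AlternateShell' 'cmd.exe'
        # Explorer and Userinit integrations still run in ordinary Safe Mode
        Test-RegValue $wl 'Shell'    'explorer.exe'
        Test-RegValue $wl 'Userinit' 'C:\WINDOWS\system32\userinit.exe,'   # XP default on a C: install
        # "Automatically restart" on a STOP error: 0 leaves the BSoD on screen instead of looping
        Test-RegValue "$cs\Control\CrashControl" 'AutoReboot' '0'
    )

    # Malware that "disables" Safe Mode usually deletes the driver/service lists
    # under SafeBoot; both subkeys must exist for either Safe Mode to boot.
    foreach ($k in 'Minimal', 'Network') {
        $present = Test-Path "$cs\Control\SafeBoot\$k"
        $report += [pscustomobject]@{
            Setting  = "$cs\Control\SafeBoot\$k"
            Expected = 'present'
            Actual   = $(if ($present) { 'present' } else { 'MISSING' })
            OK       = $present
        }
    }
    $report | Format-Table -AutoSize

    # The safe-mode boot loop set up through msconfig is a boot.ini switch, not
    # a registry value; list every line carrying /safeboot so it can be edited
    # out with a text editor from the rescue boot.
    Select-String -Path $BootIni -Pattern '/safeboot' -SimpleMatch |
        ForEach-Object { "boot.ini line $($_.LineNumber): $($_.Line)" }
}
finally {
    Dismount-OfflineHive 'OffSoft'
    Dismount-OfflineHive 'OffSys'
}
```

Run it as `.\Audit-SafeBoot.ps1 -Root D:` if the rescue environment assigns the stricken disk a different letter. The script only reports; once a row shows `OK = False`, the value is restored with `Set-ItemProperty` against the same offline path (or the `/safeboot` line removed from boot.ini) before the hives are unloaded, which is the same edit cquirke describes doing by .REG file or text editor from a Bart boot.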