Never Force Safe Mode!

Postby TeMerc » Sun Apr 22, 2007 7:43 pm

The write-up contained below was done by Blender, noted malware specialist and MS MVP in security. It pertains to instructing users to get into safe mode via MSCONFIG when they cannot normally do so, and the system-crashing potential of doing it.

===============================================
What I mean is getting users to use MSCONFIG to check /safeboot on the Boot.ini tab to force safe mode in the event F8 does not work.

A few web sites instruct users to use MSCONFIG:

http://service1.symantec.com/SUPPORT/ts ... 2409420406

That page no longer shows the F8 method.
It only shows the MSCONFIG method.

This page shows both F8 and MSCONFIG.
http://www.bleepingcomputer.com/tutoria ... ial61.html


There are others I'm sure.

Several tools we use require Safe mode including but not limited to:
    -SmitFraudFix
    -SDFix
    -Other instances where we want HJT, reg fixes & file deletions done in safe mode to lessen the chance of malware running, making removal easier.

If F8 is not working, or attempts to get to safe mode are not working, we need to find out why before we force it.
Forcing safe mode on a properly working computer is not an issue, but if the computer is working right... we are likely not working on it.

This is a dangerous practice because we can send the user in a near unrecoverable reboot loop should safe mode not be possible.

Under NO circumstances should we be forcing safe mode.

We don't know what the victim had before they got to us.
We don't know in most cases what they did before getting to us except they ran some scans and the malware scanners deleted some stuff.

We don't know what other underlying issues are present just looking at a HJT log.

In short... we don't have a clue what all is wrong.

Example:
Some malware, such as Sality, deletes the entire contents of this registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot

Leaving an empty key.
With this condition (that is not visible in Hijackthis or some other common analysis tools we use) Safe boot is not possible.

Have a look at yours. See all those drivers loading under safe? Without this info no safe boot is possible.

Some variants of Vundo hinder safe boot. This infection does not delete the SafeBoot keys but rather freezes the system solid at safe boot, and the victim can't get there.

What MSCONFIG does is modify the Boot.ini file.

Example:

From this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

To this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:minimal

This leaves no escape. User only has ONE choice.

At least with the F8 method the victim can come back & report they cannot get to safe mode.
We figure out why, fix it, proceed with whatever we were doing that needed safe mode or use alternative methods to remove the malware causing issues then fix safe mode.

There is another tool out there that "assists" with Safeboot.

Called "Bootsafe" from SuperAntispyware.

http://www.superadblocker.com/bootsafe.html

This tool does basically the same thing.
Edits the Boot.ini file.

Again....
Without the user being able to boot the computer, because they are locked in a reboot loop from a damaged safe mode, they cannot get to MSCONFIG to undo /safeboot or run BootSafe to undo it.

Short of booting to the Recovery Console or slaving the affected hard drive to another computer to repair the boot.ini file, the computer is basically toast.

===============================================

OK... we now know it is a bad idea to do this. How do we get around it?

Couple ways....

In the case of Vundo ...
Removing Vundo before other fixes that require safe mode *should* restore safe mode ability. (as long as you are not dealing with other infections that interfere)

Fix SafeBoot Reg key if you find it to be blank:

This would be incorporated into your fix or done on its own.

Step: Download and run AVZ from here
  • Unzip it to a folder on your desktop
  • Double click on AVZ.exe
  • Click on the file tab and then click on System recovery
  • Put a checkmark next to Restore SafeBoot registry keys
  • Click on Execute selected operations

We can also use other methods of malware removal that do not need safe mode, then fix safe mode.

There is another method that can be used that will give the user 2 OS choices.
1.) Normal boot
2.) Safe boot

Here's a link to the ElderGeek's description of how to do this:
http://www.theeldergeek.com/add_safe_mo ... t_menu.htm

This at least gives the victim an escape route if safe mode is broken.
Simply the next reboot attempt choose normal boot and they are back.

The boot.ini will look something like:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Safe" /noexecute=optin /fastdetect /safeboot:minimal

With this the user has 30 seconds to use the arrow keys to choose the "OS" of their choice.

Obviously you don't want to walk a total n00bie through this method but the option is there and is relatively safe. Keep in mind though that modifying the boot.ini file is not much less "delicate" than modifying the registry.

Back up the original so if they break it you can use the Recovery Console to replace the borked boot.ini with the backup you created.

===============================================

OK... so you already broke it and need to fix it.

If the victim can boot but only to safe mode then obviously either use MSCONFIG to uncheck Safeboot or BootSafe (if this is what they used to get there) to check "Normal restart" & reboot.

++++++++++++

Caught in bootloop....

This is a bootable CD you can use to access the Recovery Console to repair the busted boot.ini file.

This article describes how to do it:

http://support.microsoft.com/kb/330184

bootcfg.exe is present only on XP Pro. Not on 2K or XP home.

===============================================

You can also slave the hard drive to another computer to edit the boot.ini file.
Boot.ini is system, read-only, & hidden.
The read-only attribute will need to be removed to edit the file.
All you need to remove from boot.ini is this part:

/safeboot:minimal

Leave the rest intact. Re-check read only after saving changes.

Plug the drive back into the broken computer and you should be off to the races.

Obviously care must be taken here especially if the broken hdd is infected.

===============================================

Repair install Windows if they have an OS CD.

Non destructive Recovery if they have Recovery Partition or Recovery CDs.

Destructive Recovery if they have Recovery Partition or CDs.

Note:
All the above code is for illustrative purposes only and should not be copied or used in any way. Do not perform any of the instructions listed above unless you are an advanced user or under the specific instruction of an accomplished malware analyst.
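The post shows the boot.ini before and after MSCONFIG's /SAFEBOOT box by hand, the two-choice menu, and the manual repair on a slaved drive. Here is an added worked example that is not code from the post, from Blender, or from any tool named above: it parses a boot.ini, flags the no-escape state (every entry carries /safeboot), builds the two-choice menu instead of forcing safe mode, strips /safeboot[:mode] for the repair, and scripts the backup-and-edit step including the read-only attribute. It works on the boot.ini text itself, so it can be run against a backup copy or a drive slaved to another machine. The sample boot.ini is constructed from the entry quoted in the post, and all function names are this example's own.

```python
"""Inspect and repair an XP-style boot.ini without forcing safe mode.
Added example for this thread; the sample boot.ini below is constructed
from the entry quoted in the post, and no tool from the post is used."""
import os
import re
import stat
from pathlib import Path

# /safeboot plus an optional mode: /safeboot:minimal, /safeboot:network, ...
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\S+)?", re.IGNORECASE)

# Constructed sample: the single-entry boot.ini quoted in the post.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""


def parse_boot_ini(text):
    """Return (loader, entries): loader holds the [boot loader] keys, entries
    is a list of (arc_path, description, switches) from [operating systems]."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = re.match(r'([^=]+)="([^"]*)"(.*)$', line)
            if not m:
                raise ValueError("unparseable OS entry: " + line)
            entries.append((m.group(1).strip(), m.group(2), m.group(3).strip()))
    return loader, entries


def render_boot_ini(loader, entries):
    """Write the parsed structure back out in boot.ini syntax."""
    lines = ["[boot loader]"] + [f"{k}={v}" for k, v in loader.items()]
    lines.append("[operating systems]")
    for arc, desc, switches in entries:
        lines.append(f'{arc}="{desc}"' + (f" {switches}" if switches else ""))
    return "\n".join(lines) + "\n"


def forced_safe_mode(text):
    """True when every selectable entry carries /safeboot: the no-escape state
    that MSCONFIG's /SAFEBOOT box produces on a one-entry boot.ini."""
    _, entries = parse_boot_ini(text)
    return bool(entries) and all(SAFEBOOT_RE.search(sw) for _, _, sw in entries)


def force_safe_mode_like_msconfig(text):
    """What MSCONFIG does: append /safeboot:minimal to the default entry.
    Here only so the check above has something to flag; do not do this."""
    loader, entries = parse_boot_ini(text)
    out = []
    for arc, desc, sw in entries:
        if arc == loader.get("default") and not SAFEBOOT_RE.search(sw):
            sw = (sw + " /safeboot:minimal").strip()
        out.append((arc, desc, sw))
    return render_boot_ini(loader, out)


def add_safe_mode_entry(text, suffix=" Safe"):
    """The two-choice method: clone the default entry with /safeboot:minimal
    and leave the normal entry alone, so a broken safe mode is escapable."""
    loader, entries = parse_boot_ini(text)
    arc, desc, switches = next(
        (e for e in entries if e[0] == loader.get("default")), entries[0])
    if any(d == desc + suffix for _, d, _ in entries):
        return text  # already present
    entries.append((arc, desc + suffix, (switches + " /safeboot:minimal").strip()))
    if int(loader.get("timeout", "30")) < 5:
        loader["timeout"] = "30"  # otherwise the menu may never be shown
    return render_boot_ini(loader, entries)


def remove_safeboot(text):
    """The repair: strip /safeboot[:mode] from every entry and leave the rest."""
    loader, entries = parse_boot_ini(text)
    return render_boot_ini(
        loader, [(a, d, SAFEBOOT_RE.sub("", s).strip()) for a, d, s in entries])


def repair_boot_ini_file(path):
    """Back up boot.ini, clear read-only, write the repaired text, set
    read-only again: the slaved-drive procedure from the post, scripted."""
    p = Path(path)
    original = p.read_text()
    p.with_name(p.name + ".bak").write_text(original)
    os.chmod(p, stat.S_IWRITE | stat.S_IREAD)
    p.write_text(remove_safeboot(original))
    os.chmod(p, stat.S_IREAD)
    return original
```

Run `forced_safe_mode()` on the boot.ini before touching anything; if it already returns True the machine is in the one-choice state the post warns about and `remove_safeboot()` (or `repair_boot_ini_file()` on the slaved drive) is the fix. `add_safe_mode_entry()` keeps the normal entry, so on the next reboot the user can still pick it if safe mode hangs. The SafeBoot registry key check the post describes is a separate step that needs the offline hive and is not covered here.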