Hi malware fighters,
Windows offers Safe Mode as a simple way to solve system issues.
When starting up in Safe Mode the operating system uses only a minimal set of drivers and services.
As a rule of thumb this comes in handy for removing malware,
because the infected files are not active either.
But there is malware around that is also active in Safe Mode,
which makes malware removal a bit more difficult.
“Safe Mode is a Misnomer”, according to av-vendor McAfee.
Services and drivers that are loaded under Safe Mode can be found in the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
“When malware gets to control the OS,
it can add a value to the above mentioned keys to enable itself to be loaded in Safe Mode”,
as explained in the McAfee blog: http://www.trustedsource.org/blog/196/Safe-Mode-A-Misnomer
Manual removal of such malware is a lot more difficult,
and one is advised to use a special scanner or malware removal tool.
What we mention here proves that this is not a new thing.
For years and years malware has been around that behaves like a service and as such can be active in Safe Mode.
This How-to is for Windows XP; it shows how to recover the Safeboot key
(possibly deleted by a virus like a strain of Bagle), not how to remove the malware.
Case 1
If Windows hasn’t been rebooted since the infection
and you haven’t made changes to your system configuration since the last boot,
follow this procedure:
- Reboot Windows
- Enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
- Select “Last Known Good Configuration (your most recent settings that worked)”.
- You can now reboot a second time and select Safe Mode.
Case 2
If Windows has been rebooted since the infection, follow this procedure:
- Start System Restore
(you can find it here: Start / All Programs / Accessories / System Tools / System Restore)
- Select a restore point that predates the infection (i.e. the Safeboot key removal);
this may require some trial-and-error if you don’t know exactly when the Safeboot key was deleted
- Confirm the restore operation
- Windows will perform a System Restore and reboot
- Click OK
- You can now reboot a second time and select Safe Mode
Case 3
If you’ve made changes to your system configuration that you want to keep, follow this procedure:
- Follow the steps of case 2
- Start regedit once you’ve booted in Safe Mode
- Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
- Export the key (right-click export)
- Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
- Select “Undo my last restoration”
- Confirm the restore operation
- Windows will perform a System Restore and reboot
- Click OK
- Select the Safeboot registry file you exported and Merge it to the registry (double click the file)
- Confirm the merge
- You can now reboot again and select Safe Mode.
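As an added example (not part of the original post), the script below checks the three things the text above is about: whether the Safeboot key still exists (the symptom Cases 1 to 3 recover from), an export of the key before anything is touched (the Case 3 backup step, done with reg.exe), and a listing of every entry under SafeBoot\Minimal and SafeBoot\Network with the binary each service entry would start. It assumes Windows PowerShell on an elevated prompt (PowerShell is not present on a stock XP install), and the "suspicious" rule is a plain heuristic, not a vendor list.

```powershell
# Added example, not from the original post. Run elevated.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$BackupDir    = "$env:TEMP\safeboot-backup"   # assumed location for the .reg export

# 1. Is the key there at all? Without it Safe Mode cannot boot (the Bagle symptom).
if (-not (Test-Path $SafeBootRoot)) {
    Write-Warning 'SafeBoot key is missing; Safe Mode will not start. See Cases 1 to 3.'
    return
}

# 2. Export the key before reading or changing anything (Case 3 "Export the key" step).
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot' `
    "$BackupDir\SafeBoot-$stamp.reg" /y | Out-Null

# 3. Walk Minimal and Network. Each subkey is a service name or a driver class GUID;
#    its default value says which ("Service", "Driver" or "Driver Group").
$report = foreach ($profile in 'Minimal', 'Network') {
    Get-ChildItem -Path "$SafeBootRoot\$profile" | ForEach-Object {
        $name  = $_.PSChildName
        $type  = $_.GetValue('')               # default value of the subkey
        $image = $null
        $svc   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$' -and (Test-Path $svc)) {
            $image = (Get-ItemProperty -Path $svc).ImagePath
        }
        # Heuristic: a Service entry with no Services key behind it, or whose binary
        # is not under the Windows directory, deserves a manual look.
        $suspicious = ($type -eq 'Service') -and
                      ($null -eq $image -or $image -notmatch '(?i)system32|systemroot|\\windows\\')
        [pscustomobject]@{
            Profile    = $profile
            Entry      = $name
            Type       = $type
            ImagePath  = $image
            Suspicious = $suspicious
        }
    }
}
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged Suspicious are only candidates; compare them against a known-good machine of the same Windows build before deleting anything, and keep the exported .reg file so the key can be merged back as in Case 3.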
You can always scan in Safe Mode, of course. While some malware (file-infectors)
may not be active in Safe Mode, almost all recent malware can run in Safe Mode as well,
so for recent malware there shouldn’t be any advantage in running a scan in Safe Mode,
since the malware is active in Safe Mode too.
The use of Safe Mode in malware cleansing on XP:
When malware is running and is registered as a system process,
XP will in many cases keep you from deleting it.
If it is not running, you can stop it from activating by deleting it in Safe Mode without networking,
or in plain Safe Mode if that is your only choice. At the same time it is easier to kill,
simply because it cannot run properly in Safe Mode: what makes the thing a system process
is in many cases not loaded at all, which is both why you cannot get out to the web
and why it is easier to kill certain forms of malware.
Since the malware is then not running, because of how Safe Mode works
and what Windows does not run while in Safe Mode,
it is faster to remove than to fight Windows’ built-in system process protection
and try to kill it while it is running, with the risk that it puts itself back
because the web link and networking are working.
In Safe Mode you can do things that you cannot do in normal mode:
most malware uses the web to infect and reinfect, and in many cases it re-infects while you fight to kill it.
Killing it is a two-step process if you want to remove it completely without damaging the machine.
First, you deactivate it by getting the registry keys it uses to activate itself
and to get Windows to protect it DELETED; then, because it is no longer protected as much when not running,
you can delete the files themselves more easily.
But in Safe Mode you cannot get on the web to read the instructions again.
So, while online, print or write down the exact directions; you will need this information for two things:
- First step: to know which registry keys you must go to and delete, thereby deactivating the malware.
- Second step: to know where to find the files and delete them after the registry keys are deleted
and the computer has been restarted, just to make sure those keys are no longer present and active.
Apply whenever advisable to do so,
polonus