Re: Trojan (?) will not allow safe mode, but *will* allow normal boot
- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Sun, 24 Jun 2007 11:21:05 +0200
On Sat, 23 Jun 2007 12:29:55 -0700, Tyrenta <dougrentz@xxxxxxxxx> wrote:
> I've managed to cause more trouble than I solved -- attempting to
> repair a friend's PC that was LOADED with virus/trojans, but it would
> not let me boot into safe mode (it *would* boot normally however, but
> when trying safe mode it blue screens and recycles). Trouble is I
> thought I could get around it by setting /safemode in
> msconfig -- bad idea as now I can't boot normally and safe mode has
> the same issues, so I'm in an endless boot to safe/blue screen loop --
> does anyone have any suggestions how to disable safe mode boot if it
> was configured in msconfig?? Thanks

I'd be using Bart PE CDR boot in cases like this, using the RunScanner
plugin to access the stricken installation's registry (it shells
registry-aware tools like Regedit, AdAware, Nirsoft utilities,
HiJackThis etc. so they "see" the HD registry, not the Bart one).
Expect to find trouble in...
HKLM\System\CurrentControlSet\SafeBoot
HKLM\System\ControlSetXXX\SafeBoot
...with no CurrentControlSet seen from Bart (as none of the available
ControlSetXXX will be "current" at that time).
Specifically, expect to see "AlternateShell = Cmd.exe" being changed,
to hijack Safe Cmd Only in particular.
Look for malware integrations that persist in Safe Mode, such as:
- shell =
- userinit = (look in WindowsNT, Winlogon for those two)
- file associations
- screen saver
- changes to the Administrator account
Also, kill that damnfool "[X] Automatically Restart on Errors"
duuuuhfault setting in System, Advanced, so your system will STOP on a
BSoD that you can note and quote, instead of endlessly restarting
until AutoChk has "fixed" the file system to death.
Google( Bart PE )
See also...
http://cquirke.blogspot.com/2006/07/repairing-safe-mode-safeboot.html
HTH - I know Bart isn't easy, but at least it exists, no thanks to
"what, me worry?" MS, who seems to think Windows is So Secure that it
never needs formal malware cleanup because it never gets infected.
See also...
http://cquirke.mvps.org/reinst.htm
...if someone says "Just wipe and rebuild"

--------------- ---- --- -- - - - -
I'm baaaack!
--------------- ---- --- -- - - - -
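
Added example (not part of the original post): a Python check over a Regedit text export of the offline hives, flagging a changed AlternateShell, missing SafeBoot\Minimal or SafeBoot\Network subkeys, and non-default Winlogon Shell/Userinit values in every control set. It assumes the full key path ...\Control\SafeBoot, XP-era stock defaults, and the hypothetical mount names OfflineSys and OfflineSoft; the sample export is constructed.

```python
import re

# Constructed sample of a Regedit export from an offline hive; OfflineSys and
# OfflineSoft are hypothetical mount names, the .exe names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\OfflineSys\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\OfflineSys\ControlSet001\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\OfflineSys\ControlSet001\Control\SafeBoot\Network]
[HKEY_LOCAL_MACHINE\OfflineSys\ControlSet002\Control\SafeBoot]
"AlternateShell"="example-not-cmd.exe"
[HKEY_LOCAL_MACHINE\OfflineSoft\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\example.exe,"
'''

def parse_reg(text):
    """Map each key path to its REG_SZ values (names lower-cased) from a .reg export."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)):
            cur[m[1].lower()] = re.sub(r"\\(.)", r"\1", m[2])  # undo \\ and \" escaping
    return keys

def audit(keys):
    """Return (key, item, found) for each deviation from the assumed stock defaults."""
    paths, out = {p.lower() for p in keys}, []
    for path, vals in keys.items():
        low = path.lower()
        if re.search(r"\\(currentcontrolset|controlset\d{3})\\control\\safeboot$", low):
            if (vals.get("alternateshell") or "").lower() != "cmd.exe":
                out.append((path, "AlternateShell", vals.get("alternateshell")))
            for sub in ("Minimal", "Network"):  # subkeys Safe Mode boots from
                if f"{low}\\{sub.lower()}" not in paths:
                    out.append((path, sub, None))
        elif low.endswith("\\windows nt\\currentversion\\winlogon"):
            if (vals.get("shell") or "").lower() != "explorer.exe":
                out.append((path, "Shell", vals.get("shell")))
            ui = [e.strip().lower() for e in vals.get("userinit", "").split(",") if e.strip()]
            if len(ui) != 1 or not ui[0].endswith("\\system32\\userinit.exe"):
                out.append((path, "Userinit", vals.get("userinit")))
    return out

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE)):
        print(finding)
```

Regedit writes "Version 5.00" exports as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `parse_reg`.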