Re: Trojan (?) will not allow safe mode, but *will* allow normal boot



On Tue, 3 Jul 2007 10:57:18 -0700, "Alex Krawarik [MSFT]"

> Your safest option is, of course, to wipe the box.

See http://cquirke.mvps.org/reinst.htm

Checklist:

1) Is hardware good?
- visual check for bad capacitors, clogged fans, loose metal
- MemTest86 RAM test, preferably 24 hours
- eject boot CDR during test, spot spontaneous reboots
- HD physical test; HD Tune (www.hdtune.com) or vendor's diags

2) Do you have all the materials you need?
- ability to boot off required non-HD drives
- all installation disks must work, and be malware-clean
- OS installation disk and product key
- if HD > 137G, must be XP SP1 or later, else partition < 137G
- product key must match \i386 file set (e.g. Pro, OEM/DSP)
- if XP or later, OS license must not be in use elsewhere
- driver disks that match the hardware, esp. if needed to boot
- application disks, along with product keys etc.
- ISP and other login passwords that were "remembered" by PC
- any DRM licenseware fluff
- any data encryption keys that may be bound to old hardware
- if older than XP, need add-on firewall (esp. if Win2000)
- if older than XP SP2, "crucial" patches for RPC, LSASS at least

3) Can you prepare an "undo" and do you have resources for this?
- strongly recommended, e.g. BING to a spare HD

4) Have you backed up your data, will it restore, is it clean?
- beware default MS practice of dropping downloads into data set
- beware infectable "data", e.g. MS Office macros, HTML, exploits
- beware malware hidden in mailboxes
- be aware of data vs. program version issues

5) Is the PC isolated from all malware?
- data hygiene as per (4)
- clean installation disks vs. recent code downloads or USB flash
- all networking disconnected, including all wireless

6) Post-installation checks
- ensure firewall is working, enable other defenses
- go online and get av updates, then patches
- scan all "data" before restoring it
- ideally, import email into app that does not hide malware
- e.g. Eudora, which creates incoming attachments as files
- then you can scan all these revealed attachments
- after that, can import back into malware-hiding email app
- activate OS if required, only when all is OK

If you have (1) to (6) waxed, then sure you can "just" wipe and
rebuild, and chances of re-infection should be no worse than they were
the last time the PC was infected. User education may be needed.

> If they have some data you'd like to save first, non-executable files
> like pics or QIF files or something, burn a CD/DVD with that data
> before you wipe.

Part of what needs "education" is the OS, i.e. defaults that need to
be changed. For example, what is a "non-executable file" when seen
through a shell that allows executable files to set non-executable
icons for themselves?

So you need to train the OS to show file name extensions and hidden
files, and the user to understand these.

"Tyrenta" <dougrentz@xxxxxxxxx> wrote in message

> I've managed to cause more trouble than I solved -- attempting to
> repair a friend's PC that was LOADED with virus/trojans, but it would
> not let me boot into safe mode

See:

http://cquirke.blogspot.com/2006/07/repairing-safe-mode-safeboot.html

Executive summary: Safe mode isn't.

Unlike booting Win9x to DOS mode that can't execute Win32PE code, or
Win9x Safe Mode that suppresses at least most integrations, XP's "safe
mode" is at best only relatively malware-safe:
- generic intra-file code infectors
- screen saver, drivers, file associations are still in effect
- Safe Mode depends on malware-editable settings (hence link)

Common advice in these newsgroups is to use Safe Mode Command Only to
clean resident malware. When I raised the flaws in this approach with
MS, the response was: "Safe Mode was not intended as a malware
management platform" - begging the question; what does MS provide that
IS intended as a malware management platform?

I'm using Bart CDR for such purposes, as well as data recovery and
other "from orbit" troubleshooting. As an end user, I'd not expect
familiarity with Bart, but for those who do fixing of Windows systems,
it's invaluable. I find it hard to take techs who "treat" infected
PCs seriously, if they aren't using Bart or something similar.

Google( Bart PE ); settle down for a lot of study.

> (it *would* boot normally however, but when trying safe mode
> it blue screens and recycles).

It's common malware practice to anticipate the use of Safe Mode, and
either "own" it, or disable it. See the link I waved last.

> Trouble is I thought I could get around it by setting /safemode in
> msconfig -- bad idea as now I can't boot normally and safe mode has
> the same issues, so I'm in an endless boot to safe/blue screen loop --

Thank MS's default to "Automatically restart on system errors" for
that (and kill that setting; I .REG it from Bart boot).

Question to any MSFT readers out there: What is the point in
auto-rebooting a PC during the boot phase before any remote or local
interaction is possible? In this context at least, why not let it
stop on a BSoD screen? All you're doing is shredding the file system.

Safe Mode Command Only is safer than Safe Mode because it doesn't
invoke Explorer, and thus all the stuff that could be integrated into
it (as well as IE integrations). But the alternate shell it uses is
not hardwired; it's an editable registry setting.

So malware routinely redefines Safe Boot, Alternate Shell to either run
itself as shell, or to invalidate the shell (which will then look
like a normal Safe Mode boot with Explorer as shell).

> does anyone have any suggestions how to disable safe mode boot if it
> was configured in msconfig?

You'd need to edit C:\Boot.ini from outside the OS. Trivial, if you
have Bart to hand. Challenging otherwise. Join the dots.



------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
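As an added example (not code from the post or from cquirke's site), here is a small Python routine for the last step above, intended to be run from a Bart PE boot against the stricken drive's Boot.ini: it lists which [operating systems] entries msconfig left with a /safeboot switch and strips that switch while leaving every other switch and the [boot loader] section alone. The sample Boot.ini is constructed; on a real system Boot.ini carries the hidden, system and read-only attributes, so clear them (attrib -r -s -h) before writing the cleaned text back.

```python
import re

# Constructed sample of an XP-era C:\Boot.ini after msconfig's /SAFEBOOT
# option was ticked (not taken from the original post).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Matches the switch and its optional argument, e.g. /safeboot:minimal,
# /safeboot:network, /safeboot:minimal(alternateshell), any letter case.
SAFEBOOT_RE = re.compile(
    r"\s*/safeboot(?::[A-Za-z]+(?:\([A-Za-z]+\))?)?(?=\s|$)", re.IGNORECASE)


def safeboot_entries(text):
    """Return the menu titles of [operating systems] entries forced into Safe Mode."""
    hits = []
    in_os = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_os = s.lower() == "[operating systems]"
            continue
        if in_os and SAFEBOOT_RE.search(s):
            title = re.search(r'="([^"]*)"', s)
            hits.append(title.group(1) if title else s)
    return hits


def strip_safeboot(text):
    """Return Boot.ini text with every /safeboot switch removed from the
    [operating systems] entries; all other lines and switches are unchanged."""
    out = []
    in_os = False
    for line in text.splitlines(keepends=True):
        s = line.strip()
        if s.startswith("["):
            in_os = s.lower() == "[operating systems]"
        elif in_os:
            line = SAFEBOOT_RE.sub("", line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    # Typical use from Bart PE: read C:\Boot.ini, report, write cleaned copy.
    print("Forced Safe Mode entries:", safeboot_entries(SAMPLE_BOOT_INI))
    print(strip_safeboot(SAMPLE_BOOT_INI))
```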


