Author Topic: Safe Mode or safe boot is a "misnomer"- when to use it!


Offline polonus

Safe Mode or safe boot is a "misnomer"- when to use it!
« on: March 13, 2009, 09:42:10 PM »
Hi malware fighters,

Windows offers Safe Mode as a simple way to solve system issues.
When starting up in Safe Mode, the operating system uses minimal drivers and services.
As a rule of thumb it comes in handy to remove malware,
because the infected files are not active either.
But there is malware around that is also active in Safe Mode,
which makes malware removal a bit more difficult then.
"Safe Mode is a Misnomer", according to av-vendor McAfee.

Services and drivers that are loaded under Safe Mode can be found in the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

"When malware gets to control the OS,
it can add a value to the above mentioned keys to enable itself to be loaded in Safe Mode",
as explained in the McAfee blog: http://www.trustedsource.org/blog/196/Safe-Mode-A-Misnomer
Manual removal of malware is then a lot more difficult,
and one is advised to use a special scanner or malware removal tool.

What we mention here proves that this is not a new thing.
For years and years malware has been around that behaves like a service and as such can be active in Safe Mode.


This How-to is for Windows XP; it shows how to recover the Safeboot key
(possibly deleted by a virus like a strain of Bagle), not how to remove the malware.

Case 1

If Windows hasn’t been rebooted since the infection
and you haven’t made changes to your system configuration since the last boot,
follow this procedure:

   1. Reboot Windows and enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
   2. Select “Last Known Good Configuration (your most recent settings that worked)”.
   3. You can now reboot a second time and select Safe Mode.

Case 2

If Windows has been rebooted since the infection, follow this procedure:

   1. Start System Restore:
      (you can find it here: Start / All Programs / Accessories / System Tools / System Restore)
   2. Select a restore point that predates the infection
      (i.e. the Safeboot key removal);
      this may require some trial and error if you don’t know exactly when the Safeboot key was deleted
   3. Confirm the restore operation
   4. Windows will perform a System Restore and reboot
   5. Click OK
   6. You can now reboot a second time and select Safe Mode

Case 3

If you’ve made changes to your system configuration that you want to keep, follow this procedure:

   1. Follow the steps of case 2
   2. Start regedit once you’ve booted in Safe Mode
   3. Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
   4. Export the key (right-click export)
   5. Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
   6. Select “Undo my last restoration”
   7. Confirm the restore operation
   8. Windows will perform a System Restore and reboot
   9. Click OK
  10. Select the Safeboot registry file you exported and Merge it to the registry (double click the file)
  11. Confirm the merge
  12. You can now reboot again and select Safe Mode.

You can always scan in safe mode of course; while some malware (file infectors)
may not be active in safe mode, almost all recent malware can run in Safe Mode as well,
so for recent malware there shouldn't be any advantage in running a scan in safe mode,
since the malware is active in safe mode as well.

The use of Safe Mode in malware cleansing on XP:
When malware is running, and is registered as a system process,
XP will keep you from deleting it in many cases.
If it is not running, you can stop it from activating by deleting it in Safe Mode without networking in XP,
or just Safe Mode if that is your only choice, while simultaneously being able to kill it more easily,
simply because it cannot run properly in Safe Mode: in Safe Mode,
what makes the thing a system process is often not loaded at all,
which is both why you cannot get out to the web and why it is easier to kill certain forms of malware.

Since the malware then is not running, due to how Safe Mode works
and what Windows does not run while in Safe Mode,
it is faster to remove it than to fight Windows' built-in system process protection
and try to kill it while it is running and possibly putting itself back
because the web link and networking are working.
By being in Safe Mode you can do things that you cannot do in normal mode,
as most malware uses the web to infect and reinfect; while you fight to kill it, in many cases it re-infects.

Killing is a two-step process, to totally and utterly kill it and not damage the machine.
First, you deactivate it by getting the registry keys it uses to activate itself
and to get Windows to protect it DELETED; then, because it will no longer be protected as much when not running,
you can delete the files themselves more easily.

But, in Safe Mode you cannot get on the web to read the instructions again.
So, while online, print or write down the exact directions; you will need these data for two things:

* First step: to know which registry keys to go to and to get them deleted right,
deactivating the malware by doing so;
* Second step: to know where to find the files and delete them after the registry keys are deleted
and the computer has been restarted, just to make sure those keys are no longer current and active.

Apply whenever advisable to do so,

polonus
« Last Edit: March 13, 2009, 09:44:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
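As an added example (not part of the original post), a small Python script that parses a regedit export of the SafeBoot key, like the one made in step 4 of case 3, and lists the subkeys under Minimal and Network that a known-clean baseline does not contain. The baseline, the sample export and the entry name ExampleBadSvc are constructed for the example; a real baseline must be taken from a clean export of the same Windows build.

```python
# Added example (not from the original post): audit a regedit export of the
# SafeBoot key for subkeys that a known-clean baseline does not contain.
from typing import Dict, List

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Partial, constructed baseline (assumption: build the real one from a
# known-clean export of the same Windows build before relying on it).
BASELINE = {
    "Minimal": {"AppMgmt", "Base", "EventLog", "PlugPlay", "RpcSs", "vga.sys"},
    "Network": {"AppMgmt", "Base", "EventLog", "PlugPlay", "RpcSs", "Tcpip", "NetBT"},
}

# Constructed .reg text in the format regedit's Export writes (case 3, step 4),
# cut down to a few real entries plus one made-up service name.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleBadSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] section of a .reg export to its name="value" pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def unexpected_safeboot_entries(keys: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per boot mode, list SafeBoot subkeys that are not on the baseline."""
    findings: Dict[str, List[str]] = {}
    for mode, expected in BASELINE.items():
        prefix = f"{SAFEBOOT_ROOT}\\{mode}\\"
        for key, values in keys.items():
            entry = key[len(prefix):]
            if key.startswith(prefix) and entry not in expected:
                findings.setdefault(mode, []).append(f"{entry} (@={values.get('@', '?')})")
    return findings
```

Run it against a real export saved from regedit on the suspect machine; any entry it reports is one to look up before deciding whether it belongs there.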

Offline RejZoR

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #1 on: March 13, 2009, 11:49:23 PM »
Unfortunately this doesn't apply to Vitro. Once explorer.exe or svchost.exe is infected, it'll run in safe mode.

Offline polonus

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #2 on: March 14, 2009, 12:04:41 AM »
Hi RejZoR,

That is, what is left of the so-called Safe Mode is only partially or to a minor extent living up to its name and what it was meant to do, and so with MS not having open standards we are always running behind the facts. Proverbially, you start to throw hot oil from the walls while the enemy has long climbed over them and has a map of the fortress with them for destruction. The same story with Virut and Sality now for Windows File Protection abuse... all this MS OS protection is broken. The only thing that still stands to some extent is using the OS with low user rights, but there also are viruses that can elevate rights to full admin rights; the only solution I see, and the measures that are still standing, is complete script and request blocking and working within a virtual environment that you can throw out with all the eventual malware it attracts,

polonus


Offline Lisandro

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #3 on: March 17, 2009, 02:08:52 PM »
Isn't Microsoft releasing any patch against the Windows File Protection abuse? :'(
The best things in life are free.

Offline Confused Computer User

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #4 on: March 17, 2009, 04:57:44 PM »
Out of curiosity, I looked up what WFP is.

I found this: http://support.microsoft.com/kb/222193

Now if this article is correct, wouldn't Vista be resilient to viruses attacking critical system files since it would just replace them with originals that work?
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline Lisandro

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #5 on: March 17, 2009, 11:17:18 PM »
Now if this article is correct, wouldn't Vista be resilient to viruses attacking critical system files since it would just replace them with originals that work?
Good question.
Polonus? Maxx?

Offline polonus

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #6 on: March 18, 2009, 02:08:23 PM »
Hi Tech and CCU,

Vista has a multi-layer file protection, but it is still in part security through obscurity; to disable it:
http://www.hardwaregeeks.com/board/showthread.php?t=3451
The first layer is as with WFP in XP, another layer on top, and finally specific system files are restored by specific MUIs.
When the Virut malcreants know how to abuse this one as well, MS will have to add another layer, so an endless race between developers and malcreants, who may know the exploits better than those that developed the software.
This is what closed software really is: patching in the aftermath, and hoping no one finds the next major hole to abuse.
But now that MS lets 1 year old unpatched holes exist in XP: http://isc.sans.org/diary.html?date=2009-03-13 the overall security status of XP is questionable. Do they want to urge everybody to make the migration to Vista or Windows 7 in such a way,

polonus

Offline Lisandro

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #7 on: March 18, 2009, 02:26:18 PM »
Thanks Polonus... MS does operating systems... every time they enter the security field trying to act like an antivirus, antispyware, firewall, etc. etc., like OneCare, they do a worse job. Sometimes I think they worry about graphics only, changing themes and effects, but not the real core of the operating system...

Offline polonus

Re: Safe Mode or safe boot is a "misnomer"- when to use it!
« Reply #8 on: March 18, 2009, 02:52:15 PM »
Hi Tech,

Right there, but can they do something else, building on something that was not secure from the onset (well, it was actually: MS-DOS was superb!) but went wrong later? And there may be many, many more ghosts and skeletons hanging out there: the trust system, API security, bending open web standards, just to mention the minor things. There I can hear someone say: "Well, if you do not like it, do not use it"; this has nothing to do with it. They woke up to these facts now, but too little and too late, and does it matter for the average user? Oh no, as long as they can click on, they will not lose a minute of sleep over these issues; only we, Tech, only we,

polonus