Yes! Malware can even run in Safe Mode and Safe Mode with Networking. A common devious method is to inject a malware process into legitimate Windows processes such as userinit.exe and explorer.exe; these processes are loaded as part of the core drivers and services that Windows starts during a Safe Mode boot.
According to a McAfee blog, the services and drivers that load in Safe Mode are listed under the following registry key(s):
If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot.
One recent example is the CleanThis scareware. This malware tampers with the Winlogon\Shell value in the Windows registry so that it can annoy users even in Safe Mode. The tampered value looks like this:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\malwarehelp.org\Application Data\gog.exe
In this case, restoring the default Shell value should stop this malware process from starting on the next restart. But the malicious process also blocks execution of Registry Editor, among other programs, to protect itself. A workaround is to use a .inf file to change the registry.
- Right-click and save the file shell_restore.inf; make sure that you save it with a .inf extension.
- Right-click the downloaded shell_restore.inf and choose Install. This restores the default Windows shell, which prevents the scareware from running at boot.
- Restart to unload the malware executable from memory.
Note: It can be dangerous to run .inf files downloaded from an untrusted source.
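To check a machine for the two persistence points described above (the SafeBoot service/driver lists and a tampered Winlogon Shell or Userinit value), here is an added PowerShell audit script that is not part of the original post. It assumes the SafeBoot profile keys are named Minimal and Network under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, and its SafeBoot filter is a heuristic, not an authoritative whitelist.

```powershell
# Added example (not from the original post): audit Winlogon Shell/Userinit and the SafeBoot lists.
# Assumption: SafeBoot profiles live at HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network}.
$Winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-WinlogonFindings {
    # Shell and Userinit normally exist only in HKLM with the default data. A copy under
    # HKCU (as CleanThis sets) overrides HKLM for that user, so any HKCU value is reported.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$Winlogon"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $Expected.Keys) {
            $data = $props.$name
            if ($null -eq $data) { continue }
            if ($hive -eq 'HKCU' -or $data -ne $Expected[$name]) {
                [pscustomobject]@{ Check = 'Winlogon'; Where = "$hive\$Winlogon\$name"; Data = $data }
            }
        }
    }
}

function Get-SafeBootFindings {
    # Heuristic: legitimate SafeBoot entries are registered service names, driver file
    # names (*.sys) or device-class GUIDs. Anything else deserves a manual look.
    $services = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services').PSChildName
    foreach ($profile in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        foreach ($entry in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $name = $entry.PSChildName
            $isGuid   = $name -match '^\{[0-9A-Fa-f-]{36}\}$'
            $isDriver = $name -like '*.sys'
            if (-not $isGuid -and -not $isDriver -and $services -notcontains $name) {
                [pscustomobject]@{
                    Check = "SafeBoot\$profile"
                    Where = $entry.Name
                    Data  = (Get-ItemProperty -Path $entry.PSPath).'(default)'
                }
            }
        }
    }
}

Get-WinlogonFindings | Format-Table -AutoSize
Get-SafeBootFindings | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty result for both functions means the defaults are in place, while a reported HKCU Shell value pointing into a user profile is exactly the CleanThis pattern shown above.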
Another trick to defeat this tactic is to boot into Safe Mode with Command Prompt. This starts Windows with only core drivers and launches a command prompt instead of the configured shell. Here is a short how-to for running Malwarebytes’ Anti-Malware in Safe Mode with Command Prompt:
- Use an alternate computer to download Malwarebytes’ Anti-Malware (mbam-setup.exe) and the Malwarebytes’ Anti-Malware definitions (mbam-rules.exe) to removable media such as a CD, DVD or USB flash drive.
- Boot into Windows Safe Mode with Command Prompt using the F8 key.
- At the command prompt, type ‘explorer.exe’ and press Enter, then wait for Windows Explorer to open. In ‘My Computer’, browse to your removable drive.
- Install Malwarebytes’ Anti-Malware and the Malwarebytes’ Anti-Malware definitions from your removable drive. Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
- Reboot into normal mode, then launch, update and scan again with Malwarebytes’ Anti-Malware.
The tips above should help you get started when trying to clean malware that starts in Safe Mode. Have you used any other method to clean such malware? Please share it in the comments below.