Malware runs even in safe mode – Cleaning Malware

by Shanmuga

Yes! Malware can run even in safe mode and in safe mode with networking. A common devious method is to inject a malware process into legitimate Windows processes such as userinit.exe and explorer.exe. These processes are loaded as part of the core drivers and services that Windows loads during a safe mode boot.

According to a McAfee blog, the services and drivers that load in Safe Mode are listed under the following registry key(s):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot.

One recent example would be the CleanThis scareware. This malware tampers with the Winlogon\Shell key in the Windows registry to annoy users even in safe mode. The tampered key looks like this:

  • HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\malwarehelp.org\Application Data\gog.exe

In this case, restoring the default shell value should disable this malware process on restart. But this malicious process also blocks execution of the registry editor, among other programs, to protect itself. A workaround is to use a .inf file to change the registry.

  • Right click and save the file shell_restore.inf. Make sure that you are saving the file with a .inf extension.
  • Right click the downloaded file shell_restore.inf and choose the Install option. This will restore the default Windows shell, which prevents the scareware from running at boot.
  • Restart to unload the malware executable from memory.

Note: It can be dangerous to run .inf files downloaded from an untrusted source.
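An added example (not from the original post): a Python audit of a .reg export that flags the two persistence points described above, a Winlogon Shell value other than explorer.exe and SafeBoot\Minimal or SafeBoot\Network entries missing from a known-good baseline. The sample export, the entry name examplesvc and the one-entry baseline are constructed, and the function names are this example's own.

```python
import re

# Key paths named in the article, lower-cased for case-insensitive matching.
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
SAFEBOOT = r"\system\currentcontrolset\control\safeboot" + "\\"
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):  # strip a .reg string's quotes and undo its backslash escapes
    quoted = len(s) >= 2 and s[0] == s[-1] == '"'
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if quoted else s

def parse_reg_export(text):
    """Yield (key, None, None) per key header and (key, name, data) per value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE.match(line)):
            yield key, unquote(m.group(1)), unquote(m.group(2))

def audit(text, safeboot_baseline):
    """Return findings for a non-default Winlogon Shell and unknown SafeBoot entries."""
    baseline = {e.lower() for e in safeboot_baseline}
    findings = []
    for key, name, data in parse_reg_export(text):
        low = key.lower()
        if name is None:
            if SAFEBOOT in low:
                entry = low.split(SAFEBOOT, 1)[1]   # e.g. "minimal\appmgmt"
                if entry.count("\\") == 1 and entry not in baseline:
                    findings.append(("safeboot-entry", key))
        elif low.endswith(WINLOGON) and name.lower() == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", f"{key} = {data}"))
    return findings

# Constructed sample export; "examplesvc" and the one-entry baseline are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\malwarehelp.org\\Application Data\\gog.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\examplesvc]
'''
BASELINE = {r"Minimal\AppMgmt"}  # in practice, taken from a known-good machine
for finding in audit(SAMPLE, BASELINE):
    print(finding)
```

Registry Editor writes version 5.00 exports as UTF-16, so decode the file with that encoding before passing its text to audit().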

Another trick to defeat this tactic is to boot in safe mode with command prompt. This starts Windows with only core drivers and launches the command prompt. Here is a short how-to for running Malwarebytes’ Anti-Malware in safe mode with command prompt:

  • Use another computer to download Malwarebytes’ Anti-Malware (mbam-setup.exe) and the Malwarebytes’ Anti-Malware definitions (mbam-rules.exe) to removable media such as a CD, DVD or USB flash drive.
  • Boot into Windows Safe Mode with Command Prompt using the F8 key.

  • At the command prompt, type ‘explorer.exe’ and press the Enter key, then wait for Windows Explorer to open. Now in ‘My Computer’ browse to your removable drive.

  • Install Malwarebytes’ Anti-Malware and the Malwarebytes’ Anti-Malware definitions from your removable drive. Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  • Reboot into normal mode, then launch, update and scan again with Malwarebytes’ Anti-Malware.

The tips above should help you get started when trying to clean malware that starts in safe mode. Have you used any other method to clean such malware? Please share it in the comments below.

{ 2 comments… read them below or add one }

al_B April 1, 2011 at 7:55 PM

It’s easier to use combofix direct from MS-DOS mode. Don’t use Combofix if it’s a boot loader virus!


glenn January 14, 2012 at 5:26 PM

Thanks, this method worked perfectly. I had to download the software on my apple mac onto cd and then load on my infected pc. I couldn’t install the mbam.rules at first but right clicking solved that problem and after a full scan which took an hour it removed 3 items and after restarting the malware fake security centre was gone. 🙂

