I spent some time this weekend researching how to recover your deleted Safeboot key (in case you don’t have a backup). This how-to is for Windows XP; it shows how to recover the Safeboot key (possibly deleted by a virus like the newest Bagle, see my previous post), not how to remove the malware.
Case 1
If Windows hasn’t been rebooted since the infection and you haven’t made changes to your system configuration since the last boot, follow this procedure:
- Reboot Windows and enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
- Select “Last Known Good Configuration (your most recent settings that worked)”.
- You can now reboot a second time and select Safe Mode.
Case 2
If Windows has been rebooted since the infection, follow this procedure:
- Start System Restore (you can find it here: Start / All Programs / Accessories / System Tools / System Restore)
- Select a restore point that predates the infection (i.e. the Safeboot key removal). This may require some trial-and-error if you don’t know exactly when the Safeboot key was deleted.
- Confirm the restore operation
- Windows will perform a System Restore and reboot
- Click OK
- You can now reboot a second time and select Safe Mode.
Case 3
If you’ve made changes to your system configuration that you want to keep, follow this procedure:
- Follow the steps of case 2
- Start regedit once you’ve booted in Safe Mode
- Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
- Export the key (right-click export)
- Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
- Select “Undo my last restoration”
- Confirm the restore operation
- Windows will perform a System Restore and reboot
- Click OK
- Select the Safeboot registry file you exported and Merge it to the registry (double click the file)
- Confirm the merge
- You can now reboot again and select Safe Mode.
Good work. Your solution to case 3 is exactly what I was looking for. I’ve been keeping my eye on this blog since you commented on mine awhile back. Timely solution to a real-world problem. Is it alright if I throw up a link to this blog on mine?
Comment by Ryan — Thursday 6 July 2006 @ 17:35
It’s good to read that my research was useful. I’d appreciate a link to my blog, thanks!
Comment by Didier Stevens — Thursday 6 July 2006 @ 19:56
I hit this problem working on a heavily-infected PC from Bart PE, and decided to follow a “Case 4” strategy when Google found your page. What I’ll try is…
From Bart PE CDR boot, copy each C:\SVI\..\RP*\snapshot to a (say) C:\REGBACK\RP*
Then the idea would be to bind one of these hives (is it SYSTEM? I haven’t looked yet) to HKLM, find the stuff I want, save it as a .REG, edit the .REG to go to CurrentControlSet etc. and then merge it back in.
What I haven’t decided yet, is whether to do that via Bart PE CDR boot using RunScanner to treat the inactive HD registry as “live”, or do it from the only HD boot that works (normal Windows).
The latter’s easier, but the former is cleaner in the context of suspected malware as allows Safe Cmd Only boot before daring to do a full (and most likely malware’d) Windows boot.
What I like about Case 4 vs. Case 3 is that I avoid the possible collateral damage of System Restoring all the rest of the monitored files and their integrations (especially the malware one is trying to kill off).
After all, why would Safeboot be destroyed? Either by malware, in which case you’d be restoring an infected state, or due to general chaos and corruption, in which case who knows what damaged mess you’d be restoring…
Comment by Chris Quirke — Tuesday 11 July 2006 @ 2:28
This is all great – and most of the AV websites list the bagle as “low” risk… It has totaled this pc.
Yes it runs, but ONLY in normal mode (safe boot crashes) and it has also hosed system restore….
No matter which AV/scanner/rootkit scan we do, it always comes back clean, but then reboot, and the hldrrr.exe and m_hook are back.
We have been able to use alternating user accounts to get back in, deleting the files in the other account, so at reboot, we have enough time to kill the hldrrr process before it totally hangs.
However it also prevents msconfig running – although I think this is more a deleted key, or file as it is not actively doing this.
SO any advice on what to do about system restore AND safeboot not working?
It seems to be a catch 22 at this point.
I also wonder if it is possible to install windows on a new drive, clean the current drive, and then reboot with the old windows?
Thanks for any help
SEPP!
Comment by sepp — Tuesday 2 January 2007 @ 17:05
Actually – I forgot to add, that not only has the system prevented safeboot, it has also prevented a clean install of xp from CD?
We tried to get to system restore by booting with the install CD, but it never gets past loading windows….
Regards,
SEPP
Comment by sepp — Tuesday 2 January 2007 @ 17:10
I’ve been playing with an idea, but have not yet had the time to test it: do a Windows XP install on the same hardware but with a new disk, then export the Safeboot key and import it in the crippled OS.
Have you tried booting from a live CD like UBCD4Win and using a command line scanner AV that doesn’t require installation?
Comment by Didier Stevens — Tuesday 2 January 2007 @ 18:08
That is a good idea!
I hope that the hard drive does not need to be the same as well?
I will also try booting with a bootable windows cd – I have used BartPE in the past, but I will also look at the UBCD4Win
Thanks – will let you know…
Comment by Sepp — Thursday 4 January 2007 @ 17:33
I don’t have a backup of my registry and I don’t understand this Bart PE stuff. Could somebody be kind enough to post an exported .reg for the entries in safeboot? After all, settings for safeboot won’t vary that much from one machine to another.
Comment by Mirco — Sunday 18 February 2007 @ 16:07
@Mirco
Read my new post: http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Comment by Didier Stevens — Monday 19 February 2007 @ 13:59
Recovering from Bagle, which blows out Safemode, among other things.
This really isn’t that hard to recover from. Here’s how I did it:
First, I discovered I had a problem because AVG wouldn’t work, wouldn’t uninstall and wouldn’t reinstall from a fresh install file. After a reboot (and a failed system restore and a safemode BSOD), I discovered my wireless stopped working and Wireless Zero config wouldn’t start because of unstarted dependency services (it turned out to be NDIS I/O). A Google search told me that it was probably Bagle and led me to get Blacklight. Blacklight found all the nasties and I chose to rename them. Reboot and voila, Bagle disabled! However, I still had three problems – 1) System restore failed every time 2) Still no wireless and 3) Could not boot into safemode.
Solution
Loaded System hive from C:\WINDOWS\system32\config. Exported HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot to a reg file. Opened regfile in notepad and did a replace for the name I chose when loading to “SYSTEM”. (for instance, when I loaded the hive, I called it “repair”. I then did a find and replace from “repair” to “SYSTEM” [note case sensitive!]). Imported regfile. Safemode fixed.
Uninstalled and reinstalled Wireless NIC. This reloaded the NDIS protocol (which I had tried to reinstall alone, but no dice). Reset TCP/IP settings (I don’t use DHCP), reestablished connection with WAP (I don’t broadcast, so I had to do this by hand). Wireless fixed.
Disabled System restore. This deleted all the restore points, many of which were hosed anyway. This bugger had been around for a few days before I noticed it. Re-enabled System restore and manually created a restore point immediately. System restore fixed.
Comment by dimaug — Monday 19 February 2007 @ 22:44
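Both the export/merge step of case 3 in the post and the loaded-hive procedure in the comment above end with a .reg file that has to be edited before it is merged: the key paths still name the hive you loaded (e.g. HKLM\repair\ControlSet001\...) instead of HKLM\SYSTEM\CurrentControlSet\... The following Python script is an added example, not code from the post or from any commenter. It rewrites that prefix on bracketed key lines only (a blind, case-sensitive find/replace in Notepad would also touch any value that happens to contain the hive name), and then checks that the result actually carries the Minimal and Network subkeys before you merge it. The hive name “repair”, the control set name and the abridged sample export are constructed for the example.

```python
import re

# Constructed sample: an abridged export taken after loading an offline SYSTEM
# hive as HKLM\repair in regedit and exporting ...\Control\SafeBoot.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Minimal]

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Minimal\\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Network]

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Network\\AFD]
@="Service"
"""

REG_HEADER = "Windows Registry Editor Version 5.00"
KEY_LINE = re.compile(r"^\[(-?)(.+)\]\s*$")
SAFEBOOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"


def parse_reg(text):
    """Return (header, {key_path: [value lines]}) for a .reg text.
    A leading '-' on a key line means 'delete this key'; it is kept in the path
    so check_export() can flag it."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in (REG_HEADER, "REGEDIT4"):
        raise ValueError("not a .reg export: missing header line")
    keys, current = {}, None
    for line in lines[1:]:
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1) + m.group(2)
            keys[current] = []
        elif line.strip() and current is not None:
            keys[current].append(line)
    return lines[0].strip(), keys


def retarget(text, loaded_name="repair", control_set="ControlSet001"):
    """Point key paths exported from a hive loaded as HKLM\\<loaded_name> at the
    live HKLM\\SYSTEM\\CurrentControlSet. Only bracketed key lines are touched,
    and the match is case-sensitive, like the hive name typed into regedit."""
    old = "[HKEY_LOCAL_MACHINE\\%s\\%s\\" % (loaded_name, control_set)
    new = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\"
    out = []
    for line in text.splitlines():
        if line.startswith(old):
            line = new + line[len(old):]
        out.append(line)
    return "\n".join(out) + "\n"


def safeboot_subkeys(text):
    """Immediate subkeys of SafeBoot found in the export (registry paths are
    case-insensitive, so compare lower-cased)."""
    _, keys = parse_reg(text)
    prefix = (SAFEBOOT + "\\").lower()
    return sorted({k[len(prefix):].split("\\")[0]
                   for k in keys if k.lower().startswith(prefix)})


def check_export(text):
    """Problems to fix before merging; an empty list means the file looks sane."""
    try:
        _, keys = parse_reg(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    if SAFEBOOT.lower() not in {k.lower() for k in keys}:
        problems.append("export does not contain " + SAFEBOOT +
                        " (hive name or control set not rewritten?)")
    present = {s.lower() for s in safeboot_subkeys(text)}
    for sub in ("Minimal", "Network"):
        if sub.lower() not in present:
            problems.append("SafeBoot\\%s subkey missing" % sub)
    deletions = [k for k in keys if k.startswith("-")]
    if deletions:
        problems.append("file deletes keys: " + ", ".join(deletions))
    return problems


if __name__ == "__main__":
    fixed = retarget(SAMPLE_EXPORT)
    print(fixed)
    print("subkeys:", safeboot_subkeys(fixed))
    print("problems before retarget:", check_export(SAMPLE_EXPORT))
    print("problems after retarget:", check_export(fixed))
```

Regedit writes exports as UTF-16 with CRLF line endings, so read a real file with `open(path, encoding="utf-16")` and write the rewritten text back the same way; the script works on the decoded text only and never touches the live registry.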
Hi there,
found this helpful page only after removing the fX#@$ing Bagle as per AV vendors instructions.
As for many of you it took me 2-3 days after infection to realize I have been infected;
happened like it did for Didier Stevens.
I agree that AV vendors are rating this virus erroneously: this is a burdensome one to remove!
Have to highlight that google searches did not hit right most of times; especially regarding the
disabling of NDIS driver and the messing up of Safe Mode (originally searched for specific BSOD related info).
After some “big time” (strange as I ONLY use web services in English language for obvious reasons);
I used Gmer and HijackThis which made the situation pretty clear.
One point that prevents a successful restore of the SafeBoot key is that removal procedures DO NOT
mention about Safe Mode issues and they DO recommend to wipe out System Restore existent data.
This dismisses cases 2 and 3.
My thanks to Didier for providing a fresh&clean SP2 SafeBoot .reg file for that all the SYSTEM hives
I could load did not provide a fix (system blind reboots after 5 minutes of disk activity).
Bests to all,
/Mario
Comment by Mario Biassoni - MCT — Tuesday 27 February 2007 @ 17:42
ok just to fix the wireless you can use this registry values
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber"=dword:0cdae01e

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ndisuio]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000002

[HKEY_CURRENT_USER\SessionInformation]
"ProgramCount"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
Comment by Blue — Saturday 26 May 2007 @ 5:29
Please don’t confuse safemode booting with safeboot. safeboot is a third party encryption system, which runs before the OS boots – that’s why they talk of using Bart’s PE and setting it up for safeboot. Norton’s will only bugger the drive, as it won’t even be able to read it if it’s encrypted.
BTW I’m stuck – I can’t find the Bart’s plugin on the Safeboot CDs. does anyone know where they are?
Comment by Aus_e — Friday 6 July 2007 @ 5:10
I know that Safeboot is a third party encryption system, but it is also the name of the registry key (Safeboot) that holds the Safe Mode data.
Safe Mode is the name of the special boot process.
Safeboot is the name of the registry key.
Comment by Didier Stevens — Friday 6 July 2007 @ 13:30
heck just go NOW and find a safeboot.reg key on the web, free download, and stash it in a new folder on the desktop.
Click it and then safeboot will be there when you reboot right after.
Comment by Jack — Sunday 30 March 2008 @ 21:29
I know, I put that free safeboot.reg file on the web:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Comment by Didier Stevens — Sunday 30 March 2008 @ 21:41
[...] "Show hidden files and folders" from Windows Explorer. To restore safeboot, please visit: Restoring Safeboot Didier Stevens Bonne [...]
Pingback by SPTD.sys - THE DAEMONS HOME — Saturday 16 August 2008 @ 0:23
At this point of infection, it may actually save time to just backup any local files to another PC via a SATA/IDE-to-USB cable (attach your infected hard drive to another PC’s USB port, with up-to-date safeguards of course), reinstall the PC with a factory CD/image (fine) or image that you’ve archived (better), then restore your data (after applying ALL updates of course). Doing this also gives you peace of mind that no remnants (loggers etc.) of the virus/malware exist.
Comment by Andrew — Thursday 9 July 2009 @ 4:29
Respected Didier,
about the registry given by you, I added it into the registry so many times, but when I reboot the pc the sub keys MINIMAL and NETWORK disappear. Thus at the moment when I add the registry key to the pc’s registry, it starts in SAFEMODE, but after once again rebooting it does not start. Kindly help and if possible my humble request is that you mail me on my ID given here. Thanking you
Comment by kavi — Wednesday 22 July 2009 @ 8:36
@kavi This is clear evidence that your machine is still infected. I recommend you go to a forum where people can help you clean your machine, or you can try the F-Secure rescue CD or a similar solution.
Personally, I would just wipe the machine and reinstall.
Comment by Didier Stevens — Wednesday 22 July 2009 @ 17:48
Thanks for the help!
Comment by PChulpzutphen.nl — Tuesday 28 July 2009 @ 22:10