boot normal/ safe mode/ rootkit

[supertech365]

Strange problem with xp system. Viruses were suspected on a pc. Ran a few process viewing programs, malware checks, etc. in safe mode. restart pc and desktop is classic xp version. services are stopped, can't start them up manually. It gives error: 'can't start in safe mode'. dial-a-fix renoved disabled policies but still no cigar. also there is even an account named 'administrator' in the user logon like its in safe mode. is this a rootkit. i cant even edit boot.ini. Is there a fix?

 

[WareDat]

Search the registry for SafeBoot and delete the Option key. Restart and all will be normal.

 

[supertech365]

Thanks WAREDAT! You were correct. That is the strangest. Much appreciated.

 

[Methical]

Can we ellaborate on this a bit more?

Like how and why?
And what this registry key/value is?

 

[WareDat]

This key gets set in safe mode, it should not be there when windows is running normally. A Dword value of 00000001 will be set in Safe Mode Minimal, Dword 00000002 will be set in Safe Mode Network

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\

Not sure why it sometimes hangs around when windows is started normally but i've seen it on virus free computers as well.

A little note you can add the key

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

to enable security tab in xp home, just remove it before restarting.

 

[sys-eng]

Thanks for the info. I have not come across that before but not really surprised about the problem.

PC stands for Peculiar Computer

 

[supertech365]

WOW! It has started again in safe mode. No services have loaded and desktop theme looks like xp classic. I will search for the registry keys manually that were mentioned by waredat and let you know if i have luck.

 

[supertech365]

T

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\

I deleted the above values and now it does boot normally. I will post update if anything changes.

 

[Galdorf]

That maybe a variant of the rootkit i am seeing now i usually use unhackme it's a bootime rootkit/worm/trojan detector does a really good job.
most rootkit software just finds rootkit this one finds and removes it never had it fail yet.