February 15, 2011 at 7:53 pm

Virus infections can be subtle, or disruptive and nasty. Yesterday I helped clean up a virus infection remotely, and it wasn’t easy. It was impossible to use Internet Explorer, and the virus was detecting and closing new command windows immediately. Without the possibility of accessing the Internet to download and install tools to clean up the infection or to even use local tools like the command prompt or Registry Editor, removing the virus would have been impossible.

Fortunately there is a way to start Windows without all the bells and whistles. This bare-bones Windows mode is called “Safe Mode” and you’ve probably heard of it before. If you start Windows using the “Safe Mode with Networking” option, there’s a good chance you’ll be able to get online and download the tools you need. The reason is that viruses typically embed themselves into the startup environment in Windows. They are normally nothing more than really irritating and disruptive programs. They usually add themselves to the same list of programs that start up when Windows starts, so while your instant messengers are popping up, the viruses are waking up and preparing to annoy you to death.

To access Safe Mode, repeatedly press the F8 key on your keyboard from the moment you turn your computer on until the Advanced Boot Options menu appears. If you see the Windows logo at any point before this menu appears, then it is too late and you’ll have to shut down and try again. When you’ve succeeded you’ll reach your login screen and you’ll notice that everything looks a bit bigger and plainer than usual; this is completely normal. As I did yesterday, you may run into difficulties when it comes to installing new programs. The problem is that Safe Mode only starts up the most necessary components of Windows, and some activities require the optional components that are disabled. There may be a way around this, but I haven’t tried it since it hasn’t been necessary yet.

Once we made it into Safe Mode, I had the customer try to browse to a website to verify he was online. He immediately received a “Page could not be displayed” error suggesting he had no Internet connection. Using the commands “ipconfig /all” and “ping” we verified that he had received an IP address from his home router, and that he could both resolve and ping Internet addresses. Next, we clicked “Tools -> Internet Options” in Internet Explorer to check his proxy settings. These are found under the Connections tab and “LAN settings”. In his environment, and in most home environments, everything should be unchecked. The virus had tweaked these settings, effectively preventing him from reaching the Internet using Internet Explorer. After clearing these checkboxes, he was able to browse the web, which meant it was time to use TeamViewer to allow me to access the system remotely and start cleaning up the infection.

Once in, I immediately found references to the virus in the Windows Registry which were causing the virus to start up as soon as the customer logged on to the system. I removed these, and ran the free virus scan utility from Trend Micro called HouseCall in addition to their utility “RootkitBuster” to search for more insidious viruses. Once these tools did their job, we installed the free edition of Avast! antivirus for ongoing protection.
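The two things checked by hand above, the Internet Explorer LAN proxy settings and the registry entries that launch programs at logon, can be read out in one go. The script below is an added, read-only example written for this post (it is not the author's tool and was not part of the cleanup); it reads the standard Windows registry locations for both and flags a configured proxy or PAC script, which on a home network with no proxy is worth a second look. Run it from an elevated PowerShell prompt so that the HKLM keys are readable.

```powershell
# Added example, not from the original post: read-only triage of the IE proxy
# settings and the per-user / per-machine Run keys. Nothing here changes the system.

function Get-IeProxySettings {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable   # "Use a proxy server for your LAN"
        ProxyServer   = $p.ProxyServer         # address:port of that proxy
        AutoConfigURL = $p.AutoConfigURL       # "Use automatic configuration script"
        ProxyOverride = $p.ProxyOverride       # addresses that bypass the proxy
    }
    # Note: "Automatically detect settings" lives in a binary value under the
    # Connections subkey and is not decoded here; check it in the LAN settings dialog.
}

function Get-RunKeyEntries {
    # Every value under these keys is executed at logon, which is where the post
    # found the references that restarted the infection.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $providerProps -notcontains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

$proxy = Get-IeProxySettings
if ($proxy.ProxyEnable -or $proxy.AutoConfigURL) {
    Write-Warning 'A proxy or PAC script is configured; verify it is one you set yourself.'
}
$proxy | Format-List
Get-RunKeyEntries | Format-Table -AutoSize
```

Compare each Run entry's command path against software you recognise before removing anything; the listing is for review, and deletion is a separate, deliberate step.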