Thursday, March 3, 2011

Windows Boot Failure / Fake Windows Safemode Ad-ware

Windows boots to a screen that looks like Windows Safe Mode.  There is a box that says Windows Boot Failure: Press "OK" to fix boot failures.

It gives you a Disk Diagnostics box asking you about scanning the disk and selecting options.  So far this looks legit.  It will scan the computer and come back with errors.  It will then say "Windows detected a hard disk problem":

"A problem with the hard drive has been detected.  It is strongly recommended that you download and install the following certified software to fix detected hard drive errors.  Do you want to download recommended software?"

You can click either Yes or No.  If you click No, it takes you back to the Disk Diagnostics box.  The funny thing here is that if you just keep hitting Cancel it will still get to the ad-ware.  If you click Yes, it opens a program called Windows Safemode.  It analyses your PC and then tells you that you have errors.  It will only fix them if you buy the software.

This is impressive because you can't Alt+F4 out of it, and you can't press Ctrl+Alt+Delete to bring up Task Manager.

Your next step is to reboot and press F8 after the BIOS logo appears.  The option you want to select is Safe Mode.  The first time I booted into this I was able to get into it and it worked fine.  I had to reboot and when I came back into Safe Mode I was unable to use it because the same issues were happening as when booting normally into Windows.  You couldn't Alt+F4 or Ctrl+Alt+Delete.

So reboot and press F8 again.  This time select Safe Mode with Command Prompt.  You will only be given a command prompt.  At the command prompt type explorer.exe.  This will start Explorer and give you control of Windows.  At this point you should be logged in as the user whose profile this was installed under, because the first two locations below are per-user (HKEY_CURRENT_USER) keys.  Click Start, Run and type regedit.  Navigate to the following locations and make sure each value is 0:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

Now I found mine to be located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system and DisableTaskMgr was set to 1.

Reboot and boot into Windows.  I was then able to hit Ctrl+Alt+Delete and kill all the prompts that kept coming up.  At this point, start a new process from Task Manager and type explorer.exe.  Now you want to install all the tools you need to scan the PC.

Tools I used:

- Malwarebytes
- Microsoft Security Essentials
- Spyware Doctor (Google Pack version)

Here is a picture of the final scan, the one that actually identified what it was:

[image not available]
Fix the selected items and reboot.  Things booted fine, but I still had that weird background.  When trying to change the background the selection was greyed out.  Here is how to fix that.

Click start-> Run -> type regedit -> Navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

There is a value called NoChangingWallPaper (REG_DWORD) with data 0x00000001.

Change it from 1 to 0; this is the policy that greys out the background selection.
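To check all of these locations at once instead of browsing to each one in regedit, here is an added PowerShell script (not from the original post) that audits the DisableTaskMgr and DisableCAD values from the Safe Mode procedure above and the NoChangingWallPaper value from this step. It reports any that are set to 1 and, when run with -Fix, resets them to 0 the same way the post does by hand. It assumes it is run from an elevated PowerShell prompt, logged in as the affected user, since the HKCU paths are per-profile and the HKLM writes need admin rights; the path list and the 1-means-locked rule are taken straight from the post.

```powershell
# Added example (not part of the original post): audit the lockdown policy
# values this scareware sets, and reset them to 0 when -Fix is passed.
# Run elevated, as the user whose profile was infected.
param([switch]$Fix)

# Registry locations named in the post, with the value each one controls.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DisableCAD' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoChangingWallPaper' }
)

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        # The key itself does not exist, so no policy can be applied from it.
        Write-Output ("[absent ] {0}" -f $c.Path)
        continue
    }

    # SilentlyContinue: a missing value is the clean state, not an error.
    $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("[clean  ] {0}\{1} not set" -f $c.Path, $c.Name)
        continue
    }

    $value = $item.($c.Name)
    if ($value -eq 1) {
        Write-Output ("[LOCKED ] {0}\{1} = 1" -f $c.Path, $c.Name)
        if ($Fix) {
            # Same change the post makes in regedit: 1 -> 0.
            Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value 0 -Type DWord
            Write-Output ("[fixed  ] {0}\{1} -> 0" -f $c.Path, $c.Name)
        }
    } else {
        Write-Output ("[clean  ] {0}\{1} = {2}" -f $c.Path, $c.Name, $value)
    }
}
```

Run it once without -Fix to see which locations the malware actually touched on a given machine (the post found only the HKLM policies\system key set), then with -Fix to clear them. Reboot afterwards, as the post does, so Winlogon re-reads DisableCAD. Clearing these values only restores control; the scanning step with the tools listed above is still what removes the program that set them.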


Sources I used to help:
