Can't use safe mode unless Messenger is disabled

[AtomicMysteryMonster]

Back when I was trying to figure out my earlier userinit.exe question by myself, my search for information led me to Symantec's website. While checking my computer against the registry files noted in the "Removal" section of the Symantec profile, I'd occasionally notice something in my registry that would make me curious enough to look it up. Most of it was normal, but there were a few times where I'd find an entry or two that matched up what I saw on the site. But, as I didn't have any of the other entries associated with the malware and since I found a case where they recommended deleting things that Microsoft says are legit entries, I decided that it was probably nothing to worry about.

A few days later, I thought "Why not try checking for files and running some scans in safe mode? If I can't find anything there, then I should be fine." However, although I was able to start the process to get into safe mode, my keyboard and mouse froze when I got to the login screen. I even had to unplug the computer in order to get it to shut down. It seemed that something didn't want me accessing that mode.

After puzzling over the situation, something jogged my memory about one of the malware profiles I had read on Symantec, something that created registry entries that let it run every time Windows started up (and possibly helped hide it from virus scans): W32.Bancorkut@mm. Here is one of the registry entries associated with it:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run\"MSMSGS" = "%Program Files%\Messenger\msmsgs.exe /background"

Now, here's what Windows Defender's "Software Explorers" tool revealed the following about Messenger:

Startup Value: "C:\Program Files\Messenger\MSMSGS.EXE" /background
File Path: C:\Program Files\Messenger\MSMSGS.EXE

This was enough to convince me to disable Messenger. I tried logging into safe mode again and was able to do so without any problems. However, running Microsoft's Malicious Software Removal Tool and Windows Defender found nothing. Trying to run Norton 360 led to my being informed that the program doesn't run in safe mode and that I should download their free Security Scanner. I haven't done that yet, as the writeup at the URL they provided seems to involve reinstalling other Norton products. Do they mean that the Security Scanner would be able to get rid of anything that would block an installation of a Norton product or does it mean that running it will force me to do a reinstall?

Also, I unable to find any of the files or registry entries (both in safe and normal modes) associated with W32.Bancorkut@mm. Although it's a relief, I could have sworn I had seen one before. Does disabling a program make certain registry entries disappear? I kinda doubt it, but I figured I might as well ask. Odds are that I'm mixing up memories of seeing something with a similarly laid-out file name and that the presence of the "\msmsgs.exe /background" stuff in Messenger could be normal things that Bancorkut copied in an attempt to avoid detection. But the fact that I couldn't get into safe mode until I disabled Messenger really bothers me.

I've also noticed that I have everything listed in step 4 of the removal directions for Trojan.Qipian, except for the "Newly Created = "0"" and "ActiveService = Messenger" stuff (which may be due to my lack of a "Control" subfolder for the registry mentioned) and the altered registry values.

I also have the "HideFileExt" = "1" "ShowSuperHidden" = "0" values mentioned in step ae of the Trojan.Hiween removal directions.

As I'm getting sleepy, I'm going to hold off on posting some other questions I had about the issue until later. I'll also see if I can find that case where Symantec said to delete a legit registry entry, too. If anyone can figure out what's going on with what information I've already posted, please let me know ASAP.

[Dancing David]

I recommend that you use www.malwarebytes.org or www.superantispyware.org rather than Norton.

The registry is sort of inviolate, unless you have run a repair or cleaner. Maybe find out how to do a clean of messenger?

[AtomicMysteryMonster]

Originally Posted by Dancing David

I recommend that you use www.malwarebytes.org or www.superantispyware.org rather than Norton.

Thanks for the advice. I downloaded Malwarebytes and didn't find anything when I ran it in both normal and safe (without networking) modes. If it wasn't for that incident with safe mode being blocked, I would've thought my system was a-okay due to those results. I'm thinking of getting superantispyware next.

Oh, and I should note that Regedit, msconfig, and task manager were not blocked during the time that I wasn't allowed to log into safe mode. I don't know if this will help anyone figure out what's going on, but I figure it couldn't hurt to throw that out there.

Quote:

The registry is sort of inviolate, unless you have run a repair or cleaner.

Well, I once manually deleted some registry stuff via Regedit ages ago (but that might have been back when I had Windows 98). That said, I'm not deleting anything until I'm 100% certain about any values or entries being "bad."

Quote:

Maybe find out how to do a clean of messenger?

Truth be told, I'm thinking of just getting rid of Messenger altogether. I never use it and I would hope that would also take care of anything "slipped into" it. Come to think of it, would uninstalling or deleting the program remove the registry stuff associated with said program?

I know that Windows Defender has a "Remove" option I could theoretically use on Messenger, although I don't know if it removes it from my computer or if it only removes it from Defender's list of options. I couldn't find it when I checked "Add/Remove Programs," although I did find a program called "Learn2 player" that I'm curious about. This is making me think it's okay, but I would like some outside opinions.

Okay, I just checked "Add/Remove Windows Components" and found Messenger listed there.

I also am also curious about the following:

C:\Documents and Settings\Local Service\Local Settings\Temporary Internet Files\Content.IE5\CDE1S9UP\743674[1].txt

C:\Documents and Settings\Local Service\Local Settings\Temporary Internet Files\Content.IE5\CDE1S9UP\heartbeat[1].xml

Administrator\Local Settings\Temp\TMP0000004787F4DB70429FK3A

I forgot to note this when I discussed registry entries in my last post, but I found a listing for something called "Ares.Aresplayer." A quick Google search doesn't exactly fill me with confidence about it. It might be related to a file-sharing program, which is highly odd since I don't use that sort of thing. Any thoughts?

[richardm]

Really I would never normally suggest something like this, but you seem to be so very over-worried about malware on Windows that I think it's interfering with your enjoyment of your computer. It's certainly interfering with mine, I feel sad when I read your posts. So: have you considered trying Linux instead?

Look, you are trawling through the registry and temporary files trying to find things to worry about, and not unsurprisingly you're finding matches for things that look iffy - because a lot of the malware reports you find on the 'net include a lot of things that are perfectly normal.

Windows does occasionally do funky things for no apparent reason; all operating systems do.

If you have run the things Dancing David has suggested and indeed Norton too and they have all turned up nothing, the odds are that you do not have a problem - at least, not one caused by a virus or malware.

Seriously.

Don't worry so much.

[Dancing David]

Hey if M-bam didn't find it, I would not worry too much.

If you really want a super answer go to the Major Geeks or the HijackThis forums (this one at Bleeping Computer), they will help you , and make sure you are fine.

But hey, if your system runs, you don't have browser redirects or strange stuff in the process file, I would not worry.

(Unless you are a secret agent or something)

[Dancing David]

Originally Posted by richardm

Windows does occasionally do funky things for no apparent reason; all operating systems do.

You are the Master , the Chosen One! Such wise words!

The Microsoft Fairy is often a Devil and sometimes an Angel.

[GreNME]

What version and service pack level of Windows are you running that Messenger isn't already disabled by default?

[AtomicMysteryMonster]

Sorry for the lateness everyone. I took a break from computer stuff in order to concentrate on Halloween setup (and later cleanup).

Originally Posted by richardm

Really I would never normally suggest something like this, but you seem to be so very over-worried about malware on Windows that I think it's interfering with your enjoyment of your computer.

Here's what's so funny: this whole mess started because I was trying to figure this out on my own so that I wouldn't have to bother anyone here with another question so soon after my last one. But as I've come to learn, my research skills stink when it comes to that sort of thing and I only ended up confusing myself.

When I originally tried to get into safe mode, I was fairly certain that I wouldn't find anything and that the whole experience would just be a little "feel good" moment, after which I would consider my computer to be a-okay. But it didn't happen that way and now here we are.

Quote:

So: have you considered trying Linux instead?

I had in the past, but my research led me to conclude that Linux wasn't quite as virus/malware/etc.-proof as I thought it was. Considering how confused I get over Windows stuff (despite having some knowledge on the matter), jumping into an operating system I'm completely unfamiliar with would only resulting in me having even more OS questions than before.

Quote:

Look, you are trawling through the registry and temporary files trying to find things to worry about, and not unsurprisingly you're finding matches for things that look iffy - because a lot of the malware reports you find on the 'net include a lot of things that are perfectly normal.

Norton shows me the temp stuff automatically at the end of every scan. As for the registry files, my problem is that I get curious about other stuff I see while using guides from Norton's website in an attempt to determine if I have signs of infection, but I do see where you're coming from. I do agree with you about your second point, though.

I've since downloaded HijackThis and plan on posting logs from that on a tech support forum in the future rather than trying to search through everything by myself. I figure that will make things much simpler on my part.

Quote:

If you have run the things Dancing David has suggested and indeed Norton too and they have all turned up nothing, the odds are that you do not have a problem - at least, not one caused by a virus or malware.

I should probably explain my concern. Last year, my computer got hit with a rather nasty type of malware known as a "krueger." Despite the signs of the infection being obvious to anyone looking at the PC, Norton couldn't detect it at all, nor could it detect the spyware that had been slipped into my startup without my knowing about it. In fact, it turned out my having those predated the kreueger infection! Eventually, I had to reformat my hard drive and reinstall everything.

Flash forward to this thread. My curiosity, combined with some work-related stress and sleep issues, has me very concerned. The fact I had recently discovered that the other scanning programs I was using weren't as good as I thought they were didn't help matters, either.

That said, I've heard very good things about the programs recommended to me in this thread, which makes their not finding anything much more reassuring to me. Well, that, and HijackThis not detecting anything (despite my being under the impression that it has some false positive issues). Am I correct in assuming that using superantispyware's default settings for scans (doesn't scan anything over 4 MB, only scans known file types) is the way to go?

Originally Posted by Dancing David

Hey if M-bam didn't find it, I would not worry too much.

If you really want a super answer go to the Major Geeks or the HijackThis forums (this one at Bleeping Computer), they will help you , and make sure you are fine.

But hey, if your system runs, you don't have browser redirects or strange stuff in the process file, I would not worry.

Thanks for the advice. I'm much more certain about my PC being fine, but I might pop into one of those forums, just to see what the deal was with safe mode.

Originally Posted by GreNME

What version and service pack level of Windows are you running that Messenger isn't already disabled by default?

Windows XP, Service Pack 3. It's highly likely that I accidentally enabled Messenger during the previously mentioned reinstall, as I do recall a screen where I could select/deselect items.

[Dancing David]

Yeah those virueses and trojans make you paranoid, like having a biological parasite infection, once you get one, you are wary of another.

[GreNME]

Originally Posted by AtomicMysteryMonster

Originally Posted by GreNME

What version and service pack level of Windows are you running that Messenger isn't already disabled by default?

Windows XP, Service Pack 3. It's highly likely that I accidentally enabled Messenger during the previously mentioned reinstall, as I do recall a screen where I could select/deselect items.

It's a certainty that you or someone/something else enabled it, because Messenger has been disabled by default since Service Pack 2.

Unless you are fully aware of what you're doing and are willing to document the changes you've made, never go enabling or disabling services yourself. I can't begin to tell you how many times I've come across people following QuackViper or some other "tweak" site's bogus service disabling list, and it's caused more programs to not work, more OS features to break, and more headaches than practically any other tweak I can think of beyond the equally-stupid shut-off-the-page-file tweak.

If you're interested in a list of default services settings, I can probably dredge one up or create one myself based on a vanilla VM I have.

[Dancing David]

Originally Posted by GreNME

It's a certainty that you or someone/something else enabled it, because Messenger has been disabled by default since Service Pack 2.

Unless you are fully aware of what you're doing and are willing to document the changes you've made, never go enabling or disabling services yourself. I can't begin to tell you how many times I've come across people following QuackViper or some other "tweak" site's bogus service disabling list, and it's caused more programs to not work, more OS features to break, and more headaches than practically any other tweak I can think of beyond the equally-stupid shut-off-the-page-file tweak.

If you're interested in a list of default services settings, I can probably dredge one up or create one myself based on a vanilla VM I have.

Yup, I did that the hard way.

[AtomicMysteryMonster]

Originally Posted by GreNME

Unless you are fully aware of what you're doing and are willing to document the changes you've made, never go enabling or disabling services yourself.

I was getting advice from a family friend during the process, but I forget if he specifically said to enable Messenger or if I did it on my own.

Quote:

I can't begin to tell you how many times I've come across people following QuackViper or some other "tweak" site's bogus service disabling list, and it's caused more programs to not work, more OS features to break, and more headaches than practically any other tweak I can think of beyond the equally-stupid shut-off-the-page-file tweak.

Very interesting. Perhaps that's the reason for that issue with safe mode (assuming my enabling Messenger wasn't recommended by the friend)?

Quote:

If you're interested in a list of default services settings, I can probably dredge one up or create one myself based on a vanilla VM I have.

Sure, I'd love to see that (if it isn't too much of a hassle).

[GreNME]

Originally Posted by AtomicMysteryMonster

I was getting advice from a family friend during the process, but I forget if he specifically said to enable Messenger or if I did it on my own.

Just something to note: if a service is disables, it's best to leave it that way. Changing the Windows configuration by either adding software that utilizes it or by using the "Add/Remove Windows Components" wizard will enable or disable necessary services.

Originally Posted by AtomicMysteryMonster

Very interesting. Perhaps that's the reason for that issue with safe mode (assuming my enabling Messenger wasn't recommended by the friend)?

The issue you had in safe more seems to be with Norton, not with Windows. That Norton somehow needs a service that's disabled on purpose for security reasons makes me distrust Norton.

Originally Posted by AtomicMysteryMonster

Sure, I'd love to see that (if it isn't too much of a hassle).

Give me a few days. There are a few things tying up my schedule, but I can run a quick compare and list it back here for you this weekend.

[AtomicMysteryMonster]

Originally Posted by GreNME

Just something to note: if a service is disables, it's best to leave it that way. Changing the Windows configuration by either adding software that utilizes it or by using the "Add/Remove Windows Components" wizard will enable or disable necessary services.

Thanks for the tip. Does that mean I should do that in addition to having disabled it with Windows Defender?

Quote:

The issue you had in safe more seems to be with Norton, not with Windows. That Norton somehow needs a service that's disabled on purpose for security reasons makes me distrust Norton.

Norton didn't need anything disabled; it's just that Norton 360 doesn't run in Safe Mode and they designed some sort of free tool to "take its place" in that mode. Norton didn't need Messenger at all. In fact, it was one of their security writeups that helped me figure out that I should disable Messenger.

Quote:

Give me a few days. There are a few things tying up my schedule, but I can run a quick compare and list it back here for you this weekend.

Sure, that sounds fine. Thanks again!

[GreNME]

Windows services list:

Service Name	Default Setting
Alerter	Disabled
Application Layer Gateway	Manual
Application Management	Manual
Automatic Updates	Automatic
Background Intelligent Transfer Service (BITS)	Manual
Clipbook Service	Disabled
COM+ Event System	Manual
COM+ System Application	Manual
Computer Browser	Automatic
Cryptographic Services	Automatic
DCOM Server Proc Launcher	Automatic
DHCP Client	Automatic
Distributed Link Tracking Client	Automatic
Distributed Transaction Coordinator	Manual
DNS Client	Automatic
Error Reporting	Automatic
Event Log	Automatic
Extensible Authentication Protocol Service	Manual
Fast User Switching Compatibility	Manual
Help and Support	Automatic
Human Interface Device Access	Disabled
HTTP SSL	Manual
IMAPI CD-Burning COM	Manual
Indexing Service	Manual
IPSEC Services	Automatic
Logical Disk Manager	Automatic
Logical Disk Manager Administrative Service	Manual
Machine Debugger	Manual
Messenger	Disabled
MS Software Shadow Copy Provider	Manual
Net Logon	Manual
NetMeeting Remote Desktop Sharing	Manual
Network Connections	Manual
Network DDE	Disabled
Network DDE DSDM	Disabled
Network Location Awareness (NLA)	Manual
Network Provisioning	Manual
NT LM Security Support Provider	Manual
Performance Logs and Alerts	Manual
Plug and Play	Automatic
Portable Media Serial Number	Manual
Print Spooler	Automatic
Protected Storage	Automatic
QoS RSVP	Manual
Remote Access Auto Connection Manager	Manual
Remote Access Connection Manager	Manual
Remote Desktop Help Session Manager	Manual
Remote Procedure Call (RPC)	Automatic
Remote Procedure Call (RPC) Locator	Manual
Remote Registry	Automatic
Removable Storage	Manual
Routing and Remote Access	Manual
Secondary Logon	Automatic
Security Accounts Manager	Automatic
Security Center	Automatic
Server	Automatic
Shell Hardware Detection	Automatic
Smart Card	Manual
SSDP Discovery	Manual
System Event Notification	Automatic
System Restore	Automatic
Task Scheduler	Automatic
TCP/IP NetBIOS Helper	Automatic
Telephony Service	Manual
Telnet	Disabled
Terminal Services	Manual
Themes	Automatic
Uninterruptible Power Supply	Manual
Universal Plug and Play Device Host	Manual
Volume Shadow Copy	Manual
WebClient	Automatic
Windows Audio	Automatic
Windows Firewall / Internet Connection Sharing (ICS)	Automatic
Windows Image Acquisition (WIA)	Manual
Windows Installer	Manual
Windows Management Instrumentation	Automatic
Windows Management Instrumentation Driver Extensions	Manual
Windows Time	Automatic
Wireless Zero Configuration	Automatic
WMI Performance Adapter	Manual
Workstation	Automatic

Those are pretty much the default Windows services for a Service Pack 3 install of Windows XP. I have other services on my VM, but those are related to the .Net Framework, the VM guest additions software, and extra (non-default) Windows services I have installed.

My recommendation is to not change these default settings unless you can explain in specific technical terms the benefit of doing so, can document what you're changing for later reference, and understand the risk that changing some certain default settings is going to alter the way Windows operates, how other software interacts with the OS, and possibly how Windows can communicate with hardware you have connected to the computer. The various tweak websites out there that have claimed to improve performance in any on a computer by altering services are demonstrably wrong-- I've had an open challenge to anyone, including them, since about 2003 to prove otherwise-- and as far as security goes there are less risky ways of achieving the goal of security. My only exception is that for desktops who are connected to the internet through ethernet cables into their modem/router, the Wireless Zero Configuration service can be reasonably set to 'Manual' (not Disabled) without risk.

[AtomicMysteryMonster]

Originally Posted by GreNME

Those are pretty much the default Windows services for a Service Pack 3 install of Windows XP. I have other services on my VM, but those are related to the .Net Framework, the VM guest additions software, and extra (non-default) Windows services I have installed.

My recommendation is to not change these default settings unless you can explain in specific technical terms the benefit of doing so, can document what you're changing for later reference, and understand the risk that changing some certain default settings is going to alter the way Windows operates, how other software interacts with the OS, and possibly how Windows can communicate with hardware you have connected to the computer.

Here's my belated thanks for that handy list. I definitely won't be monkeying around with any of my default settings. Come to think of it, I don't even know how to do that (except for reformatting/reinstalling, which I wouldn't want to do).

[Dancing David]

Originally Posted by AtomicMysteryMonster

Here's my belated thanks for that handy list. I definitely won't be monkeying around with any of my default settings. Come to think of it, I don't even know how to do that (except for reformatting/reinstalling, which I wouldn't want to do).

Um, you right click My Computer and select Monkey ooops I mean Manage. Then you click Services and Applications and then Services, it will tell you which ones are started how they start. You right click them if you want to change them, but there are many that will mess you up.