Using LogMeIn in Safe Mode (with networking)

Today I had a client with a major malware issue - browser search hijackers, popups, 10+ new programs installed in one day with vague titles...your typical compromised system. I had previously installed LogMeIn so I could help with their IT issues remotely (especially since they are located about 45min away). After whittling down the crop of malware using Programs and Features, there were still 2 pesky programs left - YTDownloader and SpaceSoundPro. These programs would not uninstall, nor could I delete the program directories, as their DLL files were loaded in memory. I was able to run MalwareBytes by renaming mbam.exe before installation (the malware tried to kill the process otherwise!), but the scan mostly yielded registry entries. The next step was Safe Mode, but how do you do that remotely, when Safe Mode normally starts neither networking nor the remote-access service you depend on?

A Google search revealed that LogMeIn can run in Safe Mode with Networking with a few tweaks. I entered the following command into a command prompt (run as Administrator):

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\LogMeIn" /VE /T REG_SZ /D "Service"

This adds the LogMeIn service to the SafeBoot\Network whitelist, so Windows starts it when booting into Safe Mode with Networking (Safe Mode only starts the drivers and services listed under SafeBoot\Minimal or SafeBoot\Network; everything else, LogMeIn included, is skipped). The key name must match the service's name exactly and the (Default) value must be the string "Service", otherwise the service is still skipped and you lose remote access until someone is physically at the machine. Next, I rebooted the machine into Safe Mode with Networking using these commands:

bcdedit /set {current} safeboot network
shutdown /r

I removed the malware instantly by simply deleting the two program directories, since their DLLs were no longer loaded. Next I opened up another command prompt (as Administrator!) and cleared the safeboot flag before rebooting back into normal mode. Do not skip this step: the bcdedit setting is persistent, so without it the machine keeps booting into Safe Mode on every restart.

bcdedit /deletevalue {current} safeboot
shutdown /r
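The same round trip as one script, written for this post as an added example (it is not LogMeIn's code and was not part of the original procedure). It runs the post's reg and bcdedit steps from PowerShell, checks each one before the reboot, and fails early instead of leaving the box unreachable. Assumptions: the LogMeIn Windows service is named "LogMeIn" (as in the reg add command above), and you run it from an elevated PowerShell session. One gotcha that cmd.exe does not have: in PowerShell `{current}` must be quoted, or the braces are parsed as a script block.

```powershell
# Added example: enter or leave Safe Mode with Networking while keeping a
# remote-access service (assumed name: "LogMeIn") running.
# Usage: .\SafeModeRemote.ps1 -Action EnterSafeMode
#        .\SafeModeRemote.ps1 -Action LeaveSafeMode
[CmdletBinding()]
param(
    [ValidateSet('EnterSafeMode', 'LeaveSafeMode')]
    [string]$Action = 'EnterSafeMode',
    [string]$ServiceName = 'LogMeIn',   # assumed service name; check Get-Service first
    [switch]$NoReboot                   # do everything except the restart
)

$ErrorActionPreference = 'Stop'

# Fail early without admin rights; reg/bcdedit would fail later anyway.
$principal = [Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

$safeBootKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\$ServiceName"

switch ($Action) {
    'EnterSafeMode' {
        # The key name must match a real service, or Safe Mode boots without it
        # and the remote session is gone until someone is at the keyboard.
        if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
            throw "Service '$ServiceName' not found; fix the name before rebooting."
        }

        # Whitelist the service: key under SafeBoot\Network, (Default) REG_SZ = "Service".
        New-Item -Path $safeBootKey -Force | Out-Null
        Set-ItemProperty -Path $safeBootKey -Name '(default)' -Value 'Service'

        # Verify the registry entry before touching the boot configuration.
        $data = (Get-ItemProperty -Path $safeBootKey).'(default)'
        if ($data -ne 'Service') { throw 'SafeBoot registry entry was not written.' }

        # Flag the current boot entry for Safe Mode with Networking.
        # '{current}' is quoted: unquoted braces are a script block in PowerShell.
        bcdedit /set '{current}' safeboot network
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set failed; not rebooting.' }

        Write-Host "Safe Mode with Networking armed; '$ServiceName' should come back up after reboot."
    }
    'LeaveSafeMode' {
        # Clear the flag FIRST; it is persistent, so without this every boot is Safe Mode.
        bcdedit /deletevalue '{current}' safeboot
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /deletevalue failed; do not reboot yet.' }

        # Confirm the flag is really gone before restarting.
        $entry = bcdedit /enum '{current}'
        if ($entry -match '^safeboot\s') { throw 'safeboot flag still present; not rebooting.' }

        # The whitelist key can stay for next time, or remove it with:
        #   Remove-Item -Path $safeBootKey
        Write-Host 'Normal boot restored.'
    }
}

if (-not $NoReboot) { Restart-Computer -Force }
```

Run it once with `-NoReboot` and inspect `bcdedit /enum '{current}'` and the SafeBoot\Network key by hand before trusting it on a machine you cannot walk over to.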

This did the trick!
