As malware is getting more widespread, it is also getting nastier and it is more difficult to return a computer to a 100% clean state. Even after you remove all the infected files and malicious modules, some things still don't work well.
One such feature is safe mode - an infected (or post-infected) Windows boots fine in normal mode, but it cannot boot into safe mode, at one point you see a blue screen of death.
Your first guess is to re-install Windows, or use sfc.exe to recover some corrupt system files. A re-install will take time and it is an "ugly" solution, while using sfc.exe won't help in this case. In order to understand how to restore the safe mode functionality, we need to understand how safe mode works.
Safe mode is a mode in which only a small sub-set of system drivers is loaded; there has to be a place where this list of drivers is defined; the place is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot.
There are two sub-keys there, Minimal and Network, they contain lists of drivers that are loaded in each of the types of safe mode (you've probably noticed that there are two related entries in the boot menu, one is "safe mode", the other is "safe mode with networking").
A malicious program simply deletes that key and its children, so that when you try to boot into safe mode, the system cannot proceed because it doesn't have a list of drivers to load.
The solution is to simply restore that registry key. Perhaps for each particular system the list of drivers is different, but if you don't have a backup of this key made on your system, copy it from another computer - it should work.
Here is a safe mod registry backup made on a Windows XP SP3 system, it should work with any version of Windows XP. The principle is the same in other versions of Windows, this backup will probably work there too.
No feedback yet
Form is loading...