Wednesday, March 10, 2010

How to Restore Safe Mode When it Gets Disabled by a Virus

Safe Mode is a special way of booting Windows when there is a system-critical problem or a virus that interferes with its normal operation. The purpose of Safe Mode is to let you troubleshoot Windows and try to determine what is keeping it from functioning properly. In Safe Mode, Windows runs with reduced functionality, which makes it easier to troubleshoot your system and attempt removal of viruses (many of them won't start when Windows is running in Safe Mode). Unfortunately, many computer viruses today, such as Bagle, Virut, and Sality, disable Safe Mode by deleting the SafeBoot registry key and its subkeys. Some go further, continuously monitoring the registry and deleting the keys again as soon as you restore them.

Booting from a LiveCD, or scanning your system hard drive for viruses from a virus-free computer, is still the best way. However, if you don't have access to a LiveCD or another computer, you can follow the procedure below:

- Run a program that restores the SafeBoot registry key with permission entries that deny the Administrators and System accounts the right to delete the key. This way, the virus can't delete the key because it lacks the permission to do so.
  Extract and double-click "UndeletableSafebootKey.exe" to run the program.

- Restore the subkeys by merging the appropriate .reg file with the Windows registry.
  Extract and double-click the .reg file appropriate for your system and click "Yes" to merge it into the registry.
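
To confirm that both steps took effect, the following read-only PowerShell check is an added example, not part of the original post or of the tools it mentions. It assumes the standard key location `HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot` with its `Minimal` and `Network` subkeys; the function name `Test-SafeBootKey` is made up for this illustration.

```powershell
# Added example: read-only verification of the SafeBoot key (changes nothing).
# Assumption: standard key location and the usual Minimal/Network subkeys.
$SafeBootPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootKey {
    param([string]$Path = $SafeBootPath)

    $report = [ordered]@{
        KeyExists      = Test-Path -Path $Path
        MinimalEntries = 0      # entries under SafeBoot\Minimal
        NetworkEntries = 0      # entries under SafeBoot\Network
        DenyDeleteFor  = @()    # accounts with a Deny entry covering Delete
    }
    if (-not $report.KeyExists) { return [pscustomobject]$report }

    # A restored key with empty subkeys still leaves Safe Mode unusable,
    # so count the entries rather than only testing for existence.
    foreach ($mode in 'Minimal', 'Network') {
        $sub = Join-Path $Path $mode
        if (Test-Path -Path $sub) {
            $report["${mode}Entries"] = @(Get-ChildItem -Path $sub).Count
        }
    }

    # List Deny entries that include the Delete right on the SafeBoot key.
    $delete = [System.Security.AccessControl.RegistryRights]::Delete
    $report.DenyDeleteFor = @(
        (Get-Acl -Path $Path).Access |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                ($_.RegistryRights -band $delete)
            } |
            ForEach-Object { $_.IdentityReference.Value }
    )
    [pscustomobject]$report
}

$r = Test-SafeBootKey
$r | Format-List
if (-not $r.KeyExists)                { Write-Warning 'SafeBoot key is missing.' }
elseif ($r.MinimalEntries -eq 0)      { Write-Warning 'SafeBoot\Minimal is missing or empty.' }
elseif ($r.NetworkEntries -eq 0)      { Write-Warning 'SafeBoot\Network is missing or empty.' }
elseif ($r.DenyDeleteFor.Count -eq 0) { Write-Warning 'No Deny/Delete entry on the key; it can be deleted again.' }
else                                  { 'SafeBoot key, subkeys and Deny/Delete entries are present.' }
```

Run it from an elevated PowerShell prompt, and run it again a few minutes later: if the key or its subkeys have vanished in between, something is still deleting them.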

1 comments so far:

ce's geekbook said...

Great tip on restoring safe mode... I am always on the lookout for getting rid of the nasty bugs picked up on the web. Also found a way to re-enable the Task Manager when it has been disabled, if you want to take a look.