Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Unable to start in Windows safe mode – Cleaning Malware

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

Safe mode is one of the trouble shooting options available with Windows. In safe mode the PC starts only with those files that are necessary to run Windows. In situations when the malware auto start with Windows and block most of the legitimate programs from running, it becomes an invaluable tool in fighting malware. Most of the malware processes do not run in Windows safe mode giving you a chance to remove them.

I personally prefer to run the malware scanners first in safe mode and then again in normal mode when faced with malware that doesn’t allow running security programs in normal mode. But what would you do when you are unable to boot into ‘safe mode’ / ‘safe mode with networking’ or the malware has managed to run in both ‘safe mode’ / ‘safe mode with networking’ or when the malware messes up the registry keys needed for starting in safe mode?

First I would try to boot into ‘safe mode with command prompt’ which starts Windows with only core drivers and launches the command prompt. Then run a malware removal software from the command prompt. The following is a short how-to to run Malwarebytes’ Anti-Malware in safe mode with command prompt:

  • Use an alternate computer to download MalwareBytes’s Anti-Malware (mbam-setup.exe) and the Malwarebytes’ Anti-Malware Malware definitions (mbam-rules.exe) to a removable drive like CDs, DVDs or USB flash drives.

  • Boot in to Windows Safe Mode with Command Prompt Using F8 key.

    Windows XP Safe mode

  • At the command prompt type ‘explorer.exe‘ and press the Enter key, wait for Windows Explorer to open. Now in ‘My Computer’ browse to your removable drive.

  • Install MalwareBytes’s Anti-Malware and Malwarebytes’ Anti-Malware Malware definitions from your removable drive. Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.

  • Reboot into normal mode, Launch, Update and scan again with MalwareBytes’s Anti-Malware.

Cannot boot into even ‘safe mode with command prompt’?

  • I recommend using an anti-virus rescue disk. It is helpful when the malware infection is at such level that it is impossible to clean the computer by booting into normal or safe mode.

Malware is known to cripple the ability to restart a PC in safe mode by repeatedly deleting the contents of the registry key HKLMSystemCurrentControlSetControlSafeboot.

  1. Didier Stevens provides a program to re-create ‘the undeletable safeboot key’ to defeat the designs of such malware.

  3. sUBs provides SafeBootKeyRepair.exe to repair Safe Mode.

  5. ElPiedra provides SafeBootKeyRepair registry file to repair Safe Mode.

  7. SuperAntiSpyware Free edition has an option to restore the SafeBoot key that is deleted or corrupted by malware attack. Open SuperAntiSpyware, click on Preferences and then click Repairs tab. Scroll down and select “Repair broken SafeBoot key”, click Perform Repair and follow the prompts.


  • If your computer is a branded PC that comes with its own restore CD or any other recovery method, then try that if it offers a non-destructive repair/recovery option.

  • If you are an advanced user and have the installation media on hand, install the Recovery Console. Try using Bootcfg, chkdsk, fixboot, fixmbr commands to restore the boot file.

  • If everything fails and you desperately need to start in safe mode try a Repair Install Windows XP, Vista and Windows 7.

Still having trouble booting into safe mode? Ask for help in one of the recommended forums for malware help.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: