
Cleaning Malware and Safe Mode

by Shanmuga

Safe mode is a Windows troubleshooting option that starts your PC with only the basic files and device drivers necessary to run Windows. Many malware processes are persistent, auto start with Windows and block other legitimate programs from executing. In such situations booting into Windows safe mode is likely to disable the offending processes and provide you with a chance to proceed with malware cleaning.

A number of malware removal software recommend that you run their scanners in safe mode for best results. When faced with tough-to-remove malware, I prefer to run the malware scanners first in safe mode and then in normal mode.

Using F8 key (Recommended)

The process of starting into safe mode is similar in recent versions of Windows.

[Screenshot: XP Advanced Options]

[Screenshot: Vista Advanced Options]

[Screenshot: Windows 7 Advanced Options]

  • Restart your computer
  • Press and hold the F8 key for a couple of seconds, before the Windows logo appears as your computer boots. You might need to press the F8 key multiple times to enter the Advanced Options menu. If this doesn’t work try the F5 key.
  • If your computer has multiple operating systems, highlight the operating system that you want to start in safe mode using arrow keys and then press F8.
  • On the Advanced Options screen, select the safe mode option you want and then press the Enter key. Safe mode or Safe mode with Networking is appropriate for most situations.
  • Log on to your PC with an account with administrative rights.
  • When you are working in safe mode, you can see the words Safe mode in the corners of the screen. You can exit safe mode anytime by restarting Windows normally.

Note: The two methods below are for information only and are not recommended when trying to get rid of malware from your computer. They force Windows to boot into safe mode by altering boot.ini (or the Boot Configuration Data, BCD, on Windows Vista and Windows 7). This is a serious concern if malware has tampered with the registry keys that safe mode depends on: the boot setting forces safe mode, safe mode itself cannot start, and the result is the dreaded 'restart loop' or a BSOD.

Using System Configuration to Safe boot

If you are unable to boot into safe mode using the F8 key, you can try using System Configuration.

  • For Windows XP: Click Start and then click Run. Type “msconfig” in the Run dialogue box and then click OK.

    In the BOOT.INI tab, check mark /SAFEBOOT, click OK and then Restart to boot into safe mode. Make sure that only MINIMAL (default) or NETWORK is selected in the corresponding radio-boxes.

[Screenshot: Windows XP System Configuration]

[Screenshot: Windows 7 System Configuration]

  • For Windows 7 and Vista: Click Start, All Programs, Accessories and then Run. Type “msconfig” in the Run dialogue box and then click OK.

  • In the Boot tab, check Safe boot, click OK and then Restart to boot into safe mode. Make sure that only Minimal (default) or Network is selected in the corresponding radio-boxes.

Using BootSafe

[Screenshot: BootSafe]

BootSafe, a small program from SuperAntiSpyware, automates rebooting Windows into safe mode. It supports booting into safe mode, safe mode with networking and safe mode with directory services restore. The program is also bundled with SuperAntiSpyware, so if you have SuperAntiSpyware installed there is no need to download BootSafe separately.

Unable to start in Safe mode?

What would you do when you are unable to boot into 'safe mode' or 'safe mode with networking', when the malware has managed to run in both 'safe mode' and 'safe mode with networking', or when the malware has corrupted the registry keys needed for starting in safe mode?

Please check the article Unable to start in Windows safe mode – Cleaning Malware for some ideas to overcome such a situation.

Can Malware load in Safe mode?

The short answer is YES, it can. One way is to piggyback on legitimate processes such as userinit.exe and explorer.exe, which are allowed to start in safe mode, by modifying the Winlogon registry key.

The Privacy Center scareware uses this technique to load in safe mode. Its process, pc.exe, is seen loading in safe mode through the Winlogon Shell value:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (C:\Documents and Settings\malwarehelp_org\Application Data\PC\pc.exe)

According to McAfee, the services and drivers that load in Safe Mode are listed under the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot.
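A defender-side check for the two persistence points above (the Winlogon Shell value and the SafeBoot keys), added here as an example and not part of the original post. It assumes the stock Shell value is explorer.exe and that no legitimate safe-mode service runs from a user profile or Temp directory; run it from an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not from the original post: audit the two safe-mode persistence
# points described above. Run from an elevated PowerShell prompt (Windows 7 or later).
# The expected Shell value and the user-writable-path pattern are assumptions made
# for this example, not values from the post or from any vendor.

function Test-WinlogonShell {
    # Stock Windows sets Shell=explorer.exe under HKLM only. A Shell value under HKCU,
    # or any extra comma-separated entry, is the trick the post attributes to Privacy Center.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key).Shell
        if ($null -eq $shell) { continue }
        $entries = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $extra = @($entries | Where-Object { $_ -ine 'explorer.exe' })
        if ($hive -eq 'HKCU' -or $extra.Count -gt 0) {
            Write-Warning "$key\Shell = '$shell' (unexpected: $($extra -join ', '))"
        } else {
            Write-Output "$key\Shell = '$shell' (as expected)"
        }
    }
}

function Test-SafeBootEntries {
    # Each subkey of SafeBoot\Minimal and \Network is a driver group, a device class
    # GUID, or a service/driver allowed to start in safe mode. Driver groups and GUIDs
    # are skipped; for service entries the binary path is checked, on the assumption
    # that nothing legitimate needed in safe mode runs from a user profile or Temp.
    $userPath = '(?i)\\(Users|Documents and Settings)\\|\\AppData\\|\\Temp\\'
    foreach ($mode in 'Minimal', 'Network') {
        $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $name = $sub.PSChildName
            if ((Get-ItemProperty -Path $sub.PSPath).'(default)' -eq 'Driver Group') { continue }
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if (-not (Test-Path $svc)) { continue }   # e.g. bare *.sys driver names
            $image = (Get-ItemProperty -Path $svc).ImagePath
            if ($image -match $userPath) {
                Write-Warning "SafeBoot\$mode\$name -> $image (runs from a user-writable path)"
            }
        }
    }
}

Test-WinlogonShell
Test-SafeBootEntries
```

Anything the script warns about should be compared against the original infection indicators before removal, since the SafeBoot list also contains legitimate third-party security products.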


Rickye May 20, 2010 at 8:21 PM

This thing works. Thanks a million

R


glenn January 14, 2012 at 5:22 PM

Thanks, cleaned up my malware. :)
