Cleanup orphaned HKLM\SYSTEM\CurrentControl\SafeBoot subkeys


No replies to this topic

#1 redgiant

Posted 11 March 2013 - 03:00 PM

In trying to figure out which exact Registry keys got changed or removed to prevent my F8 key working when I boot, I noticed some of the subkeys under both Minimal and Network safe mode boot are dead ends; either the CLSID is not defined, or it leads to a non-existent file. And some of those files are suspiciously named to me anyway, but I have no definitive list to go by to check them.

I know one of the obvious things a virus kit will do (if permissions allow it) is modify the safe mode lists to load their junk to perpetuate the problem and inhibit your ability to think you can fix it. Or turn off F8 to get to safe mode via keyboard, which is what I think something did a while ago and is my reason for looking at this part of the Registry in the first place.

So, even if there is technically nothing bad happening since those items no longer lead to actual files to load, I would like to know which ones they are and have the option to remove them. It unnerves me to leave dangling entries in such an important list as the SafeMode and SafeMode with Networking sanctioned load lists. There is a very short list of very specific items that should be in these failsafe lists, and most if not all are sfc-level known quantities, right?

Do any of the usual tools help correct this orphaned safe mode subkey issue? I have run mbam, mbar, combofix and other tools in the past, but any fixes they performed did not clean up those keys (although I surmise they removed some of the files that those keys led to, if they were infection-related).


Edited by redgiant, 11 March 2013 - 03:01 PM.
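One way to get the list the post asks for, as an added example that is not part of the original thread: a read-only PowerShell script that walks the Minimal and Network lists under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (the full path of the key the title abbreviates) and reports entries that resolve to nothing. It assumes an elevated PowerShell on the affected machine; GUID-named entries are checked as device setup classes under Control\Class, "Driver Group" entries against ServiceGroupOrder, and everything else against the Services key and its ImagePath on disk. It reports only and deletes nothing, so the output can be compared against a known-good machine before any entry is removed.

```powershell
# Added example, not code from the post. Read-only: it reports SafeBoot entries that no
# longer resolve and deletes nothing. Assumptions: run in an elevated PowerShell on the
# affected machine; the SafeBoot root is HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$classRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$groupList    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List

function Resolve-ImagePath {
    # Turn the forms ImagePath takes (\SystemRoot\..., \??\C:\..., system32\drivers\x.sys,
    # "quoted path" -args, %SystemRoot%\...) into a plain file path, or $null if empty.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    else { $p = ($p -split '\s+(?=[-/])')[0] }          # drop trailing switches
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($list in 'Minimal', 'Network') {
    Get-ChildItem -Path (Join-Path $safeBootRoot $list) | ForEach-Object {
        $name = $_.PSChildName
        $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'   # e.g. Driver, Service, Driver Group
        $problem = $null
        if ($name -match '^\{[0-9a-f-]{36}\}$') {
            # GUID-named entries are device setup classes; they live under Control\Class
            if (-not (Test-Path (Join-Path $classRoot $name))) { $problem = 'setup class GUID not defined' }
        } elseif ($kind -eq 'Driver Group') {
            if ($groupList -notcontains $name) { $problem = 'load-order group not in ServiceGroupOrder' }
        } else {
            $svc = Join-Path $servicesRoot $name
            if (-not (Test-Path $svc)) { $problem = 'no matching service or driver key' }
            else {
                $img = Resolve-ImagePath (Get-ItemProperty -Path $svc).ImagePath
                if ($img -and -not (Test-Path -LiteralPath $img)) { $problem = "ImagePath missing: $img" }
            }
        }
        [pscustomobject]@{ List = $list; Entry = $name; Kind = $kind; Problem = $problem }
    }
}
# Print only the dead ends; $report still holds the healthy entries for comparison
$report | Where-Object { $_.Problem } | Format-Table -AutoSize
```

Export the whole `$report` from a clean machine of the same Windows version and diff the two before deleting anything, since a missing ImagePath can also mean a driver that was legitimately uninstalled.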

