In trying to figure out which exact Registry keys got changed or removed to prevent my F8 key working when I boot, I noticed some of the subkeys under both Minimal and Network safemode boot are dead ends: either the CLSID is not defined, or it leads to a non-existent file. And some of those files are suspiciously named to me anyway, but I have no definitive list to go by to check them.
I know one of the obvious things a virus kit will do (if permissions allow it) is modify the safe mode lists to load their junk to perpetuate the problem and inhibit your ability to think you can fix it. Or turn off F8 to get to safemode via keyboard, which is what I think something did a while ago and is my reason for looking at this part of the Registry in the first place.
So, even if there is technically nothing bad happening since those items no longer lead to actual files to load, I would like to know which ones they are and have the option to remove them. It unnerves me to leave dangling entries in such an important list as the SafeMode and SafeMode with Networking sanctioned load lists. There is a very short list of very specific items that should be in these failsafe lists, and most if not all are sfc-level known quantities, right?
Do any of the usual tools help correct this orphaned safemode subkey issue? I have run mbam, mbar, combofix and other tools in the past, but any fixes they performed did not clean up those keys (although I surmise they removed some of the files that those keys led to, if they were infection-related).
Edited by redgiant, 11 March 2013 - 03:01 PM.
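
An added example, not part of the original post: a read-only PowerShell audit of the two SafeBoot lists the post describes, flagging subkeys whose class GUID, driver file, or service image cannot be found. The resolution rules used here (names ending in `.sys` are looked up in `System32\drivers`, all other names under the `Services` key) and the helper name `Resolve-ImagePath` are assumptions made for this example.

```powershell
# Added example: read-only audit of the SafeBoot\Minimal and SafeBoot\Network lists.
# Run from 64-bit PowerShell so System32 paths are not redirected to SysWOW64.
$ccs    = 'HKLM:\SYSTEM\CurrentControlSet'
$groups = (Get-ItemProperty "$ccs\Control\ServiceGroupOrder").List

function Resolve-ImagePath([string]$raw) {
    # Reduce a service ImagePath value to a file path (common forms only; an assumption).
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw).Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                       # quoted path + args
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }  # unquoted path + args
    $p = $p -replace '^\\\?\?\\', ''                                       # \??\C:\... prefix
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }     # relative driver path
    return $p
}

$report = foreach ($mode in 'Minimal', 'Network') {
    foreach ($key in Get-ChildItem "$ccs\Control\SafeBoot\$mode") {
        $name   = $key.PSChildName
        $kind   = [string]$key.GetValue('')   # default value, e.g. Service, Driver, Driver Group
        $status = 'ok'; $target = ''
        if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') {
            # Device class GUID: it should be defined under Control\Class.
            if (-not (Test-Path -LiteralPath "$ccs\Control\Class\$name")) { $status = 'class GUID not defined' }
        } elseif ($kind -eq 'Driver Group') {
            if ($groups -notcontains $name) { $status = 'group not in ServiceGroupOrder' }
        } elseif ($name -match '\.sys$') {
            # Entry names a driver file directly.
            $target = Join-Path $env:SystemRoot "System32\drivers\$name"
            if (-not (Test-Path -LiteralPath $target)) { $status = 'driver file missing' }
        } else {
            $svcKey = "$ccs\Services\$name"
            if (-not (Test-Path -LiteralPath $svcKey)) { $status = 'no matching service key' }
            else {
                # Services with no ImagePath value are left as ok and need a manual look.
                $target = Resolve-ImagePath (Get-ItemProperty -LiteralPath $svcKey).ImagePath
                if ($target -and -not (Test-Path -LiteralPath $target)) { $status = 'image file missing' }
            }
        }
        [pscustomobject]@{ Mode = $mode; Entry = $name; Kind = $kind; Status = $status; Target = $target }
    }
}
$report | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

The script changes nothing; flagged entries are candidates for manual review, and exporting the SafeBoot key with `reg export` before deleting any subkey keeps the change reversible.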