Jump to content

Malware/Virus removed successfully, but no access to F8 Safe Mode in Windows 7


Recommended Posts

First, we are working with Windows 7.

About a month ago I was troubled with an infection which was resolved. One thing I did not check at the time was booting into Safe Mode via the F8 key. Today I checked. When I do there is no response from the F8 pushing/pressing, so I believe the little pain changed the registry, ini file, or something. I have no problem setting msconfig to boot Safe Mode, and does so successfully... I used to know how to repair this for the XP platform, but my memory fails me and can't remember how to fix it, nor if the fix I did have would apply to Windows 7.

Can anyone shed any light on this issue for me, maybe a kind solution... :)

With Thanks for reading this,


Link to post
Share on other sites

Hello and post-32477-1261866970.gif


P2P/Piracy Warning:



If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.




Download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.




Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Link to post
Share on other sites

Hi Kevinf80,
no P2P run on any of my workstations, thanks! ;)

Here are the output results (I apologize as I had to send this as an attached file as the system kept telling

me the sections were too long) as requested and noted as follows:

I see some errors, I do not know how to fix at the moment, but that's another issue I guess.

There, to me, is a very suspicious REG file titled "Windwos+7+Sp+1+Safeboot.reg" , I have put a copy of the

textual content at the end of the file.

I sincerely await your help/reply.

Thank you kindly,




Link to post
Share on other sites

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.


Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.




The reg key you post, was that an export of the safeboot key from your system? I attach a replacement key for Winodws 7 SP1, is zipped..you can unzip to your Desktop.





  • Download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.





Delete your original reg key then run the new key from Desktop to merge, accept any alert.


Re-boot, does that make any difference?




Do not delete the prior safeboot regkey, just merge the new one straight over the top, run the file from the Desktop, agree the merge and any alerts....






Link to post
Share on other sites


your instructions, and info, were awesome and easy to follow, unfortunately, there is no change that I have seen. I still do not have F8 Safe Mode access. I do notice that a large amount of work went in to this, with much, much gratitude!!


Yes, the reg key I posted, was an export of the safeboot key from my system.


Below is the contents of the fixlog.txt file.


Please let me know what else I might be able to do...


Thanks for ALL your help Kevinf80!!






Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-11-2013
Ran by Terry at 2013-11-16 18:48:37 Run:1
Running from C:\Users\Terry\Downloads
Boot Mode: Normal

Content of fixlist:
URLSearchHook: HKLM-x32 - (No Name) - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - No File
URLSearchHook: HKCU - (No Name) - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - No File
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =
Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
S3 getPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll [x]
S2 ZaPrivacyService; "C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe" [x]
S3 Nbdrv; system32\DRIVERS\nbdrv.sys [x]
AlternateDataStreams: C:\ProgramData\TEMP:C4F92751
AlternateDataStreams: C:\Users\Terry\Documents\BAKA-B33210.pdf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}



HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Key deleted successfully.
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => Value deleted successfully.
HKCR\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => Value deleted successfully.
HKCR\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => Key not found.
getPlusHelper => Service deleted successfully.
ZaPrivacyService => Service deleted successfully.
Nbdrv => Service deleted successfully.
C:\ProgramData\SDPlatformMgr.dll => Moved successfully.
C:\ProgramData\SplashID%20Safe.exe => Moved successfully.
C:\ProgramData\sqlite3.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\cispremium_installer.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\fp_pl_pfs_installer.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\HPPSdr.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\htfad4.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jkcensoredfu.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-1.6.0_20-windows-i586-iftw.exe_90744722.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u18-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u20-windows-i586-jinstall_uac.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u25-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\kock.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\l0npynfi.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\NEWE2B0.tmp.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\NEWFD13.tmp.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\ploper.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\qk8hsf4d.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\rlxh8xby.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\rtfme.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\safe.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\si6-hz6x.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmp12BA.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmp224(1).exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmp6E54(1).exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmp83E5.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmpE21B(1).exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmpE650(1).exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmpF1F1.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tmpF3E2(1).exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\tohtp7cn.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\Uninstall.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\uwvkgex3.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\vcredist_x86.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\vsinit.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\VSUSetup.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\vsutil.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\warsddd_w.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\x_mawlcc.dll => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\zauninst.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\ZoneAlarm_Extreme_Security.exe => Moved successfully.
C:\Users\Terry\AppData\Local\Temp\_ir_sf7_temp_0RCATSetup4-x64.exe => Moved successfully.
C:\ProgramData\TEMP => ":C4F92751" ADS removed successfully.
C:\Users\Terry\Documents\BAKA-B33210.pdf => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware,

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced log



If merging the new safemode key has not helped I`m not sure what to safely try next.... Try the information from the Windows Club at the following link:




I`ve not tried these guys instructions personally, if you take their advice run anther Reg back up with ERUNT, also create a fresh restore point....

Link to post
Share on other sites

Hi Kevinf80,

I ran Malwarebytes Anti-Malware as recommended, below is the resulting log.


I will go over to the Windows Club as you suggested as well.


Please let me know if there is anything else that comes to mind that you think I should try...


Thanks for ALL your help Kevinf80!!






Malwarebytes Anti-Malware (PRO)

Database version: v2013.11.17.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16428
Terry :: QOSMIO [administrator]

Protection: Disabled

11/17/13 02:35:37
mbam-log-2013-11-17 (02-35-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252049
Time elapsed: 22 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)


Link to post
Share on other sites

Thanks for MB log, nothing showing as expected.. OK, run the following:


Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts.At the command prompt type or copy and paste sfc /scannow > then tap enter. When finished type exit Tap enter, re-boot your PC.

***Note the space between sfc and /scannow.

To get report, at command promt type or copy and paste:
findstr /c:"[sR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\sfcdetails.txt


If that makes no difference continue:


Download Services Repair tool, available here - http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe and Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.


Again if we see no improvement i`d probably go for a repair install, let me know if any of the above helped..



Link to post
Share on other sites

Hi Kevinf80,

Here are the output results (I once again apologize as I had to send this as an attached file as the system told

me the sections were too long) as requested:




I did notice that the machine was a little slower to boot up, even after a few cold reboots. Was hoping the pre-cache may of helped...



I guess, by your previous comments, we go with the "repair install". I was hoping to avoid that :( as Toshiba did not provide any Windows disks (just a license, and then I upgraded to pro). But in it's place, at very initial startup I did create restore DVD disks (4) in case I needed to re install, as instructed when you first start up the machine. Although skeptical, I wonder if one of them will provide for a "repair install" without making any other changes?


I sincerely await your thoughts/help/reply.

Thank you kindly,




Link to post
Share on other sites

Download Portable Windows Repair (all in one) from one of the following:


Unzip the contents into a newly created folder on your desktop.

Open the folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator"


From the main GUI do the following:

Select Tab 4 and Create System Restore Point


Select Repairs tab => Click the Start


The repairs window will open, Check the boxes as indicated, also the "Restart" options, the select Start...


DON'T use the computer while each scan is in progress.

Post the log, to access select "settings" tab > "open log folder" tab, log will be named _Windows_Repair_Log


If there is no improvement after this I guess our options are gone.......

Link to post
Share on other sites


OK, I think a have a problem here from the entry changes described at 03:36 AM  and results sent to ya at 01:39 PM, dealing in particular with the SVCREPAIR.


I have some nasty new symptoms. boot time to login screen is increased terribly. For first two cold boots I had no internet facilities. Duration from login to finished/ready desktop is considerable. Locating and obtaining internet facilities now takes much longer than usual.


Just a thought, is the SVCREPAIR repairs reversible?




Link to post
Share on other sites

Yes, either use system restore, use the most recent point prior to running services repair. Or use ERUNT,


Before anything is done can you run a clean boot, see how your system responds in that mode... Go here: http://support.microsoft.com/kb/929135 expand the option relative to your OS...


Does a clean boot make any difference to start time etc...

Link to post
Share on other sites

Yes, a clean boot causes start time to improve greatly, equal to or better than prior to SVCREPAIR process.


The closest system restore I have is a week before we started our dialog here, so I would not use it, I do not have confidence in it.



Thanks for your help!!


Link to post
Share on other sites

If the Clean Boot state has helped it would tend to indicate a non MS service issue/clash. It will be very worthwhile looking for an answer to that question.


Repeat the action to set up the "Clean Boot" state, ensure all MS services are hidden, enable half of the non MS services then re-boot. If the issue does not return do exactly the same again, this time only enable the bottom half of non MS services.

If the issue returns we know the issue is in the bottom half, so you now repeat again but only enable half of the bottom half. Keep doing that until you find a problem service or services.


Let me know how you get on, I know it is a laborious task but it may help to locate the issue.

Link to post
Share on other sites


OK, just finished the clean boot last night/this morning. Made some modifications confirmed elsewhere for items as safe to disable. it sped start up considerably. It is still not as fast as we had in our earlier change but certainly acceptable. Now for the next change. Working toward the goal of getting "F8 Safe Mode" back, with any benefits found along the way a bonus... :)


On to your suggestion from your post  17 November 2013 - 02:05 PM... but that's for late tonight or tomorrow...

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.