So... how did the processes get into safe mode?
As far as I understand, it hooks into the winlogon.(exactly how, I don't know) And it protects itself by watching the registry, so if you use something like the killbox, or the delete on reboot option of HJT, it will look in the pendingfilerename key, and remove itself....destroys the recycle bin, resets the hosts file, etc.

nasty, nasty stuff.