Replace MBR or Repair Install?

Discussion in 'Software' started by zapp, Sep 10, 2013.

  1. zapp

    zapp Staff Sergeant

    Gang, I am cleaning up a Dell OptiPlex with Windows XP Pro SP3, which caught a ransomware variant. The trojans and Java exploit are history and the system comes up clean on all the scans.

    Windows itself, running in NORMAL boot mode, looks to be OK; however, there is damage somewhere. It will not boot into any version of Safe Mode, always bailing with the common "Stop 0x0000007b", which is typical of malware damage. I thought that sfc /scannow would find and replace the damaged files, but it ran, needed the disc (which I gave it), completed, and the issue remains.

    Would it be best at this point to replace the MBR, or do a repair install? I guess if the latter is called for, I may as well wipe, zero, reformat, and reinstall... ugh.

    Thanks for your seasoned advice.
     
  2. AtlBo

    AtlBo Major Geek Extraordinaire

    If you know how to run the repair installation and have the disk, the only cost is about 30 minutes of down time and reinstalling Windows updates. It will leave programs intact. If you do this, you could Google the downloads for Windows SP2 and SP3 and place them in a remote location, so you can install them as soon as the repair is finished.

    I have had success with the repair installation once, the only time I tried it on XP. Not much to go on, and I did still have to do some work. It wasn't a boot problem, but the issue was fixed by the repair. There was just a lingering Flash/Shockwave problem, so I had to reinstall those programs and a couple of others that run macros (missing references to ActiveX components).

    If you really want to take it to the edge and test your PC survival skills, the MBR repair would be worth a try...after a complete backup of course...

    In my situation, I would try the repair installation and then see if I can tackle the MBR fix if it doesn't work. I have D&S and files backups but no restorable image. With over a hundred programs installed, I'd consider the 30 minutes spent on running the repair worth the effort...
     
  3. Earthling

    Earthling Interplanetary Geek

    The MBR isn't involved in the decision to boot normal or safe mode - that's handled by Windows' own boot files, so replacing the MBR won't help.

    I'm no malware expert but as your usual malware checks are clean I'd be suspecting a possible rootkit infection. Rootkits hide the presence of malware in a system.

    Try Googling 'how to detect rootkits' - there are free tools available from highly respected outfits such as Sophos, or hop over to the Malware forum here. Be sure to read the Read and Run Me sticky first.
     
  4. zapp

    zapp Staff Sergeant

    Right you are: I did a disk repair, then did fixboot and fixmbr.
    XP runs like a champ, but no Safe Modes.

    No, I've used the "brightest and best" of the rootkit antidotes and they all come up squeaky clean. I'm convinced that it is damage inflicted by the prior, but I can't prove it.

    Question: is there a device issue that can cause that same stop, ONLY for Safe Mode? To me that does not make logical sense. I have been working on PCs since about 1990 - lots of fixes and customizations, but this is the first time I have run across this condition. I'm in a fogbank.

    z
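The thread never pins down where the Safe Mode-only Stop 0x7B comes from, so here is the check a practitioner would want before choosing between a repair install and a wipe. This is an added example, not code from the thread or from any tool mentioned in it, and it rests on my assumptions, not on anything the posters stated: the list of driver groups and services the kernel may load in Safe Mode lives under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot in the Minimal and Network subkeys (a normal boot ignores that list entirely), each entry's default value is "Driver Group", "Driver" or "Service", and both the sick machine and a known-good XP SP3 machine were exported with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg`. The script parses both exports, lists what the sick box lacks, separates the boot-stage driver groups (the ones whose absence stops the kernel from reaching the boot volume) from plain services, and builds a .reg fragment that recreates only the missing keys. The two embedded exports are constructed samples, a small subset of a real SafeBoot tree, so the script runs offline.

```python
"""Diff an XP SafeBoot registry export against a known-good one (added example).

Assumptions (mine, not from the thread): the Safe Mode load list is the
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network} subkeys,
each entry's default value is "Driver Group", "Driver" or "Service", and both
machines were exported with
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg
"""
from typing import Dict, List

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
MODES = ("Minimal", "Network")
DRIVER_KINDS = ("Driver Group", "Driver")  # loaded before any service starts


def load_reg_file(path: str) -> str:
    """Read a .reg file: regedit/reg.exe write UTF-16LE with a BOM, older tools ANSI."""
    raw = open(path, "rb").read()
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    try:
        return raw.decode("mbcs")          # Windows ANSI code page
    except LookupError:                    # not on Windows
        return raw.decode("latin-1")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}.

    Handles the subset SafeBoot uses: [key] headers, @= defaults and
    "name"="string". hex()/dword and continuation lines are skipped, not mis-parsed.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep or not data.startswith('"'):
            continue
        keys[current]["(Default)" if name == "@" else name.strip('"')] = data.strip('"')
    return keys


def safeboot_entries(keys: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """{"Minimal": {entry: kind}, "Network": {entry: kind}} from parsed keys (case-insensitive paths)."""
    out: Dict[str, Dict[str, str]] = {m: {} for m in MODES}
    prefix = SAFEBOOT.lower().split("\\")
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) != len(prefix) + 2 or [p.lower() for p in parts[: len(prefix)]] != prefix:
            continue
        mode = next((m for m in MODES if m.lower() == parts[-2].lower()), None)
        if mode:
            out[mode][parts[-1]] = values.get("(Default)", "")
    return out


def missing_entries(reference_text: str, suspect_text: str) -> Dict[str, Dict[str, str]]:
    """Per mode, entries in the known-good export that the suspect export lacks."""
    ref = safeboot_entries(parse_reg_export(reference_text))
    sus = safeboot_entries(parse_reg_export(suspect_text))
    gone = {}
    for mode in MODES:
        have = {e.lower() for e in sus[mode]}
        gone[mode] = {e: k for e, k in ref[mode].items() if e.lower() not in have}
    return gone


def missing_driver_groups(gone: Dict[str, Dict[str, str]], mode: str = "Minimal") -> List[str]:
    """Boot-stage entries missing for a mode. Without the disk/controller class groups
    the kernel cannot reach the boot volume in Safe Mode, while normal boot still works."""
    return sorted(e for e, k in gone[mode].items() if k in DRIVER_KINDS)


def build_repair_reg(reference_text: str, suspect_text: str) -> str:
    """A .reg fragment recreating every SafeBoot key the suspect lacks; import with regedit /s."""
    ref = parse_reg_export(reference_text)
    present = {p.lower() for p in parse_reg_export(suspect_text)}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for path, values in ref.items():
        if path.lower() in present or not path.lower().startswith(SAFEBOOT.lower()):
            continue
        lines.append(f"[{path}]")
        lines.extend(f'{"@" if n == "(Default)" else chr(34) + n + chr(34)}="{d}"' for n, d in values.items())
        lines.append("")
    return "\r\n".join(lines)


def write_reg_file(path: str, text: str) -> None:
    """regedit 5.00 format wants UTF-16LE with a BOM."""
    with open(path, "wb") as fh:
        fh.write(b"\xff\xfe" + text.encode("utf-16-le"))


# Constructed sample exports (a few entries of a real XP SP3 SafeBoot tree), not real captures.
REFERENCE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"
"""

# Same tree after a cleanup that dropped three Minimal driver groups and all of Network.
SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

if __name__ == "__main__":
    gone = missing_entries(REFERENCE_EXPORT, SUSPECT_EXPORT)
    for mode in MODES:
        print(mode, "missing:", sorted(gone[mode]))
    print("Minimal boot-stage groups missing:", missing_driver_groups(gone))
    print(build_repair_reg(REFERENCE_EXPORT, SUSPECT_EXPORT))
```

Two caveats before importing the fragment: do it only after the rootkit is confirmed gone, since a still-active kernel component that deletes SafeBoot will simply delete it again; and read the generated .reg over first, because a reference taken from a different machine (OEM image, extra security software) can carry entries the sick box never had. If the diff shows nothing missing and Safe Mode still dies with 0x7B, the damage is elsewhere and the wipe the thread ends with is the safer call.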
     
  5. AtlBo

    AtlBo Major Geek Extraordinaire

    zapp...

    If you get down to your last resort, try this:

    http://www.youtube.com/watch?v=wARi6HAq2A8

    The link to the fix, found in the description at the YouTube link, actually does work. Since you can get into normal Windows, you would be able to take advantage of this idea.

    Read the comments, but if it's this or format, I guess it would be worth a try. If you really want to, you could back up your registry with Erunt and then restore it if the fix doesn't work...
     
  6. zapp

    zapp Staff Sergeant

    Thanks for the link. May as well give it a shot. Gotta nuke/reinstall anyway...

    And Earthling, you were right. There seems to be yet some rootkit, or appendages of rootkit/s, still in the system. TDSSKiller came up zero - found nothing. Avast standard scans came up with nothing... Malwarebytes' new anti-rootkit came up with nothing. However, the old Microsoft RootkitRevealer came up with a laundry list of problems [I have the log on the sick system so can post later]; and the new beta version of Trend Micro RootkitBuster found about two dozen ZW entries that it could not repair/remedy.
    Safe Mode is hosed, and Windows Firewall is hosed. :(

    I'm assuming something here, but if one of you could comment: I uninstalled Java. If the original door-opener was the Java exploit, it cannot reactivate, can it? That is, without a Java engine to work with... just wondering how paranoid to be when I plug the network cable back in :-D
    The trojan droppers, ransomware, etc. all seem to be effectively gone, but the extent of damage is such that I know the only way to get comfy is to nuke it all, zero the drive, and start from 0.
     
  7. Earthling

    Earthling Interplanetary Geek

    I wouldn't mess about with it - just reinstall. Nothing will survive that will it?
     
  8. zapp

    zapp Staff Sergeant

    Correct!
    It's underway now.

    Makes me think: there is a simple decision-support utility missing in the sea of applications. We need the "one tool" that will simply poke at the system, run through a decision matrix, and render a verdict of "clean it" or "vaporize". It would save so much time and frustration...
     
