803 Views 5 Replies Latest reply: Mar 29, 2012 11:09 AM by rbdudani
blondemoment Newcomer 7 posts since Mar 2, 2011

Mar 29, 2012 8:54 AM

'System Fix' Malware infection appears to have broken safeboot

Hi Again All,

I was given a laptop with a 'System Fix' malware infection (http://www.bleepingcomputer.com/virus-removal/remove-system-fix). I have fixed this on other encrypted machines without bother, so went about the process of removal.

Before I did any kind of fixing I rebooted the laptop to get into safe mode; this is when the problem started.

After the reboot, SafeBoot came back with corrupted.

I obtained the .sdb from the server onto a USB and booted up with the SafeTech disk.

Authenticated with both and attempted an emergency boot, but to no avail (92h).

Tried restoring the EEPC MBR, then rebooted, no joy.

Tried restoring the MBR, then rebooted, no joy.

I ran the remove EEPC program, which ran very quickly, but still the 92h appeared on reboot.

Then I think I have done something stupid.

It wouldn't detect the algorithm used on the next SafeTech boot, so I set it manually and authenticated from the exported .sdb.

Used algorithm 11 and not 12, and then ran a force decrypt of all sectors from 62; it took 4 days and said completed.

But I am still getting the 92h error code.

 

Should I force encrypt the same sectors back again with the algorithm I used before I try anything else?


Typically, if the user had mentioned there was critical data on the laptop (despite the policy that it is stored on a server share) I would have taken it off before rebooting.....


Using V5.2.2.4

  • rbdudani Champion 317 posts since Dec 10, 2009

    I know this will not make any difference to the current situation by telling you that you should have tried this on a cloned image, but for future reference please note that if you are performing force decryption, then take a clone image of the HDD and perform the force decryption on the cloned image.

    As nothing can be undone, follow the steps below (never done this but it should work):

     

    1. boot system with SafeTech
    2. select algorithm (11)
    3. authenticate
    4. click on Workspace menu
    5. Open Workspace
    6. Again click on Workspace Menu > load from sectors
    7. Start Sector = 63
    8. Click OK
    9. Again go in Workspace menu and click on Encrypt WorkSpace (the sector 63 should roll back to its previous status)


    Now, without closing the workspace, change the algorithm to 12 and decrypt sector 63:

    1. click on Workspace menu
    2. Open Workspace
    3. Again click on Workspace Menu > load from sectors
    4. Start Sector = 63
    5. Click OK
    6. Again go in Workspace menu and click on Decrypt WorkSpace (the sector 63 should roll back to its previous status)


    Note: the above steps will not change anything in your current status, as everything will be done in the workspace and we are not saving those changes to the HDD.

    After following the above steps, if you can read "NTLDR IS MISSING" at the bottom right of the workspace, then make a clone image of the HDD, forcefully encrypt the HDD with algorithm 11 and then decrypt it with the correct algorithm 12.

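The roll-back rbdudani proposes rests on one property: for a sector cipher, encrypting under a key exactly reverses a "decrypt" done under that same key, even when that key was the wrong one, so a wrong force-decrypt with algorithm 11 followed by a force-encrypt with algorithm 11 hands back the original ciphertext, which algorithm 12 then decrypts cleanly. The Python below is an added example, not code from this thread, from McAfee or from the SafeTech tool; it models each algorithm id with a stand-in cipher (a keyed Feistel network over HMAC-SHA256 in CBC mode with a per-sector IV, constructed here and not the real EEPC/SafeBoot algorithms 11 and 12), builds a constructed 66-sector image encrypted from sector 63 under "12", replays the wrong force-decrypt under "11", and checks that re-encrypt under 11 then decrypt under 12 restores the NTLDR boot sector. Every step returns a fresh copy, which is the clone discipline the reply insists on.

```python
"""Toy model of the roll-back idea: a force-decrypt run with the wrong algorithm is
undone by re-encrypting the same sectors with that same wrong algorithm, after which
the correct algorithm decrypts them cleanly. The ciphers are stand-ins (keyed Feistel
over HMAC-SHA256, CBC with a per-sector IV), NOT the EEPC/SafeBoot algorithms 11 and
12, whose real key material lives in the .sdb export; the ids are reused as labels."""
import hashlib
import hmac

SECTOR_SIZE = 512
BLOCK_SIZE = 16
HALF = BLOCK_SIZE // 2
ROUNDS = 8

# Constructed stand-in keys, one per "algorithm id" (hypothetical values).
ALGORITHMS = {
    11: hashlib.sha256(b"stand-in key for algorithm 11").digest(),
    12: hashlib.sha256(b"stand-in key for algorithm 12").digest(),
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: HMAC keyed per round, truncated to a half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def _block(key: bytes, block: bytes, decrypt: bool) -> bytes:
    """Encrypt or decrypt one 16-byte block. Decryption swaps the halves, runs the
    rounds in reverse order and swaps back, so the two directions are distinct."""
    left, right = block[:HALF], block[HALF:]
    if decrypt:
        left, right = right, left
    for rnd in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        left, right = right, _xor(left, _round(key, rnd, right))
    if decrypt:
        left, right = right, left
    return left + right


def _iv(key: bytes, sector: int) -> bytes:
    """Per-sector IV derived from the sector number, as full-disk encryption does."""
    return hmac.new(key, sector.to_bytes(8, "little"), hashlib.sha256).digest()[:BLOCK_SIZE]


def encrypt_sector(alg: int, sector: int, data: bytes) -> bytes:
    """CBC-encrypt one 512-byte sector under the given algorithm id."""
    assert len(data) == SECTOR_SIZE
    key, prev, out = ALGORITHMS[alg], _iv(ALGORITHMS[alg], sector), bytearray()
    for i in range(0, SECTOR_SIZE, BLOCK_SIZE):
        prev = _block(key, _xor(data[i:i + BLOCK_SIZE], prev), decrypt=False)
        out += prev
    return bytes(out)


def decrypt_sector(alg: int, sector: int, data: bytes) -> bytes:
    """CBC-decrypt one 512-byte sector under the given algorithm id."""
    assert len(data) == SECTOR_SIZE
    key, prev, out = ALGORITHMS[alg], _iv(ALGORITHMS[alg], sector), bytearray()
    for i in range(0, SECTOR_SIZE, BLOCK_SIZE):
        block = data[i:i + BLOCK_SIZE]
        out += _xor(_block(key, block, decrypt=True), prev)
        prev = block
    return bytes(out)


def recrypt_image(image: bytes, start_sector: int, alg: int, decrypt: bool) -> bytes:
    """Return a NEW image with every sector from start_sector onward encrypted or
    decrypted under alg. The input is never modified (work on the clone)."""
    out = bytearray(image[:start_sector * SECTOR_SIZE])
    op = decrypt_sector if decrypt else encrypt_sector
    for n in range(start_sector, len(image) // SECTOR_SIZE):
        out += op(alg, n, image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])
    return bytes(out)


def sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def build_disk(total_sectors: int = 66):
    """Constructed sample disk: zeroed sectors 0-62, a boot sector at 63 carrying the
    'NTLDR is missing' string, filler after it, then encryption of sectors 63.. under
    algorithm 12. Returns (plaintext image, encrypted image)."""
    plain = bytearray(SECTOR_SIZE * total_sectors)
    plain[63 * SECTOR_SIZE:64 * SECTOR_SIZE] = b"NTLDR is missing\x00".ljust(SECTOR_SIZE, b"\x00")
    for n in range(64, total_sectors):
        plain[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE] = hashlib.sha256(bytes([n])).digest() * 16
    plain = bytes(plain)
    return plain, recrypt_image(plain, 63, 12, decrypt=False)


def reproduce_and_recover() -> dict:
    """Replay the thread: wrong force-decrypt under 11, roll back by re-encrypting
    under 11, then decrypt under the correct 12. Each step yields a fresh image."""
    plain, disk = build_disk()
    broken = recrypt_image(disk, 63, 11, decrypt=True)          # what was done
    rolled_back = recrypt_image(broken, 63, 11, decrypt=False)  # the proposed roll-back
    recovered = recrypt_image(rolled_back, 63, 12, decrypt=True)
    return {
        "broken_shows_ntldr": b"NTLDR is missing" in sector(broken, 63),
        "rollback_restores_ciphertext": rolled_back == disk,
        "recovered_shows_ntldr": b"NTLDR is missing" in sector(recovered, 63),
        "recovered_matches_plain": recovered == plain,
    }


if __name__ == "__main__":
    for check, result in reproduce_and_recover().items():
        print("%-30s %s" % (check, result))
```

The identity only holds when the re-encrypt uses the same algorithm, the same key material and the same sector range as the wrong decrypt: the original post says the force decrypt started at sector 62 while the steps above start at 63, and a roll-back that starts one sector off leaves that sector wrong. Run the dry run on the clone and confirm the recovered boot sector reads "NTLDR is missing" before the live disk is touched.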
  • rbdudani Champion 317 posts since Dec 10, 2009

    Ever used WinTech?

    You can directly copy data from an encrypted HDD; also the decryption process is faster.
