Hi Again All,
I was given a laptop with a 'System Fix' malware infection (http://www.bleepingcomputer.com/virus-removal/remove-system-fix). I have fixed this on other encrypted machines without bother, so I went about the process of removal.
Before I did any kind of fixing I rebooted the laptop to get into safe mode; this is when the problem started.
After the reboot, SafeBoot came back with "corrupted".
I obtained the SDB from the server onto a USB stick and booted up with the SafeTech disk.
Authenticated with both and attempted an emergency boot, but to no avail (92h).
Tried restoring the EEPC MBR, then rebooted: no joy.
Tried restoring the MBR, then rebooted: no joy.
I ran the remove EEPC program, which ran very quickly, but the 92h still appeared on reboot.
Then I think I have done something stupid.
It wouldn't detect the algorithm used on the next SafeTech boot, so I set it manually and authenticated from the exported SDB.
I used algorithm 11 and not 12, then ran a force decrypt of all sectors from 62; it took 4 days and said it had completed.
But I am still getting the 92h error code.
Should I force encrypt the same sectors back again with the algorithm I used, before I try anything else?
Typically, if the user had mentioned there was critical data on the laptop (despite the policy that it is stored on a server share) I would have taken it off before rebooting...
I know it will not make any difference to the current situation to tell you that you should have tried this on a cloned image, but for future reference please note that if you are performing a force decryption, take a clone image of the HDD and perform the force decryption on the cloned image, as nothing can be undone.
Follow the steps below (I have never done this, but it should work):
1. Boot the system with SafeTech.
2. Select algorithm 11.
3. Click on the Workspace menu.
4. Open Workspace.
5. Again click on the Workspace menu > Load from sectors.
6. Start Sector = 63.
7. Click OK.
8. Again go to the Workspace menu and click on Encrypt Workspace (sector 63 should roll back to its previous status).
Now, without closing the workspace, change the algorithm to 12 and decrypt sector 63:
1. Click on the Workspace menu.
2. Open Workspace.
3. Again click on the Workspace menu > Load from sectors.
4. Start Sector = 63.
5. Click OK.
6. Again go to the Workspace menu and click on Decrypt Workspace (sector 63 should roll back to its previous status).
Note: the above steps will not change anything in your current status, as everything is done in the workspace and we are not saving those changes to the HDD.
After following the above steps, if you can read "NTLDR IS MISSING" at the bottom right of the workspace, then make a clone image of the HDD, forcefully encrypt the HDD with algorithm 11, and then decrypt it with the correct algorithm 12.
Message was edited by: rbdudani on 3/29/12 9:24:20 AM CDT
Message was edited by: rbdudani on 3/29/12 9:25:36 AM CDT
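A way to make the "can you read NTLDR IS MISSING in the workspace?" check mechanical, as an added example that is not from the original post or from SafeTech/EEPC: it scores a 512-byte candidate plaintext for sector 63 on NTFS boot-sector structure and byte entropy, so the output of a decrypt attempt with the wrong algorithm (which still looks like ciphertext) is distinguishable from the right one. The sample sectors are constructed, and the algorithm labels are only tags for the attempts, not a description of the ciphers.

```python
import random
import struct
from collections import Counter
from math import log2

SECTOR_SIZE = 512

def boot_sector_checks(sector: bytes) -> dict:
    """Named plausibility checks for one 512-byte candidate plaintext."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bps = struct.unpack_from("<H", sector, 11)[0]  # BPB bytes-per-sector field
    return {
        "jump": sector[0] == 0xEB,               # x86 short JMP opening the boot code
        "oem": sector[3:11] == b"NTFS    ",      # NTFS OEM ID
        "bps": bps in (512, 1024, 2048, 4096),   # sane sector size
        "sig": sector[510:] == b"\x55\xAA",      # boot sector signature
        "ntldr": b"NTLDR is missing" in sector,  # the text the thread says to look for
    }

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near 8, a real boot sector far lower."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def score(sector: bytes) -> float:
    """One point per structural check passed, plus up to one point for low entropy."""
    return sum(boot_sector_checks(sector).values()) + (8.0 - shannon_entropy(sector)) / 8.0

def pick_best(candidates: dict) -> str:
    """candidates maps a label (e.g. the algorithm tried) to the 512 bytes it produced."""
    return max(candidates, key=lambda label: score(candidates[label]))

def fake_ntfs_boot_sector() -> bytes:  # constructed sample, not captured from the thread's laptop
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 11, 512)
    msg = b"NTLDR is missing\x00"
    s[0x180:0x180 + len(msg)] = msg
    s[510:512] = b"\x55\xAA"
    return bytes(s)

def fake_ciphertext(seed: int = 1) -> bytes:
    rng = random.Random(seed)  # deterministic stand-in for a sector decrypted with the wrong algorithm
    return bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))

CANDIDATES = {"algorithm 12": fake_ntfs_boot_sector(), "algorithm 11": fake_ciphertext()}

BEST_LABEL = pick_best(CANDIDATES)
```

Run the candidate bytes from each workspace attempt through `boot_sector_checks` instead of the constructed samples; the same scoring applies to any sector holding a known plaintext structure.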
Thanks, I would usually have cloned, but it was one of those days where the EU was leaping up and down next to my desk every 5 minutes... time to reverse the process.
Once I'm back to where I was a week ago, what's going to be the best way to get the data off?
Message was edited by: blondemoment on 29/03/12 09:54:42 CDT