mfang3
Level 7

EpePC has been corrupted (error 92h) (before and after decryption)

This is what happened on my Lenovo Win7 system:

  • I was browsing the internet and all of a sudden IE was not responding
  • I tried to open the Windows Task Manager and wanted to kill the IE process (which normally will work, but this time the Windows Task Manager didn't even come up)
  • then I restarted the system and entered my passphrase for EEPC
  • afterward, I saw the following error message:

eepc1.jpg

I contacted my IT and followed the steps below:

Disk Recovery (EETECH)

  1. Burn the WinPE_EETech.iso to a bootable USB or CD-ROM.
  2. Boot the system from the USB and wait for the reboot to complete (the command line window should automatically close)
  3. Click on the red square at the bottom left and select “McAfee Tools” -> “McAfee EETech for EEPC6”
  4. Run the EETechCode utility and identify the code of the day (4 digits)
  5. Click on “Authorize” under “Authorization” and provide the code of the day from the previous step.
  6. Click on “Token” under “Authentication”, type the user’s username and then the user’s passphrase.
  7. EETECH should now show under “Authorization” – “Status: Authorized” and under “Authentication” – “Status: Authenticated with Token”. All buttons should be enabled.

To access user’s data

  1. Click on the red square at the bottom left and select “System Tools” -> “A43 File Management Utility”
  2. The system’s primary disk will be visible decrypted as drive D:\ (usually, but not always)
  3. Data can be extracted from the primary disk by connecting a USB storage device and copying data.

I was able to access my data...

To decrypt the disk

  1. Click on the red square at the bottom left and select “System Tools” -> “Command Prompt“
  2. Type the commands shown in quotes below in the command prompt window.
    1. “Diskpart”
    2. Wait for a “DISKPART” command prompt to appear; this might take a few seconds
    3. “List disk”
    4. You will be prompted with a list of all disks on the system. The primary disk is usually Disk 0, but you can verify this is the right disk according to the disk’s size
    5. “Select Disk <Number>” (e.g. Select Disk 0) - Type here the disk number from the previous step
    6. A prompt will confirm that “Disk 0 is now the selected disk”
    7. “Offline Disk”
    8. A prompt will confirm that “DiskPart successfully offlined the selected disk”
  3. Close the Command Prompt Window.
  4. Back at the McAfee EETech window, select “Remove EE” under “Actions” and click on the “Remove” button.
  5. Decryption of the disk will begin and might take some time. When decryption ends, reboot the system.

After performing the steps above, my hard drive is not decrypted, but I see the following message when I try to boot up:

eepc2.jpg

It seems like my MBR is corrupted, so I contacted my IT again and they gave me a .xml file and asked me to perform the following:

  • Please use the attached .xml file and put it on your USB stick. When authenticating choose "File" instead of "Token" and point to the correct path to the attached file.

That should enable the rest of the buttons as well. Then click on Restore MBR button

I've followed the instructions but am still seeing the issue.

Then my IT team came back to me and asked me to perform the following:

  1. Plug in a formatted USB key which you can boot from (same as you've used before).
  2. Open command line and run "bootdisk.exe EETech.RTB E:" where E: is the drive of the USB.
    Careful when you do this, make sure you type the correct drive letter of the USB key and approve the confirmation.
  3. Copy the XML file you've used before to the same USB stick
  4. When done, reboot the system and boot from the USB stick
  5. You should see a similar screen to the one you've seen in previous attempts.
  6. Put in the code of the day and click on "Enable USB" button.
  7. Then, Authenticate using the XML file like you've done in the past.
  8. Now, you should see the "Emergency Boot" button available – give it a try

After doing this, I'm still seeing the same error. While my IT team is doing their job to help me with it, I just wanted to post this here to see if anyone has seen something similar? Thanks!

Message was edited by: mfang3 on 9/17/12 5:35:44 PM CDT
0 Kudos
5 Replies
SafeBoot
Level 21

Re: EpePC has been corrupted (error 92h) (before and after decryption)

Odd - a remove ALWAYS clears the MBR. The only thing I can suggest is that you were browsing something and caught a TDSS rootkit. It's going to be tricky to kill, as it will protect itself quite well.

The best thing to do is copy your data off, and completely wipe the drive and start again.

You can confirm it's TDSS by booting off the ISO image, starting EETech, and loading Sector 0 into the workspace - you can compare it with online samples of TDSS's MBR.

0 Kudos
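SafeBoot's suggestion above (load sector 0 into the EETech workspace and compare it with published TDSS MBR samples) can be turned into a repeatable check. The following Python is an added example, not code from this thread or from McAfee/EETech: it reads the first 512 bytes of a raw device or disk image, decodes the classic MBR layout, and compares the 440-byte boot code region against the SHA-256 of a known-good copy (for instance sector 0 saved from a backup of the same machine before the incident), which is more dependable than eyeballing against malware samples. The function names, the sample MBR bytes and the disk signature value are all constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440      # offsets 0..439: boot code (the region a bootkit overwrites)
DISK_SIG_OFF = 440      # 4-byte Windows disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 2-byte boot signature, must be 55 AA
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a raw device or disk image (e.g. a dd copy of the drive)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed 512-byte MBR for offline testing; not taken from any real disk."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)   # constructed disk signature
    # One active NTFS (type 0x07) partition at LBA 2048, 204800 sectors long.
    # CHS fields are zero-filled placeholders; modern tools rely on the LBA fields.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the fixed MBR layout: boot signature, disk signature, partition table, boot code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0 and count == 0:
            continue    # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sector_count": count})
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 55 AA missing: sector 0 is not a valid MBR")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from the known-good baseline (possible bootkit or corruption)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    # Overlapping entries are a sign of a hand-edited or damaged table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sector_count"]) for p in info["partitions"])
    for (s1, e1), (s2, _) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition entries overlap")
            break
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")     # constructed, not real boot code
    baseline = parse_mbr(good)["bootcode_sha256"]        # in practice: hash of a backup copy of sector 0
    tampered = bytearray(good)
    tampered[0x10] ^= 0xFF                               # simulate an overwritten boot code byte
    print("clean   :", check_mbr(good, baseline))
    print("tampered:", check_mbr(bytes(tampered), baseline))
```

On a real case you would replace the constructed sector with `read_sector0("disk.img")` taken from a forensic image of the drive, and the baseline hash with one computed from a trusted copy of that machine's own sector 0. A mismatch in the boot code region is not proof of a bootkit on its own, but together with an unbootable system and an autostart entry like the one discussed later in the thread it is the kind of evidence worth handing to the IT team before anything is rewritten.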
mfang3
Level 7

Re: EpePC has been corrupted (error 92h) (before and after decryption)

Thanks!

I just found out that I have the following file in my computer:

RMgOYWJNIRmTJbK.exe

Under C:\ProgramData folder, it was created around the time my computer stopped working.

I looked it up on google and verified it’s a virus.

Is there any way I can remove the file? Can I just simply delete the file?

Thanks!

0 Kudos
SafeBoot
Level 21

Re: EpePC has been corrupted (error 92h) (before and after decryption)

Which one of the 170,000,000 viruses is it ;-)

You can look it up on the McAfee site, and it will tell you how to get rid of it - http://home.mcafee.com/virusinfo/ and you can download the free Stinger tool and that should take care of it - http://home.mcafee.com/virusinfo/VirusRemovalTools.aspx

Just deleting it is unlikely to help anything though.

0 Kudos
mfang3
Level 7

Re: EpePC has been corrupted (error 92h) (before and after decryption)

Thanks!

I looked it up on Google and it says:

File Behavior

RMGOYWJNIRMTJBK.EXE has been seen to perform the following behavior:

  • Uses rootkit techniques to conceal its presence, interrogation or removal

RMGOYWJNIRMTJBK.EXE has been the subject of the following behavior:

  • Added as a Registry auto start to load Program on Boot up

So, since that hard drive is not booting up, do I just use the infected hard drive as a slave on a working PC to scan for it? Will that help to fix the registry to load that program though? Or can I simply use the EETech tool on the infected computer to modify the registry myself to stop loading it?

Thanks!

0 Kudos
SafeBoot
Level 21

Re: EpePC has been corrupted (error 92h) (before and after decryption)

I would follow the advice of your IT department - they may not want you to try to repair your pc, they might want to just image it.

As it's a rootkit, it has infected the boot sector of your drive, so it's not as simple as just deleting some files.

0 Kudos