How To Remove Polezei Virus on an Encrypted Drive

allanc

A client brought his corporate computer home for the weekend and it is now infected with the Polezei Virus after browsing.
The notebook is encrypted with ProtectDrive.
If he boots into any form of SAFE mode, the computer restarts itself after he logs in.
In Windows 7 mode, he gets the Polezei virus screen and cannot start task manager.
If I boot off a CD or slave the drive, the drive is still encrypted and I cannot access the directory structure.
Is there any way to stop the 'restarting computer' sequence so that I can remove the virus while the drive is decrypted?
Any other magic bullets?
Thank you in advance.
 
Wow....tough one.
I know you said "in any Safe mode"...but just to double check, you've tried safe mode with command prompt? A lot of times this works because the Explorer shell doesn't load...thus lots of malware that starts in normal safe mode doesn't start yet.

I'm not familiar with THAT HDD encryption brand...but if it's software based and you know the password, can you load the software on another computer...and then slave this drive, and open the vaulted drive using the password? Or is it hardware?

If it's hardware based, you should still be able to boot from a CD and access it, because the hardware lets you in first via BIOS. So guess it's software encryption.

Did he (or whoever setup the computer) setup a "rescue disk" when they encrypted it?
 
The IT department from the company he works for set up the encryption and maintains the computer on an on-going basis.
Yes, I tried 'all' the forms of safe mode.
This is the third time that he has contacted me with this type of virus and the first two times we could boot into SAFE mode with networking.
He picked up the computer this morning and will have to face the wrath of the IT staff and management :(
 
The only other thing I could think of was to boot from a live cd and try to create an admin account on the windows partition to try and bypass the account affected, but if the drive was encrypted I don't think you could have done that either.

What about booting from a windows disc, advanced recovery options and try to system restore back to say a week before and maybe you could get back in and attempt cleaning?
 
Well, the client picked up his computer earlier this morning.
Since this computer is 'corporate', I don't think that I would want to take a chance on doing more damage than already done (by the virus).
I tried to image the drive before I started and Acronis complained that the file system was damaged or something similar.
 
Ahh gotcha...so he's afraid of getting yelled at because he probably goofs off. Really the IT guys concern...they're not maintaining their network enough. Honestly I'd stay out of that situation. Locked down workstation, it's a time waster for you.
 
Personally, I associate the 'police' virus with the xxx sites.
I saved his bacon twice already as he always calls me on a Sunday night in a panic.
Like I said above, the first 2 times I connected remotely, fixed the problem and was paid.
This time, I was going to chalk the resolution (if I found one) up as a 'learning experience'.
 
I've seen those viruses come in from tons of sources other than porn. Matter of fact, these days most malware comes from legit websites that were compromised, and hit the client workstations through outdated Adobe Flash and PDF readers, and outdated Java.

Or...they come into businesses through socially engineered e-mails...such as "Xerox@yourcompany.com" or "scanner@yourcompany.com" or "info@..."...or through other common domain name e-mails...spoofed to look like they come from FedEx or a bank in your area or the Better Business Bureau as some complaint...(BBB@). We see tons of these....tons of 'em, they're slipping through many e-mail scanners. Double-click the file...and whammo....the Reveton trojan sneaks on your system and hits you that day...or perhaps a few days or weeks later, or it may lie in stealth for a long time.

That being the case, perhaps IT should be informed about it, so they should tighten up their anti spam measures.
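The post above describes three tells of the spoofed mail it is talking about: a From: address on the company's own domain (scanner@yourcompany.com, Xerox@yourcompany.com) on a message that actually entered from outside, a display name borrowing a brand (FedEx, a bank, the BBB) on an unrelated address, and an executable attachment waiting to be double-clicked. The script below is an added example, not code from anyone in this thread, that turns those three tells into header and attachment checks over a constructed message. The company domain, the internal relay names and the sample messages are all assumptions made up for the example; a real deployment would take the relay list from the mail system's own configuration.

```python
"""Heuristic triage of a suspicious e-mail (added example, constructed data).

Checks the three tells described in the post above:
  1. From: claims the company's own domain but the first Received hop
     is not one of the company's mail relays;
  2. the display name imitates a well-known brand while the address is
     on some other domain;
  3. an executable attachment, including the "scan.pdf.exe" double
     extension trick.
OUR_DOMAIN, INTERNAL_RELAYS and both sample messages are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

OUR_DOMAIN = "yourcompany.com"                                        # assumed
INTERNAL_RELAYS = {"mail.yourcompany.com", "scanner.yourcompany.com"}  # assumed
LOOKALIKE_BRANDS = {"fedex": "fedex.com", "bbb": "bbb.org", "ups": "ups.com"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def originating_host(msg: Message) -> str:
    """Host named in the earliest Received: header.

    Each relay prepends its own Received: line, so the last one in header
    order is the first hop the message took.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.search(r"from\s+([\w.-]+)", received[-1])
    return m.group(1).lower() if m else ""


def attachment_findings(msg: Message) -> list:
    """Flag attachments whose final extension is executable."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        exts = re.findall(r"\.[a-z0-9]+", name.lower())
        if exts and exts[-1] in EXEC_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            if len(exts) > 1:
                findings.append(f"double extension attachment: {name}")
    return findings


def triage(raw: str) -> list:
    """Return a list of human-readable findings; empty means nothing tripped."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    origin = originating_host(msg)
    # Tell 1: internal-looking sender that arrived from outside.
    if domain == OUR_DOMAIN and origin and origin not in INTERNAL_RELAYS:
        findings.append(f"claims {OUR_DOMAIN} but first hop was {origin}")
    # Tell 2: brand in the display name, address somewhere else entirely.
    for brand, real_domain in LOOKALIKE_BRANDS.items():
        if brand in display.lower() and not domain.endswith(real_domain):
            findings.append(f"display name mentions {brand} but address is @{domain}")
    # Tell 3: executable attachment.
    findings.extend(attachment_findings(msg))
    return findings


# Constructed sample: spoofed "scanner" address, FedEx display name, .pdf.exe.
SAMPLE_SPOOFED = """\
Received: from mail.yourcompany.com (mail.yourcompany.com [192.0.2.10]) by mbox.yourcompany.com; Mon, 1 Oct 2012 09:00:00 -0400
Received: from host-203-0-113-5.example.net (203.0.113.5) by mail.yourcompany.com; Mon, 1 Oct 2012 08:59:58 -0400
From: "FedEx Delivery" <scanner@yourcompany.com>
To: user@yourcompany.com
Subject: Scanned document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached scan.
--b1
Content-Type: application/octet-stream; name="scan.pdf.exe"
Content-Disposition: attachment; filename="scan.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: a genuine copier notification from the internal relay.
SAMPLE_CLEAN = """\
Received: from scanner.yourcompany.com (scanner.yourcompany.com [192.0.2.20]) by mail.yourcompany.com; Mon, 1 Oct 2012 09:00:00 -0400
From: "Xerox WorkCentre" <scanner@yourcompany.com>
To: user@yourcompany.com
Subject: Scanned document
Content-Type: text/plain

Attached scan from the copier.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw) or "no findings")
```

The relay check is the one that does the work: an internal address arriving on the first hop from an outside host is not something a legitimate copier or scanner produces, so it can be refused at the gateway rather than left to the user's judgement. The brand and attachment checks are cheap extras that catch the FedEx/BBB style lures the post mentions.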
 
Well, he has no choice but to advise his IT that something is going on and hopefully they will tighten the reins.
It is interesting to note though that every time I have worked with this type of ransomware *and* have asked the client if they had an idea where it originated, they said it was a porn site.
 
I wish.
No, there was no countdown and no way that I could determine to get to the command line.

Too fast for Ctrl+Alt+Delete, Task Manager, Run?

Edit: this is really reaching, but maybe if you stall the computer, the restart prompt asking you if you want to force applications closed or cancel will come up? Perhaps attaching a bad hard drive, maybe inserting a messed up CD, something like that.

He has the encryption key right? It is not possible to simply mount this drive onto another machine that has protectdrive on it and decrypt it as if it was a removable device?
 
I tried multiple times.
I thought that I remembered reading somewhere that there was a distinct key sequence that would stop the restart process.... something that did not require access to the CMD prompt.
I could not find any reference to it.

Not that I know of....Win+F1 opens Help, which is a separate process; I don't know if spamming that will stall a reboot though.
 
Because of my past successes at removing the ransomware, I gave him a flat rate :(.
I see that ProtectDrive 'starts' at about $70 so I would have to ask him for more money.
He was already not happy with the fact that I charged an 'emergency' surcharge since this saga started at about 10 pm on a Sunday night and had to be completed by 8 am Monday morning so that he could go to work looking innocent.
I have noted your second paragraph for future reference ;)
 

Check with the company first. I don't have experience with the ProtectDrive software, but as I understand it....it's capable of decrypting and encrypting removable drives.
 
This is going to sound completely crazy

If you turn on the client's computer, let it go into 7 and let it sit there, then leave the power cable from the client's computer in but swap the SATA cable from the client's computer and slave the drive onto your computer (still leaving their power cable in), and see if you can do safe mode or live CD or flash drive removal.

Of course the above assumes that the hard drive will not go back into a 'locked' state.

Now I know I may get some people moaning or having a go because it's dangerous or totally stupid, and in one way it is and there are no guarantees, and I won't blame you for having a go at me.

I did this a few times before with IDE drives, although with that we used the 'pause/break' button at POST and had another working PC, and was able to access locked drives this way. Long shot and risky, but you'll never know; maybe just worth a try.
 

What what? Is that perhaps something that works on hard drives with built-in hardware encryption?
 