Malware on unbootable laptop with PGP desktop

RockIT Man

Right now I'm full of questions and no answers.

I've got an infected machine that is encrypted with PGP desktop. The computer is running windows 7 but will not boot. I wanted to try to tackle the problem with a bootable virus CD. However, the computer boots to the CD before it displays the prompt to unlock the HD. This makes it so that the live scanner can't see the contents of the drive. This means (correct me if I'm wrong) that it won't detect any infections.

My next thought is to pull the drive and scan it via another computer running PGP desktop. Am I on the right track here? If so, does anyone have a particular scanner in mind that will do the job?

And no, the client doesn't want me to nuke and pave because he doesn't have the re-installation media for some of the applications. And yes, the client needs the computer back in T - 9 hours.

HELP!!! :confused:
 
Encryption is always a pain when dealing with things like infections or non-booting issues. Usually what I do is use the utility to remove encryption, then work with it, then re-encrypt it. That may not be feasible due to time limitations...but I simply tell my customers that I refuse to take the chance with it.
 
Thanks for the quick reply! I read that with PGP desktop it decrypts at a whopping 9.7 GB an hour? So with a 500GB HD I'm looking at 2+ days. Does that sound about right?

Do you think there is any hope of removing the virus via a different machine?
 
Yeah, sounds about right. Awesome, huh?


Yeah, you may have some luck with a different machine. I have a little more experience using TrueCrypt like that, but I'd be surprised if PGP is much different. For me, it's just a matter of not having complete trust when working with an encrypted drive like that.
 
140etc. is right, I think the strategy is decrypt, devirus, recrypt. If you leave the drive encrypted you are going to end up with a lot of cases where you don't know if the encryption is causing a problem or the virus or the results of the virus. Slave the drive and get it decrypted before you start. It will be massively time consuming, such is the cost of security (and paranoia as well :-).
 
This is the main thing that puts me off encrypting the entire drive.

Firstly, I would take a sector by sector image if you have the space. Going to take some time but covers your ass if something goes wrong.

Secondly, when you say it won't boot: BSOD? If so, which BSOD? Will it boot in safe mode, with or without networking? If you're able to get the system booting even with limited options, then you've removed the whole encryption dilemma from the equation.
 
No, the computer would not get past where the PGP password screen normally is. However, instead of that screen showing up I got a black screen with white lettering giving me a boot guard error.

I was able to boot into the recovery partition via the command at the BIOS screen. I didn't think it would work but figured I'd give it a try. Well, I was right. When trying to proceed with the recovery, the Samsung recovery software didn't recognize a drive with a Windows installation. Of course it wouldn't, the drive is encrypted.

The solution coming next.
 
So, I was able to fix the issue and I was able to do it in the short amount of time I had left. No, I didn't get much sleep that night.

Hopefully the following info will help someone down the line.

I followed the 3rd post in this thread to fix the boot guard error. This made the PGP password/login screen come back. Well, after logging into the encrypted disk, Windows was still unbootable. Actually, it messed with the PGP boot again. I had to go back and repeat the post in the thread above.

After doing that, I left the slave hard drive connected to another machine with PGP installed. I scanned the slave with Kaspersky which found a ton of nasties including Rouge.FakeHDD. I was able to remove these.

I then loaded the slave registry into the working machine. I went through and cleaned up several malicious entries that were set to run automatically.

I moved the slave hard drive back to the Samsung laptop and was able to boot into safe mode. I ran a scan and slept for a couple of hours. When I woke up, I booted into normal mode and scanned once more with KIS which found a couple more things. I removed them.

Two days later, the customer is still happy and I'm still tired.
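The "load the slave registry and clean up the entries set to run automatically" step above is the part of this fix that is easiest to get wrong by hand. The script below is an added example, not code from the thread or from any of the tools named in it: it loads the slaved drive's SOFTWARE hive under a temporary key on the working machine, lists the well-known machine-wide autostart locations (Run, RunOnce, the Winlogon Shell/Userinit values), flags commands that live outside the Windows and Program Files directories, and unloads the hive again. The drive letter E:, the temporary key name and the "outside the system directories" heuristic are assumptions; the slaved drive must already be unlocked with PGP Desktop on the working machine, exactly as in the post, or the hive file is not readable.

```powershell
# Added example (not from the thread). Run as Administrator on the clean machine.
# Assumes the slaved, already-unlocked drive is mounted as E: (adjust $SlaveRoot).
function Get-OfflineAutostarts {
    param(
        [string]$SlaveRoot = 'E:\Windows\System32\config',   # assumed mount point
        [string]$MountKey  = 'HKLM\SlaveSOFTWARE'             # assumed temporary key name
    )
    $hiveFile = Join-Path $SlaveRoot 'SOFTWARE'
    if (-not (Test-Path $hiveFile)) { throw "Hive not found: $hiveFile (is the PGP volume unlocked?)" }

    # Load the offline hive under our own HKLM; nothing on the slave is executed by this.
    reg.exe load $MountKey $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }
    $base = 'HKLM:\SlaveSOFTWARE'

    # Machine-wide autostart keys (standard Windows locations, not entries from the thread).
    $runKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Heuristic (assumption): a command whose path is not under \Windows or
    # \Program Files deserves a manual look. Temp/AppData paths are classic spots.
    function Test-Suspicious([string]$cmd) {
        $c = $cmd.Trim('"')
        return -not ($c -match '(?i)^[a-z]:\\(windows|program files( \(x86\))?)\\')
    }

    $results = @()
    try {
        foreach ($sub in $runKeys) {
            $path = Join-Path $base $sub
            if (-not (Test-Path $path)) { continue }
            $props = (Get-ItemProperty -Path $path).PSObject.Properties |
                     Where-Object { $_.Name -notmatch '^PS' }        # drop provider metadata
            foreach ($p in $props) {
                $results += [pscustomobject]@{
                    Location   = $sub
                    Name       = $p.Name
                    Command    = [string]$p.Value
                    Suspicious = Test-Suspicious ([string]$p.Value)
                }
            }
        }

        # Winlogon Shell/Userinit: normally explorer.exe and userinit.exe; anything
        # appended to them runs at every logon, so show the raw values for review.
        $wl = Get-ItemProperty -Path (Join-Path $base 'Microsoft\Windows NT\CurrentVersion\Winlogon')
        foreach ($name in 'Shell', 'Userinit') {
            $val = [string]$wl.$name
            $results += [pscustomobject]@{
                Location   = 'Winlogon'
                Name       = $name
                Command    = $val
                Suspicious = ($name -eq 'Shell' -and $val -ne 'explorer.exe') -or
                             ($name -eq 'Userinit' -and $val -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$')
            }
        }
    }
    finally {
        # Release handles to the loaded key so the unload does not fail with "access denied".
        $wl = $null; $props = $null
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg.exe unload $MountKey | Out-Null
    }
    return $results
}

# Usage: list everything, suspicious entries first, then decide what to delete by hand.
Get-OfflineAutostarts | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Per-user Run keys live in each profile's NTUSER.DAT (E:\Users\<name>\NTUSER.DAT in this layout) and can be loaded the same way with `reg.exe load HKU\SlaveUser <file>`; the script only covers the machine-wide hive. Nothing here deletes anything: the point is to get a reviewable list off the slaved drive without booting it, which is what makes the offline route safer than cleaning from inside the infected Windows.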
 
Encountered this kind of problem once and what I did is do a complete reinstallation of the operating system and all other installations that go with it, including disk reformatting. Try it, maybe this will solve your problem...

I'm sure your solution would work. I ended up going a different route. See my solution in the above post.
 