
removing rootkit from tc encrypted preboot hd


phantomchaser
Member
0 0

Hello, everyone.

First, thank you for taking the time to read this.

I have a Windows 7 machine with a system drive that is encrypted using TrueCrypt. I have the password. Before the system exhibited any symptoms, Avast antivirus alerted that there was a misc. rootkit detected. I allowed Avast to scan and remove the rootkit according to its prompts. Then I agreed to a boot-time scan. I restarted expecting to see the usual boot-time scan. After a successful POST, I was prompted for the boot password to allow the hard disk to be accessed. The Windows logo appeared and the text "Starting Windows" shows up under the logo. The machine stays at this screen unless powered off.

I tried to access the menu with safe mode. Pressing F8 takes me to a screen where I have the choice of starting Windows normally or launching Startup Repair. Starting normally hangs at the logo. When I select Startup Repair, a black screen shows with a progress bar and the message "Windows is loading files for repair". The progress bar fills a couple of times, then this hangs as well.

Thinking that the computer may be slow, I waited for 2 hours with each option.

As far as tools go, I cannot access anything on the hard disk at all. I have an external USB enclosure that fits the drive and a laptop with a native install of Kali Linux.

I would really like to get it up and running again. I use that machine mostly to let my kids watch their cartoons and to get news, weather, and a few games. I'm not sure what to do to fix it, so any help would be greatly appreciated.


phantomchaser
Member
0 0

I think that a rescue disc might be worth a try, but the issue is I can't boot into Windows to get to Avast to create one. When my Windows machine starts, I get the BIOS splash screen, then I get prompted for the TrueCrypt password to mount the hard drive. Once the password is entered I get the options to start Windows normally, which hangs at the Starting Windows screen with the logo, or I can choose to launch Windows Startup Repair, which hangs at the progress bar saying Windows is loading files. So either way I get stuck. I am able to boot to live CDs, so I tried Kali. When I try to mount the drive using TrueCrypt I get an error message about pre-boot encryption. I will post the exact message later on when I get back to my computer. I was thinking an Avast boot CD might work, but I need to find an image already or another Windows PC I could use.


Huitzilopochtli
....
10 9

I only know 3 people that used TrueCrypt, and due to various issues they all ended up formatting their drives and dumping TrueCrypt totally.

Also, I thought it forced you to create a "TrueCrypt Rescue Disk" on DVD or CD when you first encrypted the drive?


phantomchaser
Member
0 0

It does nag you about creating a rescue disc, but in my infinite wisdom at the time I circumvented the process. The problem is that I can't seem to boot to anything besides the drive once I enter the pre-boot password; I can either boot to another device or enter the password. If I could mount the drive without booting it, I'd be all set.


Huitzilopochtli
....
10 9

This is one korg would be able to help you fix in no time at all, but unfortunately he seems to be on some kinda self-imposed exile.


RootsBabilonia
Member
10 0

phantomchaser

You removed the rootkit with some of the applications? Could you send me the logs? PM me … Sorry… :)


Huitzilopochtli
....
10 9

He can't boot or mount his drive to scan it, man, but those tools are usually pretty good for getting rid of most infections.


RootsBabilonia
Member
10 0

When you encrypted with TrueCrypt, did you encrypt the entire boot drive, or just the Windows partition as the system partition? It may make a difference.

Have you tried using the TrueCrypt Rescue CD? Or try using Hiren's BootCD:

Install syslinux:
    sudo aptitude install syslinux

Copy files into place:
    sudo cp /usr/lib/syslinux/memdisk /boot/
    sudo cp TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso

Determine the UUID of your boot partition:
    sudo blkid /dev/sda2

Output should look something like this:
    /dev/sda3: UUID="12345678-1234-1234-1234567890"

Configure GRUB2: add the following to /etc/grub.d/40_custom:
    menuentry "TrueCrypt ISO boot" {
        insmod part_msdos
        insmod fat
        insmod ext2
        insmod search_fs_uuid
        search --fs-uuid --no-floppy --set=boot [UUID without quotes]
        linux16 ($boot)/memdisk iso raw
        initrd16 ($boot)/truecrypt-rescue-disk.iso
    }

Reload the GRUB2 configuration:
    sudo update-grub

Also try:
    truecrypt --mount /dev/sda1 /mnt/backup --filesystem=ntfs-3g -p=password
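One way to carry out the rescue-ISO and mount steps above from the Kali laptop, as an added example (this is not code from the thread). It assumes TrueCrypt 7.x's command-line client and ClamAV are installed on Kali, and uses the constructed device /dev/sdb2 and mount point /mnt/tc; the mount adds TrueCrypt's documented `system` mount option, which a plain --mount lacks for a pre-boot-encrypted partition, plus `ro` so the suspect disk stays read-only while it is scanned.

```shell
#!/bin/sh
# Added example, not from this thread. Assumptions (constructed): TrueCrypt 7.x
# CLI and clamscan are installed; the disk in the USB enclosure shows up as
# /dev/sdb and the Windows system partition is /dev/sdb2.

# Pull the UUID out of one line of blkid output, e.g.
#   /dev/sda3: UUID="12345678-1234-1234-1234567890" TYPE="ext4"
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# Print a /etc/grub.d/40_custom entry that boots the TrueCrypt Rescue Disk
# ISO through syslinux's memdisk, with the UUID filled in by the script
# (the "--" options are easy to mangle when pasted by hand).
grub_rescue_entry() {
    uuid="$1"
    iso="${2:-truecrypt-rescue-disk.iso}"
    cat <<EOF
menuentry "TrueCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot $uuid
    linux16 (\$boot)/memdisk iso raw
    initrd16 (\$boot)/$iso
}
EOF
}

# Build the truecrypt command for a pre-boot (system) encrypted partition:
# "-m system" is what plain --mount lacks when TrueCrypt refuses with the
# pre-boot encryption error, and "ro" keeps the infected disk read-only so a
# scan cannot alter evidence or run anything on it. No -p: in text mode
# truecrypt prompts for the password instead of leaving it in shell history.
tc_mount_cmd() {
    printf 'truecrypt --text -m system,ro --filesystem=ntfs-3g --mount %s %s\n' "$1" "$2"
}

# Mount and scan only when explicitly asked (run as root):
#   sh tc-recover.sh --scan /dev/sdb2 /mnt/tc
if [ "${1:-}" = "--scan" ]; then
    mkdir -p "$3"
    sh -c "$(tc_mount_cmd "$2" "$3")"
    clamscan -r --infected "$3"
fi
```

To use the GRUB route instead, redirect `grub_rescue_entry "$(blkid_uuid "$(blkid /dev/sda2)")"` into /etc/grub.d/40_custom and run update-grub as in the steps above.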