HellBound Hackers | Computer General | General Computer Problems

removing rootkit from tc encrypted preboot hd

phantomchaser (Member, Posts: 3, Joined: 22.02.15, Rank: Newbie)
Posted on 13-03-15 02:44
Hello, everyone.

First, thank you for taking the time to read this.

I have a Windows 7 machine with a system drive that is encrypted using TrueCrypt.
I have the password. Before the system exhibited any symptoms, Avast antivirus alerted that there
was a misc. rootkit detected. I allowed Avast to scan and remove the rootkit according to its prompts,
then agreed to a boot-time scan. I restarted expecting to see the usual boot-time scan.
After a successful POST, I was prompted for the boot password to allow the hard disk to be accessed.
The Windows logo appeared and the text "Starting Windows" showed up under the logo.
The machine stays at this screen unless powered off.

I tried to access the menu with safe mode. Pressing F8 takes me to a screen where I have
the choice of starting Windows normally or launching startup repair. Starting normally hangs
at the logo. When I select the startup repair, a black screen shows with a progress bar
and the message "Windows is loading files for repair".
The progress bar fills a couple of times, then this hangs as well.

Thinking that the computer may be slow, I waited for 2 hours with each option.

As far as tools, I cannot access anything on the hard disk at all. I have an external USB
enclosure that fits the drive and a laptop with a native install of Kali Linux.

I would really like to get it up and running again. I use that machine mostly to let my kids watch
their cartoons and to get news, weather, and a few games.
I'm not sure what to do to fix it, so any help would be greatly appreciated.
RE: removing rootkit from tc encrypted preboot hd

Huitzilopochtli (Member, Posts: 1621, Joined: 19.02.13, Rank: God)
Posted on 16-03-15 20:16
Check this out man, it's a similar issue to your own, which also has the options for repairing a fucked up Win 7 boot, and links to better removal tools in case you're still infected.

https://www.winhe. . .-scan.html

Edited by Huitzilopochtli on 16-03-15 20:18
RE: removing rootkit from tc encrypted preboot hd

phantomchaser (Member, Posts: 3, Joined: 22.02.15, Rank: Newbie)
Posted on 24-03-15 16:05
I think that a rescue disc might be worth a try, but the issue is I can't boot into Windows to get to Avast to create one. When my Windows machine starts, I get the BIOS splash screen, then I get prompted for the TrueCrypt password to mount the hard drive. Once the password is entered I get the options to start Windows normally, which hangs at the "Starting Windows" screen with the logo, or I can choose to launch Windows startup repair, which hangs at the progress bar saying Windows is loading files. So either way I get stuck. I am able to boot to live CDs, so I tried Kali. When I try to mount the drive using TrueCrypt I get an error message about pre-boot encryption. I will post the exact message later on when I get back to my computer.
I was thinking an Avast boot CD might work, but I need to find an image already made or another Windows PC I could use.
RE: removing rootkit from tc encrypted preboot hd

Huitzilopochtli (Member, Posts: 1621, Joined: 19.02.13, Rank: God)
Posted on 24-03-15 19:27
I only know 3 people that used TrueCrypt, and due to various issues they all ended up formatting their drives and dumping TrueCrypt totally.

Also, I thought it forced you to create a "TrueCrypt Rescue Disk" on DVD or CD when you first encrypted the drive?

Edited by Huitzilopochtli on 24-03-15 19:33
RE: removing rootkit from tc encrypted preboot hd

phantomchaser (Member, Posts: 3, Joined: 22.02.15, Rank: Newbie)
Posted on 26-03-15 03:00
It does nag you about creating a rescue disc, but in my infinite wisdom at the time I circumvented the process. The problem is that I can't seem to boot to anything besides the drive once I enter the pre-boot password; I can either boot to another device or enter the password. If I could mount the drive without booting it I'd be all set.
RE: removing rootkit from tc encrypted preboot hd

Huitzilopochtli (Member, Posts: 1621, Joined: 19.02.13, Rank: God)
Posted on 26-03-15 13:15
This is one korg would be able to help you fix in no time at all, but unfortunately
he seems to be on some kinda self imposed exile.
RE: removing rootkit from tc encrypted preboot hd

RootsBabilonia (Member, Posts: 37, Location: Brasil, Joined: 31.03.10, Rank: God)
Posted on 26-03-15 17:57
You can try using these applications
in this order:

www.majorgeeks.co. . .eaner.html
http://www.majorg. . .fix,1.html
http://www.majorg. . .swmbr.html

Or you can make an invocation to Cachullu Tee-Hee-Hee


GAT/GP/GCS/GSS/GE/GH/J d- s++:++ a C++++ ULS*+++ P+ L++ K---
w---(++++) M- PS+++ PE-(--) Y++ PGP t R !tv b++++ h-- r+++ z+++++

"In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist"
--Dwight D. Eisenhower

.. ... http://suporteninja.com
RE: removing rootkit from tc encrypted preboot hd

RootsBabilonia (Member, Posts: 37, Location: Brasil, Joined: 31.03.10, Rank: God)
Posted on 28-03-15 18:34
phantomchaser

Did you remove the rootkit with some of the applications?
Could you send me the logs? PM me ...
Sorry...
www.recaption.com/uploads/77934f64a278baf6a.jpg
RE: removing rootkit from tc encrypted preboot hd

Huitzilopochtli (Member, Posts: 1621, Joined: 19.02.13, Rank: God)
Posted on 29-03-15 04:10
He can't boot or mount his drive to scan it, man, but those tools are usually pretty good for getting rid of most infections.
RE: removing rootkit from tc encrypted preboot hd

RootsBabilonia (Member, Posts: 37, Location: Brasil, Joined: 31.03.10, Rank: God)
Posted on 29-03-15 11:31
When you encrypted with TrueCrypt, did you encrypt the entire boot drive, or just the Windows partition as the system partition? It may make a difference.


Have you tried using the TrueCrypt Rescue CD?
Or
Try using Hiren's BootCD:

Install syslinux:
sudo aptitude install syslinux

Copy files into place:
sudo cp /usr/lib/syslinux/memdisk /boot/
sudo cp TrueCrypt\ Rescue\ Disk.iso /boot/truecrypt-rescue-disk.iso

Determine the UUID of the partition that holds /boot (assumed here to be /dev/sda2; check with lsblk or df /boot):
sudo blkid /dev/sda2

Output should look something like this:
/dev/sda2: UUID="12345678-1234-1234-1234-1234567890ab" TYPE="ext4"

Configure GRUB2:
Add the following to /etc/grub.d/40_custom:
menuentry "TrueCrypt ISO boot" {
insmod part_msdos
insmod fat
insmod ext2
insmod search_fs_uuid
search --fs-uuid --no-floppy --set=boot [UUID without quotes]
linux16 ($boot)/memdisk iso raw
initrd16 ($boot)/truecrypt-rescue-disk.iso
}

Re-load GRUB2 configuration:
sudo update-grub
--------------------------

also try
# -m system: mount a partition that is inside TrueCrypt system encryption (pre-boot authentication)
# -t: text mode; -p takes the password as a separate argument, not -p=password
truecrypt -t --mount -m system --filesystem=ntfs-3g -p password /dev/sda1 /mnt/backup
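An added example, not part of the thread and not RootsBabilonia's code: a small POSIX shell script that packages the two steps in the post above. It generates the 40_custom menuentry from the blkid output with a UUID sanity check (a mistyped UUID makes the GRUB search fail silently), and builds/runs the TrueCrypt mount for a system-encrypted partition with the -m system option, read-only, so the disk can be scanned from the Kali laptop without booting it. The device names (/dev/sda2 for the /boot partition, /dev/sdb2 for the Windows partition seen through the USB enclosure), the mount point /mnt/win and the ISO file name are assumptions; check them with lsblk and blkid on the machine you actually use.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for the two steps the post
# above describes: (1) writing the GRUB2 menuentry that boots the TrueCrypt
# Rescue Disk ISO through memdisk, and (2) mounting a TrueCrypt system-encrypted
# (pre-boot authenticated) Windows partition from a USB enclosure on Linux so it
# can be scanned offline. Device names, mount points and the ISO file name are
# assumptions; check them with lsblk/blkid on the machine you actually use.

# Pull the UUID out of one line of blkid(8) output, e.g.
#   /dev/sda2: UUID="12345678-1234-1234-1234-1234567890ab" TYPE="ext4"
# Prints the UUID without quotes; prints nothing if the line has no UUID.
uuid_from_blkid_line() {
    printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# Check the 8-4-4-4-12 hex shape. GRUB's "search --fs-uuid" quietly leaves
# $boot unset for a mistyped UUID and the entry then fails at boot time, so
# validate before writing anything to /etc/grub.d.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the 40_custom entry. $1 = UUID of the partition holding /boot (where
# memdisk and the ISO were copied), $2 = ISO file name under that partition.
grub_memdisk_entry() {
    uuid="$1"; iso="$2"
    is_uuid "$uuid" || { echo "grub_memdisk_entry: bad UUID: $uuid" >&2; return 1; }
    cat <<EOF
menuentry "TrueCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot $uuid
    linux16 (\$boot)/memdisk iso raw
    initrd16 (\$boot)/$iso
}
EOF
}

# Build the truecrypt(1) command line for a system-encrypted partition.
# Compared with a plain volume mount:
#   -m system                  the partition sits inside TrueCrypt system
#                              encryption (pre-boot authentication); this is
#                              the mount option the Linux CLI provides for it
#   ro                         read-only, so the scan cannot alter NTFS
#   -k "" --protect-hidden=no  skip the keyfile and hidden-volume prompts
# No -p: in text mode (-t) TrueCrypt prompts for the password, so it stays
# out of shell history and "ps" output.
tc_system_mount_cmd() {
    printf 'truecrypt -t --mount -m system,ro --filesystem=ntfs-3g -k "" --protect-hidden=no %s %s\n' "$1" "$2"
}

# Run the mount for real (needs root and the truecrypt binary). $1 = Windows
# partition as seen through the enclosure (often /dev/sdb2 when a Windows 7
# "System Reserved" partition comes first; assumed), $2 = mount point.
mount_tc_system() {
    command -v truecrypt >/dev/null 2>&1 || { echo "truecrypt not installed" >&2; return 2; }
    mkdir -p "$2" || return 1
    truecrypt -t --mount -m system,ro --filesystem=ntfs-3g -k "" --protect-hidden=no "$1" "$2"
}

# Typical use after sourcing this file as root (paths are assumptions):
#   u=$(uuid_from_blkid_line "$(blkid /dev/sda2)")
#   grub_memdisk_entry "$u" truecrypt-rescue-disk.iso >> /etc/grub.d/40_custom && update-grub
#   mount_tc_system /dev/sdb2 /mnt/win
```

Once mount_tc_system succeeds, point a scanner at the mount point (for example clamscan -r /mnt/win on Kali) and dismount with truecrypt -t -d /mnt/win when done; because the volume is mounted read-only, cleaning anything found means re-mounting without ro deliberately rather than by accident.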