File Share Encryption


Hit by a virus, cant boot laptop, get boot guard error 80


  • 1.  Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 11, 2011 11:41 PM

    Hi

    I got hit by a virus, which looks like it screwed up my MBR.

    On booting, it would get to the boot guard state and then error out with the error 80 disk error.

    I did a little Google research and found out about the PGP recovery disks. I made a CD from the ISO files and tried to boot from it. The recovery CD could not find the PGP WDE on it.

    I then further read that it may be possible to use the Windows XP disk to boot into the recovery console and fix the MBR, which I proceeded to do.

    The PGP recovery CD is still not able to read the drive, and now when the computer boots up via the disk it says "error loading operating system".

    I then retried the PGP recovery disk to no avail.

    I have also tried taking out this drive and attaching it to a computer that has PGP installed. PGP does not recognize it and Windows says the drive needs to be formatted.

    Really need to get my data off this drive before I can erase it.

    I am/was using PGP 10.0.2

    Windows XP SP3 was the original OS

    Computer is an IBM laptop

    Thanks



  • 2.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 14, 2011 10:41 AM

    It seems that your problem is corruption of the MBR. If the recovery CD is not working, I'd suggest plugging the disc into another computer with PGP installed on it (via USB carry) and then running the pgpwde command via the command line to verify the encryption status and, if possible, decrypting the disk and uninstrumenting bootguard.



  • 3.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 17, 2011 11:36 AM

    I've had to deal with this at work, where I unfortunately got stuck supporting PGP.  Turns out there is a command line switch that doesn't show up when you do help.  Below is the information I've posted for our field techs that normally fixes the problem.

     

    Stage 2 Inaccessible Disk

    Usually caused by a virus overwriting PGP bootloader. Slave the hard drive to a machine with PGP. Whatever you do, DO NOT FORMAT the drive. When Windows sees an encrypted drive that isn't unlocked, it won't show the size in explorer. Opening/Double clicking on it will cause Windows to tell you it's unformatted and ask you if you want to, again DO NOT FORMAT.

    Most likely you won't get a prompt to unlock the disk. If you do get an unlock prompt you're in luck, you can use a token or user passphrase, and then just copy the user's data off using explorer.

    If you didn't get prompted to unlock then run the recovery commands below.  Normally the boot disk is drive 0 and the slaved drive is 1.  The --enum command will show you the disk drives PGP sees attached.  The --info command will show you details about the disk to help make sure the disk is the right one to work on. 


    • Open a CMD prompt window.
    • set path=%path%;%programfiles%\pgp corporation\pgp desktop
    • pgpwde --enum 
    • pgpwde --info -d 1
    • pgpwde --recover -d 1 --passphrase "token/passphrase"
      (i.e: pgpwde --recover -d 1 " DCBWM-430U2-PJ4CL-QQ2B6-QXJ2X-E4E" )


    Be patient, it will take a few minutes to complete. You'll see it search for the PGP information; it will increment sectors searched and decrement sectors to go. Upon completion you'll see either a success or failure message depending on the result.  If it is successful then you can reboot and you should get a prompt to unlock disk when PGP starts, which means you can use a token and access the drive contents.  It may also work like normal if you put it back into the original system, but there is no guarantee.   If it fails, make sure you've got the right token.   If all this fails then your last option is to do the super slow recovery CD decryption, which goes about 9.6GB an hour on an Opti 760.



  • 4.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 18, 2011 12:41 PM

    Hi rburney,

    I was very happy to see this, and I tried it out, but I am getting an error.

    When I executed the enum command, it says that the total number of drives detected is 2,
    disk 0 has 1 online volume
    disk 1 has 0 online volumes

    When I executed the info command on d 1, I get an error which states that
     --disk option not specified or invalid & retrieves disk 0's info

    When I execute the recover command, I get the same error as above.

    Any idea how to proceed?



  • 5.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 21, 2011 06:33 PM

    Is it possible you mistyped the command?

    If you type the command exactly as rburney has it, it should work.

    The error you're reporting is what you would see if you typed "pgpwde --info d 1" instead of "pgpwde --info -d 1"



  • 6.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 22, 2011 10:00 AM

    We have seen this many times and it looks to be a rootkit.  Our current SOP is to use the recover command from a WinPE disk (with PGP in it) similar to what RBURNEY mentioned.  This allows you to authenticate to the disk from PE or from Windows, as the machine should boot normally after it's successful.  Again, since this is a rootkit, we rebuild all of the machines affected like this, but the process will allow you to recover any valuable data from the drive before doing so.  I would recommend you rebuild this one as it has probably been compromised.
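
Added example, not part of any post in this thread: a read-only Python check of sector 0 of the slaved drive (or an image of it), for recording what the MBR looks like before any repair tool is run against it. It assumes the classic 512-byte MBR layout; the two sample sectors are constructed, the disk size is the sector count quoted later in the thread, and the function names are the example's own.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
DISK_SECTORS = 625139712    # sector count quoted from `pgpwde --info` later in the thread

def parse_mbr(sector, disk_sectors=DISK_SECTORS):
    """Read-only sanity check of a classic MBR; returns partitions and findings."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    findings, parts = [], []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if not any(sector[:TABLE_OFFSET]):
        findings.append("boot code area is empty")
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        if not any(entry):
            continue                      # unused slot
        status, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: status byte 0x{status:02x} is not 0x00/0x80")
        if ptype == 0 or count == 0:
            findings.append(f"entry {i}: non-empty slot with no type or length")
        elif start + count > disk_sectors:
            findings.append(f"entry {i}: extends past end of disk")
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start": start, "sectors": count})
    if not parts:
        findings.append("partition table is empty")
    return {"partitions": parts, "findings": findings}

def read_sector0(path):
    """Read sector 0 from a disk image or a raw device path, opened read-only."""
    with open(path, "rb", buffering=0) as f:
        return f.read(SECTOR)

def build_sample(entry, signature=b"\x55\xaa"):
    boot = b"\xfa\x33\xc0".ljust(TABLE_OFFSET, b"\x90")   # constructed filler, not real boot code
    return boot + entry.ljust(64, b"\x00") + signature

# Constructed samples: one plausible NTFS layout, one sector overwritten with junk.
HEALTHY = build_sample(struct.pack("<B3sB3sII", 0x80, b"", 0x07, b"", 2048, 625137664))
DAMAGED = build_sample(b"\x41" * 16, signature=b"\x00\x00")

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("damaged", DAMAGED)):
        print(name, parse_mbr(sample)["findings"])
```

On a real drive, pass an image file or the raw device path to `read_sector0` from an elevated prompt and keep a copy of the bytes with the case notes.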



  • 7.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 23, 2011 01:49 PM

    Correction: the drive was encrypted using PGP 9.6

    I connected the drive to another computer that has 9.6 installed (made sure they were the same build as well)

     

    and then retried the commands to no luck

    I have attached the cmd screen  



  • 8.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Mar 23, 2011 08:36 PM

    I am retrying the PGP recovery disk for PGP Desktop 9.6

    Looks like it found the drive and is decrypting. It's a 300G drive, this will take a while...



  • 9.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted May 05, 2011 04:45 PM

    I just want to state that this method worked perfectly!  Slave the disk with boot error 80 into another device running PGP and follow the instructions.  Just one minor update to the instructions:

    • Open a CMD prompt window.
    • set path=%path%;%programfiles%\pgp corporation\pgp desktop
    • pgpwde --enum 
    • pgpwde --info -d 1
    • pgpwde --recover -d 1 --passphrase "token/passphrase"
      (i.e: pgpwde --recover -d 1 " DCBWM-430U2-PJ4CL-QQ2B6-QXJ2X-E4E" )

              Change to i.e:  pgpwde -recover -d 1 -passphrase " Your passphrase/token here"

    Reboot with slave disk attached and it will prompt for passphrase if success message.

    I used version 10.1 for a 9.8 corrupted disk.  Worked fine.

    Thank you rburney!



  • 10.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 08, 2011 06:13 PM

    ...and I count on your advice...

    1. Running Windows 7 64 bit & PGP Desktop (unsure which exact version as cannot access the system now, definitely 10.x.x)

    2. Suddenly my McAfee raised the alarm today afternoon regarding the FakeAlert Trojan that was hidden in fake Java update... Within next 30 seconds all my icons on the desktop disappeared, Explorer stopped working (could not see all the folders and files)....Managed to download Malwarebytes, installed it, scanned the system with it and found additional files and registry entries made by Trojan. These have been removed.

    3. System has been restarted and...after BIOS did its usual thing, a PGP console supposed to start asking for the passphrase. Not this time...On a black screen got an error: "loading password authentication driver...Internal error accessing disk 0x00008080. Some required files are missing or corrupted. You may be able to continue through the Advanced menu or recovery tool. Internal error accessing disk 0x00000000."

    4. After Googling and reading here and there, I did 2 things: created a PGP Recovery Disk and Win 7 64 Bit Recovery Disk. Equipped with both I began my crusade. Started with PGP Desktop Recovery Disk and after few minutes of search it found PGPWDE record. Password authentication driver has been loaded and I moved to "Advanced" menu option prior to entering passphrase. System storage shows disk 1 floppy (???) 1MB not encrypted, disk 2 298GB (this is the system one) - not encrypted and finally external drive - disk 3 of 931GB - not encrypted - I am somewhat surprised as I recall HDD being encrypted...

    5. Returned to previous menu to enter passphrase & then continued (instead of "D" - decrypting) - Windows Error Recovery screen appeared. Long story short, repair was not possible: Windows Repair Tool does not see any system drive C:, no Windows installation whatsoever, so I moved to command prompt, used chkdsk and the end result was that "type of the file system is RAW. Chksdk is not available for RAW drives". Of course I cannot jump to C: either...

    6. Then I tried the same scenario as in point (4) and (5), but with a Safe Mode - blue screen with errors appeared: 0x0000007B (0xFFFFF880009A98E8, 0xFFFFFFFFC0000034, 0x0000000000000000). Then after another restart I tried "Start Windows Normally" and the blue screen error appeared again - this time with "unmountable boot volume" & a number of additional Stop errors (attached photo): 0x0000007B (0xFFFFF880009A98E8, 0xFFFFFFFFC0000034, 0x0000000000000000).

    I really do not know what to do now...I have about 110GB data to recover, would love to be able not to re-install Win 7 as everything will be lost (I was actually doing an Iron Mountain Backup while Trojan hit & backup got corrupted...)

    Your help is much appreciated.

    Thank you in advance.

    Rado

     

    PS. Few screenshots are attached, apologies upfront for the quality of photos.



  • 11.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 08, 2011 06:52 PM

    You will need to create a Windows PE disk with the PGP tools included.  Take a look at this article:

    http://www.symantec.com/business/support/index?page=content&id=TECH149634&actp=search&viewlocale=en_US&searchid=1304456277904

    Once you have your PE disk, boot to that and then use the recover command as others have stated on this thread:

    pgpwde --recover -d 1 --passphrase "token/passphrase"
    (i.e: pgpwde --recover -d 1 " DCBWM-430U2-PJ4CL-QQ2B6-QXJ2X-E4E" )

              Change to i.e:  pgpwde -recover -disk 1 -passphrase " Your passphrase/token here"

    Once the process is complete (it can take 15min to a couple of hours) it will report success/failure.  If successful the drive should be bootable, but I would only do so to recover the data.  It's preferable to slave the drive to recover the data.  Low level format the drive after you have recovered your data before you begin to use it again.

    It is also possible to perform all of this from another computer with PGP installed and working without the PE disk.



  • 12.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 09, 2011 06:04 AM

    Thank you Jonathan for your response.

    I have to admit that even after reading the suggested article, I am confused what to do next...Here is what I have done since my yesterday's query, prior to reading your post:

    1. Purchased SATA to USB adapter, removed the 2.5" hard drive from a laptop and connected it via USB to my desktop computer (it runs on Windows XP Home)

    2. System is able to see the drive, but shows the size as "0" and wants to format it...

    3. I installed 30 days free trial copy of the PGP Desktop on the desktop PC 

    4. Entered command prompt/DOS mode and typed "pgpwde --info -d 2", PGP returned the information as follows:
    "Disk information for disk 2.
    Model number: Hitachi HTS725032A9A364 USB Device
    Total number of sectors on disk: 625139712
    Request sent to display disk information was successful"

    5. Now used the command "pgpwde --recover --disk 2 --passphrase "passphrase"" and now waiting for the outcome as sectors are being searched.

    To be continued...



  • 13.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 09, 2011 06:30 AM

    Hello,

    Below is the end result of the "recover" command - now it's time for rebooting, please keep your fingers crossed:



  • 14.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 09, 2011 07:10 AM

    After rebooting & starting Windows, PGP Desktop asked for a passphrase and after providing it I was able to see the Hitachi drive with 170GB free out of 298GB.

    Just began copying to the external 1TB WD Passport drive whatever I can.

    This is not the end though... The question remains how can I boot a laptop with this drive (currently Windows XP from the desktop PC shows the laptop's HDD file system as RAW)? What should I do now? Is it now everything OK with its boot sector, would Windows 7 start or everything is doomed and HDD has to be re-imaged?

    Please let me know what I need to be prepared for.

    Thank you once again - a huge burden is currently falling from my shoulders!

    Rado



  • 15.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 17, 2011 06:25 PM

    I am trying to do this but I am getting an error on the second command. It says that pgpwde is not recognized as an internal or external command

    Any ideas?



  • 16.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 18, 2011 11:52 AM

    You can always just cd to %programfiles%\pgp corporation\pgp desktop

    Then issue the pgpwde commands from there as well



  • 17.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 18, 2011 02:51 PM
      |   view attached

      



  • 18.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 18, 2011 07:13 PM

    just cd to %programfiles%\pgp corporation\pgp desktop

    then run pgpwde --enum from in there



  • 19.  RE: Hit by a virus, cant boot laptop, get boot guard error 80

    Posted Aug 18, 2011 09:38 PM

    Got it, thank you for your help.

    Now, is there any way from here to uninstall PGP or to fix the corrupted file so it will restart in the computer?

    Thanks