Because computers don't fix themselves

Archive for January, 2012

EPHD Bios Translation Error with Symantec Encryption

Tried to load Symantec Endpoint Encryption on a brand new Dell E6520, and got the error:

EPHD Bios Translation Driver: bad resident memory provision using to (memory address), want resident at (memory address), available ends at (memory address).

Simple solution: Go into the BIOS of the machine (hit F2 while booting up), go to SATA Operation, and change it from RAID to AHCI.

Even though most people do not use RAID on a single-user laptop, the E series apparently ships configured as if it were going to use one. Symantec Endpoint Encryption doesn’t work on RAID-enabled machines. Change it back to AHCI, and voila!

Windows Vista/7 Recovery Screen and Encryption

I work with a lot of computers that are encrypted for confidentiality purposes. Symantec Endpoint Encryption has all sorts of stupid “features” that annoy me to death.

One “feature” is that it disables the keyboard and mouse for certain parts of the boot-up process. If a Windows 7 or Vista computer is shut down improperly, sometimes upon startup it will stop at a “Windows Recovery” screen and prompt you to choose which operating system you wish to boot from and/or force you to choose whether or not to try to “repair” Windows. These prompts require keyboard input, which you can’t give it if your computer has disabled the keyboard. Catch-22. You’re stuck there until you can decrypt your machine (which can take hours), just so you can hit Enter once, and then go through the process of re-encrypting it. What a pain!

If you run this command, however, it will prevent those recovery screens from ever appearing, even if your computer is shut down improperly:

From an elevated command prompt (Windows key+R, then type cmd[enter]):

bcdedit /set {default} bootstatuspolicy ignoreallfailures

then hit Enter. When the command completes successfully, you’re done. Type exit to leave the DOS prompt.

Basically, if you have Win7 or Vista, and you use Symantec Encryption (read: Ameriprise advisors), you should absolutely do this on your computer. It can save you hours of hassle later.
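If you roll this out to more than one machine, it helps to be able to confirm the setting is actually in place rather than trusting that the command ran. The script below is an added example, not code from the original post: it parses the text that `bcdedit /enum {default}` prints (the sample output embedded here is constructed, but laid out the way bcdedit prints it) and reports whether the default Windows Boot Loader entry has `bootstatuspolicy` set to `IgnoreAllFailures`. The `run_bcdedit` helper is assumed to be run from an elevated prompt on Windows, since bcdedit refuses to run otherwise; everything else runs anywhere. Keep in mind what the setting does: it suppresses the Windows Error Recovery screen after any bad shutdown, so a genuine boot failure will no longer offer Startup Repair on its own.

```python
"""Audit bootstatuspolicy from `bcdedit /enum {default}` output.

Added example, not from the original post. The sample output below is
constructed in bcdedit's real key/value layout; run_bcdedit() fetches the
live text on a Windows host (needs an elevated prompt).
"""
import platform
import subprocess

# Constructed sample of what `bcdedit /enum {default}` prints on a Win7 box
# after `bcdedit /set {default} bootstatuspolicy ignoreallfailures`.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
bootstatuspolicy        IgnoreAllFailures
"""


def _is_rule(s: str) -> bool:
    """bcdedit underlines each section title with a row of dashes."""
    return bool(s) and set(s) == {"-"}


def parse_bcdedit(text: str) -> list[dict]:
    """Split bcdedit output into one dict per entry (keys lowercased).

    A line immediately followed by a dash rule is a section title and is
    stored under "_section"; every other non-blank line is "key   value".
    """
    lines = text.splitlines()
    entries: list[dict] = []
    current = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or _is_rule(line):
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if _is_rule(nxt):
            current = {"_section": line}
            entries.append(current)
            continue
        if current is None:
            continue  # stray text before any section header
        parts = line.split(None, 1)
        current[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def recovery_prompt_suppressed(text: str) -> bool:
    """True when the Windows Boot Loader entry ignores all boot failures.

    When bootstatuspolicy has never been set, bcdedit prints no line for it
    and Windows uses its default (DisplayAllFailures), so absence means False.
    """
    for entry in parse_bcdedit(text):
        if entry.get("_section") == "Windows Boot Loader":
            return entry.get("bootstatuspolicy", "").lower() == "ignoreallfailures"
    return False


def run_bcdedit() -> str:
    """Fetch live output on Windows; bcdedit itself requires elevation."""
    if platform.system() != "Windows":
        raise RuntimeError("bcdedit is only available on Windows")
    proc = subprocess.run(["bcdedit", "/enum", "{default}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    text = run_bcdedit() if platform.system() == "Windows" else SAMPLE_BCDEDIT_OUTPUT
    print("recovery screen suppressed:", recovery_prompt_suppressed(text))
```

On a machine where the command from the post has not been run, the `bootstatuspolicy` line is simply absent from the output, which is why the check treats a missing key as "not suppressed" rather than erroring.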

Redirect virus

I’ve been struggling with a pretty nasty bit of spyware which has hit a few client computers recently. Tonight, I think I figured out the bugger.

It’s a typical fake “your computer has problems” spyware, which puts dozens of “corrupt hard drive” messages on the screen and generally is very annoying. If left long enough, it will also disable most anti-virus programs as well as make your desktop black, and hide not only all the icons on your desktop and your start menu, but also hide all the files on your computer.

However, all of those symptoms are typical. This one goes one step further. It actually creates an extra 1 megabyte partition on your hard drive, flags it as bootable, and puts malicious code in that partition which re-launches the virus every time you reboot the computer, so it stays alive no matter what you clean out of Windows.

I’ve been able to remove all the above symptoms with either ComboFix or Malwarebytes, and then using unhide, getting computers back up and running. But the code in the partition causes a browser redirect which is so far unstoppable with any of my usual tools. Only ESET Online Scanner even recognized it as a rootkit, but still couldn’t fix it. The rest couldn’t even see it.

So, long story short, I was able to use UBCD 5 to boot to Parted Magic. From there, I could delete the rogue partition, and flag the main OS partition as bootable again. Reboot, and voila! We win. I still have to use malwarebytes and unhide, but that’s still better than a reformat, which is what I wound up doing before I figured this trick out.
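The give-away in this case is a tiny partition carrying the active (boot) flag, which is easy to spot programmatically before you reach for Parted Magic. The script below is an added example, not code from the original post: it parses a classic 512-byte MBR partition table, flags any active partition too small to plausibly hold an operating system, and shows the same two-step repair the post performs by hand (clear the rogue entry, move the boot flag back to the OS partition), operating on a byte image rather than a live disk. The MBR bytes, the 16 MB "too small" threshold and the 100 GB OS partition are all constructed for the demo; on a real machine you would read the first 512 bytes of the raw disk from a boot CD, and on a GPT disk the MBR is only a protective stub, so this check does not apply there.

```python
"""Spot and neutralize a small rogue active partition in an MBR image.

Added example, not from the original post. Models the persistence trick
the post describes (a ~1 MB extra partition flagged bootable) by parsing the
16-byte entries of the MBR partition table. All bytes are constructed.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446                 # four 16-byte entries at 446..509, sig at 510
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sectors
SMALL_ACTIVE_LIMIT_BYTES = 16 * 1024 * 1024   # constructed threshold for "too small to be an OS"


@dataclass
class Partition:
    index: int          # slot 0..3 in the table
    bootable: bool      # status byte 0x80
    type_id: int        # e.g. 0x07 = NTFS/exFAT
    lba_start: int
    sectors: int

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def suspicious_active(parts: list[Partition]) -> list[Partition]:
    """Active partitions far too small to hold Windows: the rogue-boot pattern."""
    return [p for p in parts if p.bootable and p.size_bytes <= SMALL_ACTIVE_LIMIT_BYTES]


def repair_mbr(mbr: bytes, rogue_index: int, os_index: int) -> bytes:
    """Zero the rogue entry and make os_index the only active partition.

    Mirrors the Parted Magic steps in the post: delete the rogue partition,
    set the boot flag on the real OS partition. Returns a new 512-byte image.
    """
    buf = bytearray(mbr)
    start = TABLE_OFFSET + 16 * rogue_index
    buf[start:start + 16] = bytes(16)
    for i in range(4):              # exactly one active entry afterwards
        buf[TABLE_OFFSET + 16 * i] = 0x80 if i == os_index else 0x00
    return bytes(buf)


def _entry(bootable: bool, ptype: int, lba: int, sectors: int) -> bytes:
    # CHS fields set to 0xFF (LBA in use), as modern tools do.
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", lba, sectors)


def demo_mbr() -> bytes:
    """Constructed infected MBR: 100 GB NTFS OS partition no longer active,
    followed by a 1 MB NTFS-typed partition that carries the boot flag."""
    os_sectors = 100 * 1024 * 1024 * 1024 // SECTOR
    os_part = _entry(False, 0x07, 2048, os_sectors)
    rogue = _entry(True, 0x07, 2048 + os_sectors, 1024 * 1024 // SECTOR)
    return bytes(TABLE_OFFSET) + os_part + rogue + bytes(32) + b"\x55\xaa"


if __name__ == "__main__":
    parts = parse_mbr(demo_mbr())
    for p in parts:
        print(f"slot {p.index}: type 0x{p.type_id:02x} active={p.bootable} "
              f"size={p.size_bytes // (1024 * 1024)} MB")
    for p in suspicious_active(parts):
        print(f"suspicious: slot {p.index} is active but only {p.size_bytes} bytes")
    fixed = parse_mbr(repair_mbr(demo_mbr(), rogue_index=1, os_index=0))
    print("after repair:", [(p.index, p.bootable) for p in fixed])
```

Treat the repaired image as something to compare against what `fdisk`/`parted` show before writing anything back to the disk; the parsing is the useful part for triage, and the repair is safest done with the partition tool itself, exactly as the post does.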

So, if you had spyware on your computer, thought you removed it, but still have a persistent browser redirect, this trick might work for you.