HELP w/ T42 Windows Crash [OR] EFS & SecureDrive Recovery


#1 Post by huxleyb » Tue Feb 17, 2009 2:56 pm

Can someone help me out?

SUMMARY: I need to make Windows bootable again [OR] I have two different sets of encrypted data that I need to recover from a crashed system. I can send a few bucks via PayPal if successful! One set of data are files encrypted using EFS and the other set is the data that was stored on the IBM built-in R:/SecureDrive (.vol file). I have been searching the crashed drive for the .pfx file to import the private key to another computer but cannot find it. I need help either making Windows functional (bootable) or recovering the encrypted files/drive from another computer by importing the key that I cannot find (for EFS) and importing/accessing the SecureDrive.vol.

When I lost Windows I got an error message regarding i386\ntoskrnl.exe - a copy from another computer was pasted into windows\system32 folder.

DETAILS: I have the IBM ThinkPad T42 2373 with Windows XP Pro SP2. After installing SP3 my system became very unstable, so I uninstalled it days later. Later, one day Windows crashed and upon reboot, led to a black screen. I have spent 3 weeks trying to get it restored - no luck. I did find that I had been hijacked with a backdoor trojan and multiple others, for who knows how long?

After not being able to boot (Safe Mode included) and having no restore/backup points, I used IBM Rescue & Recovery to recover non-encrypted files. Initial indicators were corrupt boot/mft files. I ran bootfix and fixmbr - no help. After R&R was of no more use, I used the XP installation CD to do a REPAIR of Windows, which did preserve pre-existing data. Using this crashed drive as an external USB drive, I can view all the files on the drive with no problem.

I recall at some point it was reported that NTLDR and another one (can't recall) were missing, so I copied the files from another computer just to make a little progress (it worked but maybe this is the problem?)

In trying to boot, the Windows Splash screen (post?) flashes but then the screen goes blank (cursor top left). Sitting overnight gets no progress. Trying to boot to Safe Mode gives me the black Safe Mode screen (Safe Mode printed in all 4 corners) but it stalls there - no functionality. If I could just get Windows to work properly, I believe all encrypted files/SecureDrive will be accessible. I know the password. If I can recover them another way, that's fine too.

At this point IBM R&R partition is also corrupt. All files appear present, but it will not load by pressing 'Access IBM' on the keyboard. I do have the utility on CD and can boot from CD into IBM R&R. The only use it has at this point is that I can 'restore to factory contents' and lose all data. I wish to recover encrypted files/drive before doing so.

As an external USB drive, I just ran Avira Rescue CD, Antivir Antivirus and Malwarebytes on the crashed drive. There were 30+ trojans/viruses. They were removed/renamed when possible. Trying to boot after this cleanup is no help. On a couple of occasions I have seen the error ~ $mft error when viewing it as an external USB drive, but I see this on all external USB HDDs.

Browsing the drive externally, the EFS-encrypted files show the user and thumbprint for the encryption but I cannot find the needed key (.pfx file) anywhere on the bad drive.

I tried EFS key recovery ( http://support.microsoft.com/kb/241201 ) but I can't find the key.

GETTING TO THE POINT:
1) Did my Windows REPAIR overwrite/erase the private key? All other data was preserved. If it did overwrite the EFS key, I still have the R:/SecureDrive to recover. Also, before doing the REPAIR XP install, I created an ISO image of the corrupt drive (USB connected), but it would not write the encrypted files (obviously) - I mention this b/c maybe (?) the private key got backed up on this ISO.

2) When I search for *.vol to look for the R:/SecureDrive partition I cannot find it. I believe this 'partition' is stored in My Documents, which is an EFS encrypted folder.

3A) Since Windows won't boot, is there a way that I can manually show the computer my password in order to unlock A) SecureDrive B) EFS files? OR.....

3B) How do I repair Windows so that it will boot? This would be the ideal solution.

4) Should 'Simple File Sharing' be enabled or no?

5) IBM encryption chip was not used to encrypt these files, although maybe it interacts with R:/SecureDrive.vol since IBM logon usually asks for the "PrivateDisk" password when it is first accessed. Even if Windows will not boot, can I manually activate THAT IBM logon screen (PrivateDisk/SecureDrive)?




Thanks for your Kindness!
Bill S.
