Sparda Posted August 23, 2007

A friend called me 3 days ago saying his computer won't boot with a missing NTLDR.exe (isn't that the Windows kernel?) error and he has important data on it that needs recovering.

So, he brings the PC over, I boot Kubuntu (what else would it be? lol) and mount the partition. Bits of Windows are there but most of it is missing (including Documents and Settings, Program Files etc.). I mount the HP recovery partition, and everything is there as it should be (I believe; not using recovery partitions I wouldn't know exactly, but it looks like the contents of a Windows install disk are there).

I think to myself, what is most likely to be the problem? Given that the owner of the computer knows very little about computers and probably sees it as just another house appliance, the HD is probably riddled with bad sectors and that's the cause. I set SpinRite off using level 5 when I went to bed. When I woke up SpinRite hadn't finished but showed all good so far. I let it finish anyway; it finished with no errors and the state of the HD hadn't changed. So something much worse must have happened.

More thinking ensued. I resorted to putting the drive in my main desktop (which has made Windows very unhappy, lots of BSOD'ing) and set EnCase to work on the drive (it takes about 2 days to do everything necessary to try and recover everything it can, and it still hasn't finished). I initially used the quicker method with EnCase (which is less thorough) and loads of 'deleted' files and directories showed up, including many from the Windows directory.

Anyway, to my 'question': I suspect that either someone has used a skiddie tool to delete everything on the Windows partition or some form of malware attempted to delete everything. In both instances the malware/skiddie tool would have had to install a system driver in Windows to achieve the 'level' (for lack of a better word) of deletion that has occurred. Either that or someone booted a different OS.

Any suggestions as to how I might be able to prove/disprove my theory (btw, as I said before, the recovery partition is intact, so whatever happened only targeted the partition Windows was installed on)? Any other thoughts?