Sparda Posted August 23, 2007

A friend called me 3 days ago saying his computer won't boot with a missing NTLDR.exe (isn't that the Windows kernel?) error and he has important data on it that needs recovering.

So, he brings the PC over, I boot Kubuntu (what else would it be? lol) and mount the partition. Bits of Windows are there but most of it is missing (including Documents and Settings, Program Files etc.). I mount the HP recovery partition, and everything is there as it should be (I believe; not using recovery partitions I wouldn't know exactly, but it looks like the contents of a Windows install disk are there).

I think to myself, what is most likely to be the problem? Given that the owner of the computer knows very little about computers and probably sees it as just another house appliance, the HD is probably riddled with bad sectors and that's the cause. I set SpinRite off using level 5 when I went to bed. When I woke up SpinRite hadn't finished but showed all good so far. I let it finish anyway; it finished with no errors and the state of the HD hadn't changed. So something much worse must have happened.

More thinking ensued. I resorted to putting the drive in my main desktop (which has made Windows very unhappy, lots of BSOD'ing) and set EnCase to work on the drive (takes about 2 days to do everything necessary to try and recover everything it can, still hasn't finished). I initially used the quicker method with EnCase (which is less thorough) and loads of 'deleted' files and directories showed up, including many from the Windows directory.

Anyway, to my 'question': I suspect that either someone has used a skiddie tool to delete everything on the Windows partition or some form of malware attempted to delete everything. In both instances the malware/skiddie tool would have had to install a system driver in Windows to achieve the 'level' (for lack of a better word) of deletion that has occurred. Either that or someone booted a different OS.

Any suggestions as to how I might be able to prove/disprove my theory (btw, as I said before, the recovery partition is intact, so whatever happened only targeted the partition Windows was installed on)? Any other thoughts?

VaKo Posted August 23, 2007

He did something. When people tell you "I have no idea what happened, it just stopped working", it usually means "I was fucking about and I broke something, now I can't fix it".

moonlit Posted August 23, 2007

> He did something. When people tell you "I have no idea what happened, it just stopped working", it usually means "I was fucking about and I broke something, now I can't fix it".

Sounds right to me...

Sparda (Author) Posted August 23, 2007

That's the thing, some of the files that have been deleted (including the kernel) can't be deleted simply by selecting the Windows dir in Explorer and hitting delete. So I really don't know what's happened.

deleted Posted August 23, 2007

Someone being mean and using a live cd to go in and Delete the Windows Files or Taking out the Hard Drive and doing a Morris Dance on it.

Sparda (Author) Posted August 23, 2007

> Virus?
> Someone being mean and using a live cd to go in and Delete the Windows Files or Taking out the Hard Drive and doing a Morris Dance on it.

It must be either or. But how many viruses are actually destructive any more? You can't spread yourself by nuking the system you've infected.

Joerg Posted August 23, 2007

Maybe a skiddie "attack". It's very easy to delete the whole system via batch -- If there are important files you can try to unerase them.

deleted Posted August 23, 2007

Have you tried the Recovery Part of the Windows install CD (assuming winxp or vista)?

Sparda (Author) Posted August 23, 2007

Windows won't let you delete Windows while it's running (even from a command script). Yet somehow it was (as far as I know no other OS was booted on the computer). So...?

Sparda (Author) Posted August 23, 2007

> Have you tried the Recovery Part of the Windows install CD (assuming winxp or vista)?

Do you mean the recovery console?

Joerg Posted August 23, 2007

Sparda, I did this so often in a VM ;) it should be del /f /s /q /a C:*

Sparda (Author) Posted August 23, 2007

That actually worked. It achieved the same surface effect, but upon further inspection this left more of the file system intact than whatever mutilated this partition. So while something similar was done, what was actually done was much worse.

cooper Posted August 23, 2007

I'm just wondering what we're trying to determine here? How he got it in this state, or what should be done to return the system to normal operating condition?

Sparda (Author) Posted August 23, 2007

> I'm just wondering what we're trying to determine here? How he got it in this state, or what should be done to return the system to normal operating condition?

Trying to recover whatever I can from the Documents and Settings directory. At a guess I'd say there is zero chance of getting it working again short of a reinstall of Windows. As an additional attempt to figure out how it happened, thus educating the user to avoid it in the future, as well as keep backups. It probably was a virus, after all they use IE.

VaKo Posted August 23, 2007

Viruses these days are not that destructive, a dead computer doesn't make money. Today's spyware/malware/virus/trojan market is all about using your system to either silently get and transmit data or use your PC to mass mail people. Given the level of destruction he's got, find out exactly what happened, ask lots of questions.

Sparda (Author) Posted August 24, 2007

> Viruses these days are not that destructive, a dead computer doesn't make money. Today's spyware/malware/virus/trojan market is all about using your system to either silently get and transmit data or use your PC to mass mail people. Given the level of destruction he's got, find out exactly what happened, ask lots of questions.

That's what I keep saying to myself: "Viruses aren't destructive any more". Trouble is, he might have been social engineered over IM or something (Hot Girl2 says: "here's a photo of me naked" *Hot Girl2 would like to send you pic.exe* etc.). Having recovered nothing yet (EnCase still reconstructing the file system) I can't say. Was just wanting some helpful suggestions and speculation at this point.

moonlit Posted August 24, 2007

I agree with the theory that viruses aren't that destructive any more, but that's just mainstream viruses... and by that I mean some wannabe hacker could cobble together a "virus" that deletes random files and/or renders Windows unusable... it's not all that hard, it's just in the realm of someone starting out. Think about it, wannabe blackhat thinks "hey, haha, I know, I'll make a virus... but wait, what to make it do? I know, kill Windows! That'll fuck 'em!".

Alternatively, could've been an install of something like FlyAKiteOS gone wrong... unlikely as it is, that sort of installer really does screw with a lot of system files...

Joerg Posted August 24, 2007

I suggest unerasing the important files before installing something new.

VaKo Posted August 24, 2007

I still think asking some more pointed questions might help here, i.e. getting an exact blow by blow account of how the machine went from happily running to fubar'd. Things like this just don't happen without some form of user interaction or even just noticing that the HD is thrashing while Windows is crashing. So while you're waiting for the technical stuff to finish, work on your soft skills.

digip Posted August 24, 2007

Chances are he/she did something manually or downloaded something and upon opening it did its little payload. Now given it could have been a virus, I am sure there are malicious exploits that can take advantage of an unpatched machine, but like everyone has said, if it's not a functioning machine, it can't spread itself.

Is it possible, that even though the ntldr wasn't working, his hard drive got corrupted, i.e., bad hard disk surface area or power surge, static electricity, etc., and it wiped the boot loader and some data on it because it got damaged physically?

I once had a computer that I used to record music on with my band that was in the loft of an old house with bad wiring and it would seem to always have a lot of static charge up there and give me problems with all the equipment we had hooked up to it. Wav files always had extra spikes of static noise and random audio from other files in the same file (ghost in the machine...). One time while recording the computer crashed and scan disk could not fix the drive. It would boot, and then do the chkdisk and then reboot itself. I eventually had to install over it and reformat the drive to get it working, but the hard drive was damaged at that point and would frequently give me problems from there on out. Until I replaced it, the problem would keep coming back. The components of the drive were damaged somehow and I would lose data we recorded or it would get corrupted on a regular basis and cause all kinds of strange issues with the files, similar to a destructive virus, and yet this PC was NEVER hooked to the internet. It was a music workstation only.

Now, does he use surge protection or have any faulty equipment? Could something have shorted out the drive or damaged it physically (lightning, static, etc.)?

The1 Posted August 24, 2007

> A friend called me 3 days ago saying his computer won't boot with a missing NTLDR.exe (isn't that the Windows kernel?) error and he has important data on it that needs recovering.

The same thing happened to me 2 years ago, the computer wouldn't boot cause of a missing NTLDR file, don't really think it's an exe. And yeah, my brother deleted it!!! I was so stupid setting the folder options to display protected operating system files, and letting him use my PC. Right before writing this I deleted the NTLDR file without getting any message (and restored it of course) just to see if it was possible. How stupid of Microsoft for not displaying the "Error deleting file or folder" message. Hope you fix the problem somehow. Sorry about the English.

Sparda (Author) Posted August 24, 2007

> Is it possible, that even though the ntldr wasn't working, his hard drive got corrupted, i.e., bad hard disk surface area or power surge, static electricity, etc., and it wiped the boot loader and some data on it because it got damaged physically? I once had a computer that I used to record music on with my band that was in the loft of an old house with bad wiring and it would seem to always have a lot of static charge up there and give me problems with all the equipment we had hooked up to it. Wav files always had extra spikes of static noise and random audio from other files in the same file (ghost in the machine...). One time while recording the computer crashed and scan disk could not fix the drive. It would boot, and then do the chkdisk and then reboot itself. I eventually had to install over it and reformat the drive to get it working, but the hard drive was damaged at that point and would frequently give me problems from there on out. Until I replaced it, the problem would keep coming back. The components of the drive were damaged somehow and I would lose data we recorded or it would get corrupted on a regular basis and cause all kinds of strange issues with the files, similar to a destructive virus, and yet this PC was NEVER hooked to the internet. It was a music workstation only.

This is something different. If that kind of thing had happened SpinRite would have shown some kind of error. The files were removed in a controlled manner (meaning software did it, not a hardware malfunction).

digip Posted August 24, 2007

I think it's possible, like the above comment, that the ntldr file was deleted. That would cause it not to be able to boot. Wouldn't a partition disk like Grub or should be able to fix it? http://neosmart.net/blog/2005/fixing-a-broken-mbr/

Sparda (Author) Posted August 24, 2007

ntldr is the Windows kernel (I still believe). But that's only the surface problem, the actual problem is that (at a guess) 90% of the file system is gone.