Windows XP NTLDR missing

[chipchaser]

Hi, my Dell desktop running XP won't start anymore after running Microsoft Anti Malware Tool!
I knew it had something nasty inside because when I clicked on a site in Google I was taken to a different site. Running Spybot and SpyDoctor found nothing but the trojan or whatever was still there, hence my download and run of the anti malware tool.
The machine locked up and when I tried to restart it told me NTLDR missing and to hit Ctrl Alt Del to restart. It didn't and I was going round in circles. I have a backup on a portable HDD but it is not up to date and recent work is not on it
I used Knoppix on a live CD to look at my XP folders but am now worried as it shows 36.8GB free space on a 37.2GB volume. The disc was more than 75% full, I recall about 6GB being free before disaster struck! Have I lost that data or is it not visible to Knoppix? Looking at the file properties of the four folders visible in Knoppix show a total of only about 250MB.

I intend to put a second HDD in temporarily, clean install XP to that new disc as the master and try to copy whatever I can find across from the original disc (now set as slave) to the new disc. If I get anything back I would then back that up to my portable HDD. I do also have some data recovery software to hand.

I will probably burn my valuable stuff, 5 years of photos etc, to DVD. Unfortunately I can't keep both HDDs as the Dell case is one of those slim things with no space for a second HDD. I had to buy new IDE and power cables as there were not even spare connectors for a second disc.

I guess I have been lucky up to now as I have never had to do this before, so does this sound like a sensible plan? I'd appreciate any comments or advice.
Regards
Graham

 

[Philly]

Graham
Try putting the XP cd in the drive and re-booting from it. You can then choose the "repair" option, which should re-instate the ntldr file and you'll be up and running again.
To get rid of your spyware try rebooting into safe mode and then running your virus checker/spybot, etc. Makes a huge difference and actually gets rid of stuff.
Hope this helps
Philly

 

[Argee]

I'm guessing it won't be that easy. Look up "browser hi-jacks" and you'll get the bigger picture.

Ray

 

[Fecn]

I used Knoppix on a live CD to look at my XP folders but am now worried as it shows 36.8GB free space on a 37.2GB volume.

That's rather a worrying sign as it would indicate that the file allocation table has somehow become corrupt. All the files will still be on the disk, but the overall index saying which files are on which parts of the disk is broken. I think the best thing you could do at this stage is to plug the drive into another working computer, and try some disk recovery software to see if it can find the missing files and copy them to a known-good drive. Most of the disk recovery packages offer 7-day trials, so you can usually get away without having to spend any money.

 

[chipchaser]

Thanks for your advice gentlemen. I don't know why but I had missed that it is more effective to run anti spyware etc in safe mode so thanks Philly and I will do that from now on. I think you are right Ray, it may not be quite so easy to fix. I did try to reinstall missing parts only, from a floppy drive following routines suggested on the internet, but without success.

Fecn, your explanation as to why I cannot see the files and suggestion that they might be there is reassuring and I will try to recover files from my hard disc to a good machine.

These Dell desktops have been very good machines. The only problem I ever suffered was the popping capacitors on a GX270 but Dell replaced the motherboard free of charge. Considering the age of the machine I was very impressed However,I wish I had the tower case with spare drive bays for this sort of occassion.

Thanks again I will let you know how it goes
Graham

 

[kityuser]

Thanks for your advice gentlemen. I don't know why but I had missed that it is more effective to run anti spyware etc in safe mode so thanks Philly and I will do that from now on. I think you are right Ray, it may not be quite so easy to fix. I did try to reinstall missing parts only, from a floppy drive following routines suggested on the internet, but without success.

Fecn, your explanation as to why I cannot see the files and suggestion that they might be there is reassuring and I will try to recover files from my hard disc to a good machine.

These Dell desktops have been very good machines. The only problem I ever suffered was the popping capacitors on a GX270 but Dell replaced the motherboard free of charge. Considering the age of the machine I was very impressed However,I wish I had the tower case with spare drive bays for this sort of occassion.

Thanks again I will let you know how it goes
Graham

just seen this thread, what ever you do for gods sake don't do a fresh xp install then connect back up the suspect drive!!!!!!!!!! (i.e. with no protection) its the easiest way to re-infect your whole system.

boot up the xp install disk, goto the recovery console and at the prompt type
sys c:

that should fix the "Missing NTLDR
Press Ctrl-Alt-Dlt to restart" problem


if thats not the solution, then I`d stick a new disk in there (a good excuse to upgrade), fresh install of xp, then MAKE SURE YOUR SYSTEM IS BULLET PROOF.... a cheap usb enclosure to recover the files from your old drive via a recovery suite.

Steve

 

[chipchaser]

Hi Steve, thanks for advice in your timely post I was just about to start on this.

I did try some routines, recommended on the web, to restart the Dell without reinstalling the OS but none worked. I want to ensure, if at all possible, that the data on the drive is not lost or overwritten. I have many photos and CAD drawing files that I can't replace. Ironically I recently bought a DVD writer to archive those but hadn't got round to it I also have a portable USB HDD but that wasn't backed up recently and it can be temperamental, ocassionally it is not recognised by the PC which is why I bought the DVD writer.

As you can see from my first post I can no longer see all the files on the HDD but hope to use a recovery programme to recover and copy any data files to another HDD. I wouldn't copy any applications/programme files at all.

I also wouldn't try to open any of the data files recovered to the clean machine until I have virus scanned them. Data I want to recover is 80% .jpg and CAD drawing files and the rest is Word documents.

Am I wrong in believing that the virus or trojan can't reinstall itself if I don't open infected data files?

If I follow my plan to:
1 remove the infected drive
2 install a new clean drive into the PC
3 after setting up XP re-connect the infected drive and start in Safe Mode (thanks Philly!)
4 recover/copy data only to the new drive
5 virus scan all data before opening it
6 re-install clean programmes from their CDs

Is there a risk from applications on the infected slave disc if I don't open or copy them to the clean disc? I cannot see any programme files using Knoppix which shows file properties for "PROGRAM FILES" as occupying 96.4MB. I cannot open "PROGRAM FILES" to follow the file path any further.

As I said above I have been lucky in the past and not had to do this before so have no experience of possible pitfalls!

Regards
Graham

 

[kityuser]

Hi Steve, thanks for advice in your timely post I was just about to start on this.

I did try some routines, recommended on the web, to restart the Dell without reinstalling the OS but none worked. I want to ensure, if at all possible, that the data on the drive is not lost or overwritten. I have many photos and CAD drawing files that I can't replace. Ironically I recently bought a DVD writer to archive those but hadn't got round to it I also have a portable USB HDD but that wasn't backed up recently and it can be temperamental, ocassionally it is not recognised by the PC which is why I bought the DVD writer.

As you can see from my first post I can no longer see all the files on the HDD but hope to use a recovery programme to recover and copy any data files to another HDD. I wouldn't copy any applications/programme files at all.

I also wouldn't try to open any of the data files recovered to the clean machine until I have virus scanned them. Data I want to recover is 80% .jpg and CAD drawing files and the rest is Word documents.

Am I wrong in believing that the virus or trojan can't reinstall itself if I don't open infected data files?

If I follow my plan to:
1 remove the infected drive
2 install a new clean drive into the PC
3 after setting up XP re-connect the infected drive and start in Safe Mode (thanks Philly!)
4 recover/copy data only to the new drive
5 virus scan all data before opening it
6 re-install clean programmes from their CDs

Is there a risk from applications on the infected slave disc if I don't open or copy them to the clean disc? I cannot see any programme files using Knoppix which shows file properties for "PROGRAM FILES" as occupying 96.4MB. I cannot open "PROGRAM FILES" to follow the file path any further.

As I said above I have been lucky in the past and not had to do this before so have no experience of possible pitfalls!

Regards
Graham

graham, be 100% sure that you have a secure system BEFORE you re-connect the infected drive.
Various things do happen in the background and some files invariably get parsed and scanned even just by connecting up the drive.
I would make sure you have a half decent anti-virus/firewall program installed before connecting the old drive. Before you attempt any recovery do a full virus scan of the old drive.

steve

 

[RobertMP]

Personally I wouldn't worry about connecting an infected drive as a secondary drive to a clean system. You have to run a virus file to start it off (or the web browser runs it if that is how you got it).

If the disk is working OK then recovery software should get your files back off the drive even if the FAT is corrupted and nothing is visible to windows. Being corrupted and any files still on it invisible to the operating system also makes it safer from a virus infection point of view.

Sandisk give away a recovery program with some of their memory cards that is quite good. Think it works with hard drives too. There are others you can download from the net. There may be some genuinely free ones but a lot will show you what they found then expect to buy it to actually get the files back.

Had a quick search this free one looks like it might do it. Good luck.

 

[kityuser]

Personally I wouldn't worry about connecting an infected drive as a secondary drive to a clean system. You have to run a virus file to start it off (or the web browser runs it if that is how you got it).

If the disk is working OK then recovery software should get your files back off the drive even if the FAT is corrupted and nothing is visible to windows. Being corrupted and any files still on it invisible to the operating system also makes it safer from a virus infection point of view.

Sandisk give away a recovery program with some of their memory cards that is quite good. Think it works with hard drives too. There are others you can download from the net. There may be some genuinely free ones but a lot will show you what they found then expect to buy it to actually get the files back.

Had a quick search this free one looks like it might do it. Good luck.

I have heard of some nasties that can be triggered by the windows "preview scan" where it asks if you want to look at piccies or listen to music on a drive.
One such particular nasty can hide in the thumbs.db file......

Steve

 

[chipchaser]

Robert, thanks for pointer to PC Inspector. The website looks convincing so have downloaded it and will report back as to whether it worked for me later. I actually now have 5 in total alternative free data recovery tools and all the other bits of software I think I might need on the HDD of this my backup machine.

Also have an app to resize partitions on my new disc and copy an image of the corrupt disc. I created several partitions on the new disc to cover what I thought would be all my possible needs but after doing that decided I would make a complete copy of the corrupt disc to work from. I need to make one of my new partitions larger to accommodate that copy. Installed XP to the new disc ok from the Dell reinstallation CD except that it doesn't install the monitor information file so had only 640x480 resolution until downloaded and installed the monitor driver and the latest video adapter driver.

Steve, thanks for cautions about running any options offered by Windows. I have only installed the minimum necessary to get the tools required to sort this problem. I particularly wanted to avoid connecting to the internet until I have (I hope) recovered my data. This made installing antivirus difficult as they all want to connect to their maker's website as part of the installation process. I downloaded and attempted installing 3 different offerings before I succeeded with "Avira Antivir Personal", which let me disable connecting to the net.

It will probably be a couple of days or so before I start trying to recover my data as I must do some proper work.