
Widespread Incidence of NTLDR Missing

Discussion in 'Windows XP' started by phishtrader, 2009/06/25.

  1. 2009/06/25
    phishtrader

    phishtrader Inactive Thread Starter

    Joined:
    2009/06/25
    Messages:
    4
    Likes Received:
    0
    A customer of the company I work for began experiencing a problem last week. Three files on the root of the boot drive (C:) are being removed and result in the box being unable to boot. The affected files are ntldr, boot.ini, ntdetect.com. The timeline appears to be that the files are deleted and then the box reboots. I've not been present when this happens, but have seen the results shortly after.

    I’ve fixed nine machines yesterday (and the Ricoh copier guy fixed the two PCs attached to their scanners) and one machine last week. This morning I’ve fixed two more.

    We’ve scanned some of the machines for malware and while we’ve found some, none of what we’ve identified should have this effect. Currently they have Symantec Endpoint Protection that is up to date; we are currently ripping that software out and replacing it with the enterprise version of Trend Micro (not my choice, it's what the customer wanted).

    All of the affected machines are running Windows XP Pro with about half running SP2 and the rest running SP3. Most of the machines are Dells, but a good margin are HPs. All desktops with the exception of one notebook.

    I've begun looking at updates to see if any might cause this problem, but with no success.

    Has anyone seen this sort of phenomenon before?
     
  2. 2009/06/25
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    If it coincides with installing or updating to IE8, yes, it's common. Uninstall IE8 and it will automatically roll back to IE7 and fix the problem. You will need to replace the boot.ini file after the roll back. I doubt the other two files are missing but replace them if so.

    That works in most cases but if not you'll have to make a boot.ini manually.

    Reference
     
    Last edited: 2009/06/25
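
A minimal single-OS boot.ini of the kind you would write by hand once ntldr and ntdetect.com are back in place, with a sanity check to run before copying it to C:\. This is an added example, not part of the original posts; the function names, the disk and partition numbers and the WINDOWS directory are assumptions that must match the machine's actual layout, and only the `multi()` ARC form is checked.

```python
import re

# ARC path on x86 BIOS systems: multi(A)disk(B)rdisk(C)partition(D)\dir
# partition() is 1-based, so partition(0) is rejected.
ARC_RE = re.compile(
    r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\([1-9]\d*\)\\[^\\=]+$", re.I)


def build_boot_ini(rdisk=0, partition=1, windir="WINDOWS",
                   label="Microsoft Windows XP Professional", timeout=30):
    """Return boot.ini text for one XP install (all defaults are assumptions)."""
    arc = f"multi(0)disk(0)rdisk({rdisk})partition({partition})\\{windir}"
    return "\r\n".join([
        "[boot loader]",
        f"timeout={timeout}",
        f"default={arc}",
        "[operating systems]",
        f'{arc}="{label}" /fastdetect',
        "",
    ])


def check_boot_ini(text):
    """Return a list of problems found in boot.ini text; empty means OK."""
    section, default, entries, problems = None, None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line without '=': {line}")
        elif section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            entries.append(key.strip())
    if default is None:
        problems.append("no default= in [boot loader]")
    if not entries:
        problems.append("no entries in [operating systems]")
    for path in entries + ([default] if default else []):
        if not ARC_RE.match(path):
            problems.append(f"not a valid multi() ARC path: {path}")
    if default and entries and default.lower() not in [e.lower() for e in entries]:
        problems.append("default= does not match any [operating systems] entry")
    return problems
```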

  4. 2009/06/25
    phishtrader

    I checked a few machines and all had IE7 installed. Auto updates are turned on.

    boot.ini, ntldr, and ntdetect.com are all missing on the affected boxes.
     
  5. 2009/06/25
    surferdude2

    Hmm... That'll be a new one. In the meantime you could set them up with a floppy or a CD with those three files to sub for the missing bootloader files.

    I have some HERE for all around use but you may want to make one to be more system specific.

    It may be some time before someone comes up with a fix. It sounds Malware/Virus possible but can still be the result of some clash between a recent auto-update and particular systems.
     
  6. 2009/06/25
    surferdude2

    Are these machines networked? Could you have some miscreant in the organization that is doing this to annoy you? Have you checked in EVENTVWR.EXE of these machines for any possible clue?
     
  7. 2009/06/25
    phishtrader

    I've been using a boot "disk" from this site: http://tinyempire.com/notes/ntldrismissing.htm which seems to be working pretty well. I'll take a look at yours too, can't have too many tools!
     
  8. 2009/06/25
    phishtrader

    Yes, it is about a 125 node network and 12 servers at a single site.

    I've looked through the logs on a couple of affected boxes, but they're all pretty much set up with the defaults for auditing in XP. So there ain't much to go on there.

    At this point, I'm suspecting some sort of worm, since the affected machines do not appear to be infected with anything that I can detect that would cause this problem. Alternately, it might be an update or a confluence of several things that result in this issue.

    I have also not ruled out the possibility of it being some sort of rootkit that is not being installed successfully. I still need to check a few unaffected boxes for malware and run rootkitrevealer to determine if that might be a possibility or not.
     
