
User accounts have gone missing!

Yousuf Khan

Flightless Bird
I have a perplexing problem here. I went on vacation outside of the
country, and when I got back my Windows 7 desktop lost almost all of its
user login accounts (5 altogether), except for one. The one that isn't
lost, cannot be logged into, as the password doesn't get accepted.

The machine also has a dual-boot to Windows XP, and choosing to boot
into XP gets you the message that that operating system doesn't exist.
Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
password to the one remaining account.

Using a Ubuntu Linux, I've taken a look at the Windows file system and
all files seem to be still there and I can access them, and Ubuntu
doesn't report any physical problems with the boot disk (SMART looks
fine). This happened while I was away, so I didn't even observe it
myself, and I can't even login to an account to look at the event logs.

Yousuf Khan
 
Parko

Flightless Bird
On Sun, 25 Jul 2010 13:17:19 -0500, Yousuf Khan scrawled:

> I have a perplexing problem here. I went on vacation outside of the
> country, and when I got back my Windows 7 desktop lost almost all of its
> user login accounts (5 altogether), except for one. The one that isn't
> lost, cannot be logged into, as the password doesn't get accepted.
>
> The machine also has a dual-boot to Windows XP, and choosing to boot
> into XP gets you the message that that operating system doesn't exist.
> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
> password to the one remaining account.
>
> Using a Ubuntu Linux, I've taken a look at the Windows file system and
> all files seem to be still there and I can access them, and Ubuntu
> doesn't report any physical problems with the boot disk (SMART looks
> fine). This happened while I was away, so I didn't even observe it
> myself, and I can't even login to an account to look at the event logs.
>
> Yousuf Khan


I've used this quite successfully in the past. Fairly straightforward to
use.
http://pogostick.net/~pnh/ntpasswd/

--
You will be prompted to restart the computer. Click Yes. "This is not a
psychotic episode. It's a cleansing moment of clarity."
 
Frank

Flightless Bird
On 7/25/2010 7:09 PM, Parko wrote:
> On Sun, 25 Jul 2010 13:17:19 -0500, Yousuf Khan scrawled:
>
>> I have a perplexing problem here. I went on vacation outside of the
>> country, and when I got back my Windows 7 desktop lost almost all of its
>> user login accounts (5 altogether), except for one. The one that isn't
>> lost, cannot be logged into, as the password doesn't get accepted.
>>
>> The machine also has a dual-boot to Windows XP, and choosing to boot
>> into XP gets you the message that that operating system doesn't exist.
>> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
>> password to the one remaining account.
>>
>> Using a Ubuntu Linux, I've taken a look at the Windows file system and
>> all files seem to be still there and I can access them, and Ubuntu
>> doesn't report any physical problems with the boot disk (SMART looks
>> fine). This happened while I was away, so I didn't even observe it
>> myself, and I can't even login to an account to look at the event logs.
>>
>> Yousuf Khan

>
> I've used this quite successfully in the past. Fairly straightforward to
> use.
> http://pogostick.net/~pnh/ntpasswd/
>

Boot from your Win 7 DVD, if you have one, and do a system restore.
 
Arno

Flightless Bird
In comp.sys.ibm.pc.hardware.storage Yousuf Khan <bbbl67@yahoo.com> wrote:
> I have a perplexing problem here. I went on vacation outside of the
> country, and when I got back my Windows 7 desktop lost almost all of its
> user login accounts (5 altogether), except for one. The one that isn't
> lost, cannot be logged into, as the password doesn't get accepted.


I suppose the machine was running with Internet connectivity?
If so: Congratulations, you have acquired a SPAM-relay/bot-net node.

> The machine also has a dual-boot to Windows XP, and choosing to boot
> into XP gets you the message that that operating system doesn't exist.
> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
> password to the one remaining account.


> Using a Ubuntu Linux, I've taken a look at the Windows file system and
> all files seem to be still there and I can access them, and Ubuntu
> doesn't report any physical problems with the boot disk (SMART looks
> fine). This happened while I was away, so I didn't even observe it
> myself, and I can't even login to an account to look at the event logs.


I would recommend complete sanitization while not connected
to a network.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
 
Yousuf Khan

Flightless Bird
On 25/07/2010 10:09 PM, Parko wrote:
> I've used this quite successfully in the past. Fairly straightforward to
> use.
> http://pogostick.net/~pnh/ntpasswd/
>


Hey, thanks, this seems to have done the trick. After I ran this, it
showed that all of my missing user accounts were actually still there,
but they were somehow disabled. At least all of the administrator-level
accounts were disabled, but the standard user level accounts were unchanged.

I re-enabled all of those administrator accounts, and changed their
passwords.

If I had gone with the restore from CD or restore from backups route,
then my machine would've been set back to a level from April 2010, and
that would've been too far back.

Yousuf Khan
 
Yousuf Khan

Flightless Bird
On 26/07/2010 12:12 AM, Frank wrote:
> Boot from your Win 7 DVD, if you have one, and do a system restore.


I looked into that possibility, but my last full backup was from April
2010, so it would've set the system back too far. Using the password
cracker option, I was able to get it back to the level where I last left
it.

Yousuf Khan
 
Yousuf Khan

Flightless Bird
On 26/07/2010 5:35 AM, Arno wrote:
> In comp.sys.ibm.pc.hardware.storage Yousuf Khan<bbbl67@yahoo.com> wrote:
>> I have a perplexing problem here. I went on vacation outside of the
>> country, and when I got back my Windows 7 desktop lost almost all of its
>> user login accounts (5 altogether), except for one. The one that isn't
>> lost, cannot be logged into, as the password doesn't get accepted.

>
> I suppose the machine was running with Internet connectivity?
> If so: Congratulations, you have acquired a SPAM-relay/bot-net node.


I don't think it got to that level. I did a complete virus scan of the
disk, while booted into another operating system, and it checked out as
clean. I think virus scanners can usually pick up root kits too.

Also I told my brother to shut this machine down completely when I heard
what was happening to it. So it's been shut off for over a month now, so
I don't think if somebody was trying to seize this machine, it went
offline fairly quickly and they didn't have time to use it.

However, the fact that all of the administrator accounts were disabled,
while the non-admin accounts were fine does lead me to believe perhaps
someone was trying to seize the machine. However, the machine was behind
a NAT router, so it's hard to understand how they planned to take over
this machine.

Yousuf Khan
 
Gene E. Bloch

Flightless Bird
On Wed, 28 Jul 2010 14:17:27 -0400, Yousuf Khan wrote:

> On 25/07/2010 10:09 PM, Parko wrote:
>> I've used this quite successfully in the past. Fairly straightforward to
>> use.
>> http://pogostick.net/~pnh/ntpasswd/
>>

>
> Hey, thanks, this seems to have done the trick. After I ran this, it
> showed that all of my missing user accounts were actually still there,
> but they were somehow disabled. At least all of the administrator-level
> accounts were disabled, but the standard user level accounts were unchanged.
>
> I re-enabled all of those administrator accounts, and changed their
> passwords.
>
> If I had gone with the restore from CD or restore from backups route,
> then my machine would've been set back to a level from April 2010, and
> that would've been too far back.
>
> Yousuf Khan


In this thread you have twice equated System Restore with restoring your
drive from a backup. That's not what it is.

System Restore basically just fixes a few (mostly Windows) problems from a
backup-like stash of a few (mostly Windows) items, supposedly without
affecting user data. These backups are made frequently and automatically.

Google for it so you can see what I'm talking about.

--
Gene E. Bloch (Stumbling Bloch)
 
Frank

Flightless Bird
On 7/28/2010 11:18 AM, Yousuf Khan wrote:
> On 26/07/2010 12:12 AM, Frank wrote:
>> Boot from your Win 7 DVD, if you have one, and do a system restore.

>
> I looked into that possibility, but my last full backup was from April
> 2010, so it would've set the system back too far. Using the password
> cracker option, I was able to get it back to the level where I last left
> it.
>
> Yousuf Khan


Glad you got it fixed although you don't seem to fully understand system
restore.
 
Arno

Flightless Bird
In comp.sys.ibm.pc.hardware.storage Yousuf Khan <bbbl67@spammenot.yahoo.com> wrote:
> On 26/07/2010 5:35 AM, Arno wrote:
>> In comp.sys.ibm.pc.hardware.storage Yousuf Khan<bbbl67@yahoo.com> wrote:
>>> I have a perplexing problem here. I went on vacation outside of the
>>> country, and when I got back my Windows 7 desktop lost almost all of its
>>> user login accounts (5 altogether), except for one. The one that isn't
>>> lost, cannot be logged into, as the password doesn't get accepted.

>>
>> I suppose the machine was running with Internet connectivity?
>> If so: Congratulations, you have acquired a SPAM-relay/bot-net node.


> I don't think it got to that level. I did a complete virus scan of the
> disk, while booted into another operating system, and it checked out as
> clean. I think virus scanners can usually pick up root kits too.


At least they should. With current signatures I would say your
assumption is reasonable.

> Also I told my brother to shut this machine down completely when I heard
> what was happening to it. So it's been shut off for over a month now, so
> I don't think if somebody was trying to seize this machine, it went
> offline fairly quickly and they didn't have time to use it.


Agreed.

> However, the fact that all of the administrator accounts were disabled,
> while the non-admin accounts were fine does lead me to believe perhaps
> someone was trying to seize the machine. However, the machine was behind
> a NAT router, so it's hard to understand how they planned to take over
> this machine.


Hmm. Maybe they hacked the NAT first? Would not be the first time.
Anyways, good success with the cleanup.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
 
GlowingBlueMist

Flightless Bird
On 7/28/2010 1:18 PM, Yousuf Khan wrote:
> On 26/07/2010 12:12 AM, Frank wrote:
>> Boot from your Win 7 DVD, if you have one, and do a system restore.

>
> I looked into that possibility, but my last full backup was from April
> 2010, so it would've set the system back too far. Using the password
> cracker option, I was able to get it back to the level where I last left
> it.
>
> Yousuf Khan

Glad you got it working too.

I wonder, did you try booting into the safe mode and using the built in
Administrator account or was that disabled as well?
 
Gordon

Flightless Bird
On 29/07/10 17:00, GlowingBlueMist wrote:
> On 7/28/2010 1:18 PM, Yousuf Khan wrote:
>> On 26/07/2010 12:12 AM, Frank wrote:
>>> Boot from your Win 7 DVD, if you have one, and do a system restore.

>>
>> I looked into that possibility, but my last full backup was from April
>> 2010, so it would've set the system back too far. Using the password
>> cracker option, I was able to get it back to the level where I last left
>> it.
>>
>> Yousuf Khan

> Glad you got it working too.
>
> I wonder, did you try booting into the safe mode and using the built in
> Administrator account or was that disabled as well?


The built-in Administrator Account is disabled by default in Windows 7.
That's why it's very good practice to have an administrator account for
elevation and emergency purposes and a Standard User account for day to
day running...
 
Yousuf Khan

Flightless Bird
On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
> On 7/28/2010 1:18 PM, Yousuf Khan wrote:
>> On 26/07/2010 12:12 AM, Frank wrote:
>>> Boot from your Win 7 DVD, if you have one, and do a system restore.

>>
>> I looked into that possibility, but my last full backup was from April
>> 2010, so it would've set the system back too far. Using the password
>> cracker option, I was able to get it back to the level where I last left
>> it.
>>
>> Yousuf Khan

> Glad you got it working too.
>
> I wonder, did you try booting into the safe mode and using the built in
> Administrator account or was that disabled as well?


That was disabled as well.

Yousuf Khan
 
Yousuf Khan

Flightless Bird
On 28/07/2010 6:31 PM, Arno wrote:
>> However, the fact that all of the administrator accounts were disabled,
>> while the non-admin accounts were fine does lead me to believe perhaps
>> someone was trying to seize the machine. However, the machine was behind
>> a NAT router, so it's hard to understand how they planned to take over
>> this machine.

>
> Hmm. Maybe they hacked the NAT first? Would not be the first time.
> Anyways, good success with the cleanup.


Well, I don't know how they can, the firewall is inside a Dlink
broadband router with all external interfaces turned off. It's not the
well-known hackable Linksys WRT54G router.

I'm going through the event logs right now, but it's a needle in a
haystack. Where would I notice unauthorized access? Will it even leave a
trace in the event logs? There were several errors, warnings, and
criticals during the time period in question, but that's no different
than what was there before that time period.

Yousuf Khan
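The event-log question above, as an added example that is not part of the thread: a small Python triage over a constructed CSV-style export of Security log records (the column names, sample rows and the `find_account_tampering` helper are assumptions; the event IDs are the standard Windows Vista/7 and later account-management and logon audit IDs, which only appear if those audit subcategories are enabled).

```python
"""Triage account-management and logon events from a Security log export.

Added example, not from the thread. Assumes the log was exported to
CSV-like rows (constructed below); event IDs are the standard Windows
Vista/7+ Security log IDs for account management and logon auditing.
"""
import csv
from collections import defaultdict
from io import StringIO

# Security log event IDs of interest (Windows Vista/7 and later).
ACCOUNT_DISABLED = 4725      # "A user account was disabled"
PASSWORD_RESET = 4724        # "An attempt was made to reset an account's password"
GROUP_MEMBER_ADDED = 4732    # "A member was added to a security-enabled local group"
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Logon types meaning the box was reached over the network: 3 = network,
# 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {"3", "10"}

# Constructed sample export: time, event id, subject (actor), target, logon type.
SAMPLE_LOG = """\
time,event_id,subject,target,logon_type
2010-07-10T02:11:05,4625,-,Yousuf,10
2010-07-10T02:11:09,4625,-,Yousuf,10
2010-07-10T02:11:14,4625,-,Yousuf,10
2010-07-10T02:11:20,4624,-,Yousuf,10
2010-07-10T02:13:02,4725,Yousuf,Admin2,-
2010-07-10T02:13:03,4725,Yousuf,Admin3,-
2010-07-10T02:13:10,4724,Yousuf,Yousuf,-
2010-07-12T09:00:00,4624,-,Guest1,2
"""


def parse_events(text):
    """Parse the export into dicts with an integer event_id."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    return rows


def find_account_tampering(events, failure_threshold=3):
    """Return findings: remote logons that followed a burst of failures for
    the same account, plus account disables, password resets and
    privileged-group additions (each naming the acting account)."""
    findings = []
    failures = defaultdict(int)  # target account -> recent remote failures
    for e in events:
        eid, tgt = e["event_id"], e["target"]
        if eid == LOGON_FAILURE and e["logon_type"] in REMOTE_LOGON_TYPES:
            failures[tgt] += 1
        elif eid == LOGON_SUCCESS and e["logon_type"] in REMOTE_LOGON_TYPES:
            if failures[tgt] >= failure_threshold:
                findings.append(f"{e['time']}: remote logon as {tgt} after "
                                f"{failures[tgt]} failures (type {e['logon_type']})")
            failures[tgt] = 0
        elif eid == ACCOUNT_DISABLED:
            findings.append(f"{e['time']}: {e['subject']} disabled account {tgt}")
        elif eid == PASSWORD_RESET:
            findings.append(f"{e['time']}: {e['subject']} reset password of {tgt}")
        elif eid == GROUP_MEMBER_ADDED:
            findings.append(f"{e['time']}: {e['subject']} added {tgt} to a privileged group")
    return findings


if __name__ == "__main__":
    for line in find_account_tampering(parse_events(SAMPLE_LOG)):
        print(line)
```

On a real box the same 4725 records tell you which account performed the disable, which is the first thing to look at when the admin accounts went away while nobody was home.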
 
Gordon

Flightless Bird
On 29/07/10 23:11, Yousuf Khan wrote:
> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>> On 7/28/2010 1:18 PM, Yousuf Khan wrote:
>>> On 26/07/2010 12:12 AM, Frank wrote:
>>>> Boot from your Win 7 DVD, if you have one, and do a system restore.
>>>
>>> I looked into that possibility, but my last full backup was from April
>>> 2010, so it would've set the system back too far. Using the password
>>> cracker option, I was able to get it back to the level where I last left
>>> it.
>>>
>>> Yousuf Khan

>> Glad you got it working too.
>>
>> I wonder, did you try booting into the safe mode and using the built in
>> Administrator account or was that disabled as well?

>
> That was disabled as well.
>
> Yousuf Khan


That's by default, so don't worry about that.
 
Arno

Flightless Bird
In comp.sys.ibm.pc.hardware.storage Yousuf Khan <bbbl67@spammenot.yahoo.com> wrote:
> On 28/07/2010 6:31 PM, Arno wrote:
>>> However, the fact that all of the administrator accounts were disabled,
>>> while the non-admin accounts were fine does lead me to believe perhaps
>>> someone was trying to seize the machine. However, the machine was behind
>>> a NAT router, so it's hard to understand how they planned to take over
>>> this machine.

>>
>> Hmm. Maybe they hacked the NAT first? Would not be the first time.
>> Anyways, good success with the cleanup.


> Well, I don't know how they can, the firewall is inside a Dlink
> broadband router with all external interfaces turned off. It's not the
> well-known hackable Linksys WRT54G router.


> I'm going through the event logs right now, but it's a needle in a
> haystack. Where would I notice unauthorized access? Will it even leave a
> trace in the event logs? There were several errors, warnings, and
> criticals during the time period in question, but that's no different
> than what was there before that time period.


You can try a different approach: Search for known vulnerabilities
for this device.

It is quite possible that the logs will not help.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
 
Yousuf Khan

Flightless Bird
On 30/07/2010 2:48 AM, Gordon wrote:
> On 29/07/10 23:11, Yousuf Khan wrote:
>> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>>> I wonder, did you try booting into the safe mode and using the built in
>>> Administrator account or was that disabled as well?

>>
>> That was disabled as well.
>>
>> Yousuf Khan

>
> That's by default, so don't worry about that.
>


It's still a mystery why the other accounts got disabled. Wonder if it
could've been a Microsoft bug?

Yousuf Khan
 
Frank

Flightless Bird
On 7/30/2010 2:56 PM, Yousuf Khan wrote:
> On 30/07/2010 2:48 AM, Gordon wrote:
>> On 29/07/10 23:11, Yousuf Khan wrote:
>>> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>>>> I wonder, did you try booting into the safe mode and using the built in
>>>> Administrator account or was that disabled as well?
>>>
>>> That was disabled as well.
>>>
>>> Yousuf Khan

>>
>> That's by default, so don't worry about that.
>>

>
> It's still a mystery why the other accounts got disabled. Wonder if it
> could've been a Microsoft bug?
>
> Yousuf Khan


More likely, an operator error.
 
Yousuf Khan

Flightless Bird
On 30/07/2010 7:39 PM, Frank wrote:
> More likely, an operator error.


Good answer, considering that there were no operators around at the time.

Yousuf Khan
 
Mr Baracuda

Flightless Bird
Is that what you tell your nurse when she finds out you have peed and shit
on yourself again?

Frank: sorry Nurse, it was "an operator error"
Nurse: Yeah like the time you grabbed my arse and then said sorry you
thought I was a goat huh?

LOL!

Why don’t you leave the computer and return to the real world frank??

NO!!!!! wait that's a horrible idea.. It's safer for everyone that you cling
to your computer and express your madness in cyberspace, than in real
life.....

You poor rotten muderfaker!



"Frank" wrote in message news:4c536283@news.x-privat.org...

On 7/30/2010 2:56 PM, Yousuf Khan wrote:
> On 30/07/2010 2:48 AM, Gordon wrote:
>> On 29/07/10 23:11, Yousuf Khan wrote:
>>> On 29/07/2010 12:00 PM, GlowingBlueMist wrote:
>>>> I wonder, did you try booting into the safe mode and using the built in
>>>> Administrator account or was that disabled as well?
>>>
>>> That was disabled as well.
>>>
>>> Yousuf Khan

>>
>> That's by default, so don't worry about that.
>>

>
> It's still a mystery why the other accounts got disabled. Wonder if it
> could've been a Microsoft bug?
>
> Yousuf Khan


More likely, an operator error.