User accounts have gone missing!

I have a perplexing problem here. I went on vacation outside of the
country, and when I got back my Windows 7 desktop lost almost all of its
user login accounts (5 altogether), except for one. The one that isn't
lost, cannot be logged into, as the password doesn't get accepted.

The machine also has a dual-boot to Windows XP, and choosing to boot
into XP gets you the message that that operating system doesn't exist.
Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
password to the one remain account.

Using a Ubuntu Linux, I've taken a look at the Windows file system and
all files seem to be still there and I can access them, and Ubuntu
doesn't report any physical problems with the boot disk (SMART looks
fine). This happened while I was away, so I didn't even observe it
myself, and I can't even login to an account to look at the event logs.

Yousuf Khan

On Sun, 25 Jul 2010 13:17:19 -0500, Yousuf Khan scrawled:

> I have a perplexing problem here. I went on vacation outside of the
> country, and when I got back my Windows 7 desktop lost almost all of its
> user login accounts (5 altogether), except for one. The one that isn't
> lost, cannot be logged into, as the password doesn't get accepted.
>
> The machine also has a dual-boot to Windows XP, and choosing to boot
> into XP gets you the message that that operating system doesn't exist.
> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
> password to the one remain account.
>
> Using a Ubuntu Linux, I've taken a look at the Windows file system and
> all files seem to be still there and I can access them, and Ubuntu
> doesn't report any physical problems with the boot disk (SMART looks
> fine). This happened while I was away, so I didn't even observe it
> myself, and I can't even login to an account to look at the event logs.
>
> Yousuf Khan

I've used this quite successfully in the past. Fairly straightforward to
use.
http://pogostick.net/~pnh/ntpasswd/

--
You will be prompted to restart the computer. Click Yes. "This is not a
psychotic episode. It's a cleansing moment of clarity."





--
You will be prompted to restart the computer. Click Yes. "This is not a
psychotic episode. It's a cleansing moment of clarity."

In comp.sys.ibm.pc.hardware.storage Yousuf Khan <> wrote:
> I have a perplexing problem here. I went on vacation outside of the
> country, and when I got back my Windows 7 desktop lost almost all of its
> user login accounts (5 altogether), except for one. The one that isn't
> lost, cannot be logged into, as the password doesn't get accepted.

I suppose the machine was running with INternet connectivity?
If so: Congratulations, you have aquired a SPAM-relay/bot-net node.

> The machine also has a dual-boot to Windows XP, and choosing to boot
> into XP gets you the message that that operating system doesn't exist.
> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
> password to the one remain account.

> Using a Ubuntu Linux, I've taken a look at the Windows file system and
> all files seem to be still there and I can access them, and Ubuntu
> doesn't report any physical problems with the boot disk (SMART looks
> fine). This happened while I was away, so I didn't even observe it
> myself, and I can't even login to an account to look at the event logs.

I would recommend complete sanitization while not connected
to a network.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

On 25/07/2010 10:09 PM, Parko wrote:
> I've used this quite successfully in the past. Fairly straightforward to
> use.
> http://pogostick.net/~pnh/ntpasswd/
>

Hey, thanks, this seems to have done the trick. After I ran this, it
showed that all of my missing user accounts were actually still there,
but they were somehow disabled. At least all of the administrator-level
accounts were disabled, but the standard user level accounts were unchanged.

I re-enabled all of those administrator accounts, and changed their
passwords.

If I had gone with the restore from CD or restore from backups route,
then my machine would've been set back to a level from April 2010, and
that would've been too far back.

Yousuf Khan

On 26/07/2010 12:12 AM, Frank wrote:
> Boot from your Win 7 DVD, if you have one, and do a system restore.

I looked into that possibility, but my last full backup was from April
2010, so it would've set the system back too far. Using the password
cracker option, I was able to get it back to the level where I last left
it.

Yousuf Khan

On 26/07/2010 5:35 AM, Arno wrote:
> In comp.sys.ibm.pc.hardware.storage Yousuf Khan<> wrote:
>> I have a perplexing problem here. I went on vacation outside of the
>> country, and when I got back my Windows 7 desktop lost almost all of its
>> user login accounts (5 altogether), except for one. The one that isn't
>> lost, cannot be logged into, as the password doesn't get accepted.
>
> I suppose the machine was running with INternet connectivity?
> If so: Congratulations, you have aquired a SPAM-relay/bot-net node.

I don't think it got to that level. I did a complete virus scan of the
disk, while booted into another operating system, and it checked out as
clean. I think virus scanners can usually pick up root kits too.

Also I told my brother to shut this machine done completely when I heard
what was happening to it. So it's been shut off for over a month now, so
I don't think if somebody was trying to seize this machine, it went
offline fairly quickly and they didn't have time to use it.

However, the fact that all of the administrator accounts were disabled,
while the non-admin accounts were fine does lead me to believe perhaps
someone was trying to seize the machine. However, the machine was behind
a NAT router, so it's hard to understand how they planned to take over
this machine.

Yousuf Khan

On Wed, 28 Jul 2010 14:17:27 -0400, Yousuf Khan wrote:

> On 25/07/2010 10:09 PM, Parko wrote:
>> I've used this quite successfully in the past. Fairly straightforward to
>> use.
>> http://pogostick.net/~pnh/ntpasswd/
>>
>
> Hey, thanks, this seems to have done the trick. After I ran this, it
> showed that all of my missing user accounts were actually still there,
> but they were somehow disabled. At least all of the administrator-level
> accounts were disabled, but the standard user level accounts were unchanged.
>
> I re-enabled all of those administrator accounts, and changed their
> passwords.
>
> If I had gone with the restore from CD or restore from backups route,
> then my machine would've been set back to a level from April 2010, and
> that would've been too far back.
>
> Yousuf Khan

In this thread you have twice equated System Restore with restoring your
drive from a backup. That's not what it is.

System Restore basically just fixes a few (mostly Windows) problems from a
backup-like stash of a few (mostly Windows) items, supposedly without
affecting user data. These backups are made frequently and automatically.

Google for it so you can see what I'm talking about.

--
Gene E. Bloch (Stumbling Bloch)

In comp.sys.ibm.pc.hardware.storage Yousuf Khan <> wrote:
> On 26/07/2010 5:35 AM, Arno wrote:
>> In comp.sys.ibm.pc.hardware.storage Yousuf Khan<> wrote:
>>> I have a perplexing problem here. I went on vacation outside of the
>>> country, and when I got back my Windows 7 desktop lost almost all of its
>>> user login accounts (5 altogether), except for one. The one that isn't
>>> lost, cannot be logged into, as the password doesn't get accepted.
>>
>> I suppose the machine was running with INternet connectivity?
>> If so: Congratulations, you have aquired a SPAM-relay/bot-net node.

> I don't think it got to that level. I did a complete virus scan of the
> disk, while booted into another operating system, and it checked out as
> clean. I think virus scanners can usually pick up root kits too.

At least they should. With current signatures I would say your
assumption is reasonable.

> Also I told my brother to shut this machine done completely when I heard
> what was happening to it. So it's been shut off for over a month now, so
> I don't think if somebody was trying to seize this machine, it went
> offline fairly quickly and they didn't have time to use it.

Agreed.

> However, the fact that all of the administrator accounts were disabled,
> while the non-admin accounts were fine does lead me to believe perhaps
> someone was trying to seize the machine. However, the machine was behind
> a NAT router, so it's hard to understand how they planned to take over
> this machine.

Hmm. Maybe they hacked the NAT first? Would not be the first time.
Anyways, good success with the cleanup.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

On 7/28/2010 1:18 PM, Yousuf Khan wrote:
> On 26/07/2010 12:12 AM, Frank wrote:
>> Boot from your Win 7 DVD, if you have one, and do a system restore.
>
> I looked into that possibility, but my last full backup was from April
> 2010, so it would've set the system back too far. Using the password
> cracker option, I was able to get it back to the level where I last left
> it.
>
> Yousuf Khan
Glad you got it working too.

I wonder, did you try booting into the safe mode and using the built in
Administrator account or was that disabled as well?

On 29/07/10 17:00, GlowingBlueMist wrote:
> On 7/28/2010 1:18 PM, Yousuf Khan wrote:
>> On 26/07/2010 12:12 AM, Frank wrote:
>>> Boot from your Win 7 DVD, if you have one, and do a system restore.
>>
>> I looked into that possibility, but my last full backup was from April
>> 2010, so it would've set the system back too far. Using the password
>> cracker option, I was able to get it back to the level where I last left
>> it.
>>
>> Yousuf Khan
> Glad you got it working too.
>
> I wonder, did you try booting into the safe mode and using the built in
> Administrator account or was that disabled as well?

The built-in Administrator Account is disabled by default in Windows 7.
That's why its very good practice to have an administrator account for
elevation and emergency purposes and a Standard User account for day to
day running...