User accounts have gone missing!

Yousuf Khan

I have a perplexing problem here. I went on vacation outside of the
country, and when I got back my Windows 7 desktop lost almost all of its
user login accounts (5 altogether), except for one. The one that isn't
lost, cannot be logged into, as the password doesn't get accepted.

The machine also has a dual-boot to Windows XP, and choosing to boot
into XP gets you the message that that operating system doesn't exist.
Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
password to the one remaining account.

Using a Ubuntu Linux, I've taken a look at the Windows file system and
all files seem to be still there and I can access them, and Ubuntu
doesn't report any physical problems with the boot disk (SMART looks
fine). This happened while I was away, so I didn't even observe it
myself, and I can't even login to an account to look at the event logs.

Yousuf Khan
 

Parko

> I have a perplexing problem here. I went on vacation outside of the
> country, and when I got back my Windows 7 desktop lost almost all of its
> user login accounts (5 altogether), except for one. The one that isn't
> lost, cannot be logged into, as the password doesn't get accepted.
>
> The machine also has a dual-boot to Windows XP, and choosing to boot
> into XP gets you the message that that operating system doesn't exist.
> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
> password to the one remaining account.
>
> Using a Ubuntu Linux, I've taken a look at the Windows file system and
> all files seem to be still there and I can access them, and Ubuntu
> doesn't report any physical problems with the boot disk (SMART looks
> fine). This happened while I was away, so I didn't even observe it
> myself, and I can't even login to an account to look at the event logs.
>
> Yousuf Khan

I've used this quite successfully in the past. Fairly straightforward to
use.
http://pogostick.net/~pnh/ntpasswd/
 

Arno

In comp.sys.ibm.pc.hardware.storage Yousuf Khan said:
> I have a perplexing problem here. I went on vacation outside of the
> country, and when I got back my Windows 7 desktop lost almost all of its
> user login accounts (5 altogether), except for one. The one that isn't
> lost, cannot be logged into, as the password doesn't get accepted.

I suppose the machine was running with Internet connectivity?
If so: Congratulations, you have acquired a SPAM-relay/bot-net node.

> The machine also has a dual-boot to Windows XP, and choosing to boot
> into XP gets you the message that that operating system doesn't exist.
> Going to Safe mode in Windows 7 doesn't help as it doesn't accept the
> password to the one remaining account.
>
> Using a Ubuntu Linux, I've taken a look at the Windows file system and
> all files seem to be still there and I can access them, and Ubuntu
> doesn't report any physical problems with the boot disk (SMART looks
> fine). This happened while I was away, so I didn't even observe it
> myself, and I can't even login to an account to look at the event logs.

I would recommend complete sanitization while not connected
to a network.

Arno
 

Yousuf Khan

> I've used this quite successfully in the past. Fairly straightforward to
> use.
> http://pogostick.net/~pnh/ntpasswd/

Hey, thanks, this seems to have done the trick. After I ran this, it
showed that all of my missing user accounts were actually still there,
but they were somehow disabled. At least all of the administrator-level
accounts were disabled, but the standard user level accounts were unchanged.

I re-enabled all of those administrator accounts, and changed their
passwords.

If I had gone with the restore from CD or restore from backups route,
then my machine would've been set back to a level from April 2010, and
that would've been too far back.

Yousuf Khan
 

Yousuf Khan

> Boot from your Win 7 DVD, if you have one, and do a system restore.

I looked into that possibility, but my last full backup was from April
2010, so it would've set the system back too far. Using the password
cracker option, I was able to get it back to the level where I last left
it.

Yousuf Khan
 

Yousuf Khan

> I suppose the machine was running with Internet connectivity?
> If so: Congratulations, you have acquired a SPAM-relay/bot-net node.

I don't think it got to that level. I did a complete virus scan of the
disk, while booted into another operating system, and it checked out as
clean. I think virus scanners can usually pick up root kits too.

Also I told my brother to shut this machine down completely when I heard
what was happening to it. So it's been shut off for over a month now, so
I don't think, if somebody was trying to seize this machine, that they
had time to use it; it went offline fairly quickly.

However, the fact that all of the administrator accounts were disabled,
while the non-admin accounts were fine does lead me to believe perhaps
someone was trying to seize the machine. However, the machine was behind
a NAT router, so it's hard to understand how they planned to take over
this machine.

Yousuf Khan
 

Gene E. Bloch

> Hey, thanks, this seems to have done the trick. After I ran this, it
> showed that all of my missing user accounts were actually still there,
> but they were somehow disabled. At least all of the administrator-level
> accounts were disabled, but the standard user level accounts were unchanged.
>
> I re-enabled all of those administrator accounts, and changed their
> passwords.
>
> If I had gone with the restore from CD or restore from backups route,
> then my machine would've been set back to a level from April 2010, and
> that would've been too far back.
>
> Yousuf Khan

In this thread you have twice equated System Restore with restoring your
drive from a backup. That's not what it is.

System Restore basically just fixes a few (mostly Windows) problems from a
backup-like stash of a few (mostly Windows) items, supposedly without
affecting user data. These backups are made frequently and automatically.

Google for it so you can see what I'm talking about.
 

Arno

> I don't think it got to that level. I did a complete virus scan of the
> disk, while booted into another operating system, and it checked out as
> clean. I think virus scanners can usually pick up root kits too.

At least they should. With current signatures I would say your
assumption is reasonable.

> Also I told my brother to shut this machine down completely when I heard
> what was happening to it. So it's been shut off for over a month now, so
> I don't think, if somebody was trying to seize this machine, that they
> had time to use it; it went offline fairly quickly.

Agreed.

> However, the fact that all of the administrator accounts were disabled,
> while the non-admin accounts were fine does lead me to believe perhaps
> someone was trying to seize the machine. However, the machine was behind
> a NAT router, so it's hard to understand how they planned to take over
> this machine.

Hmm. Maybe they hacked the NAT first? Would not be the first time.
Anyways, good success with the cleanup.

Arno
 

GlowingBlueMist

> I looked into that possibility, but my last full backup was from April
> 2010, so it would've set the system back too far. Using the password
> cracker option, I was able to get it back to the level where I last left
> it.
>
> Yousuf Khan

Glad you got it working too.

I wonder, did you try booting into the safe mode and using the built in
Administrator account or was that disabled as well?
 

Gordon

> Glad you got it working too.
>
> I wonder, did you try booting into the safe mode and using the built in
> Administrator account or was that disabled as well?

The built-in Administrator Account is disabled by default in Windows 7.
That's why it's very good practice to have an administrator account for
elevation and emergency purposes and a Standard User account for day to
day running...
 

Yousuf Khan

> Glad you got it working too.
>
> I wonder, did you try booting into the safe mode and using the built in
> Administrator account or was that disabled as well?

That was disabled as well.

Yousuf Khan
 

Yousuf Khan

> Hmm. Maybe they hacked the NAT first? Would not be the first time.
> Anyways, good success with the cleanup.

Well, I don't know how they can, the firewall is inside a Dlink
broadband router with all external interfaces turned off. It's not the
well-known hackable Linksys WRT54G router.

I'm going through the event logs right now, but it's a needle in a
haystack. Where would I notice unauthorized access? Will it even leave a
trace in the event logs? There were several errors, warnings, and
criticals during the time period in question, but that's no different
than what was there before that time period.

Yousuf Khan
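One way to start the event-log search asked about in the post above, as an added example rather than anything posted in this thread: a PowerShell script that pulls the account-management and logon events out of the Windows 7 Security log, either the live log or a Security.evtx copied off the disk while booted into Ubuntu. The event IDs and the Security.evtx path are Microsoft's; the 45-day window, the parameter names and the assumption that the relevant audit subcategories were enabled are mine.

```powershell
# Added example, not from the thread: pull the account-management and logon
# events out of a Windows 7 Security log, live or from a Security.evtx copied
# off the disk (default path C:\Windows\System32\winevt\Logs\Security.evtx).
# Assumption not stated in the thread: the User Account Management and Logon
# audit subcategories were enabled; otherwise these event IDs never appear.
param(
    [string]$LogPath = "",                       # "" = query the live log
    [datetime]$Start = (Get-Date).AddDays(-45),  # covers the month away
    [datetime]$End   = Get-Date
)

# Security event IDs (Vista/7 and later) that record the actions in question;
# 4725 is exactly "all the admin accounts were disabled" from the thread.
$Ids = @{
    4720 = "User account created"
    4722 = "User account enabled"
    4724 = "Password reset attempted on another account"
    4725 = "User account disabled"
    4726 = "User account deleted"
    4732 = "Member added to a local group (e.g. Administrators)"
    4738 = "User account changed"
    4624 = "Successful logon"
    4625 = "Failed logon"
}

$Filter = @{ Id = [int[]]$Ids.Keys; StartTime = $Start; EndTime = $End }
if ($LogPath) { $Filter.Path = $LogPath } else { $Filter.LogName = "Security" }

# Flatten EventData into name/value pairs: who did what to whom, and from where.
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Id        = $_.Id
        What      = $Ids[$_.Id]
        Target    = $d.TargetUserName   # account acted on, or the one logging on
        Actor     = $d.SubjectUserName  # account that performed the action
        LogonType = $d.LogonType        # 2 console, 3 network, 10 RDP (4624/4625)
        SourceIP  = $d.IpAddress        # remote address on 4624/4625
    }
  } | Sort-Object Time |
  Select-Object Time, Id, What, Target, Actor, LogonType, SourceIP |
  Format-Table -AutoSize

# Worth pulling out of the haystack: a burst of 4725 from one Actor, 4724 against
# admin accounts, or a 4624 with LogonType 3/10 from an address you do not know.
```

Run it with `-LogPath` pointing at the copied Security.evtx to read the log without booting the suspect Windows install; an empty result usually means the audit subcategories were off, not that nothing happened.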
 

Arno

> Well, I don't know how they can, the firewall is inside a Dlink
> broadband router with all external interfaces turned off. It's not the
> well-known hackable Linksys WRT54G router.
>
> I'm going through the event logs right now, but it's a needle in a
> haystack. Where would I notice unauthorized access? Will it even leave a
> trace in the event logs? There were several errors, warnings, and
> criticals during the time period in question, but that's no different
> than what was there before that time period.

You can try a different approach: Search for known vulnerabilities
for this device.

It is quite possible that the logs will not help.

Arno
 

Yousuf Khan

> That's by default, so don't worry about that.

It's still a mystery why the other accounts got disabled. Wonder if it
could've been a Microsoft bug?

Yousuf Khan
 

Mr Baracuda

frank is this newsgroup's senile wrinkled old bastard that thinks he knows
stuff about computers... BUT HE DOESN'T!

ignore him, or better yet, try making fun of him like I do... it's really
enjoyable to kick such a lowlife in the ass!

"Yousuf Khan" wrote in message
>> More likely, an operator error.
>
> Good answer, considering that there were no operators around at the time.
>
> Yousuf Khan
 

Mr Baracuda

There are 2 ways to motivate a person

with a stick
or with a carrot

we stuck both in Frank's ass and he is still not motivated!

DAMN THE OLD BASTARD!

"Frank" wrote in message
>> Good answer, considering that there were no operators around at the time.
>>
>> Yousuf Khan
>
> Really? So your computer destroyed itself all by itself?
> WoW! I've never heard that one before.
> Well, maybe capin' crunch has used that excuse for his incompetence.
 

Mr Baracuda

you are old and gay...

you are more of a creep than I thought....

give me your son's email so I can send him what his daddy is posting in
newsgroups

I'll bet they will be proud of you

I'll CC it to your local pastor too.....

"Frank" wrote in message
 
