#1
Member (3 bit)
Join Date: Apr 2009
Posts: 6
XP suddenly requires a password
Hi,
My computer (Windows XP Media Center Edition, SP3) has suddenly decided that I need a Windows password to get in. Problem is, I’ve never set up a Windows password. I have tried several things to get around the sign-in screen, but all have failed. There have been a few changes and/or events recently, and surely the problem is tied to one or more: 1) possible virus/worm about a month ago, 2) accidentally deleted PCHealth from my computer about two weeks ago, 3) unable to access Windows XP Help Center, and 4) I set up Symantec Identity Safe. Here’s the timeline of events and a list of things I’ve tried. I think there are further steps I could take regarding safe mode, but I’m not sure how to go about that and need some guidance. I apologize for the lengthy message.

One month ago, when exiting AOL, a window opened up in IE7 (which had not been running) that said at the top “about: blank” and showed a web site I had been to a couple days before (a reputable one). This window duplicated itself over and over. I started a scan in Ad-Aware, but the program crashed and would not restart. I tried to open Firefox and AOL, but both opened the same IE duplicating window. Norton, BitDefender, etc. scans were all negative. Ad-Aware would not work anymore so I reinstalled it, but from then on whenever I would get to my desktop from standby or restart, the Ad-Aware program folder would be open. I also had two programs that had been working fine, but now would not open (Ad-Aware was one of them). With both programs, the initial screen would appear as if it was going to open, but then would just disappear. I posted a query to the Ad-Aware user forum. The moderator suggested Revio Software Removal tool to completely remove A-A, reinstall it, run HiJack This, post results, and he would get back to me. Revio found no traces of Ad-Aware, but did find a program called PCHealth. Several sites from Google search said this was a worm or Trojan, so I deleted it. I ran HiJack This, posted the results, but have had no response from the moderator (three weeks). My system appears to be working fine.

A couple weeks later a routine BitDefender scan showed a file called simply “rootkit”, with a message that said it had not been able to do anything to resolve it. Symantec, BitDefender (again), F-Secure, AVG, and a couple other scans were all negative.

Two days ago I set up Symantec Identity Safe, including passwords for editing Identity Safe settings. Same evening I noticed that I couldn't access Windows XP Help Center (said it couldn’t find the file). I rebooted thinking this would solve the Help Center problem, but when it came back up it took me to the Windows log-in screen and asked for my password. As I have never set up a Windows password, I obviously don’t know what it is. And in case you’re wondering, yes I saved my Identity Safe passwords, but they’re in a Word file...on my computer…as it gave no indication that it would affect the Windows password.

Called Symantec. They said Identity Safe does not control Windows password and I should contact Dell. Called Dell and explained issues with Help Center and password. They said that someone must have snuck in and changed my [nonexistent] password when I wasn’t looking. They advised a complete reinstall of XP to factory level.

So far I have tried:
--Ctrl Alt Delete to other signon screen, signed in as Administrator, failed as password was required.
--[Enter] to bypass password, failed as password required.
--Booted the Dell Diagnostics CD that came with my computer and everything passed, except for CD-ROM which said “Optical drive BIST-OPU test failed. Error Code OFOO:286E”.
--Went into Setup and it shows that no Windows password is in place.
--Tried to do a repair install of XP so I could get in and change my supposed Windows password, but I never saw the option “boot to CD”. Tried it again by hitting F12, but got an error message: “Selected boot device not available. Hit F1 retry or F2 Setup”.
--Went into Setup and changed my BIOS settings to boot from CD first. Tried repair reinstall again, several times, but always receive the same error message that the boot device was not available. Obviously I’m able to boot from CD, so I don’t understand why I can’t access the CD to repair the Windows install.
--Tried restoring to last known good configuration, which took me back to the same Windows log-in screen that I can’t get past.
--Tried starting in Safe Mode. I got to the black screen, but then it flipped over to the same Windows log-in screen, only this time there were two users to pick from, Administrator and [me], both password protected.
--Ran Ophcrack from bootable CD (more than once) on both the main drive and backup drive. It could not find a Windows password on either one, but on one drive it showed the last three digits and said my passwords had been saved to a .txt file, but I could not find that .txt file.

Help. I use this computer for work and need to get it up and running. Thanks again for any advice.
–Lori
#2
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
Last edited by glc; 04-02-2009 at 09:56 PM.
#3
Member (3 bit)
Join Date: Apr 2009
Posts: 6
Thanks for the advice, I appreciate it. May I ask what you mean by zero fill the hard drive? I have never had to reinstall Windows before.
#4
Professional Cow Tipper
Join Date: Jan 2002
Location: Enid, OK, U.S.A.
Posts: 2,859
To zero fill, you'll need to go to the website of the manufacturer of your hard drive (i.e. Western Digital, Seagate, etc) and download their zero fill utility. It's a little program that basically goes through and writes zeros to all the individual memory locations on your hard drive, thus erasing anything on it. It's not a "have to" thing for just reinstalling Windows, mind you, but it is useful for situations like this where you might have someone intruding in your system, because it helps to be sure that whatever WAS on there ISN'T on there anymore. A lot of people use a zero fill when they're selling their old computer too, because they don't want the new owner getting ahold of any of their banking/credit card numbers, so they zero fill, reinstall Windows, and sell it to the buyer feeling more secure that their personal info is not on the computer anymore.
__________________
Excellent guess, Kreskin! Wrong...but excellent. *quote from Space Quest 6*
Last edited by juppy; 04-03-2009 at 01:58 AM.
#5
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
Here is a zero fill utility that works on any brand of hard drive.
However, Dell hard drives have 3 or 4 partitions, depending on whether you have Media Direct or not. Zero filling will remove them all - main, diagnostic, recovery, and Media Direct.
Before you do ANYTHING: any reformatting or wiping is going to delete ALL your data files. Do you have backups? If not, being that you cannot get into Windows to back them up, you will need to remove the hard drive and connect it to another computer using this adapter.
You can TRY a standard system recovery (which WILL delete all your files) by pressing Ctrl+F11 on startup. This returns the hard drive back to the state it was in when the computer was delivered. This MIGHT not get rid of the rootkit though, but it's worth a try before you start nuking partitions and reloading with CDs.
Last edited by glc; 04-03-2009 at 06:07 AM.
#6
Member (3 bit)
Join Date: Apr 2009
Posts: 6
My important documents I have backed up on flash drives. But a little education, please, on rootkits.
Does a rootkit attach itself to all file types on a computer, particularly my Word files and digital photos? Since my flash drives have Word files and photos copied from the computer with the rootkit, should I assume that the flash drives are also infected with this rootkit, and if so, won't plugging them into another computer then infect that computer? Likewise, if I use the adapter to connect to another computer, do I run the risk of infecting the other computer?
#7
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
You should be safe if you hotplug the adapter or your flash keys as long as the host computer has a quality, up-to-date antivirus package on it with some kind of background protection or resident shield AND rootkit detection. Immediately after connecting, as soon as it's accessible, do a complete virus scan on it.
A rootkit can embed itself in a part of the drive that is not cleared by a standard format - that's my concern.
#8
Member (11 bit)
Join Date: Apr 2003
Posts: 1,525
If you don't want to remove the hard drive and install it on another box, you should be able to access the drive with a Linux livecd. I usually recommend slax since it's a relatively small download and pretty user friendly for someone unfamiliar with Linux. You can then copy your data to some external media like a flash drive or USB external hard drive. Here's the link:
http://www.slax.org/get_slax.php
Download the CD version iso, burn it as an image to a CD-R or CD-RW, set your system to boot from the CD drive first in your BIOS setup, insert your slax CD and boot up. You will boot to a Linux desktop and will have access to your hard drive. Connect your flash drive or external hard drive and it will be automatically detected. Transfer the files off your hard drive that you want.
Once you're done, I agree with everyone else here on doing a zero fill. A rootkit can hide in your hard drive's MBR and even a full format and reinstall won't get rid of it. Once you see evidence of a rootkit, a zero fill is prudent IMHO.
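Added illustration (not from any poster in this thread): a small Python model of the point made in the last two posts, namely that boot code living in the MBR (LBA 0) survives a format or reinstall that only rewrites the partition behind it, while a zero fill clears every byte, and that a known-good hash of the boot code is one way a checker can spot the change. All bytes, including the "clean" and "tampered" loaders, are constructed placeholders held in memory; no real drive is read or written.

```python
# Constructed model of a tiny disk: MBR at LBA 0, one partition behind it.
# All bytes are synthetic; nothing here touches a real device.
import hashlib

SECTOR = 512
BOOT_CODE_LEN = 440      # classic MBR boot code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # MBR signature in bytes 510..511

CLEAN_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 438   # placeholder "good" loader
TAMPERED_BOOT_CODE = b"\xe9" + b"\x00" * 439    # placeholder altered loader


def make_disk(boot_code=CLEAN_BOOT_CODE, sectors=8):
    """Build the synthetic disk image as a bytearray."""
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code
    # One entry: bootable flag, type 0x07, start LBA 1, length sectors-1.
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
    entry += (1).to_bytes(4, "little") + (sectors - 1).to_bytes(4, "little")
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = BOOT_SIG
    # Partition contents: non-zero filler standing in for user data.
    return mbr + bytearray(b"\xcc" * SECTOR * (sectors - 1))


def boot_code_hash(disk):
    """SHA-256 over the boot code only (what a checker records as known-good)."""
    return hashlib.sha256(bytes(disk[:BOOT_CODE_LEN])).hexdigest()


def boot_code_modified(disk, known_good_hash):
    """Detection: does the MBR loader differ from the known-good hash?"""
    return boot_code_hash(disk) != known_good_hash


def quick_format(disk):
    """Simulated format/reinstall: rewrites the partition, leaves LBA 0 alone."""
    out = bytearray(disk)
    out[SECTOR:] = bytes(len(disk) - SECTOR)
    return out


def zero_fill(disk):
    """Simulated manufacturer zero-fill: every byte of the device becomes 0x00."""
    return bytearray(len(disk))


def is_all_zero(disk):
    """Verification after a wipe: no non-zero byte remains anywhere."""
    return not any(disk)
```

Running the functions in sequence shows that `quick_format` leaves the altered loader in place (the hash still mismatches) while `zero_fill` passes the all-zero check.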
#9
Member (3 bit)
Join Date: Apr 2009
Posts: 6
Hi everyone...You've all been so helpful. I wanted to give you an update and ask how to proceed from here.
I used the Linux live cd and copied files to my flash drive. I burned the zero-fill program to cd, so it's ready to go. I finally tried Ctrl F11 and was able to restore my computer with a restore point created by Norton Ghost. I'm in! However, I still want to zero-fill and reinstall but am a little unsure about the process. I've read several posts on various forums where they talk about reformatting the hard drive, partitions, and basically lots of stuff that makes my eyes glaze over and slight panic to set in. So, I install the zero-fill cd and I'm assuming just follow the prompts, correct? Once that is done, do I simply insert the XP reinstallation CD that came with my computer and again follow the prompts? What about this reformatting of the hard drive I'm reading about? Maybe I'm making this too difficult, but I like to be prepared. Step-by-step instructions for this novice would be so much appreciated. And for what it's worth, my reinstallation cd still does not work in the cd drive, but I was able to open it in my dvd/rw drive (haven't tried booting to it yet though). Maybe it's something the rootkit did.
And on a separate note, I have another computer infected with the Sony rootkit that's been sitting in my closet for five years. Now that you kind people have educated me on how to zero-fill and reinstall I'm ready to tackle this computer, as well. Problem is this: Sony rootkit destroyed the cd/dvd drives, which I obviously will need to perform the zero-fill/reinstallation. So, if I install a new cd drive, won't the rootkit simply destroy that one, as well, before I even have a chance to zero-fill? What are the steps I should take to get this computer up and running? Even though these rootkits are a pain in the neck, I've learned a lot in the process...so thanks to everyone for helping me along.
#10
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
If you zero fill, you will lose the recovery partition - then reinstall from CD is your only option. Why don't you just scan with a rootkit detector now that you have it back up and running?
http://www.f-secure.com/en_EMEA/secu...ght/index.html
A rootkit cannot destroy an optical drive.
#11
Member (3 bit)
Join Date: Apr 2009
Posts: 6
Because I was told here that was the only way to be sure the rootkit was gone. I scanned this morning with F-Secure...it found nothing. Scanned with Rootkit Revealer and am waiting on their forum to analyze the results.
And the Sony rootkit did destroy the CD drive, if you tried to remove the rootkit. See these old posts at the links below, plus there's a lot more out there on the subject if you're interested. While looking these up for you, I see that Microsoft has something now that will remove Sony's rootkit, which I will try, but as it stands now my cd/dvd drive is inoperable because of it. I was part of the class action lawsuit against Sony/BMG and was rewarded $25 for my trouble. Maybe the removal tool will make it operable again, we'll see. --L
http://blogs.technet.com/markrussino...e-too-far.aspx
http://blogs.technet.com/antimalware...17/414741.aspx
http://www.boingboing.net/2006/09/14...it-disabl.html
#12
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791
That doesn't kill the drive itself - it just disables it within the operating system. Boot the Sony with some kind of bootable utility CD (like maybe a zero fill?) - if it won't boot, it's not the rootkit that killed the drive; the drive is faulty for another reason.
If your Dell comes up verified clean, you should be fine and there's no need to destroy all the factory partitions. Like I said, the recovery WAS worth a try! NOTE that the Dell CD drive may be shot.
#13
Member (3 bit)
Join Date: Apr 2009
Posts: 6
Actually, all is well on the rootkit front. The computer that had the Sony rootkit is up and running rootkit-free (and the cd drive is working fine). Yea! And I'm back into the computer I was locked out of and I can find no evidence of a rootkit via F-Secure, Rootkit Revealer, or Microsoft's Malicious something scan.
Thanks again for your help!