Computer hacked, now can't login, win 2k
Win2k, here is the story:
Client was using his computer, just doing some stuff with MS Word. Then all of a sudden weird things started happening (that's the only description I got). So he called for a PC tech. One of my co-workers went down there and tried to shut down the computer. A message displayed that he did not have permission to shut down the computer. The tech then decided to look at the files on the hard drive. He went to My Computer, and then the C drive, and nothing was displayed. However, if he went to the properties of C it would display it as 8 gigs full or so. The tech ended up shutting down the computer, not through Windows. When booted back up, safe mode or not, you cannot log in. You get an error message:
Quote:
Logon Message: The system cannot log you on due to the following error:
The parameter is incorrect.
Please try again or consult your system administrator.
No matter what account you try to log in as, you get that message, even if you try the administrator account. My first thought was the attack had disabled all the accounts. So to fix this I ran a Linux boot disk with chntpw and sure enough the admin account was disabled/locked out. So I enabled it and reset the password to nothing. Yet when I rebooted, safe mode or not, the same error message appears.
I then booted to a Norton AntiVirus CD I had and did a virus scan from there; no viruses were found.
My backup plan is to hook up the hard drive as a secondary hard drive and then get the data off. I'm guessing NTFS permissions will give me trouble, so then my fallback plan is to use GetDataBack NTFS to recover the files needed.
But not only do I want to fix it because it's fun, but also because he wants things off of there like his Outlook calendar and stuff like that.
No matter what, though, I will be reformatting the computer in the end. But it would be nice to at least fix some of it so I can log in and get files off and maybe see exactly what went on.
So what I'm looking for is any tips. I've never seen anything like this, and I'm going to be running out of ideas soon, as I can't find any info on the error message I get. I'm going to be researching this and working on it, but if you can point me in the right direction I'd appreciate it.
The computer is not supposed to be logging on to the domain, and according to the Windows logon GUI it is not trying to do so.
I can log in to the administrator account by booting into the Recovery Console. From there I also tried copying a good userinit.exe file to the system32 folder and naming it wsaupdater.exe. That didn't work, so I also tried just replacing userinit.exe with the good one. That obviously didn't work either.
Responses to this topic
I hooked it up as a secondary hard drive to an XP install; right now I'm scanning it with a few progs. So far I've found many variants of Netsky and Backdoor.Defender. It looks like Backdoor.Defender is the one that caused all the problems though, telling Windows to start certain services.
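The poster's attempt to drop a userinit.exe copy named wsaupdater.exe suggests the Winlogon Userinit value had been pointed at a binary that no longer exists, which is one way to get "The parameter is incorrect" at every logon. The following PowerShell script is an added example, not code from the thread: with the infected disk attached as a secondary drive (as in the reply above), it mounts the offline Win2k SOFTWARE hive and compares the Userinit and Shell values against clean Win2k defaults, listing every executable a tampered value names so it can be scanned or hashed. It assumes the secondary disk is D: and Windows 2000 lives in D:\WINNT; run it from an elevated PowerShell on the host.

```powershell
# Added example, not from the original thread. Inspects Winlogon values in an
# OFFLINE SOFTWARE hive from a secondary disk. Assumptions: disk letter D:,
# Win2k in D:\WINNT; run elevated so reg.exe can load the hive.
param(
    [string]$OfflineRoot = 'D:\WINNT',    # assumed: secondary disk + Win2k directory
    [string]$MountName   = 'OfflineSoft'  # temporary name under HKLM for the hive
)

$hive = Join-Path $OfflineRoot 'system32\config\software'
if (-not (Test-Path $hive)) { throw "SOFTWARE hive not found at $hive" }

# reg.exe wants the HKLM\<name> form; PowerShell then reads it via HKLM:\
& reg.exe load "HKLM\$MountName" $hive | Out-Null
try {
    $winlogon = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $values   = Get-ItemProperty -Path $winlogon

    # Clean Windows 2000 defaults. Userinit legitimately ends with a comma.
    $expected = @{
        Userinit = 'C:\WINNT\system32\userinit.exe,'
        Shell    = 'Explorer.exe'
    }

    foreach ($name in $expected.Keys) {
        $actual = $values.$name
        if ($null -eq $actual) {
            Write-Warning "$name is missing; Winlogon cannot start a user session without it"
        } elseif ($actual -ne $expected[$name]) {
            Write-Warning "$name altered: '$actual' (expected '$($expected[$name])')"
            # List each executable the value names and whether it exists on the offline disk;
            # a referenced binary that is absent explains a logon that fails for every account.
            foreach ($exe in ($actual -split ',' | Where-Object { $_.Trim() })) {
                $path    = $exe.Trim()
                $offline = $path -replace '^C:\\WINNT', $OfflineRoot   # map C:\WINNT -> D:\WINNT
                Write-Output ("  -> {0} (present on offline disk: {1})" -f $path, (Test-Path $offline))
            }
        } else {
            Write-Output "$name OK: $actual"
        }
    }
}
finally {
    [gc]::Collect()                                   # drop handles before unloading
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Any binary it flags is worth hashing and submitting to the scanners before the drive is reformatted, since it records what the infection actually changed.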