Mysterious Password Change. Malware Attack?

Piyono

Storage is cool
Joined
Jan 25, 2002
Messages
509
Location
Tel Aviv
Windows 10 on my sister's Lenovo E585 suddenly stopped accepting her password.
The Windows login recovery security questions have changed, as well, to ones that I don't remember choosing.
I thought maybe the input language had changed but it has not.
She was running as an administrator with full privileges. :/
Does this sound like a malware attack?

I figured I'd try Ophcrack, so I downloaded the ISO and 'burned' it to a USB flash drive but it wouldn't boot unless I changed the BIOS startup options to 'Legacy' mode, and even then it failed to load past the splash screen citing not enough memory, regardless of what mode I try to launch.

I'm thinking of trying Offline NT Password & Registry Editor but that won't crack the password; rather it will wipe it out, and I'd like to see what the new password is in the event that it gives me some insight as to what the core issue is.

Are there any other tools I can try?

LunarMist

I can't believe I'm a
Joined
Feb 1, 2003
Messages
15,244
Location
USA
Is she sure it was not changed locally, e.g., by someone that knows the password and has access?

Piyono
Scratch that-- I just found the working misspelling. It was only one letter off but it was clearly changed because I know what it used to be and what it is now. She swears up and down that she wasn't prompted for a password change, and that the kids don't know her password so how it changed is anyone's guess.

Piyono
Nope, scratch that again. Today she woke up and there were Chrome tabs open with Clonezilla and Paragon open. Her taskbar icons are gone and desktop cleared. AOMEI Backupper, EaseUS Todo Backup and Macrium Reflect have all been installed (although I'm not sure what an attacker would want with those). Not the work of anyone in this house. Time for a reformat!

Piyono
Now I'm noticing that there were a whole lot of failed Windows updates and a pending restart. Also, the desktop folder, which is on a second drive, is still intact, but it's no longer assigned as desktop. Perhaps an update failed and reset the user account to some default state, and reverted the password? (the misspelling I mentioned above was the first version of the password which my sister didn't like and subsequently changed months ago).

Piyono
Okay, something is going on but I don't know if it's malicious, anymore. In fact, I'm suspecting a failed Windows update.
The system is booting from the wrong volume. Somehow the drive letters got swapped and the HP SSD EX920 I installed as the system drive has become drive F, while the Seagate Barracuda which shipped with the machine (and still lives inside of it and has an older version of Windows installed) has become the boot volume again. This would explain the old password. I'll change the volumes around and see what happens.

Piyono
It's been a long time since I've dealt with Windows Boot Manager issues or used bcdedit... I barely remember how this all works together. So much memory to refresh.
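The thread's lesson, from the "old password works" post through the boot-volume post above, is that a machine with two Windows installs on two internal disks can quietly boot the wrong one, and the stale install then looks like a compromised account (old password, unknown recovery questions, missing desktop). The following read-only diagnostic is an added example, not something posted in the thread or shipped by any of the tools mentioned; it is a hypothetical script that collects, in one elevated PowerShell session, the facts that decide between "wrong boot volume" and "someone changed the password": which partition and disk the running Windows actually lives on, what entries the BCD store knows about, when each local account's password was last set, any logged password change or reset attempts, and recent failed update installs.

```powershell
# Added diagnostic (hypothetical, not from the thread). Run in an elevated PowerShell
# on the Windows instance that is currently booted. It only reads state and changes nothing.
# Assumption: two internal disks, each carrying its own Windows install.

# 1. Which Windows instance is running, and since when was it installed?
$os = Get-CimInstance Win32_OperatingSystem
"OS:           $($os.Caption) $($os.Version)"
"SystemDrive:  $($os.SystemDrive)   Installed: $($os.InstallDate)   Last boot: $($os.LastBootUpTime)"

# 2. Which partition/disk is booted? IsBoot = partition holding the running Windows,
#    IsSystem = partition holding the boot files (EFI system partition or legacy system partition).
Get-Partition | Where-Object { $_.IsBoot -or $_.IsSystem } | ForEach-Object {
    $disk = Get-Disk -Number $_.DiskNumber
    "Disk $($_.DiskNumber) ($($disk.FriendlyName)) partition $($_.PartitionNumber) " +
    "letter $($_.DriveLetter): IsBoot=$($_.IsBoot) IsSystem=$($_.IsSystem)"
}

# 3. What does Windows Boot Manager know? Every OS loader entry whose 'osdevice' is not the
#    running SystemDrive is a second install that firmware boot order or BCD order can select.
bcdedit /enum osloader | Select-String 'identifier|device|osdevice|description|systemroot'

# 4. Did the password really change on THIS install? An untouched older install shows
#    a PasswordLastSet from months ago, not a fresh reset.
Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon | Format-Table -AutoSize

# 5. Password change (4723) and reset (4724) attempts in the Security log, last 30 days.
#    Property indexes follow the event XML: TargetUserName is first, SubjectUserName fifth.
#    Returns nothing unless "User Account Management" auditing is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-30) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Target'; e = { $_.Properties[0].Value } },
        @{ n = 'By';     e = { $_.Properties[4].Value } } |
    Format-Table -AutoSize

# 6. Failed update installs (event ID 20 in the Windows Update client log), last 30 days.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 20;
                                 StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

If step 2 reports IsBoot on the disk you did not intend to boot from, the account was never touched: you are simply logged in to the other install, and the fix is the firmware boot order (or `bcdedit /default {identifier}` using an identifier printed in step 3), not a password recovery tool. If instead the booted disk is the expected one and PasswordLastSet or a 4723/4724 event is recent and unexplained, that is the point at which the malware hypothesis deserves real attention.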

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,555
Location
Michigan
M$ broke Windows 7 with an update a few weeks back for systems that boot from a NVMe drive. I had to fix several computers in the office.