I've searched my @ss off for a solution but not even google has something on this. (two or three useless pages)
One of our customers rebooted their machine and all of a sudden their usernames at the logon screen is gone, and instead there is three new ones named, HDSADMIN, HDSUSER and SMSINSTALL. Now just to be clear, it was NOT a previously owned machine and they have absolutely nothing to do with some company called HDS or anything. Their system worked fine for years and now all of a sudden this popped up. Below is what i've done so far and this morning when it seemed fine, it happened again. At first we booted it fine, but after a reboot it happened again.
PS. None of the users data or folders were deleted in Documents and Settings
OS: Windows XP Proffessional
Done so far:
- Did a repair install of Windows which didn't fix anything. Same problem.
- Used a bootable cd with a password resetter and logged in as localadmin.
- Created new accounts, logged in them to create the Documents and settings folders, logged in as localadmin again and deleted the new accounts. Renamed the old existing accounts to the newly created ones (so windows will point to the old accounts). This worked fine. All files were under the correct username.
- Scanned with MBAM and SuperAntispyware malware removal programs, found no threats
- Took the HDD out and slaved it to a test station and scanned for malware again, no threats found.
- In the office i rebooted about 4times and everything was fine.
- This morning however, it booted up fine, but when the customer rebooted again, it erasedd the accounts again and gave them the HDSADMIN, HDSUSER, and SMSINSTALL accounts which were password protected again.
So i can crack the passwords and gtet in the system, but it creates these accounts out of nowhere and deletes the other ones, but the files and Documents still stay in Documents and Settings.
I know this is a long post but I'm really out of ideas. I hope someone has encountered this and can help me. I'm sure someone else has ran into this problem too. (they just didn't post it online)
Hope to hear from you guys soon. Seeing that google doesn't give much results, i assume it's a rare issue.