Topic: Transaction change vanished (Read 2462 times)

Yup.  If 1PyDNpaHGaAxazG13Xa7sESVeQbympLrHw is in there, you can take the corresponding private key over to another wallet or client and import it there and you'll have access to the funds.

Did just that... didn't work.

Rebooted the computer and me, and know it works :-)

OK, I get a bunch of:

  "addr": "--------------------------------------",
  "reserve": 1,
  "sec": "---------------------------------------------------------"

where - is blanked out typical bitcoin address signs

I guess it is in the addr field I should be searching, right?

           

Download and save (e.g., in C:\Temp):
 - https://raw.github.com/joric/pywallet/master/pywallet.py

Then in the directory that you saved that script, run:
 C:\> cd C:\Temp
 C:\Temp> python .\pywallet.py --version
pywallet.py 1.2

You are saying you get v1.1?

Wasn't very clear there I can see.

I successfully installed and was running v1.1.   To upgrade to v1.2 (which supports passwords) I simply replaced the pywallet.py file.

Didn't work, still reporting v1.1.... and this is where I am confused.

There is no install.bat, it is a python script. 

So I'm assuming you are a Windows user then.

Windows doesn't come with Python installed, so you would need to install that in order to run the script.

 - http://www.python.org/ftp/python/2.7.2/python-2.7.2.msi


Then download pywallet  (right click and "Save Link As" or something like that):

 - https://raw.github.com/joric/pywallet/master/pywallet.py


Then to run the script from the command prompt it would be something like:
  C:\Temp>  python pywallet.py

Though if the python executable isn't in your path you would need to probably add it and re-open the command prompt so that it is in the path.  There is more info here:

 - http://docs.python.org/2/faq/windows.html#how-do-i-run-a-python-program-under-windows

Yea it shouldn't work without password I guess....  I `tried with v1.1 of pywallet....  Didn't manage to figure out how to download it from the link you gave.

Found a version on http://www.antepedia.com/detail/p/210922838.html;jsessionid=8515700B97FC021E6B8E3A6ADA00D674 and just copied the pywallet.py file to my dir. It was stilll reporting v1.1 however, tried running both update.bat and install.bat after the copy was made.

Know how to do it?

Just to eliminate any remaining possibilities, have you tried extracting the keys for wallet #2 using pywallet, rather than with the bitcoin.org client?

 - https://github.com/joric/pywallet

Use
 -password=
for an encrypted wallet.

Dumped all the backups of all the wallets looking for "1PyDNpaHGaAxazG13Xa7sESVeQbympLrHw", no luck. Last backup of wallet #2 (last before sending and loosing the BTC) has among other stuff the following worrisome contents:

...
"keys": [],
...
"pool": [],
...

 -salvagewallet even without -rescan causes client to "rescanning" and then fails with  "Cannot initialize keypool".

Any more tips what I should be looking for in the files?

I doubt that those two are meant to be used simultaneously.   Try just -salvagewallet

OK, so no use in trying to get the keys from the backups from pre-encryption time then.

Ran "bitcoin-qt -salvagewallet -rescan", but I get "Cannot initialize keypool" error message. Tried several times. Found no helpful information by googling it...

The 100 change adresses pool also gets deleted/flushed and replaced with new addresses when encrypting the wallet. Probably not relevant, but good info to know about.

There is one other option that can be tried on the computer with the wallet that sent this payment (and should have received change), but it will require first upgrading the Bitcoin client to version 0.7.1:


After closing Bitcoin and making another wallet.dat backup, you can install the latest Bitcoin release. Then start Bitcoin-qt with this command-line option which will do an aggressive search to recover unreadable Bitcoin wallet addresses and restore them to a new wallet file, and then search the blockchain for any missing payments to wallet addresses:

cd \Program Files (x86)\Bitcoin
bitcoin-qt -salvagewallet -rescan

Disregard my earlier messages (I've deleted them).  They were based on the understanding that you were not intentionally sending to 1PyDNpaHGaAxazG13Xa7sESVeQbympLrHw. Now that you've explained otherwise, it becomes obvious that the addresses I listed belong to the online wallet.

All Bitcoins are "beta", those are the correct checksums for v0.7.0 release client.

Good luck finding the address & key, it should be in some wallet.dat file or earlier backup if the wallet wasn't lost or extremely corrupted, especially if you haven't sent over 100 transactions using one wallet. One thing that can make for an unreliable backup is if you tried to copy the wallet.dat while Bitcoin was still running, even as a tray icon. If the address pool was exhausted, more reserve keys will be created by Bitcoin that may only be in the current wallet or recent backups.

The machine sending the 99 BTC losing the 1 BTC was running v0.7.0Beta, giving the results:

0800981efc79096f2e23e4f0e928cd5d *bitcoin-qt.exe
393afc1d8f937e05eb20c8a9bb3dea1f *bitcoind.exe

Can't find any info about what they should be..

Note: The wallet used here was a backup from a few months ago (same on the first transaction that got messed up), due to system re-installment the client responsible for creating that wallet is no longer available for hash checking, unfortunately.

I will continue with dumping the keys.

Yes, that was actually me from an online wallet testing to see if those showed up somewhere for some reason. They didn't of course.

Thanks for all the tips, I will work on checking the hashes..

Analysis

1. The transaction sending the money looks normal, but only if you had just the 100BTC payment as your balance and not received any other smaller payments to any other wallet addresses that could have been used to send 1BTC.

2. When a transaction that involves "change" happens, you do not see it in the client at all, you would only see the 1BTC being sent and your balance would remain at 99BTC.

So this means one of a few scenarios I can envision:

1. Your wallet is messed up, a reserve pool address (one of 100 hidden addresses that Bitcoin pre-creates) that should be in your wallet was used for change but the client couldn't recognize the returning payment,

2. You are using an altered version of Bitcoin or other malware client that sends it's change to a bad person, either obtained by a bad download link or something altering the official client

3. There is some new malware clever enough to replace unencrypted wallet.dat reserve pool addresses with it's own, laying in wait to get change when they are used.

4. You screwed up somewhere with all your wallet file swapping. (most likely)

Something else sent the "change" address two more payments of .1 BTC the next day which do not look at all like change.

Where do we go from here?

1. Verify that you are using the official Bitcoin application or discover if it is some unofficial altered bastardized version you were tricked into downloading and using. We must check the program hashes to see if the files are the official unaltered client. These instructions are for Windows.

Authenticity of files can be checked with MD5, available as a download here: http://www.etree.org/md5com.html#download - put the downloaded file into your C:\Windows directory so it can be used from any other directory (linux will already include md5sum).

Then open a cmd prompt and do this:

C:\>cd "\Program Files (x86)\Bitcoin"

C:\Program Files (x86)\Bitcoin>md5sum bitcoin-qt.exe
c2d2af1bd1fe0dd7f80af352a3be1fd1 *bitcoin-qt.exe

C:\Program Files (x86)\Bitcoin>cd daemon

C:\Program Files (x86)\Bitcoin\daemon>md5sum bitcoind.exe
248fb133ade47991fdb96f607ff5eecf *bitcoind.exe

These are the values for v0.7.1, if you have this version and different values you have a problem!

Then the next thing we must do is find the wallet that has (hopefully) the address 1PyDNpaHGaAxazG13Xa7sESVeQbympLrHw. If the various wallets are unencrypted, I would install python and use pywallet to dump all the addresses in every wallet file and backup you have, and locate and secure the address and it's private key.

Correct, 1 BTC and then 99 BTC was sent to t1NNdZiBH3yLsBSxrdVrJRptaj99hQwvbKy, which ends up in wallet #3. They arrived fine.

Haven't tried the -rescan command on wallet #2, but removing the index files should do the same, right?

Going to try the dump private keys thing as later on today.

Now I'm confused.  You said the 99 went in transaction 724d1caf9cc4302d02564908fcbd1d47878732b6eb4da818a3495709d595944c:
 - http://blockchain.info/tx-index/34640934/724d1caf9cc4302d02564908fcbd1d47878732b6eb4da818a3495709d595944c

So from that transaction I see that the 1 BTC went to 1NNdZiBH3yLsBSxrdVrJRptaj99hQwvbKy:
 - http://blockchain.info/address/1NNdZiBH3yLsBSxrdVrJRptaj99hQwvbKy

But that 1.0 BTC amount hasn't been spent since that transaction.  And that address later had another 99 BTC sent to it, so it now holds 100 BTC.

Have you tried launching the Bitcoin-Qt from the command line with -rescan?

 Bitcoin-Qt -rescan

No, they are not listed in the transaction history or my receiving addresses in the GUI.  Where are they from?