Laptop Hacked - Password Changed


  1. Posts : 222
    Windows 10 Home Premium-1803
       #1



    My brother's best friend is a nice enough guy, but FAR from being the sharpest knife in the drawer....
    A couple days ago he got a call from 'Microsoft', telling him that his computer was infected with a multitude of viruses. Not only did he take the call, but he agreed to pay 'Microsoft' $200 to fix the problems. The scammer had the scamee (my brother's friend) enter some code and his laptop was now being controlled remotely. To make matters worse he actually gave them his Windows password. Incredible.

    The upshot is that he is now out 200 bucks, they want more money and until he pays them more, he is locked out of his computer, since the scammer changed the password.

    I turned off the laptop 3 times with the power button. The 4th restart gave me the advanced startup options. Every pertinent option seemed to want the Windows password to continue. Fabulous.

    I broke out the W10 disk and booted from it. I then again accessed the Advanced options, and this time was not prompted for a password. I went to System Restore and tried to restore it to a date before the 'Microsoft' phone call.

    It now has this little box labeled System Restore. Inside that box is a white bar that is constantly filling from left to right with a green bar. It has been doing this for the last 2 hours.

    Isn't there some way to use the W10 disk, go to a command prompt and type in some commands to obliterate the password? Cause this Restore doesn't appear to be doing the trick...

    Update.... The Restore finally finished with the message System Restore did not complete successfully. Your computer's system files and settings were not changed. It goes on to say that an unspecified error occurred during System Restore (0x80070091)


  2. Posts : 31,660
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #2

    boweasel said:
    Isn't there some way to use the W10 disk, go to a command prompt and type in some commands to obliterate the password?
    No, but from the command prompt you can enable the built-in Administrator account. Then you can log in as Administrator and reset the password. See Option Four in this Tutorial.
    https://www.tenforums.com/tutorials/...a.html#option4


  3. Posts : 31,660
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #3

    boweasel said:
    Update.... The Restore finally finished with the message System Restore did not complete successfully. Your computer's system files and settings were not changed. It goes on to say that an unspecified error occurred during System Restore (0x80070091)
    That, I'm afraid, is a known problem on some systems - probably nothing to do with what the scammers got up to.
    System Restore fails: AppxStaging %ProgramFiles%\WindowsApp 0x80070091


  4. Posts : 222
    Windows 10 Home Premium-1803
    Thread Starter
       #4

    Bree said:
    from the command prompt you can enable the built-in Administrator account. Then you can log in as Administrator and reset the password. See Option Four in this Tutorial.
    https://www.tenforums.com/tutorials/...a.html#option4
    Okay.... I followed all the steps in Option Four right up to Step 8,
    where unlike the Tutorial, I got HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4. No 'S' in the word Account.

    Then, in Step 9, when I opened the 000001F4 key, I was instructed to change 11 to 10 in the first column of line 0038. On the problem laptop, the first column of line 0038 has a value of 15, not 11. I would supply a screenshot but I don't know how to do that on a computer that won't start.

    So I didn't do anything. I obviously need more help.


  5. Posts : 31,660
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #5

    boweasel said:
    Okay.... I followed all the steps in Option Four right up to Step 8,
    where unlike the Tutorial, I got HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4. No 'S' in the word Account.
    That would appear to be just a simple typo. Look at the bottom of Regedit in the screenshot at step 8 where it too clearly shows \Account\ with no 'S'. @Brink should be able to confirm that. I've just followed the instructions on another PC and it too had Account in the singular.

    Then, in Step 9, when I opened the 000001F4 key, I was instructed to change 11 to 10 in the first column of line 0038. On the problem laptop, the first column of line 0038 has a value of 15, not 11. I would supply a screenshot but I don't know how to do that on a computer that won't start.

    So I didn't do anything. I obviously need more help.
    Very sensible to leave things alone and seek further help. I don't know what the value 15 means, or if it's safe to change it. On the machine I just modified it was 11 as expected. Hopefully someone who knows more than me will be along shortly.


  6. Posts : 222
    Windows 10 Home Premium-1803
    Thread Starter
       #6

    Isn't there some way to use the W10 disk, go to a command prompt and type in some commands to obliterate the password?
    Bree said:
    No....
    Actually Bree, there is... I went through some documents from an old computer and found this

    Create a new user or reset Windows 10 password with command prompt
    ⦁ Boot from the Windows 10 disk and select Repair
    ⦁ Go into Troubleshoot/Advanced Options/Command Prompt
    ⦁ Navigate to C:\Windows\System32
    Back up a file called utilman.exe and overlay it with cmd.exe
    ⦁ Move utilman.exe utilman.exe.bak
    ⦁ Copy cmd.exe utilman.exe
    Take out the disk and reboot by typing
    ⦁ wpeutil reboot
    When the laptop gets to the log in screen, click on the Ease Of Access icon on the bottom right of the screen which now brings up a command prompt screen. Type
    ⦁ net user <username> <password>
    where <username> is the Windows user name and <password> is the NEW password
    Put the Windows 10 disk back in the optical drive and reboot using that disk. Go to the command prompt as before and rename utilman.exe.bak to utilman.exe.

    That's all there is to it. I rebooted, entered the new password, uninstalled the software the scammer had put on the laptop and all is well.

    But it makes me wonder why nobody else on this forum knew that. And why it's not already in some sort of tutorial. I hardly have the computer knowledge that most of you responders possess, yet I sort of remembered that there was a way around this. Shouldn't somebody here have known? These events make me question the whole rationale of using forums like this. In the past I've turned to these kinds of places when I couldn't figure it out myself. More and more I'm becoming disillusioned with the caliber of responses I get. The last thread I started in this forum (No Browser But Edge Will Connect) has now gone 3+ weeks without a response. I honestly doubt I'll ever receive an intelligent reply.

    And typos in a tutorial? A tutorial where one is supposed to make registry changes? Registry typos can be disastrous. People expect a certain level of expertise and quality here. Sadly, it seems to have fallen by the wayside.
      My Computer
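
A defender's check for the state that the steps in post #6 leave behind, added here as an example and not part of any poster's message or the linked tutorial: it hashes the programs Windows can start from the logon screen and reports any that are byte-identical to cmd.exe, are missing, or have a renamed copy such as utilman.exe.bak beside them. It goes beyond the thread's single case by covering the other accessibility programs of the same class; the function names and the sample directory are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Programs Windows can start from the logon screen before anyone signs in.
# utilman.exe is the one named in the thread; the others are the same class.
LOGON_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe",
                  "magnify.exe", "narrator.exe", "displayswitch.exe")
SHELLS = ("cmd.exe",)  # the thread copies cmd.exe over utilman.exe


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_system32(system32):
    """Return sorted (file name, reason) findings for a System32 directory."""
    # Windows file names are case-insensitive, so compare lower-cased names.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hashes = {sha256_of(files[s]): s for s in SHELLS if s in files}
    findings = []
    for name in LOGON_BINARIES:
        if name not in files:
            findings.append((name, "missing"))
        elif sha256_of(files[name]) in shell_hashes:
            shell = shell_hashes[sha256_of(files[name])]
            findings.append((name, f"identical to {shell}"))
    # Leftover renamed originals such as utilman.exe.bak show the swap was made.
    for fname in files:
        for name in LOGON_BINARIES:
            if fname != name and fname.startswith(name + "."):
                findings.append((fname, f"renamed copy of {name}"))
    return sorted(findings)


def build_constructed_sample(root):
    """Constructed stand-in for System32: placeholder bytes, not real binaries."""
    root = Path(root)
    (root / "cmd.exe").write_bytes(b"constructed-cmd")
    for name in LOGON_BINARIES:
        (root / name).write_bytes(b"constructed-" + name.encode())
    # State left by the thread's steps: original renamed, cmd.exe copied in.
    (root / "utilman.exe").rename(root / "utilman.exe.bak")
    (root / "Utilman.exe").write_bytes(b"constructed-cmd")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_system32(build_constructed_sample(tmp)):
            print(finding)
```

Point `audit_system32` at `Windows\System32` on the live machine or on the drive mounted in another system. A hash match only covers a straight copy of a shell listed in `SHELLS`; any other replacement needs a comparison against known-good hashes from matching install media.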


  7. Posts : 16,325
    W10Prox64
       #7

    @boweasel
    I'm sorry you found a typo and it's unfortunate that the tutorial didn't help you regain access to the computer. A question posted in that tutorial thread would have gotten you assistance from the tut author, which might have resolved your problem with the different value you found.

    However, your bashing the volunteer help here is unnecessary.

    Back to the computer: If the system was remotely accessed by the scammers, the only sensible thing to do is pull the HDD, back up the user data, wipe the drive, and reinstall the OS. Anything less than that is just asking for trouble. You have no idea what they did to that thing. Many of these scammers place time bombs on their victims' systems. It's just not possible to "clean it" and be sure it's good.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
