
This computer is configured to require a password in order to start up.


  • This topic is locked
21 replies to this topic

#1 Frog129


Posted 29 June 2013 - 03:04 AM

Hi, someone I know got a call from "Microsoft" saying his computer was infected. After giving them remote access to his computer he realized his mistake. He has come to me to see if I can fix the problem, which it seems I can't do alone as I'm completely stuck. The problem is as follows.

On startup the Windows icon appears and then a box shows up saying "This computer is configured to require a password in order to start up".

u41.png

This is a pic of the box. The keyboard and mouse stop working on this screen so it isn't possible to type at all. I've searched a few forums looking for an answer as I have no idea how to fix this, and the common answer I find is to use a bootable disk to get into the computer, but the disks never seem to work (I've been using DVD disks; I'm going to try a normal CD tomorrow when I can buy them). I get a black screen saying "reboot and select proper boot device" when I set the computer to boot from the disk. The OS is 32-bit Windows XP Home Edition. I can try and find more info if it's needed. Any help would be appreciated.

 

 

 




 


#2 .X.


Posted 29 June 2013 - 03:18 AM

You're SOL. Reinstall Windows. Offline NT Password & Registry Editor is supposed to be able to let you clear it but in my experiments it does not.



#3 myrti


Posted 29 June 2013 - 03:23 AM

Hi,

this is the password for SAM hive encryption. Therefore the password reset utilities won't help.

Some suggestions were given here: http://www.bleepingcomputer.com/forums/t/470753/remove-a-startup-password-before-account-screen/

My first suggestion, however, would be to boot from a bootable CD and back up all the data.

regards
myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 Frog129


Posted 29 June 2013 - 03:30 AM

Thank you so much for the replies. I'll try these when I get the chance; I'm currently reading the pages you have linked to. I would like to avoid reinstalling Windows as he has pictures of his grandkids on the computer and such that he doesn't want to lose, and I'm not too sure how to back them up without being able to log into the computer.



#5 myrti


Posted 29 June 2013 - 03:38 AM

Hi,

You can create a bootable flash drive like here: http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows
This should allow you to browse the flash drive and back up the files needed to a second hard drive.

regards
myrti

#6 .X.


Posted 29 June 2013 - 04:15 AM

Tell him he should have already been doing daily backups to a second physical drive or the cloud. I use Beyond Compare for my daily backups and I keep my data on different partitions, not the OS partition. This makes it much simpler for times when a reinstall is required. 15 minutes to get my computer formatted and get my OS back to how it was.
 
In the future as a precaution you should delete syskey.exe from the system32\dllcache folder and then the one in system32. Windows SFC will throw up a warning that files needed to OS are required...just ignore it.
 
Or you can do what I do with Local Security Policy (it's in Administrative Tools, or just Start, Run, secpol.msc). You go to Software Restriction Policies > Additional Rules, right-click the blank space and choose New Path Rule, add a path and set it to Disallowed. On first run, Additional Rules will not be present. It will tell you this...

4KXf723.png

 

Do that, then you will have this...

 

kPvmfA8.png

 

As you can see, I've already added a few rules. You should do trivial FTP (tftp.exe) also because some trojans use it to download additional malware.

 

Not many people know about this Windows feature so it's possible the fake Microsoft callers won't know what to do.



#7 myrti


Posted 29 June 2013 - 04:20 AM

Hi,

in the future, most importantly, teach him to never take phone calls like that seriously and that no reputable company would ever call out of the blue and demand access to their computer. They just don't work that way.
Don't grant strangers access to the PC.

regards
myrti

#8 SlickTrick


Posted 23 August 2013 - 09:59 AM

FWIW, I recently encountered this, and was able to recover from it by performing a manual registry hive recovery on Windows XP. I booted to a Linux live disk, simply backed up the corrupted hives, and replaced them with ones from a week ago. Booted to the desktop and began the malware removal process.



#9 hamluis


Posted 23 August 2013 - 11:21 AM

FWIW:

 

Data Recovery, GParted, AA - http://www.bleepingcomputer.com/forums/topic474881.html

 

Data Recovery Using Puppy Linux, Brooks - http://www.bleepingcomputer.com/forums/t/489067/dual-boot-system-bluescreens-1-of-my-startup-choices/

 

Louis



#10 Guest_Wolf2674_*


Posted 28 August 2013 - 07:39 AM

Hi there. This may not be of any help, but could work if you live in the United States or another country: you could ring the real Microsoft on a different computer, perhaps a laptop, and use Skype if using a landline or normal phone is too expensive. Make sure you are talking to a real American and not a person from the Middle East or Asia regions, and explain to them what has happened. They may be able to assist you for free, as the real Microsoft is aware of these scammers, and I would think they would be able to help you.

 

Contact Microsoft Customer Service

Microsoft Customer Service agents are available to answer your general questions regarding Microsoft products and services, licenses and more.
See all worldwide customer service phone numbers.

1-800-Microsoft (642-7676)

Weekdays

5 A.M. - 9 P.M. (Pacific Time)

Weekends

6 A.M. - 3 P.M. (Pacific Time)

TTY: 1-800-892-5234

Contact Microsoft Technical Support

For product support please select your product from our directory to contact a Microsoft Support Professional by email, chat or phone.

 

or if you have another computer you can use try this

 

https://support.microsoft.com/oas/default.aspx

 

That is a link to the American Microsoft

 

 

This is the number to Microsoft America. You should get an American rep, as other places around the world use call centers that employ people from Asia or the Middle East, and those reps from those areas are most times unfriendly, rude and may rip you off.



#11 anywhereman2013


Posted 30 September 2013 - 06:39 PM

I actually downloaded a password cracking program that appears to be in Linux. It also has a utility to remove the SYSKEY. Worked great!



#12 .X.


Posted 30 September 2013 - 08:50 PM

What's the name of the program?



#13 hamluis


Posted 01 October 2013 - 08:57 AM

I actually downloaded a password cracking program that appears to be in Linux. It also has a utility to remove the SYSKEY. Worked great!

 

Totally immaterial...as explained by Myrti in her post.

 

<<this is the password for SAM hive encryption. Therefore the password reset utilities won't help.>>

 

Louis

 



#14 ghostrlb


Posted 21 January 2014 - 03:12 PM

I have browsed this site many times over a long period of time and always found the information very helpful from its admins and members. So now I wish to contribute.

 

If you have this popping up on your Windows XP or Windows 7 PCs, and you have had no success afterwards in getting to a good start, then your previous Registry settings located in %SYSTEMROOT%\system32\config\RegBack are most likely still intact and not changed.

Try this.

 

 
  • POWER OFF your PC immediately.
  • Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.
  • Backup the registry hives in this folder to a temporary location. The files are:
    1. SOFTWARE
    2. SYSTEM
    3. SAM
    4. SECURITY
    5. DEFAULT
  • Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
  • Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
  • Reboot the PC.

I have used this on no less than 40 systems that come across my desk over the past 8-12 months with 100% success so far.

Love this site and appreciate all you all do.
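
The restore steps in the post above, written as a shell script for Linux live media; this is an added example, not code from the original poster. The function names `find_hive` and `restore_hives` and the example mount paths are assumptions, and the script checks that every RegBack copy exists and is non-empty before it overwrites anything.

```shell
#!/usr/bin/env bash
# Added example: restore registry hives from RegBack, run from live media.
# Assumption: the Windows volume is already mounted read-write and both
# paths are supplied by the operator; nothing is auto-detected.

HIVES="SOFTWARE SYSTEM SAM SECURITY DEFAULT"

# Locate a hive by name regardless of case: Linux NTFS mounts are
# case-sensitive and the on-disk names are often lower case.
find_hive() {  # $1 = directory, $2 = hive name
    find "$1" -maxdepth 1 -type f -iname "$2" | head -n 1
}

restore_hives() {  # $1 = .../system32/config, $2 = backup destination
    regback=$(find "$1" -maxdepth 1 -type d -iname RegBack | head -n 1)
    [ -n "$regback" ] || { echo "no RegBack folder in $1" >&2; return 1; }

    # Pass 1: verify every hive before changing anything.
    for h in $HIVES; do
        src=$(find_hive "$regback" "$h")
        [ -n "$(find_hive "$1" "$h")" ] || { echo "current $h missing" >&2; return 1; }
        # A missing or zero-length RegBack copy would leave no usable hive.
        { [ -n "$src" ] && [ -s "$src" ]; } || { echo "RegBack $h missing or empty" >&2; return 1; }
    done

    # Pass 2: back up the current hives; stop if any copy fails.
    mkdir -p "$2" || return 1
    for h in $HIVES; do
        cp -p "$(find_hive "$1" "$h")" "$2/" || return 1
    done

    # Pass 3: overwrite each current hive with its RegBack copy,
    # keeping the existing file name and its case.
    for h in $HIVES; do
        cp -p "$(find_hive "$regback" "$h")" "$(find_hive "$1" "$h")" || return 1
    done
}

# Runs only when given both paths (example paths are hypothetical):
#   ./restore_hives.sh /mnt/win/WINDOWS/system32/config /mnt/usb/hive-backup
if [ "$#" -eq 2 ]; then restore_hives "$1" "$2"; fi
```

Keep the backup directory on separate media from the Windows volume so the replaced hives can be put back if the restored set does not boot.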

 



#15 technonymous


Posted 21 January 2014 - 09:25 PM

 

I actually downloaded a password cracking program that appears to be in Linux. It also has a utility to remove the SYSKEY. Worked great!

 

Totally immaterial...as explained by Myrti in her post.

 

<<this is the password for SAM hive encryption. Therefore the password reset utilities won't help.>>

 

Louis

 

 

It's probably that chntpw. The utility is on Hiren's Boot CD and it does have a syskey option. Probably send the PC into an endless boot loop. lol Always back up first. Could load an XP VM and test how it turns out.





