Microsoft Impersonation Scam - Fixing password required before Windows boots
#1 britechguy
Been there, done that, got the T-shirt
Moderator, 8,643 posts, Gender: Male, Location: Staunton, VA

Posted 08 December 2014 - 01:42 PM

Hello All,

I am posting this here because it appears that we are back in "high season" for the Microsoft Impersonation Scam. I've recently had a relative get scammed, and although she "cut things off" in mid-scam it was too late and the damage had been done.

These folks exploit a little-known feature in Windows (going way back, at least to XP) where they make the machine insist on the entry of a password that's unknown to you before Windows will continue booting. Even if you guess one of the common ones they use, "1234", no one wants this stuff hanging around on their computers.

None of the typical software packages (e.g., Malwarebytes) can remove this because you have to be able to boot into Windows itself in order to run it. I'm not even sure it will remove it if you do happen to guess the correct password to allow the system to boot. I have a tech support request in with Malwarebytes about this and will report back with what I learn.

There is, however, a remarkably simple way to fix this. I take no credit for having come up with this. The solution was originally posted by forum participant ghostrlb in post #14 on a thread entitled "This computer is configured to require a password in order to start up", on these very forums. I am repeating it here, with some additions that get very detailed about how each step is done for those who've never even used either a Windows Recovery Disc or a command prompt window in their lives:

  • POWER OFF the PC immediately. You do not want to chance having Windows do one of its routine hive backups and overwriting your good backed-up hives.
  • Boot to external media of some sort, typically a Windows Recovery Disc. Many people never bother to create one of these, but the good news is that you can create a Windows Recovery Disc on another computer that's running the same version of Windows as the infected computer (e.g., Win7 32-bit or Win8 64-bit). Or at least that's what I've always done. Someone else may be able to confirm whether a Windows Recovery Disc is completely independent of the Windows version that creates it or not.
    • To boot to a Windows Recovery Disc, when you start the computer and get your first system screen, which is always white on black in my experience, you will generally see a line at the bottom that tells you to press one function key to "Enter Setup" and another function key to get into "Boot Menu." Immediately start pressing the function key for "Boot Menu" about once a second until the Boot Menu itself appears. [I've generally found the boot menu function key is F12, but I'm sure some manufacturer has it set to something else; that's why I advise you to look.]
    • Put the Windows Recovery Disc into your CD/DVD drive.
    • Use the up or down arrows to get yourself to the entry for your CD/DVD drive in the boot menu. It is not necessary to rearrange the boot order since you'll only be doing this one time. Once you're resting on the entry for the CD/DVD drive press <Enter>.
    • You will most probably be forced to go through Windows Startup Repair, which is fine, but it won't find anything. Do pay attention to where the Windows installation root directory is shown as having been located. It's not always C:\Windows [the system I just repaired was D:\Windows]. This is the folder that is referred to by %SYSTEMROOT% further down in the instructions.
    • After Startup Repair completes, probably having found nothing, there will be a link on that dialog screen that allows you to go to advanced recovery options. Click that link.
    • On the Advanced Recovery option dialog that pops up, choose the option for getting a Command Prompt window.
    • In the Command Prompt window, type the drive letter followed by a colon that was shown for the system root directory (e.g., C: or D:), which will switch you to be working on that drive.
    • Create a temporary folder, I call mine "oldhives," for use in the steps that follow. This is your temporary directory where you will be moving the infected hive files to. You can do this by typing: mkdir oldhives
  • Navigate to the %SYSTEMROOT%\system32\config folder.
    • If you've followed all my prior steps, you will do this by typing: cd Windows\system32\config
  • Back up the registry hives in this folder to the temporary location you created. In my specific instructions I am going to presume you created an "oldhives" folder/directory. If you want them somewhere else, adjust the commands I give accordingly. The filenames are:
    1. SOFTWARE
    2. SYSTEM
    3. SAM
    4. SECURITY
    5. DEFAULT

This is done by typing, move <filename> ..\..\..\oldhives, for each of the filenames in the list above.

  • Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier. If you're still where you were at the end of the last step you can do this by typing: cd regback
  • Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder. This is done by typing: copy <filename> ..\ for each filename mentioned above.
  • Reboot the PC. If the backed-up hives had not yet been written over by an automatic system hive backup (which they probably weren't if the PC was shut down soon after the damage was done) it will most likely boot up again like nothing had ever happened.
  • For good measure you should do a full system scan with your antivirus software. I also recommend downloading the free versions of Malwarebytes (available at malwarebytes.org) and Spybot Search & Destroy (available at safer-networking.org) and installing these, updating their definitions databases to the latest versions, and letting each run a scan. If either finds anything suspicious let it remove/quarantine it. These are good tools to have on any system in case of an infection anyway.
  • After you've done the above and are sure your system is back to the land of the living, you should open a Windows Explorer/File Explorer window, open the drive on which you created the oldhives temporary directory, then delete that directory and all its contents. Good riddance to bad rubbish!!

I hope that this nauseatingly detailed step-by-step set of instructions may prove helpful, particularly to the non-tech-geek who finds themselves in a post-Microsoft-Impersonation-Scam quandary.

Blessings on the original poster, ghostrlb, and the bleepingcomputer forums. The help available here is simply incredible.

Brian


Edited by britechguy, 08 December 2014 - 02:15 PM.

Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134

    . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it. The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus, November 10, 2017, in Washington Post article, Bannon is right: It's no coincidence The Post broke the Moore story
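
The hive-swap procedure in the post above, collected into a single script for the Windows Recovery command prompt. This is an added example, not code from the original post or from BleepingComputer; it assumes the script has been copied onto a USB stick (the Recovery Disc itself is read-only), that the Windows folder is <drive>:\Windows (change SYSROOT if Startup Repair showed a different root, such as D:\Windows), and it uses only the names already in the post: the five hive files, the RegBack folder, and the oldhives holding folder. The startup password the scammers set is stored inside the SYSTEM hive, which is why replacing the hives with the RegBack copies removes it. The script adds the one check a practitioner would want before moving anything: every RegBack hive must exist and be larger than zero bytes, because an empty backup copied over a working hive leaves the system unbootable. That check matters more than it did in 2014: Windows 10 version 1803 and later no longer populate RegBack automatically, so on those systems the files are present but empty and this recovery route does not apply.

```batch
@echo off
rem Added example (not from the original post): restore SOFTWARE, SYSTEM, SAM,
rem SECURITY and DEFAULT from RegBack after a startup-password scam.
rem Usage from the WinRE command prompt:  restorehives.cmd C
rem Assumption: the Windows folder is <drive>:\Windows; edit SYSROOT otherwise.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter of the Windows installation, e.g. C^>
    exit /b 1
)

set "SYSROOT=%~1:\Windows"
set "CONFIG=%SYSROOT%\system32\config"
set "REGBACK=%CONFIG%\RegBack"
set "OLDHIVES=%~1:\oldhives"

if not exist "%CONFIG%\SYSTEM" (
    echo No SYSTEM hive found under %CONFIG% - check the drive letter shown by Startup Repair.
    exit /b 1
)

rem Refuse to touch anything unless every RegBack hive exists and is non-empty.
rem %%~zS expands to the file size in bytes; a 0-byte backup must never be restored.
for %%H in (SOFTWARE SYSTEM SAM SECURITY DEFAULT) do (
    if not exist "%REGBACK%\%%H" (
        echo RegBack is missing %%H - do not continue with this method.
        exit /b 1
    )
    for %%S in ("%REGBACK%\%%H") do if %%~zS EQU 0 (
        echo RegBack copy of %%H is empty - do not continue with this method.
        exit /b 1
    )
)

rem Create the holding folder the post calls "oldhives" on the root of the drive.
if not exist "%OLDHIVES%" mkdir "%OLDHIVES%"

rem Move the current (tampered) hives aside, then copy the backups into place.
rem Stop at the first failure so the config folder is never left half-swapped.
for %%H in (SOFTWARE SYSTEM SAM SECURITY DEFAULT) do (
    move /Y "%CONFIG%\%%H" "%OLDHIVES%\" >nul || (echo Could not move %%H & exit /b 1)
    copy /Y "%REGBACK%\%%H" "%CONFIG%\" >nul || (echo Could not copy %%H from RegBack & exit /b 1)
)

echo Hives restored from RegBack. Remove the recovery disc and reboot.
endlocal
```

Run it once, from the Command Prompt that Advanced Recovery options opens, with the drive letter Startup Repair reported. The moved-aside hives stay in oldhives for the antivirus pass the post recommends; delete that folder only after the machine boots cleanly.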
#2 quietman7
Bleepin' Janitor
Global Moderator, 51,596 posts, Gender: Male, Location: Virginia, USA

Posted 08 December 2014 - 04:52 PM

We appreciate your thoughtful comments and taking the time to express your sentiments to the Bleeping Computer community.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.