Win 10 "Microsoft Tech Support" Scam; can't get past Win Logon Password


21 replies to this topic

#1 WindozeWasher


Posted 28 April 2016 - 12:24 PM

Friend's machine; he fell for the phone call scam, now Windows 10 Logon screen will not accept alleged Password even in Safe mode; no Restore Points exist (probably deleted by the scammer).

 

How do I clear the "Password" / access Windows for further disinfection/repairs?

 





#2 Agouti


Posted 28 April 2016 - 12:38 PM

Does the window look like this...

 

1461865015.png



#3 WindozeWasher


Posted 28 April 2016 - 12:56 PM

That's it!

#4 Agouti


Posted 28 April 2016 - 01:45 PM

Read this... http://www.bleepingcomputer.com/forums/t/470753/remove-a-startup-password-before-account-screen/?p=2859997



#5 WindozeWasher


Posted 28 April 2016 - 01:56 PM

I'm not certain how that solves the problem on Windows 10? This was a "Push" install of Win10 from Win7; client has no restore/repair disks.

#6 Agouti


Posted 28 April 2016 - 02:19 PM

You need to restore the registry hive from a backup that Windows keeps.  Since you can't boot into Windows, you have to make a live bootable disc or USB with something like PuppyLinux in order to restore it.  See this.



#7 WindozeWasher


Posted 28 April 2016 - 02:35 PM

Oh, I've got TRK 3.4, Hirens 15.2, UBCD 6, so I can access the file-system, but that discussion you linked to seems to imply that the process could damage the User Accounts (under Windows 10).


Edited by WindozeWasher, 28 April 2016 - 02:36 PM.


#8 Agouti


Posted 28 April 2016 - 02:47 PM

Do you mean this statement?

 

If it DOES look like this I strongly recommend not to try a repair install, as this may easily break your install further as detailed here: Windows NT System Key Permits Strong Encryption of the SAM



#9 WindozeWasher


Posted 28 April 2016 - 02:54 PM

In part, but I've been updating my knowledge-base on this critter for about the last six hours or so, and I have read a LOT, from various websites (this one, Tom's, MS, TechSupport forums, etc., etc.). I've undoubtedly got some conflicting info running around my brain like a Squirrel in a Wheel that I still need to integrate. I can't currently point to a single discussion, but some seem to indicate that doing the Hive transplant can render some accounts un-accessible.

 

In fact, I think I'm starting to see spots!  :unsure:


Edited by WindozeWasher, 28 April 2016 - 02:56 PM.


#10 Agouti


Posted 28 April 2016 - 03:02 PM

According to myrti...

 

You can restore a registry hive from a system restore snapshot from outside Windows; however, when you're doing this for the SAM hive and you choose the wrong date in time, user accounts may get deleted, which would lead to your friend's data being deleted along with his account. As this is a risk, I would recommend a backup of the C\documents & settings folder before starting this.

You should also back up the hive before you restore it.  Backing up is the best you can do.  I don't see another choice.
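
The back-up-first order recommended in post #10, as an added example that is not part of the thread: a shell function for a live Linux session that saves the current hive, verifies the copy, and only then replaces it from the backup. The function names, the `RegBack` subdirectory as the backup source, and the mount point in the comments are assumptions; the thread names none of them.

```shell
#!/bin/sh
# Added example: back up a live registry hive, then restore it from RegBack.
# Usage: restore_hive <config_dir> <hive_name> <safe_dir>
#   config_dir  e.g. /mnt/win/Windows/System32/config (mount point is an assumption)
#   hive_name   e.g. SAM
#   safe_dir    directory on other media that receives the pre-restore copy

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Registry hive files begin with the 4-byte signature "regf".
is_hive() { [ "$(head -c 4 "$1" 2>/dev/null)" = "regf" ]; }

restore_hive() {
    config_dir=$1; hive=$2; safe_dir=$3
    live="$config_dir/$hive"
    backup="$config_dir/RegBack/$hive"

    [ -f "$live" ] || { echo "live hive not found: $live" >&2; return 2; }
    # A missing, zero-length or non-hive backup would destroy the live hive.
    [ -s "$backup" ] && is_hive "$backup" || {
        echo "backup missing, empty or not a hive: $backup" >&2; return 3; }

    # Step 1: copy the current hive aside and verify the copy by hash.
    mkdir -p "$safe_dir" || return 4
    saved="$safe_dir/$hive.$(date +%Y%m%d-%H%M%S).orig"
    cp -p "$live" "$saved" || return 4
    [ "$(hash_of "$live")" = "$(hash_of "$saved")" ] || {
        echo "saved copy does not match live hive" >&2; return 4; }

    # Step 2: stage the backup next to the live hive, verify, then swap it in.
    cp "$backup" "$live.new" || return 5
    if [ "$(hash_of "$backup")" != "$(hash_of "$live.new")" ]; then
        rm -f "$live.new"; echo "staged copy is corrupt" >&2; return 5
    fi
    mv -f "$live.new" "$live" || return 5

    # Print where the original went so the restore can be undone with cp.
    echo "$saved"
}
```

If the restored hive turns out to be the wrong one, copying the printed `.orig` file back over the live hive returns the machine to its pre-restore state.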



#11 WindozeWasher


Posted 28 April 2016 - 03:22 PM

Well, whatever I do, the PC's owner now wants to let the guy from "MS Tech Support, George Matthews" remotely unlock it..... "He said there'll be no charge!"

 

:hysterical:

 

The same Azzhat that he let talk him into letting him in!  

 

Oy!   :angry:

 

"George Matthews" is one of at least three names KNOWN to be associated with these scammers!


Edited by WindozeWasher, 28 April 2016 - 03:26 PM.


#12 Agouti


Posted 28 April 2016 - 03:36 PM

I hope he doesn't keep on allowing this guy to remote into his computer.  Who knows what this scammer could plant on his computer.



#13 WindozeWasher


Posted 28 April 2016 - 03:40 PM

If he does, I'll wash my hands of it!



#14 Agouti


Posted 28 April 2016 - 04:01 PM

I washed my hands as soon as your friend said he'll allow this guy to unlock his machine.  If he is so gullible, he deserves everything that happened.  Good luck to him.



#15 WindozeWasher


Posted 28 April 2016 - 04:10 PM

In the meanwhile, I have to wait for it to finish the Win10 build Rollback (most current to previous); it was apparently working on part of that when this mess occurred (but of course, he can't give me details). As I recall, a laptop I did last week took nearly six hours to come up to the most recent build, so I'm thinking the build rollback will likely take a bit longer. He decided on his latter course of action AFTER this process was already underway; he didn't really understand why I can't interrupt the thing!





