
Getting rid of Win7 Startup Password requirement when you know the password!


4 replies to this topic

#1 Navionmi

Posted 17 August 2016 - 01:34 PM

Hi, I have a client who JUST about got nailed by the little b******s that push a fake virus page to you then give you a number to call etc etc. 

They called me JUST as they were ALSO on the phone with the scammer, and I got them to hang up before any serious damage could be done...especially to their VISA card!

However, the little buggers managed to put a start up password in Windows BEFORE you get to the users/login screen. This is where the fortunate part comes in. The client was WATCHING AND PAYING ATTENTION! (I know! How rare is that???)

The password used was 'inbound'.

So to use the computer, all you have to do is put in the password 'inbound' and you get to the login screen. 

The faker created a homegroup and a hidden homegroup admin account for himself. I got rid of the homegroup and that user, but try as I might, I can't find out where you go to get rid of that password requirement. 

Any ideas?

(Win 7 home on an Asus i5 laptop)





#2 JohnC_21


Posted 17 August 2016 - 01:44 PM

Is the password box the same as what is shown on this page? That would be a System password that can be removed by copying the System (Sam) Hive from the Regback folder of C:\Windows\System32\config\Regback.

 

First option is to do a System Restore. Edit: It should be SAM hive. Sorry.

 

Second would be to use a live linux disk to rename the System Hive in C:\Windows\System32\config\ and copy the one from Regback. This would only work if the date on the System Hive in Regback is before the problem began.

 

Edit: There is a file on the page but I have never downloaded it or used it. I suggest you at least scan it with Virustotal if you wish to use it to disable the password box.


Edited by JohnC_21, 17 August 2016 - 01:48 PM.
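The RegBack swap described in the post above hinges on the backup hive predating the problem. The following is an added example, not part of the original post: a shell function for a live Linux session that checks this before renaming and copying. The function name, mount point, `.old` suffix and sample date are assumptions, and the hive name is passed as an argument.

```shell
#!/bin/sh
# Added example. Assumes GNU stat/date (present on common live Linux disks).
# restore_hive CONFIG_DIR HIVE CUTOFF
#   CONFIG_DIR  path to the mounted Windows\System32\config folder
#   HIVE        hive file name, e.g. SAM or SYSTEM
#   CUTOFF      date the problem began, in any form `date -d` accepts
# Returns 0 = restored, 1 = file missing or bad date, 2 = backup too recent.
restore_hive() {
    config_dir=$1 hive=$2 cutoff=$3
    live="$config_dir/$hive"
    backup=""
    # Linux mounts of NTFS are normally case-sensitive, so try both the
    # RegBack spelling and the one used in the post.
    for dir in RegBack Regback; do
        if [ -z "$backup" ] && [ -s "$config_dir/$dir/$hive" ]; then
            backup="$config_dir/$dir/$hive"
        fi
    done
    if [ -z "$backup" ] || [ ! -f "$live" ]; then
        echo "live hive or non-empty RegBack copy not found for $hive" >&2
        return 1
    fi
    cutoff_ts=$(date -d "$cutoff" +%s) || return 1
    backup_ts=$(stat -c %Y "$backup")
    if [ "$backup_ts" -ge "$cutoff_ts" ]; then
        echo "RegBack $hive was written on or after $cutoff; not restoring" >&2
        return 2
    fi
    # Rename rather than delete, so the swap can be undone.
    mv "$live" "$live.old" || return 1
    cp -p "$backup" "$live"
}

# Usage (mount point and date are constructed sample values):
#   restore_hive /mnt/win/Windows/System32/config SAM '2016-08-17'
```

A return code of 2 means the backup was written on or after the cutoff, so it may already contain the unwanted password; nothing is changed in that case.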


#3 Navionmi


Posted 17 August 2016 - 01:51 PM

Yup: That's the one. 

 

Thanks for the input! I'll try the SAM hive replacement and let you know. 


Edited by Navionmi, 17 August 2016 - 01:54 PM.


#4 quietman7

  • Global Moderator

Posted 18 August 2016 - 07:21 PM

Topic moved to more appropriate forum.

#5 Crazy Cat


Posted 19 August 2016 - 01:07 AM

Those affected read, http://www.bleepingcomputer.com/forums/t/614238/syskey-detection-and-removal/
 





