Solved

help with Pre-Login Popup message removal

Posted on 2016-11-27
Last Modified: 2017-01-17
Hi Experts.
I have a client that for some reason could not find my phone number and used someone else to reset a lost password.  I am not sure what tool they used but now every time the computer starts up it shows this message over the login screen: "Congratulations! The changes about the windows account has become effective"  Click "OK"

No, that is not my bad grammar.  That is exactly how the message appears.  See image below.

[Image: Annoying message pre-login]

I can't seem to figure out where this message is coming from.  I have checked all the startup locations I could find and am familiar with including the legalnotice entries under "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

I have scanned the system for malware and viruses using multiple anti-malware programs but still this annoying popup keeps showing up on each reboot.  It does not seem to be loading from any of the normal "startup" locations.  It also does not seem to be causing any other issues other than being annoying.

In case it matters this issue was originally created in Windows 8.1 but has progressed through the Windows 10 Pro upgrade.

Any help much appreciated.

Carl
Question by:jctcom
 
LVL 18

Expert Comment

by:awawada
ID: 41902870
I think they have used Windows Password Recovery Tool. Can you uninstall it?
http://nib.ro/04/19/windows-password-recovery/
0
 
LVL 1

Author Comment

by:jctcom
ID: 41902872
That is what I thought.  But I don't see any reference to that in the "Programs & Features" control panel nor in the "Program Files" or "Program Files (x86)" folders.

Carl
0
 
LVL 1

Accepted Solution

by:
jctcom earned 0 total points
ID: 41903056
OK Managed to resolve this.  Here is how in case anyone else runs across this or something similar.  I think whoever they had in to work on the computer put this in on purpose for some reason.  Or the software itself did.

Using Total Commander I performed a search for the word "Congratulations".  The first search did not find anything.  I then performed it again but told it to "Find Text" with the following parameters checked:  ANSI, ASCII, UTF16 and UTF8

Not sure if I needed all of those parameters but that's what I had checked off in the additional options.

It came back almost immediately with "C:\ResetPassword.exe"

An executable in the root of C:\ is pretty suspicious.  So I performed a search in Regedit for "ResetPassword".  It came back with a couple of legitimate hits as well as the following:  (Note: it did not have the ".old" at the end originally.  See further down.)

[Image: Regedit Search Result for ResetPassword]

I then looked at the C:\ and found a few other related files including a "ResetPassword.bat" which had the following text:

"sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0"

In any case, just to be sure, I renamed the registry key, .exe and .bat files with ".old" extensions.

Rebooted the computer and Voila.  Message gone.  

I am beginning to think that my client either got sucked into one of "Those" phone calls or downloaded the reset password program himself and it installed the malicious file(s).  Either that or the computer technician did it not realising that the program he installed contained this malicious byproduct.

Hope this helps someone else in a similar situation.

Carl
0
 
LVL 1

Author Closing Comment

by:jctcom
ID: 41909948
It was the one that worked.
0


Question has a verified solution.
