Solved

help with Pre-Login Popup message removal

Posted on 2016-11-27
4
14 Views
Last Modified: 2016-12-02
Hi Experts.
I have a client that for some reason could not find my phone number and used someone else to reset a lost password.  I am not sure what tool they used but now every time the computer starts up it shows this message over the login screen: "Congratulations! The changes about the windows account has become effective"  Click "OK"

No that is not my bad grammar.  That is exactly how the message appears  See image below.

Annoying message pre-login
I can't seem to figure out where this message is coming from.  I have checked all the startup locations I could find and am familiar with including the legalnotice entries under "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

I have scanned the system for malware and viruses using multiple anti-mailware programs but still this annoying popup keeps showing up on each reboot.  It does not seem to be loading from any of the normal "startup" locations.  It also does not seem to be causing any other issues other than being annoying.

In case it matters this issue was originally created in Windows 8.1 but has progressed through the Windows 10 Pro upgrade.

Any help much appreciated.

Carl
0
Comment
Question by:jctcom
  • 3
4 Comments
 
LVL 18

Expert Comment

by:awawada
Comment Utility
I think they have used Windows Password Recovery Tool. Can you uninstall it?
http://nib.ro/04/19/windows-password-recovery/
0
 
LVL 1

Author Comment

by:jctcom
Comment Utility
That is what I thought.  But I don't see any reference to that in the "Programs & Features" control panel nor in the "Program FIles" Or Program Files (x86) folders.

Carl
0
 
LVL 1

Accepted Solution

by:
jctcom earned 0 total points
Comment Utility
OK Managed to resolve this.  Here is how in case anyone else runs across this or something similar.  I think whoever they had in to work on the computer put this in on purpose for some reason.  Or the software itself did.

Using Total Commander I performed a search for the word "Congratulations".  The first search did not find anything.  I then performed it again but told it to "Find Text" with the following parameters checked:  ANSI, ASCII, UTF16 and UTF8

Not sure it I needed all of those parameters but that's what I had checked off in the additional options.

It came back almost immediately with "C:\ResetPassword.exe"

An executable in the root of C"\ is pretty suspicious.  So I performed a search in Regedit for "ResetPassword"  It came back with a couple of legitimate hits as well as the following:  (Note. It did not have the ".old" at the end originally.  See further down)

Regedit Search Result for ResetPassword
I then looked at the C:\ and found a few other related files including a "ResetPassword.bat" which had the following text:

"sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0"

In any case just to be sure I renamed the registry key, .exe and .bat files with ".old" extensions

Rebooted the computer and Voila.  Message gone.  

I am beginning to think that my client either got sucked into one of "Those" phone calls or downloaded the reset password program himself and it installed the malicious file(s).  Either that or the computer technician did it not realising that the program he installed contained this malicious byproduct.

Hope this helps someone else in a similar situation.

Carl
0
 
LVL 1

Author Closing Comment

by:jctcom
Comment Utility
It was the one that worked.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
OfficeMate Freezes on login or does not load after login credentials are input.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now