Solved

help with Pre-Login Popup message removal

Posted on 2016-11-27
4
52 Views
Last Modified: 2017-01-17
Hi Experts.
I have a client that for some reason could not find my phone number and used someone else to reset a lost password.  I am not sure what tool they used but now every time the computer starts up it shows this message over the login screen: "Congratulations! The changes about the windows account has become effective"  Click "OK"

No that is not my bad grammar.  That is exactly how the message appears  See image below.

Annoying message pre-login
I can't seem to figure out where this message is coming from.  I have checked all the startup locations I could find and am familiar with including the legalnotice entries under "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

I have scanned the system for malware and viruses using multiple anti-mailware programs but still this annoying popup keeps showing up on each reboot.  It does not seem to be loading from any of the normal "startup" locations.  It also does not seem to be causing any other issues other than being annoying.

In case it matters this issue was originally created in Windows 8.1 but has progressed through the Windows 10 Pro upgrade.

Any help much appreciated.

Carl
0
Comment
Question by:jctcom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41902870
I think they have used Windows Password Recovery Tool. Can you uninstall it?
http://nib.ro/04/19/windows-password-recovery/
0
 
LVL 1

Author Comment

by:jctcom
ID: 41902872
That is what I thought.  But I don't see any reference to that in the "Programs & Features" control panel nor in the "Program FIles" Or Program Files (x86) folders.

Carl
0
 
LVL 1

Accepted Solution

by:
jctcom earned 0 total points
ID: 41903056
OK Managed to resolve this.  Here is how in case anyone else runs across this or something similar.  I think whoever they had in to work on the computer put this in on purpose for some reason.  Or the software itself did.

Using Total Commander I performed a search for the word "Congratulations".  The first search did not find anything.  I then performed it again but told it to "Find Text" with the following parameters checked:  ANSI, ASCII, UTF16 and UTF8

Not sure it I needed all of those parameters but that's what I had checked off in the additional options.

It came back almost immediately with "C:\ResetPassword.exe"

An executable in the root of C"\ is pretty suspicious.  So I performed a search in Regedit for "ResetPassword"  It came back with a couple of legitimate hits as well as the following:  (Note. It did not have the ".old" at the end originally.  See further down)

Regedit Search Result for ResetPassword
I then looked at the C:\ and found a few other related files including a "ResetPassword.bat" which had the following text:

"sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0"

In any case just to be sure I renamed the registry key, .exe and .bat files with ".old" extensions

Rebooted the computer and Voila.  Message gone.  

I am beginning to think that my client either got sucked into one of "Those" phone calls or downloaded the reset password program himself and it installed the malicious file(s).  Either that or the computer technician did it not realising that the program he installed contained this malicious byproduct.

Hope this helps someone else in a similar situation.

Carl
0
 
LVL 1

Author Closing Comment

by:jctcom
ID: 41909948
It was the one that worked.
0

Featured Post

Create Professional Looking Email Signatures

Create "Professional HTML Email Signatures" with ease.
7 Day Money Back Guarantee if not 100% Satisfied.
Affordable - Try it out for 7 Days Totally Risk Free.
Installers provided for over 45 Email clients.
Both Windows & MAC Supported.
Highly Recommended!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

OfficeMate Freezes on login or does not load after login credentials are input.
In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question