Solved

help with Pre-Login Popup message removal

Posted on 2016-11-27
Last Modified: 2017-01-17
Hi Experts.
I have a client that for some reason could not find my phone number and used someone else to reset a lost password.  I am not sure what tool they used but now every time the computer starts up it shows this message over the login screen: "Congratulations! The changes about the windows account has become effective"  Click "OK"

No that is not my bad grammar.  That is exactly how the message appears.  See image below.

[Image: Annoying message pre-login]
I can't seem to figure out where this message is coming from.  I have checked all the startup locations I could find and am familiar with including the legalnotice entries under "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

I have scanned the system for malware and viruses using multiple anti-malware programs but still this annoying popup keeps showing up on each reboot.  It does not seem to be loading from any of the normal "startup" locations.  It also does not seem to be causing any other issues other than being annoying.

In case it matters this issue was originally created in Windows 8.1 but has progressed through the Windows 10 Pro upgrade.

Any help much appreciated.

Carl
Question by:jctcom
4 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41902870
I think they have used Windows Password Recovery Tool. Can you uninstall it?
http://nib.ro/04/19/windows-password-recovery/
 
LVL 1

Author Comment

by:jctcom
ID: 41902872
That is what I thought.  But I don't see any reference to that in the "Programs & Features" control panel nor in the "Program Files" or "Program Files (x86)" folders.

Carl
 
LVL 1

Accepted Solution

by:
jctcom earned 0 total points
ID: 41903056
OK Managed to resolve this.  Here is how in case anyone else runs across this or something similar.  I think whoever they had in to work on the computer put this in on purpose for some reason.  Or the software itself did.

Using Total Commander I performed a search for the word "Congratulations".  The first search did not find anything.  I then performed it again but told it to "Find Text" with the following parameters checked:  ANSI, ASCII, UTF16 and UTF8

Not sure if I needed all of those parameters but that's what I had checked off in the additional options.

It came back almost immediately with "C:\ResetPassword.exe"

An executable in the root of C:\ is pretty suspicious.  So I performed a search in Regedit for "ResetPassword".  It came back with a couple of legitimate hits as well as the following:  (Note: It did not have the ".old" at the end originally.  See further down.)

[Image: Regedit Search Result for ResetPassword]
I then looked at the C:\ and found a few other related files including a "ResetPassword.bat" which had the following text:

"sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0"

In any case just to be sure I renamed the registry key, .exe and .bat files with ".old" extensions.

Rebooted the computer and Voila.  Message gone.  

I am beginning to think that my client either got sucked into one of "Those" phone calls or downloaded the reset password program himself and it installed the malicious file(s).  Either that or the computer technician did it not realising that the program he installed contained this malicious byproduct.

Hope this helps someone else in a similar situation.

Carl
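
An added example, not part of the original post: the multi-encoding text search from the accepted solution, written in Python. It shows why a first search can miss a message that a binary stores as UTF-16; the function names, file names and sample bytes are assumptions constructed for the illustration.

```python
import os
import tempfile

# UI strings in Windows executables are usually stored as UTF-16LE, which a
# plain ASCII/ANSI search misses. UTF-8 bytes equal ASCII for English text.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

def needle_variants(text):
    """Return {byte pattern: encoding name} for each way `text` may be stored."""
    if not text:
        raise ValueError("search text must not be empty")
    return {text.encode(enc): enc for enc in ENCODINGS}

def scan_file(path, variants, chunk_size=1 << 20):
    """Return the sorted encodings in which the text occurs in one file."""
    overlap = max(len(p) for p in variants) - 1  # catch hits split across chunks
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            found.update(enc for pat, enc in variants.items() if pat in window)
            tail = window[-overlap:]
    return sorted(found)

def scan_tree(root, text):
    """Walk `root` and return {path: [encodings]} for every file with a hit."""
    variants = needle_variants(text)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                encs = scan_file(path, variants)
            except OSError:
                continue  # locked or unreadable file: skip it
            if encs:
                hits[path] = encs
    return hits

def demo():
    """Constructed sample tree: one fake binary with the message as UTF-16LE."""
    msg = "Congratulations"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "fake_tool.bin"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 64 + msg.encode("utf-16-le"))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"nothing relevant in this file")
        hits = scan_tree(root, msg)
    return {os.path.basename(p): encs for p, encs in hits.items()}
```

The match is case-sensitive, so search for the popup text exactly as it appears on screen.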
 
LVL 1

Author Closing Comment

by:jctcom
ID: 41909948
It was the one that worked.