  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 130

help with Pre-Login Popup message removal

Hi Experts.
I have a client that for some reason could not find my phone number and used someone else to reset a lost password.  I am not sure what tool they used but now every time the computer starts up it shows this message over the login screen: "Congratulations! The changes about the windows account has become effective"  Click "OK"

No, that is not my bad grammar.  That is exactly how the message appears.  See image below.

[Image: Annoying message pre-login]
I can't seem to figure out where this message is coming from.  I have checked all the startup locations I could find and am familiar with including the legalnotice entries under "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

I have scanned the system for malware and viruses using multiple anti-malware programs but still this annoying popup keeps showing up on each reboot.  It does not seem to be loading from any of the normal "startup" locations.  It also does not seem to be causing any other issues other than being annoying.

In case it matters this issue was originally created in Windows 8.1 but has progressed through the Windows 10 Pro upgrade.

Any help much appreciated.

Carl
awawada Commented:
I think they have used Windows Password Recovery Tool. Can you uninstall it?
http://nib.ro/04/19/windows-password-recovery/
0
 
jctcom (Author) Commented:
That is what I thought.  But I don't see any reference to that in the "Programs & Features" control panel nor in the "Program Files" or "Program Files (x86)" folders.

Carl
0
 
jctcom (Author) Commented:
OK Managed to resolve this.  Here is how in case anyone else runs across this or something similar.  I think whoever they had in to work on the computer put this in on purpose for some reason.  Or the software itself did.

Using Total Commander I performed a search for the word "Congratulations".  The first search did not find anything.  I then performed it again but told it to "Find Text" with the following parameters checked:  ANSI, ASCII, UTF16 and UTF8

Not sure if I needed all of those parameters but that's what I had checked off in the additional options.

It came back almost immediately with "C:\ResetPassword.exe"

An executable in the root of C:\ is pretty suspicious.  So I performed a search in Regedit for "ResetPassword".  It came back with a couple of legitimate hits as well as the following:  (Note. It did not have the ".old" at the end originally.  See further down)

[Image: Regedit Search Result for ResetPassword]
I then looked at the C:\ and found a few other related files including a "ResetPassword.bat" which had the following text:

"sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0sc stop ResetPassword
sc delete ResetPassword
:Repeat
del %~dp0ResetPassword.exe
if exist ResetPassword.exe goto Repeat
del %0"

In any case, just to be sure, I renamed the registry key, .exe and .bat files with ".old" extensions.

Rebooted the computer and Voila.  Message gone.  

I am beginning to think that my client either got sucked into one of "Those" phone calls or downloaded the reset password program himself and it installed the malicious file(s).  Either that or the computer technician did it not realising that the program he installed contained this malicious byproduct.

Hope this helps someone else in a similar situation.

Carl
0
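The multi-encoding search described in the post above, as an added example that is not part of the original post or of Total Commander: Windows programs commonly store their dialog text as UTF-16LE, so a plain single-byte search for the message finds nothing. The function names, the cp1252 reading of "ANSI" and the sample file are assumptions made for illustration.

```python
import os
import tempfile

# "ANSI" is taken to be cp1252 (assumption); UTF-16LE is the usual in-binary form.
ENCODINGS = ("cp1252", "utf-8", "utf-16-le")

def needle_variants(text):
    """Map each distinct byte pattern for `text` to the encodings producing it."""
    variants = {}
    for enc in ENCODINGS:
        try:
            variants.setdefault(text.encode(enc), []).append(enc)
        except UnicodeEncodeError:
            pass  # text not representable in this encoding
    return variants

def scan_file(path, variants, chunk_size=1 << 20):
    """Return the sorted encodings whose byte pattern occurs in the file."""
    found, tail, overlap = set(), b"", max(map(len, variants)) - 1
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            for pattern, encs in variants.items():
                if pattern in window:
                    found.update(encs)
            tail = window[-overlap:] if overlap else b""  # keep split matches
    return sorted(found)

def search_tree(root, text):
    """Walk `root`; return {path: [encodings]} for files containing `text`."""
    variants, hits = needle_variants(text), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                encs = scan_file(path, variants)
            except OSError:
                continue  # locked or unreadable file
            if encs:
                hits[path] = encs
    return hits

def demo():
    """Constructed sample: a fake .exe holding the text only as UTF-16LE."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample.exe"), "wb") as fh:
            fh.write(b"MZ\x00\x00" + "Congratulations!".encode("utf-16-le"))
        hits = search_tree(root, "Congratulations")
        return {os.path.basename(p): e for p, e in hits.items()}
```

Calling `search_tree("C:\\", "Congratulations")` from an elevated prompt reports each matching file together with the encoding that matched, which shows at a glance whether the text lives in a script or inside a binary.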
 
jctcom (Author) Commented:
It was the one that worked.
0
