unable to log in after removing malware.

Francesc Nualart
Francesc Nualart used Ask the Experts™
I've got a laptop with windows 8 on it. It is from a relative who has been tricked by a hacker who phone him telling he was a technician from Microsoft. He gained access to his computer and he tried to stole his bank credentials. When he realised  his intentions were not that good, he disconnected the internet and called the bank to cancel every single credit card he has.
I tried to help him, running Malwarebytes anti-malware offline with the latest rules, and it found more than 1400 PUP's and Malware.
After cleaning those threats I was prompted to reboot the system. After this, I was unable to log in into his account which is
password protected and the system restarts in a loop entering auto-repair mode...
now it says there's no admin account on the system.
I've cloned the entire disk, and I'm going to install a fresh copy of Windows 10 on it.
With his HDD in an external enclosure I can navigate the directory structure and see all his important files and folders. So I'll be able to transfer those files to the new Windows 10 system later.
Although I have decided to install windows 10, I would like to know how this problem is solved.
How can I repair the no admin account problem in windows 8? I'm sure it can be repaired and I want step by step  instructions on how to proceed.
Do I need a USB/CD with windows 8 to repair the problem? If he has windows 8 (basic) can I use a windows 8 pro usb/cdrom?

Right now this is what it happens....
- I switch on the laptop
- This image appears: http://prntscr.com/h99jl3
- It promts me to enter the password 3 times. After third attempt computer restarts.. next screen is...
- http://prntscr.com/h99qrq   .... and next one is...
- http://prntscr.com/h99sja ... next on...
- http://prntscr.com/h99oiz
- I press "Advanced Options" and next screen is..
-http://prntscr.com/h99wa1 .... I choose to press Solve Problems (the one with tools) ... then
- http://prntscr.com/h99yt5 and If I choose first option..
- http://prntscr.com/h9a113  - No admin account???
- I go back one step and choose Advanced Options
- http://prntscr.com/h9a432
- All options except the last two (of right column) tell me the same. There is no admin account on this pc.

How can I fix this... I'm sure there a solution you guys can give me.
Thank you in advance.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
I would not waste time on this. Once a computer has been compromised like this, the only practical solution is to back up and start again. Installing Windows 10 is the correct answer here.

The hacker damaged enough that it is unlikely you would ever get it to log in properly.
Distinguished Expert 2017

John addressed, one way boot the system using any boot media, replace utilman.exe with cmd.exe, making sure to first back up until,an.exe
Once done, reboot the system, at login hit the easy access the command window should pop up running with system rights.
Now you can create a new admin user
Net user newuser * /add
Provide password
Net localgroup administrators newuser /add
Try logging in with newuser credentials.
gilnovSystems Administrator

The scammer may have dropped some malware on the computer but most likely he was just after the banking info. My guess is that most of the 1400 PUP's were already on the computer and you just found them because you went looking. From what you describe (no admin account on the computer), your relative's main logon ID WAS the only admin account.

When you set up Windows 10, I would recommend you create a separate admin account and ensure that the primary account (the one your relative will log in to for day-to-day use) is not an admin account. It is bad practice to operate a computer with admin privileges because doing so requires no authorization to install programs.

If your relative had been operating the computer as a standard user when the scammer connected to his computer, he would not have been able to install anything without the admin credentials. Of course, there would be nothing stopping your relative telling the scammer the admin credentials or typing them in him/herself but it does stop sneaky installs and helps prevent some - but not all - future malware infections.
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

gilnovSystems Administrator

Oh, and John is 100% correct. There's no point bothering with trying to untangle a computer that has been mangled by malware so badly it won't boot. Time to wipe the slate clean and reload windows. Especially since you have all the data.

Finally, I don't like to wipe hard drives and reuse them. Unless cost is an issue, it would be worth spending a bit extra for a brand new internal drive for the laptop. SSD's have come way down in price and the speed boost will amaze and delight your relative.

obviously when you scan and delete it may kept backup of those files someware on the applcation folder .. just restore it... it may come to regular mode...

as you said you are able to access the filess.

all the best
Most Valuable Expert 2013
Thanks for the translations :)

The "hacker" has changed the built-in Windows Syskey password on the machine and removed backups and access to the admin account.
It's unlikely they will have bothered to install anything else on the machine as the intention is to sell the affected user a "repair" service to fix this by restting the password.  But as everyone has already said you shouldn't really take the chance that any further harm has been done.

The end result is simply Windows wants the Syskey password to allow access, data and other files are untouched which is why you can see all of them if you slave the drive.

Googling Syskey Password Scam will get you more info, but worryingly more info on how to carry this out than dealing with it.  Unless a backup copy of the security SAM hive has ben left (and generally that's the first thing to remove having changed the password) then a reinstall is the easiest way out.



First of all, many thanks to everyone that commented on my post.
I finally managed to solve the problem.
As I had cloned the hdd with Acronis True Image 2018, I found the solution watching a few youtube videos about syskey.
I mounted the image of the laptop on my desktop, then I've taken out the hdd off the laptop and put it on an external case and I've connected it to my desktop pc.
It was a matter of copying the files from M:\Windows\System32\Config\RegBack  (DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM) - from my cloned laptop hdd (windows assigned letter M after mounting it) to F:\Windows\System32\Config on my laptop hdd connected by usb and inside an external enclosure.
That solved the problem... I needed to grab some e-mail password accounts and websites passwords then I reinstalled OS with a fresh copy of Windows 10.


Thanks everyone that commented on my first post.
I'd like to thank you all.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

You are very welcome and I was happy to help you.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial