Hacker put password on PC, need help to get into PC

85

22

My Uncle got a phone call from hackers pretending to be TalkTalk and as he is elderly and was tired, they talked him into doing things on his laptop. When they started to talk about banking etc he twigged and hung up but they have put a password on his laptop which we can't get past.

He originally had Windows 7, but had upgraded to Windows 10, but it is a local password that has been added. I've tried booting from a USB but it wants to reinstall Windows and he doesn't really want to lose his files. I've tried typing this into DOS, which I found on another site:

  Net user administrator /active:yes
  Net user administrator p@ssw0rD

But I haven't got anywhere, please can someone help?


Update

Thanks for all your help. Used Ubuntu and chntpw and managed to remove the password. Nothing seems untoward, no software installed and Malwarebytes found no threats. I guess my uncle cut them off before they did any of that.

AllieP

Posted 2015-11-19T10:53:32.770

Reputation: 867

82Getting the password back is only the first step of a cleanup and the safest thing to do is to reinstall Windows. A professional IT support person should be able to get any personal files saved first (in a safe way) before Windows is reinstalled. – DavidPostill – 2015-11-19T11:05:59.797

7Please see my answer regarding some things you must do immediately to avoid future problems - in particular having his bank account emptied. – DavidPostill – 2015-11-19T11:13:27.803

1Good suggestions, especially to disconnect from the internet NOW and contact the bank NOW. As to getting files, could he perform a boot to Linux on a CD. Then copy files to a pen drive. Finally reformat HDD and re-install Windows? – AlainD – 2015-11-19T11:40:34.160

@AlainD That's indeed possible, depending on the skill set of the OP. – DavidPostill – 2015-11-19T11:42:50.077

@AlainD I don't think he can do that if the Windows user has a password, unless OP can retrieve the password somehow. But worth the try. – Gui Imamura – 2015-11-19T13:12:44.350

3@GuiImamura: Surely you enter the BIOS (eg. tap F12 on startup), set the boot order to boot from CD first, have your Linux CD ready in the drive and exit and save? – AlainD – 2015-11-19T14:12:45.943

13If you know how to do this, take HDD out, put it in an external caddy, connect it to another computer(with AV protection) and copy all files you want to save, then format and reinstall windows(if you have Key/OEM disc). Change all passwords online and offline. We don't know how computer savvy you are so it's hard to advise... – n00dles – 2015-11-19T15:16:38.847

1

In my opinion, the easiest and most painless way to recover files off of the compromised computer is to let it boot off of a Linux Live CD/USB (e.g. Ubuntu 14) and copy files from the computer to a USB pen drive or an external hard drive. Instructions on how to create a bootable USB stick can be found here and if you don't know how to boot a computer from CD/USB, this link should help you figure that out.

– Vinayak – 2015-11-19T17:10:06.973

1

Veering off topic for a second here, but if your uncle gets calls like these often and he uses a smartphone (preferably an Android), he could install Truecaller on his phone, which helps identify and block spammers like the ones who duped your uncle. Fair warning though, it works by crowd-sourcing data from people who've installed the app - meaning that your phonebook contacts will be uploaded to Truecaller servers in return for Truecaller identifying unknown callers for you. Sketchy? Maybe so. However, I am of the opinion that the app has more pros than cons.

– Vinayak – 2015-11-19T17:35:40.517

4In addition to resolving the problem at hand, you may want to look for training classes specifically designed for the elderly. One reason older people are more susceptible to scams is that they're from a time when impersonating you would require both a disguise and the ability to forge your signature. If you can't find a good class, at minimum make absolutely sure your uncle at least knows to **never give information over the phone unless you initiated the contact.** – Dan Henderson – 2015-11-19T22:17:48.733

1If you do not rebuild the machine from scratch, you can never be confident that it's trustworthy. It's not that hard to write something that compromises the OS, especially if you have admin permissions to start with... – Basic – 2015-11-20T02:00:08.893

Could also just use a linux boot stick to get in, grab the files you want to a USB stick, and then proceed with the installation. http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-ubuntu -- situations like this is why Windows lack of file security is handy.. sometimes.

– ctote – 2015-11-20T21:39:40.463

Answers

179

They talked him into doing things on his laptop

  1. Please disconnect this PC from the internet right now.

    • If your uncle has used the PC for internet banking then his bank account details may already be compromised.

  2. Let his bank know what has happened immediately.

    • They will be able to advise him how to change his internet banking details over the phone.

    • The TalkTalk scammers have already conned some individuals out of thousands of pounds.

  3. Change all his passwords (email, websites, etc.)

    • Do this from another computer you know is clean.

  4. Then get professional advice on how to fix this.

    • You don't know exactly what trojans or whatever nasties have been left behind on this PC.

    • Getting the password back is only the first step of a cleanup and the safest thing to do is to reinstall Windows.

    • A professional IT support person should be able to get any personal files saved first (in a safe way) before Windows is reinstalled.

  5. But I really want to clean up this mess myself!

    If you feel you have the technical skills to fix this then:

DavidPostill

Posted 2015-11-19T10:53:32.770

Reputation: 118 938

4Hi, thanks for this David. I did this. It actually happened to him in July as well and that time they got money from his account. I cleaned up his machine but they didn't put a password on it then. The bank got his money back and I told him to hang up as soon as they rang. But he got back from travelling a couple of days ago and was tired and vulnerable and he is a very trusting man and he kept saying to them 'Are you sure you're TalkTalk'! I can't believe he did it again. – AllieP – 2015-11-19T12:42:03.210

1@AllieP Oh dear :/ I hope you can sort it out one way or another. Please let me know if I can help any further. If you are confident about cleaning up yourself then see my updated answer (how to get access, and cleanup instructions). – DavidPostill – 2015-11-19T12:44:58.890

36If you are supporting the PC maybe consider that his user doesn't need admin rights. Hackers won't be able to talk him into compromising it, if he doesn't have the ability to change those settings. – JamesRyan – 2015-11-19T12:45:07.180

@AllieP And he somehow missed all the news reports about TalkTalk being hacked again? Or maybe he was away when the last episode happened ... – DavidPostill – 2015-11-19T12:50:27.600

19@JamesRyan Note that while lack of admin rights might protect the OS and other users on the same machine, it won't do anything to protect the compromised user's files, banking details, etc.. – Bob – 2015-11-19T13:08:20.190

6@Bob Especially if it's a social engineering attack. The TalkTalk scam is particularly bad. TalkTalk got hacked (user account details leaked). "Hello, I am from TalkTalk. We want to compensate you for the hack. Please give me your bank account details so we can give you a fat refund". 10 minutes later the account is empty. – DavidPostill – 2015-11-19T13:11:37.180

@Bob the answer to that isn't a technical solution. However doing this will give as much technical protection as there can be by stopping them from installing any kind of keylogger/trojan giving remote access. – JamesRyan – 2015-11-19T13:13:24.340

1@JamesRyan Will it prevent a (disguised) TeamViewer request (please click on this link so we can help you) AKA "Microsoft Support Scam"? I'm not sure. In any case it's worth restricting access. – DavidPostill – 2015-11-19T13:21:55.210

1@AllieP, you may also want to consider changing his phone number (to prevent related repeat attacks). Also consider getting him an identity protection service plan to help audit his life continuously. – Matthew Peters – 2015-11-19T14:01:53.607

Using a normal user will also not protect you from a malicious party doing any number of still harmful things, if you allow them to connect to your computer. You simply can't uninstall the Windows feature because they will just use a different application like TeamViewer instead. – Ramhound – 2015-11-19T17:37:56.153

Thanks for all the help. Used Ubuntu and chntpw and removed the password. Ran Malwarebytes, no threats. Made myself an admin account. – AllieP – 2015-11-20T12:37:12.757

1@AllieP: You might want to investigate some data-backup solution for your Uncle so you don't have to recover his data from a compromised system next time this happens. – RedGrittyBrick – 2015-11-20T16:05:00.683

2@AllieP Don't forget to check for new hidden administrator accounts. You should really, really reinstall that OS. He might also try Linux. Nowadays it's really not more complicated to operate (given a standard internet browsing and managing emails usage pattern), except for the (slightly) different user interface. – moooeeeep – 2015-11-24T07:48:15.293

28

I would copy all important files to an external drive, and reinstall the computer, since you never know what the cybercriminals did to the current install.

Contact the bank and let them know what happened, and change ALL his passwords for ALL his online services (banking, social media, PayPal, shopping).

Some of these steps (like installing Windows) should be left to a professional if you don't know what you're doing.

  1. Get a thumbdrive, and install any flavour of Live Linux to it. Perhaps Linux Mint (http://community.linuxmint.com/tutorial/view/389)

  2. Boot the PC in Linux and see if the files are accessible (e.g. not encrypted by the hacker).

  3. Plug in an external hard drive, and copy all important files from the computer's internal drive to the external drive.

  4. Reinstall Windows and any other applications he uses.

  5. Create a user account for him WITHOUT Administrative rights, AND an admin account which is password protected.

  6. Give him access to the standard user account only.

svin83

Posted 2015-11-19T10:53:32.770

Reputation: 402

Thank you for this but I can't access his files. I can't get onto windows at all. If I could get his files off I would wipe pc and start again, but he would like his files. – AllieP – 2015-11-19T12:44:08.053

3Oh, OK sorry, I then read on and you instructed how to do this! – AllieP – 2015-11-19T12:44:44.810

3Do be aware that depending on how sophisticated the scammers were, the files you try to recover can also carry malware. I would especially be cautious (or even outright refuse) to try recovering executable files. – Kevin – 2015-11-20T08:18:53.337

1Try removing the harddisk from the machine and using an external hdd docking station on another machine to browse for important files, copy them over. When you are sure you have everything you need reinstall the harddisk into the original machine and reinstall windows like mentioned by svin83. – Smeerpijp – 2015-11-20T13:28:03.773

21

While I would heed the advice to not trust the computer anymore, as well as change all passwords everywhere (as suggested by others)...

If you want to simply change the password on this box - to get files, setup, etc... without the need for "other tools" like HBCD (Hiren Boot CD) or UBCD (Ultimate Boot CD)

Sticky Keys Hack/Trick

I would look into the "Sticky Keys Hack". All you need is a Windows CD so you can get into "Repair Mode" command line... you then replace the sticky key .exe file with the cmd.exe file. When you reboot, you hit shift five times and BAM you have administrator command line.

This trick is available from many places. Random Example - Relevant passage quoted below

To reset a forgotten administrator password, follow these steps:

  1. Boot from Windows PE or Windows RE and access the command prompt.
  2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:.
  3. Type the following command (replace “c:” with the correct drive letter if Windows is not located on C:):

    copy c:\windows\system32\sethc.exe c:\

    This creates a copy of sethc.exe to restore later.

  4. Type this command to replace sethc.exe with cmd.exe:

    copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

    Reboot your computer and start the Windows installation where you forgot the administrator password.

  5. After you see the logon screen, press the SHIFT key five times.

  6. You should see a command prompt where you can enter the following command to reset the Windows password (see screenshot above):

    net user your_user_name new_password

    If you don’t know your user name, just type net user to list the available user names.

  7. You can now log on with the new password.

After the password is reset and you've logged in successfully, make sure to reverse the process so that you don't have an "open door" into your system.

I've successfully used this "trick" a few times to unlock passwords without having to jump through hoops learning new tools.

WernerCD

Posted 2015-11-19T10:53:32.770

Reputation: 4 263

4

Please read How to reference material written by others when you copy verbatim from somewhere else. I've fixed your answer this time.

– DavidPostill – 2015-11-19T14:35:13.293

@DavidPostill Had the link and had the passage quoted already. Sorry if it was the "wrong" quote format. Made it even more apparent - as well as fixed a few formatting quibbles. – WernerCD – 2015-11-19T14:48:33.867

Perfect. No problem. Just a pointer for the future - so you don't get accused of plagiarism ;) – DavidPostill – 2015-11-19T14:50:07.140

I'm fairly certain most of my posts (here and elsewhere) have the same basic layout. My opinion, link and quotes (not necessarily in that order). Always a challenge to stay within the "guidelines" of a million different websites :) Interested to know why I was down-voted, since this is a perfectly valid "solution" to resetting a windows password with nothing but a Windows DVD. – WernerCD – 2015-11-19T14:53:29.813

1Just a quick note, it wasn't my downvote ... – DavidPostill – 2015-11-19T15:01:19.210

@DavidPostill Didn't think it was... I can't win everyone over, but just trying to see if something I posted was wrong (minor minutia and verbiage aside). – WernerCD – 2015-11-19T15:20:42.613

Let us continue this discussion in chat.

– WernerCD – 2015-11-19T20:14:02.363

First option to disable after windows install is sticky keys – PeterM – 2015-11-25T09:36:01.220

@PeterM While I agree with that (amongst other security related stuff), the vast majority of users wouldn't know sticky keys from the cup holder on their computer. I'd bet money that Uncle, Grandpa, mom, friend, etc haven't done ANYTHING to secure their PC. I'll even give you good odds... – WernerCD – 2015-11-25T14:40:45.970

Sure, they might not know that trick. However this feature is simply annoying. – PeterM – 2015-11-25T15:31:11.443

@PeterM Users won't know what sticky keys are, much less this "trick". That's my point. It'll pop up randomly and I'll bet money that 95% of users won't progress to the point of disabling it - much less booting to Windows Repair Mode and co-opting it for admin console. How often do users accidentally hit it? Outside of gamers that spam the wrong button at the wrong time? It's why this trick will still be useful for a majority of cases. Also, I think... I might be wrong... but you can enable this feature without administrator permission as well. – WernerCD – 2015-11-25T15:53:03.637

10

As an attempt to get around this new password set by the scammers I would recommend Ultimate Boot CD.

By creating one of these CDs and booting from it there is a tool under 'Recovery' which is an Offline Registry Editor and could be a possible option to get into Windows so you can perform your backup.

However, in this circumstance, I would recommend not being connected to the internet while you are doing this. Furthermore, the only way to ensure future safety would be to re-install Windows.

The tool will not work with all machines and operating systems, but it is definitely worth trying to achieve your goal.

The software can be found here: http://www.ultimatebootcd.com/

Harvey

Posted 2015-11-19T10:53:32.770

Reputation: 795

5

Follow these steps in order to change or disable your computer's password:

  1. Download Hiren Boot CD and burn it to a DVD or put it on a USB drive

  2. Restart and boot from either the DVD or USB drive. It's CLI and not GUI so, just go through it.

  3. Follow the guide from Hiren's website.

Mr. Ali

Posted 2015-11-19T10:53:32.770

Reputation: 51

Could you please take the steps from the link and put it into your answer? Links can go down in the future, making your answer useless. – Insane – 2015-11-20T05:02:37.273

1This method no longer works on newer UEFI-based computers due to Hiren's not supporting the EFI boot system. You could make it work with CSM, but there's no guarantee that it will (It refuses to for me, FWIW). – Kaz Wolfe – 2015-11-20T05:24:15.823

4

Getting access back

There are many ways to reset a Windows password. My two favorites are chntpw on a Linux live CD and Trinity Rescue Kit (TRK).

Trinity Rescue Kit is really out of date, but I used it recently. The password reset works because NT passwords have not really changed. It is good that the password is local, because otherwise it would confirm his email was hacked.

Future Methods of Prevention

These scams are much too common. Almost all news sources say never allow access to the computer.

First, only allow limited user rights, so you can reset it with your admin rights. Also, make sure your uncle knows to never allow access from a third party to this computer.

Change all of his passwords on all services. Make sure that your uncle does not use a master password (maybe create a password book for him).

Admin3X

Posted 2015-11-19T10:53:32.770

Reputation: 151

3

Grab a copy of Kon-Boot. It's a utility software that will bypass local Windows authentication and give you administrative access over the Windows machine.

It's fairly easy to use. You can burn the downloaded Kon-Boot ISO file into a CD/DVD or make a bootable USB disk using an included utility program. To gain access to the locked computer, you would boot the computer off of the Kon-Boot CD/DVD or bootable USB disk and that's pretty much it. Kon-Boot works by making temporary changes to the system kernel. Kon-Boot is paid software but it has a free version with fairly limited OS support available here.

Kon-Boot was discussed in a SuperUser blog post 3 years ago and you can learn a bit more about it by reading this blog post.

Gareth Wright

Posted 2015-11-19T10:53:32.770

Reputation: 49

1The answer is a bit terse but why was this down voted? – Vinayak – 2015-11-19T16:49:49.270

I didn't downvote, but the reason may be because the solution requires more than just grabbing a copy of some software. Can you expand your answer to describe how to accomplish the solution, or at least what makes this software a good solution? Good guidance on recommending software here: http://meta.superuser.com/questions/5329/how-do-i-recommend-software-in-my-answers

– fixer1234 – 2015-11-19T17:08:49.780

2@GarethWright - I read your answer and I am left with my own question: how exactly do I do this? I don't normally find an answer that leaves me with more questions unanswered than it answers to be very helpful. Let me be clear, I actually know how to do it, or I am skilled enough to figure it out; I am more concerned with everyone else that isn't. – Ramhound – 2015-11-19T17:40:21.767

3@fixer1234 I made some drastic changes to Gareth's answer. I hope that's encouraged and that he won't mind. – Vinayak – 2015-11-19T18:14:20.653

@Vinayak: Nice job. That's how it's done. – fixer1234 – 2015-11-19T18:21:37.430

I don't mind at all @Vinayak. Apologies that you found the answer terse. Simply looking up the software tells you everything you need to know so I didn't think I needed to elaborate further. I'll be more detailed in future answers though. – Gareth Wright – 2015-12-21T09:35:09.180

3

Get a live CD/DVD of any Linux distribution. Then insert it in the CD/DVD drive and while booting, press the F2/F12/Esc key (on the first screen you see after starting the computer, it mentions something like 'press F2 for boot options'), then run the CD as a 'live CD'.

Then it will take some time to load up and you will end up with a home screen.

Then mount the hard disk partition on which you have installed Windows. Then double click on it on the desktop, go to Windows/System32. There, change the name of Utilman.exe to Utilman2.exe. Then copy and paste cmd.exe and rename it to Utilman.exe.

Now shut down and restart the computer with Windows.

On the login screen, click on the button through which you get the on-screen keyboard etc. (It's usually in the bottom-left corner in Windows 10.)

It will open an administrator cmd (as it's the login screen), then write in the cmd:

net users

There the local users will be listed; choose the one you want and then write:

net user your-chosen-user *

Then when prompted for the password, write any password, e.g. 123. Retype it for the confirmation.

Enter that same password in the password box and voila! You have got into the PC!

To stop the cmd popping up when clicking the Utilities icon on the login screen, boot up again with the live CD and then delete Utilman.exe and rename Utilman2.exe to Utilman.exe.

Sorry, I can't paste pics right now as I don't have that much reputation.

Devansh Surana

Posted 2015-11-19T10:53:32.770

Reputation: 31

Mostly a duplicate of Werner's post but with less exposition and the less user friendly Linux boot (vs. Windows Recovery). Few general users will know how to mount under your unnamed distro--or simply find either of these! Disclaimer: I use Linux as my main OS, but I wouldn't expect most of my family to get anywhere on it. Although in this case, the OP did it. :) – underscore_d – 2015-11-20T21:42:12.307
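Both the sethc.exe swap in the guide WernerCD quotes and the Utilman.exe swap in Devansh's answer leave a logon-screen "open door" until they are reversed. As an added example (not code from this thread or any of its posters), the Python script below checks a Windows volume mounted from a Linux live USB, the way the OP used Ubuntu, for accessibility binaries that are byte-identical to cmd.exe and for the backup copies both guides create. The extra accessibility binaries beyond sethc.exe and Utilman.exe, and the fake volume it builds for an offline run, are my assumptions.

```python
import hashlib
import os
import tempfile

# Accessibility helpers the Windows logon screen can launch before anyone has
# signed in; the thread's guides swap sethc.exe or Utilman.exe for cmd.exe.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")

def system32_dir(drive_root):
    return os.path.join(drive_root, "Windows", "System32")


def _listing(directory):
    """Lower-cased name -> real path; NTFS keeps whatever case was typed
    (Utilman2.exe) and a Linux mount of it is case-sensitive."""
    if not os.path.isdir(directory):
        return {}
    return {n.lower(): os.path.join(directory, n) for n in os.listdir(directory)
            if os.path.isfile(os.path.join(directory, n))}


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_binaries(system32):
    """Accessibility binaries whose bytes equal cmd.exe. None should match on a
    clean install, so any hit means the logon-screen 'open door' is still there."""
    entries = _listing(system32)
    if "cmd.exe" not in entries:
        raise FileNotFoundError("cmd.exe not found in " + system32)
    cmd_hash = sha256_of(entries["cmd.exe"])
    return [n for n in ACCESSIBILITY_BINARIES
            if n in entries and sha256_of(entries[n]) == cmd_hash]


def find_leftovers(drive_root):
    """Backup copies the guides leave behind: the quoted sethc guide copies the
    original to the drive root, the Utilman variant renames it to Utilman2.exe."""
    root_files = _listing(drive_root)
    sys32_files = _listing(system32_dir(drive_root))
    found = [root_files[n] for n in ACCESSIBILITY_BINARIES if n in root_files]
    found += [sys32_files[n[:-4] + "2.exe"] for n in ACCESSIBILITY_BINARIES
              if n[:-4] + "2.exe" in sys32_files]
    return found


def build_sample_volume():
    """Constructed fake Windows volume in a temp dir so the checks run offline:
    sethc.exe was swapped for cmd.exe and both kinds of backup copy were left."""
    root = tempfile.mkdtemp(prefix="fakewin_")
    system32 = system32_dir(root)
    os.makedirs(system32)
    sample = {
        os.path.join(system32, "cmd.exe"): b"CONSTRUCTED cmd.exe bytes",
        os.path.join(system32, "sethc.exe"): b"CONSTRUCTED cmd.exe bytes",
        os.path.join(system32, "utilman.exe"): b"CONSTRUCTED utilman.exe bytes",
        os.path.join(system32, "Utilman2.exe"): b"CONSTRUCTED utilman.exe bytes",
        os.path.join(root, "sethc.exe"): b"CONSTRUCTED original sethc.exe bytes",
    }
    for path, content in sample.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root
```

On a real mount, call find_swapped_binaries(system32_dir(mount_point)) and find_leftovers(mount_point); an empty result from both is what you want to see before putting the machine back on the network.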