Windows XP Startup password - not login - after bogus Windows support call

andrewdeerpark

Have a laptop from a customer of mine that was locked up by those nasty Asian "Windows support" individuals.

The customer was stupid enough to give them remote control of the system and they held him to ransom and locked him out of his laptop demanding cash to fix the issue. A new sinister move as far as I can see.

Now note this is not a BIOS password or a USER login password, it displays before the user login even in safe mode.

Anyone come across this before and have a solution? Their is some stuff on the web about the issue:

http://www.techtalkz.com/windows-xp/30534-windows-xp-startup-password-2.html

However nothing about breaking an already locked system? These fixes assume you know the password and just want rid of the nag screen.

I know I can just format and reinstall however I am looking for an easier approach.

I have a pic attached of what is displaying.

Mr E

Load in safe mode, and do a system restore from before the hijack.

andrew241983

Can u not just do fresh install of windows.. I know everything will be lost but better thatt than hand over money to a scam artist

andrewdeerpark

Ok I cannot load safe mode or safe mode with networking. I tried last known good configuration aswell all did not work.

I also reset the user password using http://pogostick.net/~pnh/ntpasswd/
Had no effect.

I believe this is a reg hack so if I booted MINI XP from the Hiren Boot CD and then loaded the system registry I might be able to turn it off.

I know I can format and reinstall however I am looking for a less brutal fix.

Mr E

Pretty comprehensive suggestions here:

http://www.pcreview.co.uk/forums/microsoft-support-scam-help-t4041003.html

I think the OP just backed up photos etc. and did a wipe. Worth a read though if you want to try some other things first.

Capt'n Midnight

Don't forget that old copies of the registry files are in the System volume information folder

Fysh

Thanks for posting this - I've never heard of this, but in trying to figure it out I've discovered the Syskey utility, which I've never heard of.

Sounds like that's what has been used to bodge your install. I've seen a few suggestions that current versions of NTPasswd include an option to turn off Syskey, so my advice would be:

1) Clone the disk (or take an image of it)
2) Test the cloned drive/image
3) Boot NTPassWD and remove Syskey protection, then test
4) If that fails, do a repair install using original OS media.

andrewdeerpark

Fysh
A big help your suggestions especially the syskey keyword

Anyway when I boot NTPasswd I do not get 2 the syskey removal menu?

I have Hiren bootcd 15.1 and I also tried it on its own from the website. Am I missing a version update of NTPasswd the one I am using is http://pogostick.net/~pnh/ntpasswd/cd110511.zip ??

Plus here is a youtube video of the fix:
http://www.youtube.com/watch?v=MTgepTw5ZOc

andrewdeerpark

Got it its on the current version just hidden from the menu

http://www.conradshome.com/ntpasswd/editor.html

2010-06-27

• Patches from Frediano Ziglio adding or fixing:
• - buffer overflow in export_subkey printing keyname
• - reg export: some quoting error (name and string values must be quoted)
• - adding support for wide character encoding in keys and value names
• - and some other bugs fixed
• New function from from Aleksander Wojdyga to decode Digital Product ID. Now in registry editor, may be moved later. example dpi \Microsoft\Windows NT\CurrentVersion\DigitalProductId
• Syskey menu selection has been removed from text, but can still be selected as number 2. So that people stop emailing me when it bombs out.
• Some other minor tweaks

Anyway system booted now will just do a system restore a few days back and hopefully that is it.


Thanks to all for their help and suggestions

Fysh

Glad to hear you got it fixed

Mr E

@Capt'n Midnight: What do you think about linking to this thread from the Applications and Fixes sticky? It's bound to come up again....

andrewdeerpark

Sounds good fire away.