81

My uncle got a phone call from hackers pretending to be TalkTalk, and as he is elderly and was tired, they talked him into doing things on his laptop. When they started to talk about banking etc. he twigged and hung up, but they have put a password on his laptop which we can't get past.

He originally had Windows 7 but had upgraded to Windows 10, and it is a local password that has been added. I've tried booting from a USB, but it wants to reinstall Windows and he doesn't really want to lose his files. I've tried typing this into DOS, which I found on another site:

  Net user administrator /active:yes
  Net user administrator p@ssw0rD

But I haven't got anywhere, please can someone help?


Update

Thanks for all your help. Used Ubuntu and chntpw and managed to remove the password. Nothing seems untoward, no software installed and Malwarebytes found no threats. I guess my uncle cut them off before they did any of that.

AllieP

8 Answers

176

They talked him into doing things on his laptop

  1. Please disconnect this PC from the internet right now.

    • If your uncle has used the PC for internet banking then his bank account details may already be compromised.
  2. Let his bank know what has happened immediately.

    • They will be able to advise him how to change his internet banking details over the phone.

    • The TalkTalk scammers have already conned some individuals out of thousands of pounds.

  3. Change all his passwords (email, websites, etc.).

    • Do this from another computer you know is clean.
  4. Then get professional advice on how to fix this.

    • You don't know exactly what trojans or whatever nasties have been left behind on this PC.

    • Getting the password back is only the first step of a cleanup and the safest thing to do is to reinstall Windows.

    • A professional IT support person should be able to get any personal files saved first (in a safe way) before Windows is reinstalled.

  5. But I really want to clean up this mess myself!

    If you feel you have the technical skills to fix this then:

DavidPostill
27

I would copy all important files to an external drive, and reinstall the computer, since you never know what the cybercriminals did to the current install.

Contact the bank and let them know what happened, and change ALL his passwords for ALL his online services (banking, social media, PayPal, shopping).

Some of these steps (like installing Windows) should be left to a professional if you don't know what you're doing.

  1. Get a thumbdrive, and install any flavour of Live Linux to it. Perhaps Linux Mint (http://community.linuxmint.com/tutorial/view/389)

  2. Boot the PC in Linux and see if the files are accessible (e.g. not encrypted by the hacker).

  3. Plug in an external hard drive, and copy all important files from the computer's internal drive to the external drive.

  4. Reinstall Windows and any other applications he uses.

  5. Create a user account for him WITHOUT Administrative rights, AND an admin account which is password protected.

  6. Give him access to the standard user account only.

Oliver Salzburg
svin83
21

While I would heed the advice to not trust the computer anymore, as well as change all passwords everywhere (as suggested by others)...

If you want to simply change the password on this box - to get files, set-up, etc. - without the need for "other tools" like HBCD (Hiren's Boot CD) or UBCD (Ultimate Boot CD):

Sticky Keys Hack/Trick

I would look into the "Sticky Keys Hack". All you need is a Windows CD so you can get into "Repair Mode" command line... you then replace the Sticky Keys .exe file with the cmd.exe file. When you reboot, you hit Shift five times and BAM, you have an administrator command line.

This trick is available from many places. Random Example - Relevant passage quoted below

To reset a forgotten administrator password, follow these steps:

  1. Boot from Windows PE or Windows RE and access the command prompt.
  2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:.
  3. Type the following command (replace “c:” with the correct drive letter if Windows is not located on C:):

    copy c:\windows\system32\sethc.exe c:\

    This creates a copy of sethc.exe to restore later.

  4. Type this command to replace sethc.exe with cmd.exe:

    copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

    Reboot your computer and start the Windows installation where you forgot the administrator password.

  5. After you see the logon screen, press the SHIFT key five times.

  6. You should see a command prompt where you can enter the following command to reset the Windows password (see screenshot above):

    net user your_user_name new_password

    If you don’t know your user name, just type net user to list the available user names.

  7. You can now log on with the new password.

After the password is reset and you've logged in successfully, make sure to reverse the process so that you don't have an "open door" into your system.

I've successfully used this "trick" a few times to unlock passwords without having to jump through hoops learning new tools.

WernerCD
11

As an attempt to get around this new password set by the scammers, I would recommend Ultimate Boot CD.

By creating one of these CDs and booting from it, there is a tool under 'Recovery' which is an Offline Registry Editor and could be a possible option to get into Windows so you can perform your backup.

However, in this circumstance, I would recommend not being connected to the internet while you are doing this. Furthermore, the only way to ensure future safety would be to reinstall Windows.

The tool will not work with all machines and operating systems, but it is definitely worth trying to achieve your goal.

The software can be found here: http://www.ultimatebootcd.com/

Harvey
6

Follow these steps in order to change or disable your computer's password:

  1. Download Hiren's Boot CD and burn it to a DVD or put it on a USB drive.

  2. Restart and boot from either the DVD or USB drive. It's CLI, not GUI, so just go through it.

  3. Follow the guide from Hiren's website.

Insane
Mr. Ali
4

Getting access back

There are many ways to reset a Windows password. My two favorites are chntpw on a Linux live CD and Trinity Rescue Kit (TRK).

Trinity Rescue Kit is really out of date, but I used it recently. The password reset works because NT passwords have not really changed. It is good that the password is local, because otherwise it would confirm his email was hacked.

Future Methods of Prevention

These scams are much too common. Almost all news sources say never allow access to the computer.

First, only allow limited user rights, so you can reset it with your admin rights. Also, make sure your uncle knows to never allow access from a third party to this computer.

Change all of his passwords on all services. Make sure that your uncle does not use a master password (maybe create a password book for him).

Admin3X
3

Grab a copy of Kon-Boot. It's a utility software that will bypass local Windows authentication and give you administrative access over the Windows machine.

It's fairly easy to use. You can burn the downloaded Kon-Boot ISO file to a CD/DVD or make a bootable USB disk using an included utility program. To gain access to the locked computer, you boot the computer off the Kon-Boot CD/DVD or bootable USB disk and that's pretty much it. Kon-Boot works by making temporary changes to the system kernel. Kon-Boot is paid software, but it has a free version with fairly limited OS support available here.

Kon-Boot was discussed in a SuperUser blog post 3 years ago and you can learn a bit more about it by reading this blog post.

Vinayak
3

Get a live CD/DVD of any Linux distribution. Then insert it in the CD/DVD drive and, while booting, press the F2/F12/Esc key (on the first screen you see after starting the computer, it mentions something like 'press F2 for boot options'), then run the CD as a 'live CD'.

Then it will take some time to load up and you will end up with a home screen.

Then mount the hard disk partition on which you have installed Windows. Double-click on it on the desktop and go to Windows/System32. There, change the name of Utilman.exe to Utilman2.exe. Then copy and paste cmd.exe and rename it to Utilman.exe.

Now shut down and restart the computer with Windows.

On the login screen, click on the button through which we get the on-screen keyboard etc. (It's usually in the bottom-left corner in Windows 10.)

It will open an administrator cmd (as it's the login screen); then write in the cmd:

net users

There the local users will be listed; choose the one you want and then write:

net user your-chosen-user *

Then, when prompted for the password, write any password, e.g. 123, and type it again for the confirmation.

Enter that same password in the password box and voila! You have got into the PC!

To stop cmd popping up when clicking the Utilities icon on the login screen, boot up again with the live CD, then delete Utilman.exe and rename Utilman2.exe to Utilman.exe.

Sorry, I can't paste pics right now as I don't have that much reputation.
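Both the Sticky Keys answer ("make sure to reverse the process so that you don't have an 'open door'") and the Utilman.exe answer above leave a copy of cmd.exe under an accessibility binary's name in System32 until it is put back, and scammers who had hands-on access could have done the same. The following script is an added example, not code from any of the answers: run from the Linux live CD against the mounted Windows volume, it reports which logon-screen accessibility binaries are byte-identical to cmd.exe and restores one from the backup copy made in step 3 of the quoted procedure. The mount path, the backup file name and the sample files used for testing are assumptions.

```python
"""Find accessibility binaries in a Windows System32 directory that have been
replaced with cmd.exe, and restore one from a saved original.

Added example (not from the original answers). Typical use from a live CD,
with the Windows volume mounted at an assumed path:
    python3 check_accessibility_swap.py /mnt/windows/Windows/System32
"""
import hashlib
import os
import shutil
import sys

# Helpers the logon screen will launch before anyone has signed in.
# Names are real Windows binaries; the order is kept in the results.
ACCESSIBILITY_BINARIES = (
    "sethc.exe",        # Sticky Keys (Shift five times)
    "utilman.exe",      # Ease of Access button
    "osk.exe",          # on-screen keyboard
    "narrator.exe",
    "magnify.exe",
    "displayswitch.exe",
)


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_file(directory, name):
    """Case-insensitive lookup: NTFS mounted on Linux keeps the original
    case (Utilman.exe), so a plain os.path.join may miss the file."""
    wanted = name.lower()
    for entry in os.listdir(directory):
        if entry.lower() == wanted:
            return os.path.join(directory, entry)
    return None


def find_swapped_binaries(system32):
    """Return names of accessibility binaries whose bytes equal cmd.exe.

    A genuine sethc.exe or Utilman.exe is never byte-identical to cmd.exe,
    so a match means the logon screen currently hands out a SYSTEM shell."""
    cmd_path = find_file(system32, "cmd.exe")
    if cmd_path is None:
        raise FileNotFoundError("cmd.exe not found in %s" % system32)
    cmd_hash = sha256_of(cmd_path)
    swapped = []
    for name in ACCESSIBILITY_BINARIES:
        path = find_file(system32, name)
        if path is not None and sha256_of(path) == cmd_hash:
            swapped.append(name)
    return swapped


def restore_from_backup(system32, name, backup_path):
    """Copy the saved original (e.g. the c:\\sethc.exe made in step 3) back
    over the swapped binary. Returns True when the restored file no longer
    matches cmd.exe, i.e. the 'open door' is closed."""
    target = find_file(system32, name) or os.path.join(system32, name)
    shutil.copyfile(backup_path, target)
    return sha256_of(target) != sha256_of(find_file(system32, "cmd.exe"))


def main(argv):
    if len(argv) != 2:
        print("usage: %s <path-to-System32>" % argv[0])
        return 2
    swapped = find_swapped_binaries(argv[1])
    if not swapped:
        print("no accessibility binary matches cmd.exe")
        return 0
    for name in swapped:
        print("WARNING: %s is a copy of cmd.exe" % name)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check covers only the file-copy variant used in these answers; a clean result here does not replace the reinstall the other answers recommend, since the scammers had interactive access and could have left anything else behind.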