Two days ago, my wife, not being technically skeptical enough, allowed our computer to be remotely taken over by one of those phone phishing scams a couple days ago. While this is a common and well-documented scam, it is our first experience with it. They use legit remote access software from Ammyy to offer (and in our case, access) to work on your computer remotely. But Ammyy isn't any part of the scam. I have read a number of the posts here about this scam, but haven't found one with my issue, which is I now can't get into my computer. Will make a long story short - some guy cold-called our house, asked my wife if we have been having computer problems and have an older maching, both of which are accurate in our case. After pointing out all the "problems" as recorded in the Event Viewer, my wife allowed him to take remote control of our computer. Once he did the "free scan" and removed the some initial "problems", he offered to do make us a 'premium customer' for $80. At that point, she ended the call. But not before, of course, some damage had been done. Clearly thru the remote access he planted some malware that I can't get by, and I'm wondering/hoping the damage may have ended there. Specific questions: When I start the computer, it won't let me in without a special admin password. (the Dell logo shows, followed by the XP logo, then the bogus login window). This is something they planted and we don't have a 'password' for. I have tried starting in Safe Mode and Last Known Good Config, neither of which work -- I still get the log in screen. Any ideas on how I can get past this? If I boot from the OS disk that Dell sent with the computer, will that work? Haven't done this before -- anything special to know? Can other computers that access our wifi be impacted? We havene't seen evidence of this yet. My wife didn't provide any credit card info, so am wondering just how much they can get. No online banking is done thru this machine, tho my wife receives email from her mom's bank, as we handle some of her basic financial dealings. As I type, they are both at Wells Fargo now changing accounts. However, I haven't taken any action yet thru our bank. Haven't seen any issues yet and been watching closely. So am wondering just what can be done by these bad guys. My wife does some Amazon online purchasing, but again, acct numbers and such are usually "x'd" out except for last few numbers, and that is always on the Amazon (or other merchant) side. Am wondering if all they were looking for was to try and get credit card info for use. The malware they planted could be a botnet and they are using it to plant similar bad stuff on computers thru an email contact list. any way of knowing? Once I get in, I am going to scan with MalwareBytes and Microsoft Security Essentials. Any other suggestions?

Or try to remove the password through a software called as ERD commander Please check below link to know have to restore your system with the help of this software http://www.youtube.com/watch?v=nHvJlwf88vQ Let me know if this was helpful.

It seems the scammer has used the trick of boot on screen password , To reset bios password please try the following things; http://www.technibble.com/how-to-bypass-or-remove-a-bios-password/ This will help you to crack the boot on screen password. or you have to pull the registry files from the Snapshot folder and replaced the ones in the Config folder. I hope this helps someone if you are stuck with something like this Best of luck

ok, more progress. I didn't go in thru Safe Mode, just in as I normally do since the Hiren reg restore has allowed me to. I will re-set thru the System Restore when I get home from work tonight. However, just coming in as normal, I found as you suggested: "AA_v3" in the docs and settings directory for my wife under my docs\downloads. You mention to just add "bad" or similar to it and not delete it yet. Whhy not? As noted in earlier post, I deleted the Ammyy folder thru earlier work in mini XP, so why save this AA_v3 at all? I also found an "AA_V3.exe-0851DF62.pf in the c:\windwows\prefetch directory (whatever that is) and did as you instructed - just deleted it. What did that file do? When I looked for an Ammyy admin service thru the Run function, didn't see one (glad they are listed alpha - there were a lot). BTW - to a couple earlier posts on the password - this is not an 'admin' password, but an XP startup password. Thru the Hiren's i found how to re-set the Admin password. Thinking that might be my issue, I did reset it. Howevver, coming in thru Safe Mode, 'Administrator" appeared as a user (which I don't ever recall it doing), but was able to log on with the p/w I had re-set to thru Hiren's. Re: the lsass.exe error, I found a discussion here on it. since I seem to be close to maybe resolving my issue, I am not opposed to nuking the whole thing and reinstalling the OS, add ons, Office, etc. It would probably clear up some other nagging issues I have, some I don't knoow I have, and maybe improve some performance since this is a 10 yr old machine that has been used by 3 teenagers and ann unsuspecting wife (so I know there is a lot of junk on it). http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/cannot-start-computer-get-error-lsassexe-system/fc6a2300-edce-41e0-bd6e-47804c5a3454 In this thread, just from a couple months back, ElderL you suggest the registry corruption. thanks for your continued help.

I have not seen that lsass error before. If you can get into Safe Mode, check the Services applet to be sure the Ammyy Admin is not listed, if it is you can delete the Service as indicated earlier using the SC command, but I don't think that has anything to do with your lsass error. If you can get into Safe Mode, are you able to do a System Restore (from Accessories, System Tools) to a date a few days prior to this incident? You might need to try a few Restore Points since sometime they might not work right. The Hiren's registry restore is okay to get you rout of a jam, but I would see if you can do a System Restore. And now that you are able to boot either on Hiren's and/or Safe Mode, you will be able to copy any of your personal files (documents, pictures, musics, etc.) to an external HDD just in case you do need to need your system. The bad part about nuking is you will have to reinstall all your XP, MS updates, Service Packs, and all your third party applications, but some folks also recommend that you do that when your system has been compromised by some hacker/scammer (present company excluded of course).

Click OK to lauch the Service applet and find the Ammyy Admin Service (observe and report the Status and Startup Type columns), right click it, choose properties and set the Startup type to Disabled click OK and close the Service applet. That should keep it from starting. Thanks for the detailed steps - I am grateful for your efforts on my behalf. As I mentioned earlier, I deleted the Ammyy folder when I first got into mini XP with Hiren's. Does that make a difference? Did the service get deleted too? And do I need to go in thru Safe Mode now that I rolled back the system registry to Oct 31 and it is letting me in without even seeing the XP Startup Password box? And what about the detail on the lsass.exe? Does that indicate an corrupt important registry element has been suggested in other forums? These other places have indicated a clean install is needed.

Ammyy phishing scam - can't access my computer now

Anonymous

Two days ago, my wife, not being technically skeptical enough, allowed our computer to be remotely taken over by one of those phone phishing scams a couple days ago. While this is a common and well-documented scam, it is our first experience with it. They use legit remote access software from Ammyy to offer (and in our case, access) to work on your computer remotely. But Ammyy isn't any part of the scam.

I have read a number of the posts here about this scam, but haven't found one with my issue, which is I now can't get into my computer.

Will make a long story short - some guy cold-called our house, asked my wife if we have been having computer problems and have an older maching, both of which are accurate in our case. After pointing out all the "problems" as recorded in the Event Viewer, my wife allowed him to take remote control of our computer. Once he did the "free scan" and removed the some initial "problems", he offered to do make us a 'premium customer' for $80. At that point, she ended the call. But not before, of course, some damage had been done. Clearly thru the remote access he planted some malware that I can't get by, and I'm wondering/hoping the damage may have ended there.

Specific questions:

When I start the computer, it won't let me in without a special admin password. (the Dell logo shows, followed by the XP logo, then the bogus login window). This is something they planted and we don't have a 'password' for. I have tried starting in Safe Mode and Last Known Good Config, neither of which work -- I still get the log in screen. Any ideas on how I can get past this? If I boot from the OS disk that Dell sent with the computer, will that work? Haven't done this before -- anything special to know?
Can other computers that access our wifi be impacted? We havene't seen evidence of this yet.
My wife didn't provide any credit card info, so am wondering just how much they can get. No online banking is done thru this machine, tho my wife receives email from her mom's bank, as we handle some of her basic financial dealings. As I type, they are both at Wells Fargo now changing accounts. However, I haven't taken any action yet thru our bank. Haven't seen any issues yet and been watching closely. So am wondering just what can be done by these bad guys. My wife does some Amazon online purchasing, but again, acct numbers and such are usually "x'd" out except for last few numbers, and that is always on the Amazon (or other merchant) side. Am wondering if all they were looking for was to try and get credit card info for use.
The malware they planted could be a botnet and they are using it to plant similar bad stuff on computers thru an email contact list. any way of knowing?
Once I get in, I am going to scan with MalwareBytes and Microsoft Security Essentials. Any other suggestions?

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

24 answers

Anonymous

2013-06-16T01:50:07+00:00

Or try to remove the password through a software called as ERD commander

Please check below link to know have to restore your system with the help of this software

http://www.youtube.com/watch?v=nHvJlwf88vQ

Let me know if this was helpful.
Was this answer helpful?

0 comments No comments
Anonymous

2013-06-16T01:27:31+00:00

It seems the scammer has used the trick of boot on screen password , To reset bios password please try the following things;

http://www.technibble.com/how-to-bypass-or-remove-a-bios-password/

This will help you to crack the boot on screen password.

or you have to pull the registry files from the Snapshot folder and replaced the ones in the Config folder. I hope this helps someone if you are stuck with something like this

Best of luck
Was this answer helpful?

0 comments No comments
Anonymous

2012-11-26T16:49:57+00:00

ok, more progress. I didn't go in thru Safe Mode, just in as I normally do since the Hiren reg restore has allowed me to. I will re-set thru the System Restore when I get home from work tonight.

However, just coming in as normal, I found as you suggested: "AA_v3" in the docs and settings directory for my wife under my docs\downloads. You mention to just add "bad" or similar to it and not delete it yet. Whhy not? As noted in earlier post, I deleted the Ammyy folder thru earlier work in mini XP, so why save this AA_v3 at all?

I also found an "AA_V3.exe-0851DF62.pf in the c:\windwows\prefetch directory (whatever that is) and did as you instructed - just deleted it. What did that file do?

When I looked for an Ammyy admin service thru the Run function, didn't see one (glad they are listed alpha - there were a lot).

BTW - to a couple earlier posts on the password - this is not an 'admin' password, but an XP startup password. Thru the Hiren's i found how to re-set the Admin password. Thinking that might be my issue, I did reset it. Howevver, coming in thru Safe Mode, 'Administrator" appeared as a user (which I don't ever recall it doing), but was able to log on with the p/w I had re-set to thru Hiren's.

Re: the lsass.exe error, I found a discussion here on it. since I seem to be close to maybe resolving my issue, I am not opposed to nuking the whole thing and reinstalling the OS, add ons, Office, etc. It would probably clear up some other nagging issues I have, some I don't knoow I have, and maybe improve some performance since this is a 10 yr old machine that has been used by 3 teenagers and ann unsuspecting wife (so I know there is a lot of junk on it).

http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/cannot-start-computer-get-error-lsassexe-system/fc6a2300-edce-41e0-bd6e-47804c5a3454

In this thread, just from a couple months back, ElderL you suggest the registry corruption.

thanks for your continued help.
Was this answer helpful?

0 comments No comments
Anonymous

2012-11-26T14:57:00+00:00

I have not seen that lsass error before.

If you can get into Safe Mode, check the Services applet to be sure the Ammyy Admin is not listed, if it is you can delete the Service as indicated earlier using the SC command, but I don't think that has anything to do with your lsass error.

If you can get into Safe Mode, are you able to do a System Restore (from Accessories, System Tools) to a date a few days prior to this incident? You might need to try a few Restore Points since sometime they might not work right. The Hiren's registry restore is okay to get you rout of a jam, but I would see if you can do a System Restore.

And now that you are able to boot either on Hiren's and/or Safe Mode, you will be able to copy any of your personal files (documents, pictures, musics, etc.) to an external HDD just in case you do need to need your system.

The bad part about nuking is you will have to reinstall all your XP, MS updates, Service Packs, and all your third party applications, but some folks also recommend that you do that when your system has been compromised by some hacker/scammer (present company excluded of course).
Was this answer helpful?

0 comments No comments
Anonymous

2012-11-26T14:40:38+00:00

Click OK to lauch the Service applet and find the Ammyy Admin Service (observe and report the Status and Startup Type columns), right click it, choose properties and set the Startup type to Disabled click OK and close the Service applet. That should keep it from starting.

Thanks for the detailed steps - I am grateful for your efforts on my behalf. As I mentioned earlier, I deleted the Ammyy folder when I first got into mini XP with Hiren's. Does that make a difference? Did the service get deleted too?

And do I need to go in thru Safe Mode now that I rolled back the system registry to Oct 31 and it is letting me in without even seeing the XP Startup Password box?

And what about the detail on the lsass.exe? Does that indicate an corrupt important registry element has been suggested in other forums? These other places have indicated a clean install is needed.
Was this answer helpful?

0 comments No comments

Share via

Ammyy phishing scam - can't access my computer now

24 answers