
Getting hacked through workgroup

Michael Montgolf 0 Reputation points
2026-05-23T15:09:10.4+00:00

I’m getting remotely accessed through a workgroup and they have changed group policies in the registry to maintain persistent control, and are using tasks to keep me at their mercy.

I don’t use workgroup; they attached it to my account and are using group policy to outrank my authority and are using my credentials against me.

They made a restore point so any reinstall of Windows is never clean.

They are hacking through my firewall even after I removed the workgroup from my computer. They are using NT Authority and System and making my computer share at all times, and any time I try to work on the damage they cause, they make the damage worse, and they changed my Outlook mail to not let me contact Microsoft security to get help.

The returned mail says my Microsoft 365 mail is misconfigured, but I don’t use that, I just use Outlook mail, and passkeys no longer work. I really need help because this is now 2 years in and I’m still not able to get the support I need.

Windows for home | Other | Security and privacy

2 answers

  1. Lychee-Ng 20,285 Reputation points Microsoft External Staff Moderator
    2026-05-25T11:47:40.47+00:00

    Hi Michael Montgolf,

    I understand how concerning this situation feels, especially after dealing with it for such a long time. The AI assist has given some baseline suggestions, so I’ll just clarify a couple of important points to help you focus on what matters most:

    On Windows Home, there is no domain-level control, so things like “being outranked by group policy” are not expected behavior. This means the control you’re seeing is likely something running locally on the device, posing as “workgroup takeover.”

    The message about misconfigured Microsoft 365 mail does not mean your account was replaced. However, since you mentioned Mail issues and passkeys not working, it’s still worth double-checking everything:

    1. On another trusted device, log into your Microsoft account: account.microsoft.com/security
    2. Click View my sign-in activity > Expand any suspicious session > select Secure your account.
    3. Go back and click Manage how I sign in > change password and turn on 2-step verification
    4. Check the list > remove any email, phone, passkey you don’t recognize
    5. Scroll down to the bottom of the page and click:
      1. Sign out everywhere to kick anyone using your account off from it.
      2. Generate a new code: if anyone has the old one, they won’t be able to use it to log in anymore.
    6. Go to Your info section > Account info > click Edit account info
    7. If you see any weird username (email/phone number) > Remove it.
    8. Open Change sign-in preferences > you can uncheck all options beside primary.

    After making sure that your account is secured with the above steps, you can attempt to clean up the system with what is suggested in the AI Answer. If system-level changes keep returning after that, the environment might not be fully clean.

    At that point, continuing to troubleshoot individual registry entries, policies, or services is not reliable long-term. You need to move straight to a clean rebuild and I recommend that we try to perform a clean install to get your computer back into a working condition.

    You can find instructions on how to perform a clean install by navigating to the bottom of this guide: Reinstall Windows with the installation media - Microsoft Support. Please ensure that you back up any important data, including Documents, Pictures, Videos, and more.



  2. AI answer

    2026-05-23T15:09:35.34+00:00

    Follow these steps to regain control and stop persistent access, focusing on Microsoft’s documented recovery and security guidance.

    1. Treat the device as compromised
    • The behavior described (unauthorized Group Policy/registry changes, scheduled tasks, persistent access, firewall tampering) matches a compromised Windows system.
    • If registry and shell values are altered and cannot be reliably fixed, the device must be considered compromised and handled accordingly.
    2. Disconnect and scan for malware
    • Disconnect the PC from the network (unplug Ethernet, disable Wi‑Fi) to stop remote access while working.
    • Use an up-to-date antivirus solution and run a full scan before changing any passwords or accounts. On Windows 10/11, enable and use Windows Defender:
      • Select Start.
      • Search for “Windows Defender” and open it.
      • Follow on-screen instructions and run a full scan.
    • Ensure automatic updates and regular scans are enabled.
    3. Recover and secure the Microsoft account
    • Follow the official guidance for a hacked or compromised Microsoft account:
      • Run the antivirus scan first.
      • Then sign in and change the Microsoft account password using the official password change page.
      • If sign-in is blocked, use the password reset flow.
    • After regaining access, review and correct account settings:
      • Check connected accounts, forwarding, and automatic replies for anything unknown and remove it.
    4. Address Outlook / email abuse
    • In Outlook on the web, after account recovery:
      • Check Settings → Mail → Rules and delete any suspicious rules.
      • Check Mail → Forwarding and remove unknown forwarding addresses.
      • Check automatic replies and connected accounts for attacker changes.
    • Use “Sign out everywhere” from Microsoft Account Security to terminate all active sessions.
    5. Handle registry and logon tampering (if applicable)
    • If Windows logs on and logs off immediately or the shell is broken, verify these registry values on the affected machine (or via Remote Registry from a clean admin machine):
      • Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      • Ensure:
        • Shell = explorer.exe
        • Userinit = C:\windows\system32\userinit.exe
    • If these values cannot be corrected or files are missing, the system should be treated as compromised and rebuilt.
    6. Consider a clean rebuild if persistence remains
    • If malware or attacker persistence (tasks, services, GPO-like changes) cannot be fully removed, perform a clean OS reinstall from trusted media and do not use attacker-created restore points.
    • After reinstall, immediately:
      • Apply all Windows updates.
      • Install and enable Microsoft Defender Antivirus.
      • Sign in with the secured Microsoft account and enable strong authentication.
    7. Strengthen ongoing protection
    • Use strong, unique administrator passwords and avoid reusing passwords across devices.
    • Keep Windows and all software fully updated.
    • Be cautious with remote support offers; Microsoft does not make unsolicited support calls or ask for remote access unless a support case was initiated.
    • If working remotely for an organization, notify the IT department that the device and account may be compromised so they can assist and apply corporate security policies.
    8. If account recovery fails
    • If the Microsoft account recovery form and standard steps fail and security info has been replaced, there may be no further supported method to recover that specific account.
    • In that case, create a new Microsoft account on a clean device and follow all security best practices to avoid recurrence.

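A read-only PowerShell check for the Winlogon values and the common autostart locations the answers above talk about (registry Run keys and scheduled tasks). This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the affected machine (or the same keys opened via Remote Registry) and only reports, changing nothing.

```powershell
# Added example: report Winlogon tampering and non-Microsoft autostarts. Read-only.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    # Windows stores Userinit with a trailing comma; the comparison ignores it.
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ($null -eq $actual) { Write-Warning "$name is missing from Winlogon"; continue }
    if ($actual.TrimEnd(',') -ieq $expected[$name].TrimEnd(',')) {
        Write-Output "OK       $name = $actual"
    } else {
        # Anything other than the stock value here runs at every logon.
        Write-Warning "MODIFIED $name = $actual (expected $($expected[$name]))"
    }
}

# Per-machine and per-user Run/RunOnce keys: list every value so unknown entries stand out.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # skip PowerShell's PSPath/PSParentPath metadata
        ForEach-Object { Write-Output "RUN      $key\$($_.Name) = $($_.Value)" }
}

# Enabled scheduled tasks outside the \Microsoft\ folder, with the command each one runs.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Write-Output "TASK     $($_.TaskPath)$($_.TaskName) -> $cmd"
    }
```

Entries flagged MODIFIED, or Run values and tasks you do not recognise, are the items to note before deciding on the clean rebuild the answers recommend; if the stock Winlogon values cannot be restored, rebuild rather than keep editing.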
