Windows 10 user account hijacked

Joined
Aug 11, 2017
Messages
17
Reaction score
1
I have just rebooted my Windows 10 desktop to find that my user account has been hijacked. The screen now displays a picture of a dog and the user name Luisa Mendoza. I have tried starting in safe mode, command prompt, restoring the system, but every option leads back to me having to type in a password for this person, who is now the only user account holder.

I can remove the SSD C drive from my desktop and install it into my laptop to try to delete the hijacker's details, but I do not know where these details are stored in Windows.

Can anyone help me with this problem, as I cannot now use my desktop? I want to try all avenues before having to re-install Windows, which will be my last resort.
Many thanks
j3trooper
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Thanks, but I did read that earlier. The problem is that I cannot even log into my desktop. I have downloaded and tried Hirens boot CD loaded onto a USB stick, which I understood to be able to clear passwords. I managed to get it to boot from the USB and then, using a boot manager and password utility, I could see the hijacker, Luisa Mendoza, linked to my name on the DOS screen display. I cleared the password and rebooted but that had no effect.
I cannot now change the boot order in order to boot from the USB or CD, so I am convinced that the BIOS is infected.
I have just removed the motherboard battery and will leave it out for a few hours in the hope that the BIOS settings are returned to default and that I can actually log on, but I am really clutching at straws.
I can't even reinstall Windows until I can get it to boot up from a CD, and even then, if the BIOS is infected, I would still be back to square one.
I am now looking into how to flash the BIOS but I have no details of the motherboard other than what I can read from it being in situ.
Altogether a right pain, and I have already wasted all day on it to no avail.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Thanks for your reply. Will the bootable key that I make with Rufus bypass the Windows password log-on screen?
Everything I have tried so far has failed to either blank the password or get me past the Windows log-on screen to get to my desktop.
Have you any advice on how to flash the BIOS? Although I can now get it to boot off a CD or USB flash disc, I cannot install the latest BIOS from the Gigabyte website as the USB is not recognised, due, I am sure, to the BIOS being compromised by the hacker.
 
Joined
Jun 9, 2017
Messages
677
Reaction score
141
Flashing the BIOS would not help you with Windows users and passwords. If your BIOS is password protected it is very unlikely that it is infected. Someone would have to have live access to your computer. Unless you can activate the Administrator for your current version of Windows, you'll have to use Diskpart to Clean your disk/SSD and then clean install. Search the Articles part of the forum; there is a tutorial on how to activate the Administrator account there.
DO NOT put your SSD/hard drive in any other machine; you'll infect it or them also.
Be sure to run some serious virus/malware software on all your other drives or computers that may be connected to your computer. Ensure nothing else is infected before you clean install.
You can log onto your MS Account on any other device and either change your password or recover your account as instructed in the first reply.
Antivirus and malware software and strong passwords will prevent this.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Thanks for your reply. My BIOS was not password protected as it had never crossed my mind to do so. No-one has had access to my computer; there is only myself and my wife at home. I only suspected that the BIOS may have been compromised because when I tried one of the many utilities on Hirens boot CD I thought it flashed on the screen in DOS that there was a dummy BIOS installed, or words to that effect. When I ran the same programme a little later it said the BIOS seemed OK.
I will search for the articles on how to activate Administrator rights and also try Diskpart. I can see me installing a fresh copy of Windows, but I had Windows 7 and upgraded to Windows 10 when Microsoft were updating for free.
If I do so I'll probably end up with Win 7 64-bit again.
 
Joined
Jun 9, 2017
Messages
677
Reaction score
141
When you upgraded to 10 and it activated, MS servers listed your hardware, so you should be able to install 10 directly. Ensure you download the correct version (Pro, Home, Enterprise?). Use MCT to create your bootable USB install; Rufus is not needed.
Do ensure all your other devices are clear of any virus or malware. Go buy a new 8GB USB thumb drive and go to a computer that you know is not infected to create your install USB from MS MCT.
If your MS Account is compromised you should assume all devices that use that account are compromised.
 
Joined
Oct 2, 2014
Messages
1,762
Reaction score
407
You wouldn't happen to sign in to your computer with your Microsoft account? If so, that's probably what was hijacked. If someone got access to your Microsoft (outlook.com) account, it's easy enough for them to change the username and password. If Windows 10 is linked to that account, that's what will appear on your PC.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
I have just tried to format the hard drive (250GB SSD, and after disconnecting my other hard drives) using two of the utilities on Hirens CD. I cannot now even format the drive. I am now reluctant to put the hard drive into my laptop to format it in case my laptop also gets infected.
I have been advised by a colleague to buy a USB lead to connect to my hard drive and format it as an external hard drive rather than through Windows Explorer, as I would do if I put it in my laptop.
Is this the best way forward to format the hard drive in these circumstances?
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
As per the previous recommendation, I have changed my password on my Hotmail account and also have run Trend online scan on my laptop. If I do get this lead as recommended by a colleague then I would run Trend online scan again with them each connected to my laptop to scan them as external drives. Then install a fresh Windows from MS MCT on a clean USB stick. But first I need to format the hard drive?
 
Joined
Jun 9, 2017
Messages
677
Reaction score
141
If I remember right, you would boot your USB UEFI. Some F key on your computer will open a boot menu; there you select UEFI USB. On some of my computers Esc will bring it up, on others F8. You'll have to check for your own computer what key sequence on boot-up will bring up this boot menu.
After putting in your language, hit Shift + F10; that should bring up a Command window.
Type in:
Diskpart
List Disk
select disk ---- you should only have one disk/SSD installed, the one you want to install on
Clean ---- wipes disk completely to RAW condition as it came from the factory
convert GPT
Exit
Continue the install.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Thanks for that. I have sent away for that lead and will now be away for the next week so hopefully I can get this done on my return. I will update you when I have done so or sooner if I run into more problems.
 
Joined
Jun 2, 2016
Messages
324
Reaction score
40
> Thanks for your reply. Will the bootable key that I make with Rufus bypass the Windows password log-on screen?
> Everything I have tried so far has failed to either blank the password or get me past the Windows log-on screen to get to my desktop.
> Have you any advice on how to flash the BIOS? Although I can now get it to boot off a CD or USB flash disc, I cannot install the latest BIOS from the Gigabyte website as the USB is not recognised, due, I am sure, to the BIOS being compromised by the hacker.

The bootable key does not get to the point where you need a Windows password log-on screen.
It boots from the key and not from the hard drive.
It will allow you to delete all partitions & reinstall Windows.
It will overwrite your old Windows.

Your BIOS is not infected. Do not reflash it.

> I have just tried to format the hard drive (250GB SSD, and after disconnecting my other hard drives) using two of the utilities on Hirens CD. I cannot now even format the drive. I am now reluctant to put the hard drive into my laptop to format it in case my laptop also gets infected.
> I have been advised by a colleague to buy a USB lead to connect to my hard drive and format it as an external hard drive rather than through Windows Explorer, as I would do if I put it in my laptop.
> Is this the best way forward to format the hard drive in these circumstances?

The Windows USB drive will do everything you need. Forget Hirens CD.
If you wish to follow your colleague's advice, that's your choice.
I've instructed you what to do; if you don't wish to follow, that's also your choice.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
"The Windows USB drive will do everything you need. Forget Hirens CD.
If you wish to follow colleague's advice, that's your choice.
I've instructed you what to do, if you don't wish to follow, that's also your choice"

Thanks for your advice, but it does not work in my case as I cannot change the boot order from the hard drive; the system will not let me. I can enter the BIOS and change the boot order, but whatever order I select is not displayed when I boot up the computer and press F12. The first boot is always the hard drive. I can use the up and down arrows to select the USB, for example, but whenever I press Enter to select that choice and then use the arrows again to move it up in the boot order, the computer just automatically boots up from the hard drive as soon as I press Enter.
I did buy a lead as suggested by my colleague, and when I removed the hard drive from my desktop and connected it to my laptop with the lead, the hard drive was not shown in Windows Explorer. I then went into system administration, where the hard drive was shown as being unallocated. I then had to create a new volume in order for the hard drive to be recognised. I then scanned the hard drive using Windows Defender and two hack tools were displayed (one for Windows and one for Office) as medium threats, and two similar threats were shown in the history as being allowed. I deleted all of these threats and then installed Sophos antivirus home version on my laptop and scanned my laptop and the connected hard drive again. No further threats were found.
I then re-connected the hard drive back into my desktop and inserted the USB stick (that I had previously formatted and downloaded a Windows 10 installation to from MS MCT).
I was suspicious that whatever had infected my desktop was still active, as the same low-res Windows logo was displayed and then the screen very briefly flashed before the startup of the Windows installation was displayed.
I continued to install Windows 10 Home (no product key) and let that install, but when the desktop rebooted after completing the installation it just did exactly the same as it had done before: led me back to installing Windows again.
The fact that I cannot get it to boot up from anything other than the hard drive still leads me to think that the BIOS has been hacked. Any further suggestions or advice that will allow me to change the boot order would be very welcome, as I am now at a loss as to what to do.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
One other thing is that when I created a new volume (after connecting the 'infected' hard drive to my laptop) the volume capacity was only 232.88GB, yet the same 250GB SSD drive in my laptop has a volume capacity of 237.55GB.
There is no partition in the new volume. Could the discrepancy in the reduced capacity of the 'infected' hard drive be a hidden partition, and if so, how do I completely format the 'infected' hard drive?
Thanks for your help
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Update. I managed to install a clean copy of Windows by going into the BIOS to load a safe BIOS setting.
But the hijacker's account (Luisa Mendoza) is still displayed as an option to sign in. This person is also named as an administrator. I was dubious about having got rid of the rootkit viruses (Windows and Office rootkit) that were detected and removed when I originally scanned the hard drive, as the display briefly flashed prior to starting to install Windows.
Even more at a loss as to what to do next without seeking professional help.
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,411
Reaction score
2,319
> so how do I completely format the 'infected' hard drive?

Boot from the installation media and on the first screen hold down the Shift key and strike the F10 key on your keyboard.
That should produce a command prompt window.
In the command prompt window type
diskpart
and hit Enter.
Then follow steps #4 through #7 here:
http://knowledge.seagate.com/articles/en_US/FAQ/005929en?language=en_US
Read and take note that there is no going back after the "clean" command is issued against a particular disk.
You should then be able to perform a custom clean install to the unallocated space on the drive that you just cleaned.

> I managed to install a clean copy of Windows by going into the BIOS to load a safe BIOS setting.
> But the hijacker's account (Luisa Mendoza) is still displayed as an option to sign in
> This person is also named as an administrator

Sorry, but something is just not adding up here.
A custom clean install of Windows 10 should have only produced a single (enabled) user account.
That account being the one that you configured during the installation (Microsoft or Local) and should be the only "Administrator" account on the clean install that is "Active" and "Enabled".
I'm not sure how the "Luisa Mendoza" account keeps showing up.
Are you familiar with that name?
Have you ever used it in conjunction with an email account or account alias or with a copy of Office 365 or any other such account-based program where that name may have been "linked" or otherwise associated with the account you are currently using?
 
Joined
Jun 9, 2017
Messages
677
Reaction score
141
> One other thing is that when I created a new volume (after connecting the 'infected' hard drive to my laptop) the volume capacity was only 232.88GB, yet the same 250GB SSD drive in my laptop has a volume capacity of 237.55GB.
> There is no partition in the new volume. Could the discrepancy in the reduced capacity of the 'infected' hard drive be a hidden partition, and if so, how do I completely format the 'infected' hard drive?
> Thanks for your help

You would use Diskpart and use the clean tool.
 
Joined
Oct 12, 2014
Messages
46
Reaction score
7
> Sorry, but something is just not adding up here.
> A custom clean install of Windows 10 should have only produced a single (enabled) user account.
> That account being the one that you configured during the installation (Microsoft or Local) and should be the only "Administrator" account on the clean install that is "Active" and "Enabled".
> I'm not sure how the "Luisa Mendoza" account keeps showing up.
> Are you familiar with that name?
> Have you ever used it in conjunction with an email account or account alias or with a copy of Office 365 or any other such account-based program where that name may have been "linked" or otherwise associated with the account you are currently using?

I agree. Very fishy! A clean install means you are creating a new account. Why not do the clean install again and, when you're prompted to generate an account, create a "local account", one not linked to any Microsoft account you're using? Secondly, you should get rid of your present Microsoft account and generate a new one. Sure, changing the password was a good thing, but there seem to be more things going on with that account. So submit it for cancellation and Microsoft will remove it after 30 days.
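
The check the last two replies point at (a clean install should leave one enabled administrator account, and that account is either local or linked to a Microsoft account), as an added PowerShell example that is not part of the original thread. `YourAccountName` is a placeholder for the account created during setup; the cmdlets come from the built-in Microsoft.PowerShell.LocalAccounts module on Windows 10.

```powershell
# Added example: audit local accounts after a clean install.
# Run from an elevated PowerShell prompt.

# Placeholder (assumption): the account name(s) you created during setup.
$expected = @('YourAccountName')

# Built-in accounts present on every Windows 10 install (normally disabled).
$builtin = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
$known   = $expected + $builtin

# Members of the built-in Administrators group, looked up by its
# well-known SID so the query works on any display language.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

$report = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        FullName   = $_.FullName          # display name shown at sign-in
        Enabled    = $_.Enabled
        # 'Local' or 'MicrosoftAccount': tells you whether the sign-in
        # identity lives on this PC or is pulled from an online account.
        Source     = $_.PrincipalSource
        IsAdmin    = ($adminSids -contains $_.SID.Value)
        LastLogon  = $_.LastLogon
        Unexpected = ($_.Enabled -and ($known -notcontains $_.Name))
    }
}

$report | Format-Table -AutoSize

# Flag anything enabled that you did not create yourself.
foreach ($acct in ($report | Where-Object { $_.Unexpected })) {
    Write-Warning ("Unexpected enabled account: {0} ({1}), source={2}, admin={3}" -f `
        $acct.Name, $acct.FullName, $acct.Source, $acct.IsAdmin)
}

# A wiped disk cannot carry a local account across a reinstall, so an
# unfamiliar name with Source = MicrosoftAccount points at the online
# account (its profile name), not at files left on the drive.
```

An account whose `Source` is `MicrosoftAccount` takes its displayed name from the online profile, so a name change made there shows up on every PC signed in with that account.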
 
