Windows 10 user account hijacked

Joined
Aug 11, 2017
Messages
17
Reaction score
1
"Why not do the clean install again and when you're prompted to generate an account. Create a "local account". One not linked to any Microsoft account you're using. Secondly, you should get rid of your present Microsoft account and generate a new one. Sure changing the password was a good thing but there seems to be more things going on with that account. So submit it for cancellation and Microsoft will remove it after 30 days."
Hi and thanks again for your replies.

Thanks once again for your replies. The above is exactly what I did the second time around. I have contacted Microsoft and they have cancelled my account which does take 30 days as you said. I then reinstalled windows again and this time it seemed all good. Even though I didn't have a key as I had upgraded to Windows 10 from Windows 7, once Windows was installed it recognised the system and authenticated the installation.
The same could not be said for Office 2010 which my son had installed several years ago using his workplace licence. Eventually managed to convince Microsoft that it was genuine and they gave me a new key to install a fresh copy but it is only valid for 24 hrs. I then installed Office and reconnected my other hard drives and I thought everything was going smoothly. The PC booted up several times and I was able to log on as an Administrator and with no other accounts shown.
By this time it was later in the evening and I shut down the PC. This morning when I tried to boot it up it would not boot up to the log on screen. I tried several times, going into the Bios for a safe loadup setting, but it just stuck on the Windows logo and the slowly spinning circle. Then it went into recovery mode but that didn't help.
I then disconnected the power cable and cleared the Bios on the motherboard and loaded up optimised settings but it still would boot up but I did get an error message "Inaccessible Boot Device".
I then removed the hard drive and connected it to my laptop with the USB cable and scanned both the 500 MB recovery partition and the 232 GB Windows partition and no threats were found.
I am now going to contact Microsoft support to get their advice before reinstalling Windows for the third time, hopefully using the option to keep my existing files so that I won't have to go through all the hassle of installing Office again.
Any other advice would be much appreciated before I throw it out of the window!!
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Couldn't get through to Microsoft support easily so I tried using Diskpart. I followed your instructions with the 'infected' SSD drive still in my Desktop and disconnected my other Hard drives power cables and also the internet cable as a precaution. I got as far as Clean but then had an error message (which I photographed) and which read:-
Virtual Disk Service error:
Clean is not allowed on the disk containing the current boot, system, pagefile, crashdump or hibernation volume.

So I then connected the 'infected' SSD to my laptop using the USB cable and successfully used diskpart to clean the SSD hard drive. I then reconnected the cleaned SSD drive back into my desktop to reinstall windows.
Now what makes me suspect that the rootkit virus is still present is that with only the cleaned hard drive and the MS MCT USB flash drive connected when I power up the desktop it goes through the boot up procedure and then displays Loading Operating System followed by the Windows logo for a few seconds, then the white rotating circular dots appear below the Windows logo then there is a brief flash across the display and then the first page of the Windows installation procedure appears.
I wouldn't expect to see the windows logo appear or a brief flash when installing a copy of windows onto a cleaned hard drive.
Also before I cleaned the hard drive with Diskpart and was attempting to boot up after installing Windows I tried this time disconnecting the internet cable. After the Windows logo and the white circular dots whirring around for 5-10 minutes it went into recovery mode (which it had done previously but always with the internet cable connected). I then had the following message displayed (which I photographed):

Why did my PC restart?
There's a problem that's keeping us from getting your PC ready to use, but we think an update will help get things working again.
Here's how to get the update:
1. Make sure your PC is plugged in
2. If this PC uses Wi-Fi, select next to follow instructions to connect to a Wi-Fi network
3. If this PC does not use Wi-Fi insert a network cable to connect to a wired system and select Next
4. Once you are connected select Next, and the update will be installed.

I was suspicious that the above message was not a genuine MS message so powered down the PC.
 
Joined
Oct 12, 2014
Messages
46
Reaction score
7
1. Do a clean install
2. Create a new local account
3. Connect the PC to the Internet so it can receive its digital license
4. Disconnect from the Internet
5. Do not install any applications
6. Shutdown the PC
7. Get a cup of coffee and take two aspirin go to bed
8. In the morning boot the PC

Results?

1. Start installing your applications one at a time and reboot after each one
2. If your PC fails to boot after an installation, you'll know where the problem lies
3. It could also be a Microsoft update/patch that is breaking your PC
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,411
Reaction score
2,319
"I followed your instructions with the 'infected' SSD drive still in my Desktop and disconnected my other Hard drives power cables and also the internet cable as a precaution. I got as far as Clean but then had an error message (which I photographed) and which read:-
Virtual Disk Service error:
Clean is not allowed on the disk containing the current boot, system, pagefile, crashdump or hibernation volume."
Boot from the installation media and on the first screen hold down the shift key and strike the F10 key on your keyboard.
That should produce a command prompt window.
In the command prompt window type
diskpart
and hit enter.
IF you would have "followed my instructions" and booted from the installation media, you wouldn't have received that error.
"I wouldn't expect to see the windows logo appear or a brief flash when installing a copy of windows onto a cleaned hard drive."
Pretty sure that, that is normal.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
"1. Do a clean install
2. Create a new local account
3. Connect the PC to the Internet so it can receive its digital license
4. Disconnect from the Internet
5. Do not install any applications
6. Shutdown the PC
7. Get a cup of coffee and take two aspirin go to bed
8. In the morning boot the PC

Results?

1. Start installing your applications one at a time and reboot after each one
2. If your PC fails to boot after an installation, you'll know where the problem lies
3. It could also be a Microsoft update/patch that is breaking your PC"

I'd already taken two aspirin:)
Finally got it working and it seems ok. I had a long chat with Microsoft support and reinstalled Windows again without the internet cable. Then I downloaded Defender offline and did a full scan which revealed no threats. Then when I booted up it did an automatic disk repair and rebooted ok. Then I reconnected the internet cable and connected each hard drive in turn and scanned those again with Defender offline, again no threats were shown. Then I installed Office 2010 again and when it rebooted it did another scan and repair which it took ages to reboot from even though it displayed the following message as being 100% complete
"Scanning and repairing drive(\\?\Volume(b4994826-0000-0000-0000-100000000000)): 100% complete"
Don't really know what that was referring to but since it did that I have rebooted it several times and it's booted up quickly without fault. I then installed Sophos antivirus and scanned the complete PC which again showed no threats.
Microsoft support said that if it gives further trouble then he suspects a corrupt Bios and has advised me to reflash the Bios without the proviso that it could completely fail if it does not reflash successfully.
So fingers crossed it will be ok. Thanks again for everyone's input.
 
Joined
Jun 9, 2017
Messages
677
Reaction score
141
"Then when I booted up it did an automatic disk repair and rebooted ok" ???

Have you tried a different Hard Drive/SSD? This sounds like a failing hard drive to me? Well SSD, there are so few failures that it's hard to diagnose. You might want to just try a different one.

Flashing the BIOS is not that big of a deal; properly done, few failures happen. Download the latest BIOS. Extract to a clean FAT32-formatted USB drive. This is important: extract directly to the USB thumb drive, don't extract to the hard drive then copy. Run the BIOS flash from within the BIOS itself. Most BIOS failures are from running Windows-based BIOS upgrades. I don't know what your manufacturer calls it, but Asus has the EZFlash in the BIOS.
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
Thanks again for your response. It did cross my mind that the SSD may be playing up but I thought that was unlikely due to the issues only arising after this rootkit virus was on my PC.
So far it has rebooted up quickly and with no further errors after the extended scan and repair.
I appreciate your advice on how to go about re-flashing the Bios. The Motherboard is a Gigabyte GA P55m UD2 which, after reading up on it, has a dual Bios. I understand the 2nd Bios will replace the main Bios if the main Bios becomes corrupted. Therefore the need to re-flash the Bios should not arise??
However there is a Q-Flash facility to simplify re-flashing the Bios if it's needed.
Immediately after reinstalling Windows and Office I made a disk image using Macrium software so if I get further problems I think I will replace the SSD drive and hopefully use the Macrium backup CD to re-install Windows and Office. Failing that I will try re-flashing the Bios before buying a Mac!!
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
I'm not sure if I am being over cautious but on one of my data hard drives on my desktop there were 3 separate 1 MB unallocated partitions. So I copied all my data onto another hard drive and attempted to format that drive. It would not format as it said another process was using that drive. I then restarted my desktop and tried to format it again and got the same error message. So I used Diskpart to clean the drive and then created a new simple volume but there is still 1 MB of unallocated space.
How do I get rid of this 1 MB unallocated space and make sure that the whole disk is clean before I move my data back to this drive?
 
Joined
Aug 11, 2017
Messages
17
Reaction score
1
"IF you would have "followed my instructions" and booted from the installation media, you wouldn't have received that error.

Pretty sure that, that is normal."

I actually did follow your instructions and tried pressing shift and F10 when I booted from the USB (MS MCT) but that did not lead me into the command prompt.
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,411
Reaction score
2,319
OK. I suppose it's possible that for some reason it didn't work for you, maybe keyboard input was not being accepted or interpreted properly. I've been using it since Windows XP and it has always worked for me.
All you have to do is press Shift+F10 when you reach the Installing Windows phase. This trick works with Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.
SOURCE: http://windowsitpro.com/windows/open-command-prompt-window-while-installing-windows
 
Joined
Aug 15, 2016
Messages
9
Reaction score
3
Has anyone checked the modem for infection? Diskpart will work best if the "all" switch is used (eg: "clean all" without quotes).
 
