Ammyy phishing scam - can't access my computer now

Two days ago, my wife, not being technically skeptical enough, allowed our computer to be remotely taken over by one of those phone phishing scams. While this is a common and well-documented scam, it is our first experience with it. They use legitimate remote access software from Ammyy to offer (and in our case, get) access to work on your computer remotely. But Ammyy isn't any part of the scam.


I have read a number of the posts here about this scam, but haven't found one with my issue, which is I now can't get into my computer.


I'll make a long story short: some guy cold-called our house and asked my wife if we had been having computer problems and had an older machine, both of which are accurate in our case. After pointing out all the "problems" as recorded in the Event Viewer, my wife allowed him to take remote control of our computer. Once he did the "free scan" and removed some initial "problems", he offered to make us a 'premium customer' for $80. At that point, she ended the call. But not before, of course, some damage had been done. Clearly through the remote access he planted some malware that I can't get by, and I'm wondering/hoping the damage may have ended there.


Specific questions:

1. When I start the computer, it won't let me in without a special admin password (the Dell logo shows, followed by the XP logo, then the bogus login window). This is something they planted and we don't have a 'password' for. I have tried starting in Safe Mode and Last Known Good Config, neither of which work -- I still get the login screen. Any ideas on how I can get past this? If I boot from the OS disk that Dell sent with the computer, will that work? Haven't done this before -- anything special to know?

2. Can other computers that access our wifi be impacted? We haven't seen evidence of this yet.

3. My wife didn't provide any credit card info, so I am wondering just how much they can get. No online banking is done through this machine, though my wife receives email from her mom's bank, as we handle some of her basic financial dealings. As I type, they are both at Wells Fargo now changing accounts. However, I haven't taken any action yet through our bank. Haven't seen any issues yet and have been watching closely. So I am wondering just what can be done by these bad guys. My wife does some Amazon online purchasing, but again, account numbers and such are usually "x'd" out except for the last few numbers, and that is always on the Amazon (or other merchant) side. I am wondering if all they were looking for was to try and get credit card info for use.

4. The malware they planted could be a botnet and they are using it to plant similar bad stuff on computers through an email contact list. Any way of knowing?

5. Once I get in, I am going to scan with MalwareBytes and Microsoft Security Essentials. Any other suggestions?


Question Info

Last updated July 8, 2019. Views 13,951.

It is unlikely that they infected your PC. They remoted to your PC to demonstrate that your PC had problems and to convince you to fall for their scam to collect money for their service.

What has likely happened is that your user account is no longer an automatic login without a password, hence the login prompt. The problem, of course, is that you don't know the password for the account as you had never set one up.

I'm moving your question to the system repair and recovery topic, though, as I am quite certain that the PC was not infected by the cold call scammer.

-steve

^_^
Windows Insider MVP (Security), Moderator Microsoft Community


Thanks, Steve,  for moving it and your perspective. I hope what you suggest is the case. I have just been digging around trying to find the boot disk to try and boot up from a CD. I found the ‘reinstallation CD for XP’ – is that it I presume?


Dell Dimension 3000, Firefox, WinXP Pro/Sp3, 360 TSE by Qiho, MBAM


Why don't you see if you can restore your computer to two (or three) days ago prior to the incident.

If you can't login, see if you can boot in Safe Mode with Command Prompt and if you can get to a Command Prompt, you can run your XP System Restore from there by entering this command:

%SystemRoot%\system32\restore\rstrui.exe

Choose a date prior to the incident and keep your fingers and toes crossed.

If you start messing around with any CDs that came with your system or any kind of System Recovery (which is not the same as an XP System Restore), you may wish you hadn't since that would put you back to an as shipped from the factory condition and you'll wipe out all your stuff unless you back it up first.

Same if you use a reinstallation CD (whatever that is)... if you happen to find a genuine bootable XP installation CD and it is not the same Service Pack as your installed unspecified Service Pack, you will not be doing any XP Repair Install.


Thanks for the suggestion. I tried Safe Mode with Command Prompt, but was STILL hit with the "Windows XP Startup Password: this computer is configured to require a password in order to start up. Please enter the Startup Password below." message. ARRGGHH!

Is the above MVP correct in saying that the remote access by the scammer created a scenario where the system is asking for this password which I never set up, always having had an auto login, so I am in a catch-22? Can't log in since I don't have a password, don't have a password so I can't log in ...


And is this login prompt a legitimate system prompt, or something having to do with the malware that just 'looks' legitimate?


BTW - my XP is running SP3. It shows I am running build 2600.xpsp_sp3_gdr.120821-1629: service pack 3.


That doesn't sound like the XP password prompt.

I wish I could get this affliction so I could figure out how to deal with it.  Poked around on the Internet a bit and found nothing good (but it is popular).

It sounds like you have some startup item that you need to somehow get rid of.  It is either a startup program and/or a Service that you need to find and get rid of it.

I don't think ammyy is malicious software, but somehow you need to stop it from loading up when you restart your system.

One thing you could do is make a Hiren's boot CD and boot on that into their Mini XP mode.

From there, you could use Autoruns to see if you can find this startup item and disable it.

You could also search your HDD for any executable file (xxxxx.exe) that starts with ammyy and rename it to something like ammyy.bad keeping track of what you do so you can undo it later if you need to.  If the file does not end in .exe, it will not launch.  If you find a ammyy folder, rename it (you can always undo these things later if things get worse).

You could use Hiren's to restore your registry to 2-3 days ago since the ammyy startup item would have to be in there somewhere.

Lots of ideas that are hard to convey by typing and not having fixed this before.  It is too bad we can't talk about it, but that is the way things are here, but I have an email address in my profile.

Anywho, to make a Hiren's boot CD, do this:

I am going to recommend you use Hiren's boot CD (it will also go on a USB drive).

This is good for you because it has many more tools on it than the XP Recovery Console CD, does not care about your Administrator passwords and you will not have to futz around in your BIOS if any afflicted system has SATA drives - Hiren's can deal with that.

You will have a whole bunch of cool tools that you don't have in the XP Recovery Console...  a registry editor, password resetter, and a desktop that looks like Windows XP so you will feel comfortable maneuvering.

You can also easily copy your personal data (documents, images, music) to an external drive.

From a working system, first download Hiren's Boot CD from here (it is a substantial download but worth it):

http://www.hirensbootcd.org/download/    (look near the bottom of the page).

Unzip the Hiren's to some folder where you can find it.  There is a Hiren's.BootCD.15.1.iso in there that you are going to need next.

Use a new CD and this free and easy program to burn your ISO file and create your bootable CD:

http://www.imgburn.com/

When installing ImgBurn, DO NOT install the Ask toolbar.

Here are some instructions for ImgBurn:

http://forum.imgburn.com/index.php?showtopic=61

It would be a good idea to test your bootable CD on a computer that is working.

You may need to adjust the computer BIOS settings to use the CD ROM drive as the first boot device instead of the hard disk.  These adjustments are made before Windows tries to load.  If you miss it, you will have to reboot the system again.  You want the Mini XP mode.

Now I am about done for today, but get the Hiren's going so you can at least boot on something and maneuver.  The other folks may have some other ideas too.

Then you can start looking around with their tools and find anything that has to do with ammyy and get rid of it. 

I may have some more thoughts in dreamland...  but don't give up yet.
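The "search your HDD for any executable that starts with ammyy and rename it, keeping track so you can undo it" step above, written out as a script. This is an added example and not code from the thread or from ElderL; it assumes the drive is mounted somewhere the script can walk (a root path you pass in), that the renamed file gets a ".bad" suffix as suggested, and that the undo log is a tab-separated file named rename_undo.log in that root. The set of launchable extensions and the sample tree built by demo() are my own constructions.

```python
"""Rename executables whose name starts with a given prefix and keep an undo
log so every change can be reverted. Added example, not code from the thread.
Assumptions: the victim drive is reachable under `root`; quarantined files get
a .bad suffix; the undo log lives at <root>/rename_undo.log."""
import os
import tempfile
from pathlib import Path

# Assumption: extensions Windows will launch directly from a startup entry.
EXEC_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".cmd", ".dll"}
QUARANTINE_SUFFIX = ".bad"


def find_candidates(root, prefix="ammyy"):
    """Return launchable files under root whose name starts with prefix (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().startswith(prefix.lower()) and path.suffix.lower() in EXEC_SUFFIXES:
                hits.append(path)
    return sorted(hits)


def neutralize(root, prefix="ammyy", log_path=None, dry_run=False):
    """Rename each candidate to <name>.bad and append 'old<TAB>new' to the undo log.
    Returns the list of (old, new) pairs; dry_run only reports what would change."""
    root = Path(root)
    log_path = Path(log_path) if log_path else root / "rename_undo.log"
    done = []
    for old in find_candidates(root, prefix):
        new = old.with_name(old.name + QUARANTINE_SUFFIX)
        if new.exists():            # never clobber an earlier quarantine of the same file
            continue
        if not dry_run:
            old.rename(new)
            with log_path.open("a", encoding="utf-8") as log:
                log.write(f"{old}\t{new}\n")
        done.append((old, new))
    return done


def undo(log_path):
    """Revert the renames recorded in the log, most recent first. Returns count restored."""
    log_path = Path(log_path)
    if not log_path.exists():
        return 0
    restored = 0
    for line in reversed(log_path.read_text(encoding="utf-8").splitlines()):
        old, new = line.split("\t", 1)
        if Path(new).exists() and not Path(old).exists():
            Path(new).rename(old)
            restored += 1
    log_path.unlink()
    return restored


def demo():
    """Run neutralize/undo over a constructed sample tree in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="ammyy_demo_"))
    sample = [                                   # constructed file layout, not real paths
        "Program Files/Ammyy/AMMYY_Admin.exe",   # matches: should be renamed
        "Documents/ammyy_setup.exe",             # matches: should be renamed
        "Documents/ammyy_notes.txt",             # not launchable: left alone
        "Program Files/AA_v3.exe",               # different name: left alone
    ]
    for rel in sample:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"MZ")                  # constructed placeholder content
    renamed = neutralize(root)
    after_rename = {rel: (root / rel).exists() for rel in sample}
    restored = undo(root / "rename_undo.log")
    after_undo = {rel: (root / rel).exists() for rel in sample}
    return {"renamed": len(renamed), "after_rename": after_rename,
            "restored": restored, "after_undo": after_undo}


if __name__ == "__main__":
    print(demo())
```

Run it with dry_run=True first to see the list before anything is touched; the undo log is the only record of what was renamed, so keep it off the drive you are cleaning if you plan to wipe that drive later.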



http://support.dell.com/support/edocs/systems/pe440sc/en/HOM/HTML/jumpers.htm

this is where the password jumper is located in a Dell pc.

it might be in a different place on your pc, what is the make, model and model number?

Dell Dimension 3000, Firefox, WinXP Pro/Sp3, 360 TSE by Qiho, MBAM


Thanks for all the detailed suggestions, Elder. I got frustrated by this effort earlier and had to step away for a few hours and do something else. I have been thinking I would probably just need to DBAN the whole thing, but your ideas have given me some hope of maybe salvaging it before I do that step. However, you also suggest some things that are beyond my limited techie chops, such as using Hiren's to reset the registry. Unless Hiren's is fairly intuitive and straightforward to use.


Thanks again -- really appreciate your insight.


I burned the Hiren's CD, and just burned the .iso file. The other things looked unnecessary: readme, an image burn program, etc. In my limited experience (just once before) having to burn something like this, I only needed the .iso file. That is the only one needed here, too, right?


I re-ordered the boot sequence on my computer to have the CD-ROM drive first. It whirred away but none of the Hiren's screenshots came up. Once again, only the blasted login with admin password screen.


What did I do wrong?


You implied in your post you would be willing to talk. I just also emailed you with some times I could talk if you are still willing.


Thanks for your help.



Make, model, and model number of PC? Perhaps you need extra guidance with regard to the system's BIOS?

Or did you not download and install ImgBurn? If not, DO IT and follow ElderL's instructions!!! There is a BIG difference between copying an .iso file to a CD and CREATING A BOOTABLE CD from an .iso file, using a program like ImgBurn.
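What that difference looks like on the disc itself, as an added example that is not part of the thread: a disc burned from the image carries the ISO 9660 volume descriptor set with an El Torito boot record, while a data disc that merely stores the .iso as a file has a primary volume descriptor and no boot record (the BIOS then ignores it and falls through to the hard disk). The checker below reads only the descriptor sectors starting at sector 16, which is where ISO 9660 places them; the sample images from build_sample_image() are constructed, and the volume label in them is invented.

```python
"""Tell an ISO 9660 image (or a raw optical disc) that carries an El Torito boot
record apart from a plain data disc. Added example, not code from the thread.
It parses only the volume descriptor set at logical sector 16; the images built
by build_sample_image() are constructed for demonstration."""
import struct

SECTOR = 2048
VD_START = 16 * SECTOR                      # ISO 9660: volume descriptors begin at sector 16
ELTORITO_ID = b"EL TORITO SPECIFICATION"    # boot system identifier in the boot record


def read_descriptors(data):
    """Yield (type, sector_bytes) for each volume descriptor up to the set terminator."""
    off = VD_START
    while off + SECTOR <= len(data):
        sector = data[off:off + SECTOR]
        if sector[1:6] != b"CD001":          # standard identifier missing: not ISO 9660 here
            break
        vd_type = sector[0]
        yield vd_type, sector
        if vd_type == 255:                   # volume descriptor set terminator
            break
        off += SECTOR


def inspect_image(data):
    """Summarise an image: is it ISO 9660, its volume id, and whether it is El Torito bootable."""
    info = {"iso9660": False, "volume_id": None, "bootable": False, "boot_catalog_sector": None}
    for vd_type, sector in read_descriptors(data):
        info["iso9660"] = True
        if vd_type == 1:                                 # primary volume descriptor
            info["volume_id"] = sector[40:72].decode("ascii", "replace").rstrip()
        elif vd_type == 0 and sector[7:39].rstrip(b"\0") == ELTORITO_ID:   # boot record
            info["bootable"] = True
            info["boot_catalog_sector"] = struct.unpack_from("<I", sector, 71)[0]
    return info


def inspect_path(path, sectors=32):
    """Read the first `sectors` sectors of an .iso file or a raw device and inspect them."""
    with open(path, "rb") as fh:
        return inspect_image(fh.read(sectors * SECTOR))


def build_sample_image(bootable):
    """Constructed minimal image: empty system area, PVD, optional boot record, terminator."""
    def descriptor(vd_type, body):
        sector = bytearray(SECTOR)
        sector[0] = vd_type
        sector[1:6] = b"CD001"
        sector[6] = 1                                    # descriptor version
        sector[7:7 + len(body)] = body
        return bytes(sector)

    pvd_body = bytearray(SECTOR - 7)
    pvd_body[40 - 7:40 - 7 + 32] = b"CONSTRUCTED".ljust(32)   # invented volume label
    sectors = [descriptor(1, bytes(pvd_body))]
    if bootable:
        br_body = bytearray(SECTOR - 7)
        br_body[:len(ELTORITO_ID)] = ELTORITO_ID
        struct.pack_into("<I", br_body, 71 - 7, 19)      # boot catalog placed at sector 19
        sectors.append(descriptor(0, bytes(br_body)))
    sectors.append(descriptor(255, b""))
    return bytes(16 * SECTOR) + b"".join(sectors)


if __name__ == "__main__":
    print(inspect_image(build_sample_image(True)))
    print(inspect_image(build_sample_image(False)))
```

Point inspect_path() at the downloaded .iso to confirm it is a boot image, and at the raw device of the burned disc (for example /dev/sr0 on Linux) to confirm the burn preserved the boot record; a disc that was written as a data CD containing the .iso file will report bootable False.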
