Please help identify this Windows 7 login security


  1. Posts : 5
    Windows 7 Ultimate x64
       #1

    Please help identify this Windows 7 login security


    Hi everyone! My first post here.

    Like the title said, I'm trying to identify what type of Windows 7 security login was involuntarily placed on a family's PC. I've posted this question on another forum, but they all refused to help because they think I was trying to hack into someone's PC.

    Here's the long story...

    My uncle got a call from some guy with an Indian accent claiming to work for Microsoft. He said that my uncle's PC has viruses and registry errors. He said he needed to scan my uncle's PC to see the extent of the problem, so he emailed a link and instructed my uncle to download a program from that website. After downloading this system scanner software, he basically took over my uncle's PC (like Win remote assistance) and started scanning the PC. According to my uncle, after downloading this program, he saw his mouse cursor move around the screen, open the Control Panel and adjust some settings. What settings they were, he doesn't recall. Again, this sure sounded like Windows Remote Assistance. Now all of this was happening while my uncle was on the phone with this guy. After he was done scanning, he informed my uncle that the PC has so and so amount of viruses and errors. He wanted $200 to remove the viruses and fix the registry. My uncle refused, so the guy told him that the PC will be locked with a password until he is willing to pay. My uncle refused because he thought the price was outrageous and he didn't feel comfortable giving someone his CC over the phone. So this guy told my uncle that the PC will be locked with a password and he will only get the password if he pays. He even gave a toll-free (800) number for my uncle to call back if he changes his mind.

    When you boot up the PC, you will get a message "This computer is configured to require a password in order to start up. Please enter the startup password below". As you can see, this isn't the usual Windows login screen.

    This is what the login message looks like:


    Since we do not have the password, we click on "Restart". After the PC restarts, we get a "Windows Error Recovery" message.


    What I've done so far:
    I tried running Windows Repair with the recovery disc, but it found nothing wrong. I tried doing a system restore to an earlier date, but the message still pops up asking for a password. I've googled this problem and I got "It's a BIOS password issue". I reset the password in the BIOS and nothing. Someone mentioned it's an "lsass.exe issue", try running the recovery disc, which I did, but it didn't work.

    After fiddling with this for nearly 3 days, I decided to reformat and do a clean installation. I pulled the hard drive from the PC and placed it in an external HD docking station. I was able to access this hard drive and see all the folders and files. I was surprised that it didn't ask for a password. I decided to run Malwarebytes and scan this HD, but it found nothing. Now I'm backing up all of my uncle's files and will proceed to reformat.

    This is the contents of the Windows folder on my uncle's hd:


    I would rate my PC skills a 4 out of 5. I probably do 10 virus, malware, etc. removals from people's PCs every month. I've also done Windows password recovery several times, but I have never encountered something like this before.

    QUESTIONS:
    What type of Windows security is this?
    Where in Windows would you go to implement/manage this type of security?
    Is it a third party program?

    Thanks in advance!


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    It sounds like some type of ransom-ware was installed to the system - since you are going to format and reinstall Windows, this will remove the ransom-ware so you won't have further problems.

    Regards,
    Golden


  3. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #3

    Hi Jimmy,

    I'm sorry, but your uncle has been scammed. There is no way on this Earth that anyone can ring someone up and claim that they have PC virus/registry problems. How did they get your uncle's phone number in the first place? I would consider having it changed because once one scammer has got hold of it and it has been verified as an active line (by your uncle answering it in the first place), the chances are this won't be the last call of this type that your uncle receives.

    I'm pleased that your uncle had the sense not to pay up, and a full reformat is probably the easiest remedy for this.


  4. Posts : 5
    Windows 7 Ultimate x64
    Thread Starter
       #4

    Golden said:
    It sounds like some type of ransom-ware was installed to the system - since you are going to format and reinstall Windows, this will remove the ransom-ware so you won't have further problems.

    Regards,
    Golden
    So this isn't something that was built-in to Windows, but a third party software?

    Can you remove this "ransom-ware" without reformatting?

    I just noticed something in this hard drive's Program Files folder called Uniblue... It seems suspicious. I'm going to look into it.


  5. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #5

    It is possible, but will probably require specialist advice and will depend on the type and variant of ransom-ware that has been installed. In addition, there is no telling what other damage has been done. If you wish, I can ask one of our malware specialists to take a look. Please carry out her instructions and report back with any information that she asks for.


  6. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #6

    Uniblue is one of those 3rd party registry cleaners... I don't think that's the source of the problem.

    Follow Jacee's advice (the malware expert Dwarf referred to) when she replies if you want to try and clean it up. Alternatively, if you still plan to format and re-install Windows, that will certainly clean it up.


  7. Posts : 5
    Windows 7 Ultimate x64
    Thread Starter
       #7

    Dwarf said:
    Hi Jimmy,

    I'm sorry, but your uncle has been scammed. There is no way on this Earth that anyone can ring someone up and claim that they have PC virus/registry problems. How did they get your uncle's phone number in the first place? I would consider having it changed because once one scammer has got hold of it and it has been verified as an active line (by your uncle answering it in the first place), the chances are this won't be the last call of this type that your uncle receives.

    I'm pleased that your uncle had the sense not to pay up, and a full reformat is probably the easiest remedy for this.
    I totally agree with you. When I was called over to his house to check on this PC, I was just dumbfounded the entire way over there as to how they knew his phone number. I interrogated him like the FBI. Did he get any weird emails? Fill out any online questionnaires? Visit any weird website? See any strange pop-ups? He answered NO to everything. I told him to keep an eye out for his identity with the credit bureau from now on.

    As for him not paying, he told me he might have paid if it were $20. He's a 67-year-old who calls me every day when he needs to print something. So when a guy from Microsoft calls and tells him that his Windows has been sending error messages to Microsoft headquarters, he believed him. How many seniors could fall or have fallen for this? Unbelievable!


  8. Posts : 5
    Windows 7 Ultimate x64
    Thread Starter
       #8

    Dwarf said:
    It is possible, but will probably require specialist advice and will depend on the type and variant of ransom-ware that has been installed. In addition, there is no telling what other damage has been done. If you wish, I can ask one of our malware specialists to take a look. Please carry out her instructions and report back with any information that she asks for.
    Yes, please have Jaycee contact me. I have not formatted the drive yet, as I now have access to it by way of the external docking station. I'm interested to know how to resolve this if I ever encounter it again.

    Thanks


  9. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #9

    They carefully choose the amount that they demand from you in order to provide you with the key to unlock your PC. This amount is designed to make you think that you are paying for a worthwhile service whereas nothing could be further from the truth. If they charge too much, people won't fall for them. Likewise, charging too little will have the same effect.

    This key that they provide on receipt of their demands actually serves 2 functions. One, it removes the prompt and allows you to use the PC as normal. However, its other more sinister function is to actually activate whatever Trojan/malware that they have placed on your system.

    Unfortunately, there are plenty of gullible people out there to give these crooks a decent living. I'm sorry that your uncle fell for this scam, but at least he had the sense not to cave in to their demands for money.


  10. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #10

    JimmyVu said:
    Dwarf said:
    It is possible, but will probably require specialist advice and will depend on the type and variant of ransom-ware that has been installed. In addition, there is no telling what other damage has been done. If you wish, I can ask one of our malware specialists to take a look. Please carry out her instructions and report back with any information that she asks for.
    Yes, please have Jaycee contact me. I have not formatted the drive yet, as I now have access to it by way of the external docking station. I'm interested to know how to resolve this if I ever encounter it again.

    Thanks
    Done. Please await her reply.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
