Sneaky trick by tech support scammers.

17 replies to this topic

#1 Sarah_Anderson

Posted 09 October 2012 - 07:28 PM

I had not seen a syskey password in years until I read this topic about a week ago. But, since reading that topic, I have now seen two more.

A friend of mine runs a small computer repair shop. He is (mostly) self-taught and he is fine with doing things like backing up data using a BartPE boot disk and formatting/reinstalling etc. He can also do things like replacing cards and installing drivers, and slaving/swapping hard drives etc. But (and he will admit this himself) he is not quite up to speed with the latest malware or anything else that he thinks is complicated or registry-related. When I once asked him how much he knew about the registry, his exact words were: "Oh, I never go in there." He seems to make a decent enough living though. Obviously you can fix virtually all non-hardware-related problems with a format and reinstall. And if his customers are happy with that, then the best of luck to him I suppose. :)

Anyway, he recently had two computers brought to him with syskey passwords. One was XP and the other was Windows 7. Similar to the topic I referenced above, both passwords were set by disgruntled bogus tech support scammers when the victims refused to give them their credit card details.

My friend (always being happy to format!) offered to backup their data, format, then reinstall Windows. The XP victim was fine with this option, but the Windows 7 victim wanted to avoid this option if at all possible. Apparently, the reason for this was that he had some kind of game installed that he had been playing for ages, and formatting would mean that he would have to start the game from the beginning again. (These youngsters and their games. LOL. :wacko:)

It was at this stage that my friend gave me a call and asked if there was anything I could do.

When I arrived at his workshop, I asked him if he had already formatted the XP machine. He told me he hadn't started working on it yet, so I asked him to leave it alone and I would show him how to fix it without having to format the darned thing. I then started showing him how to use his BartPE boot disk to do a manual registry restore to a point before the syskey utility was run. (I thought it would be better to do a full manual registry restore, rather than to just try replacing the encrypted SAM hive.) However, when I looked in the System Volume Information folder there were no restore points in it, so I couldn't restore a recent copy of the registry.

I then decided to have a look at the Windows 7 machine. And, sure enough, there were no restore points available on that machine either.

So it looks like these bogus tech support scammers are turning off System Restore as part of their fictional 'repair' process, in order to make it more difficult to get past the syskey password they will set if the victim refuses to pay. What disgusting creatures these people are!

But there are ways of removing a syskey password without having to do a registry restore. The FREE utility 'Offline Windows Password & Registry Editor' will automatically remove a syskey password on Windows XP without having to do a registry restore. But it will not work on Vista or Windows 7. (Using it on Vista or Windows 7 will cause a continuous reboot loop.)

I do have a different disk that will automatically remove a syskey password on Windows XP, Vista and Windows 7 without having to do a registry restore. But it is not a free utility and I doubt that very many people outside of the 'techie' community would have access to this particular disk.

In the end, to save my friend the effort of his usual backup/format/reinstall routine, I just removed the syskey passwords on both the XP and Windows 7 machines for him. So everyone was happy, apart from the bogus tech support scammers who didn't get paid any money for their pathetic efforts. :)

I strongly recommend that everyone should backup their registry on a daily basis. Having System Restore points is always a good idea, but I would also backup the registry with a third party utility in case malware (or some bogus tech support scammer) decides to delete all the System Restore points on your machine.

If you have recent registry backups, and something nasty happens, the experts on this forum will be able to do a marvelous job of helping you. But if you don't have recent registry backups, in some cases it may cripple the ability of the experts here to help you. (For example, if someone's machine got syskey passworded by a bogus tech support scammer, and they didn't have any registry backups, the experts here would not be able to use the disk that I have to help you fix the problem - unless you actually purchased the disk yourself. The experts here are constrained by restrictive EULA and copyright agreements etc. But if you did have recent registry backups, the experts here would be able to guide you through a manual registry restore using free utilities which are not constrained by restrictive EULA and copyright agreements etc.)

Also, if possible, I would recommend that everyone images their whole system regularly and stores the disk image(s) on a removable drive which you only connect to your machine when you want to create or restore an image. And, if your Windows installation becomes infected, use a boot disk to restore a clean image. Don't try to run an image restore utility (which will attempt to restore your computer on reboot) from an infected Windows installation.

There is malware around now (called 'ransomware') that can encrypt your files and demand that you pay money to the malware author to decrypt them. Some of this malware uses AES encryption, which is basically impossible to decrypt unless you have the password. And the only way to get the password is to pay the 'ransom' to the malware author. However, if your system and all your data is backed up as disk image(s), you can just restore from your system/data image(s). Then the malware will be gone and all your data will be back again.

To be quite honest, with the way modern malware is heading, if you don't have full disk image backups stored on a removable drive which you only connect to your machine when you want to create or restore an image - then I think you are running a definite risk of losing all your data.

There are some excellent antivirus/antimalware products available. I use NOD32 in conjunction with MBAM realtime protection. But none of these products are infallible. One single undetected bit of malware could encrypt all your data and leave you in a very bad position.

So, to be as safe as possible:

1. Use good antivirus/antimalware protection. I would recommend MBAM realtime protection in conjunction with one good antivirus program. One resident antivirus program is quite sufficient. Running more than one resident antivirus program is likely to do more harm than good because they may interfere with each other. However, MBAM has been designed specifically to run in conjunction with any resident antivirus program, so you do not need to worry about MBAM and your resident antivirus program interfering with each other.
2. Most people access the Internet through a NAT router these days, and Windows does have its own built in firewall. So third party software firewalls are not really as necessary as they once were. But, if you do want to use a third party software firewall, make sure you learn how to use it properly. Third party software firewalls generally ask you questions about what connections you want to 'allow' or 'not allow'. And if you're not sure how to answer these questions, it's probably better to just rely on your NAT router (which acts as a kind of hardware firewall) and the built in Windows firewall.
3. Keep Windows up to date.
4. Use Secunia to keep other vulnerable programs up to date.
6. Backup your registry (and preferably your whole system as well) as frequently as possible. (Using third party utilities.)

Apart from whether or not to use a third party software firewall, which is more a matter of personal choice than anything else, all the above steps are very important. However, if a disaster does happen, step number 6 is the one that will save you. Because, with good backups, you are basically bulletproof. :thumbup2:

Stay safe everyone. :)


#2 Romeo29

Posted 10 October 2012 - 02:42 AM

That is very good advice :) Thanks for taking the time to write it all. I myself use some of the tools you mentioned in the article.

But how do you know the scammer did not make any changes other than the SysKey trick? How can you be sure?

#3 Sarah_Anderson

Posted 11 October 2012 - 02:43 PM

> But how do you know the scammer did not make any changes other than the SysKey trick? How can you be sure?

That's a very good question.

In my previous post I said that I just removed the syskey passwords for my friend. But, for the sake of completeness, I should also have mentioned what else I did. So I will do that now.

I did the usual quick malware checks on both machines - generate DDS logs, TDSSKiller, aswMBR, MBAM quick scan, AdwCleaner. But I must admit that I wasn't prepared to wait around for hours to see the results of full virus scans. My friend knows how to do that, so I told him to run full virus scans on both computers before returning them to the customers.

Anyway, from what I found, I suspect that these particular scammers are not trying to deliberately infect their victims' computers with anything nasty. There was no terrible malware on either machine. Just a few PUPs and some adware sponsored toolbars, which I think were totally unrelated to the recent scammer activity.

But I did find a few things. System Restore was turned off on both machines. And both machines had very recent installations of LogMeIn and Wise Registry Cleaner 7.

So I suspect the scammers work like this:

1. Get the victim to install LogMeIn so the scammer can remotely control their computer.
2. Use Wise Registry Cleaner 7 to find hundreds of completely harmless registry 'errors' on the victim's computer.
3. Convince the victim that these completely harmless registry 'errors' mean that their computer is in a terrible state.
4. Fix all the completely harmless registry 'errors' and then ask the victim to pay for this service with their credit card.
5. If the victim refuses to hand over their credit card details, set a syskey password to lock the victim out of their computer. (I suppose they may also give contact details so the victim can pay to get the syskey password, but I'm not sure about this.)

So, all I did was:

1. Turn System Restore back on.
2. Remove the PUPs and adware sponsored toolbars.
3. Remove the LogMeIn and Wise Registry Cleaner 7 software.
4. Set a new restore point and remove the previous restore point that System Restore set when I turned it back on.

Job done. :)

Edited by Sarah_Anderson, 11 October 2012 - 02:50 PM.
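The four artefacts Sarah_Anderson found (syskey startup password, System Restore turned off, LogMeIn, Wise Registry Cleaner) can be checked for in one read-only pass. This is an added example, not code from the thread: a PowerShell audit to run as Administrator on a machine after a suspicious "tech support" call. It assumes the DisableSR policy value is how System Restore was switched off, and matches the two products by their DisplayName in the Uninstall keys.

```powershell
# Added example (not from the thread). Read-only audit for the artefacts the
# scammers left behind. Run as Administrator; nothing is changed on the machine.
$findings = @()

# 1. Syskey mode. SecureBoot = 1 is the default (key kept in the registry);
#    2 means a password is demanded at startup, which is what the scammers set.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.SecureBoot -eq 2) {
    $findings += 'SecureBoot = 2: a syskey startup password is configured'
}

# 2. System Restore disabled by policy (assumption: DisableSR is the value used),
#    or simply no restore points left to roll back to.
$srPol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
if ($srPol -and $srPol.DisableSR -eq 1) {
    $findings += 'System Restore is disabled by policy (DisableSR = 1)'
}
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if (-not $points) {
    $findings += 'No System Restore points are present'
}

# 3. Remote-control and "registry cleaner" products installed recently.
#    Both 32-bit and 64-bit Uninstall keys are searched on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'LogMeIn|Wise Registry Cleaner' } |
    ForEach-Object {
        # InstallDate is yyyymmdd when the installer recorded it; may be empty.
        $findings += ('Installed: {0} (InstallDate: {1})' -f $_.DisplayName, $_.InstallDate)
    }

# Report. An empty list means none of the four artefacts were seen.
if ($findings.Count -eq 0) {
    Write-Output 'No scammer artefacts found.'
} else {
    Write-Output 'Possible scammer artefacts:'
    $findings | ForEach-Object { Write-Output (' - ' + $_) }
}
```

The script only reads the registry, so it can be run before deciding on a manual registry restore or a reinstall.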


#4 Romeo29

Posted 11 October 2012 - 06:40 PM

Those steps were taken very wisely :-) You are very good at this. You should join the malware team on BleepingComputer :)

#5 eric512

Posted 25 November 2012 - 12:50 PM

I have a customer's XP machine in the same state. The one problem with this machine is that it appears the hackers have replaced some other .exe files as well and have shot themselves (and the XP machine) in the foot. Even if I could recover the SYSKEY password, the machine won't allow the password to be entered. The system displays the prompt for the syskey password, but hangs at that screen in both regular boot and SAFE mode. The keyboard and mouse are inactive.

I've attempted to reset or remove the SYSKEY setting, but found other SAM errors when I did. This machine will get a format to get the user back up and running, but I've saved a system image to play with later on.

Any suggestions would be helpful - at this point it is purely educational. I've had at least half a dozen people call me with a report of the same telephone scam, but this is the first with a SYSKEY lockout.

#6 jfoust

Posted 26 November 2012 - 10:04 PM

> I do have a different disk that will automatically remove a syskey password on Windows XP, Vista and Windows 7 without having to do a registry restore. But it is not a free utility


And which tool was that?

#7 judyjht

Posted 27 November 2012 - 01:31 PM

> 6. Backup your registry (and preferably your whole system as well) as frequently as possible. (Using third party utilities.)


So, can you give the steps to back this up daily??

#8 noknojon

Posted 27 November 2012 - 04:53 PM

> Those steps were taken very wisely :-) You are very good at this. You should join the malware team on BleepingComputer :)

Sarah_Anderson - Group: Malware Study Hall Sophomore - We already have a good Malware Removal trainee here.
Well on the way to understanding what is needed to one day join the full Malware Removal Team -

Good luck with your future training Sarah_Anderson :thumbup2:

#9 Romeo29

Posted 28 November 2012 - 03:20 AM

> Sarah_Anderson - Group: Malware Study Hall Sophomore - We already have a good Malware Removal trainee here.
> Well on the way to understanding what is needed to one day join the full Malware Removal Team -
> Good luck with your future training Sarah_Anderson :thumbup2:


She joined later. So I must say that I inspired her to join. :lol:
I am sure she is going to become a very good force in the malware removal team :)

#10 Romeo29

Posted 28 November 2012 - 03:21 AM

> > 6. Backup your registry (and preferably your whole system as well) as frequently as possible. (Using third party utilities.)
>
> So, can you give the steps to back this up daily??


You can use ERUNT to backup your registry every week or so. It works on XP, Vista and 7. No Windows 8 support yet.
http://www.larshederer.homepage.t-online.de/erunt/

Edited by Romeo29, 28 November 2012 - 03:21 AM.


#11 bailey2007player

Posted 19 December 2012 - 09:57 AM


> > > 6. Backup your registry (and preferably your whole system as well) as frequently as possible. (Using third party utilities.)
> >
> > So, can you give the steps to back this up daily??
>
> You can use ERUNT to backup your registry every week or so. It works on XP, Vista and 7. No Windows 8 support yet.
> http://www.larshederer.homepage.t-online.de/erunt/


You can export your registry as a backup every week, instead of using ERUNT.
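Romeo29 and bailey2007player both describe a scheduled registry backup; as an added example (not ERUNT's code nor anything from the thread), here is the equivalent with the built-in reg.exe, which saves the whole binary hives rather than a .reg export. Run it as Administrator and schedule it daily; the backup folder, the 14-copy retention and the .hiv extension are this example's own choices.

```powershell
# Added example (not from the thread). Saves the registry hives Windows loads
# at boot into a dated folder, ERUNT-style, using reg.exe save. Run elevated.
$BackupRoot = 'C:\RegBackup'   # assumption: keep this on a drive you also image
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# SAM is the hive a syskey password encrypts, so a copy taken before a scam
# call is exactly what a manual restore from a boot disk needs.
$hives = 'HKLM\SAM', 'HKLM\SECURITY', 'HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKU\.DEFAULT'
foreach ($hive in $hives) {
    $name = ($hive -split '\\')[-1]
    $file = Join-Path $dest ($name + '.hiv')
    # reg.exe save writes the live hive to a binary file; /y overwrites silently.
    & reg.exe save $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg.exe save failed for $hive (exit code $LASTEXITCODE)"
    }
}

# Retention: keep the newest 14 dated folders, prune the rest.
# PSIsContainer is used instead of -Directory so this also runs on PowerShell 2.0.
Get-ChildItem -Path $BackupRoot |
    Where-Object { $_.PSIsContainer } |
    Sort-Object Name -Descending |
    Select-Object -Skip 14 |
    Remove-Item -Recurse -Force

Write-Output "Registry hives saved to $dest"
```

To restore after a lockout, boot from a rescue disk and copy the saved .hiv files over the matching files in \Windows\System32\config, the same manual restore the first post describes.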

#12 judyjht

Posted 19 December 2012 - 12:25 PM

Could you please tell me how to do it manually. I was thinking I would do it when I make my monthly image of my machine. I use XP Professional.

#13 malanr

Posted 30 September 2013 - 10:44 AM

Sarah_Anderson Said:  "I do have a different disk that will automatically remove a syskey password on Windows XP, Vista and Windows 7 without having to do a registry restore. But it is not a free utility and I doubt that very many people outside of the 'techie' community would have access to this particular disk."

 

Could you elaborate on what software you used?  It would be well worth the purchase if I knew what it was!  :)



#14 quietman7

Posted 30 September 2013 - 11:35 AM

Welcome to BC malanr

 

You have replied to a topic almost a year old. Sarah_Anderson has not been active here since 11/14/2012.
 



#15 MCTBeerwah

Posted 09 July 2014 - 12:04 AM

THIS IS FOR WINDOWS 7 ONLY, MAY WORK ON OTHER OS!!!!

 

I have repaired the syskey issue when created by a scam call from "Windows 7 Tech Support" in Windows 7. I repaired customers' computers (one 32-bit and one 64-bit) successfully. To remove it, follow the steps below:

 

1. Boot from the Windows 7 install CD.

2. When the Install Windows page appears, click Repair your computer to access system recovery options.

3. Run System Restore to the last point before the syskey password blocked access. (This will fail, but must be done.) Click run System Restore again (this will take you back to the options list).

4. Open Command Prompt from the options list.

5. Open Regedit (type regedit into the command prompt). Regedit will open.

6. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, and change the 'SecureBoot' value to 0.

7. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account and change the F value to 0000.

8. Reboot and log in.

This has worked for me on two machines. After reboot I ran SuperAntiSpyware, Ad-Aware and Hitman Pro to confirm; found 68 items with SuperAntiSpyware, 5 more with Ad-Aware and no further detections with Hitman Pro. The PC now runs fine with no lockouts or passwords.
