
SysKey Detection and Removal


10 replies to this topic

#1 TheTripleDeuce

  • Members
  • 275 posts
  • Gender:Male
  • Location:Canada EH!

Posted 16 May 2016 - 08:55 PM

So I see it a lot that people get taken over remotely and reboot their computer, not knowing they have a SysKey enabled on their PC before doing so.

 

So my question is: is there a program out there that can be run to either detect if a SysKey is enabled when logged into said device before reboot and disable the SysKey, or simply show if a SysKey is enabled to warn someone before rebooting their PC?

 

From what I've read online, everything recommended a boot CD to remove the SysKey after the fact of a system reboot, but not before the reboot when Windows is currently loaded up.

 

Could one just do up a .bat to check the registry to see if SysKey is enabled? I'm new to this whole SysKey thing, but I do know multiple scammers claiming to be M$ as well as other companies use this method to scare customers into paying for their "support".





#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 17 May 2016 - 10:53 AM

A scanner/bat file is all well and good, but most people who fall for this are users who are not very computer literate and would have no idea about this, or know to download it. Education is probably more effective as then they will know not to fall for this and similar scams.

 

It's not a bad idea, but I'm not sure it would stop this crap or really make an impact. Usually users are lucky and you can restore.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 TheTripleDeuce

  • Topic Starter
  • Members
  • 275 posts
  • Gender:Male
  • Location:Canada EH!

Posted 17 May 2016 - 02:01 PM

I do a lot of work remotely for people, so even if there is anything I could run to see if there is indeed a SysKey and/or remove it, that would be great, especially something run before Windows reboots, so we could even back up before the reboot to avoid as much data loss as possible.

 

I see so many people have to completely reformat their PCs in order to get up and running, as they also don't typically know well enough to back up files.


Edited by TheTripleDeuce, 17 May 2016 - 02:29 PM.


#4 JohnnyJammer

  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia

Posted 18 May 2016 - 01:23 AM

Mate, you can always use a boot disk to get into the Windows files (C:\Windows\System32\config\RegBack) and then replace / restore the SAM file from that registry backup to C:\Windows\System32\config\.

I have done this many times after a scammer over the phone used SysKey on the victim.



#5 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 19 May 2016 - 07:28 PM

Mate, you can always use a boot disk to get into the Windows files (C:\Windows\System32\config\RegBack) and then replace / restore the SAM file from that registry backup to C:\Windows\System32\config\.
I have done this many times after a scammer over the phone used SysKey on the victim.


Verbosely to JohnnyJammer's post.

http://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-locked-after-scam-call-syskey/5933abb9-4f1b-46cf-bc6a-f81ed33c0a85?auth=1
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#6 TheTripleDeuce

  • Topic Starter
  • Members
  • 275 posts
  • Gender:Male
  • Location:Canada EH!

Posted 07 August 2016 - 12:55 PM

 

Mate, you can always use a boot disk to get into the Windows files (C:\Windows\System32\config\RegBack) and then replace / restore the SAM file from that registry backup to C:\Windows\System32\config\.
I have done this many times after a scammer over the phone used SysKey on the victim.


Verbosely to JohnnyJammer's post.

http://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-locked-after-scam-call-syskey/5933abb9-4f1b-46cf-bc6a-f81ed33c0a85?auth=1

 

Most of the support I do is remote though, so I'm not able to use a boot disk, and most of my customers aren't computer literate, so a .bat or something to run before a reboot takes place would be ideal.



#7 Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 07 August 2016 - 04:46 PM

If the computer you want to check has no SSD for the OS, then you can check if there is a prefetch file for the syskey command.

If there is a prefetch file for syskey, then the syskey command has been executed recently.

 

Prefetch files are located in %SystemRoot%\Prefetch.

http://www.forensicswiki.org/wiki/Prefetch


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
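As an added example (not code from the thread or from any poster), here is a read-only PowerShell check that covers both the registry check TheTripleDeuce asked about in the first post and the prefetch check described above. It assumes the SysKey mode is recorded in the Lsa key's SecureBoot DWORD (1 = key stored locally, 2 = startup password, 3 = key on removable media) and that the prefetch file for the command is named SYSKEY.EXE-<hash>.pf.

```powershell
# Added example, not code from the thread. Read-only SysKey check for a running
# Windows system, combining the two indicators discussed: the registry value that
# records the SysKey mode and a prefetch file showing syskey.exe was executed.
# Assumption: the mode lives in HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# DWORD "SecureBoot" (1 = key stored locally, 2 = startup password required,
# 3 = key on removable media). Run from an elevated PowerShell prompt.

function Get-SysKeyMode {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $mode = (Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    if ($null -eq $mode) {
        return [pscustomobject]@{ Mode = $null; Description = 'SecureBoot value absent' }
    }
    $desc = switch ($mode) {
        1       { 'key stored locally (default, no startup password)' }
        2       { 'startup password required (a SysKey password has been set)' }
        3       { 'key stored on removable media' }
        default { 'unrecognised value' }
    }
    [pscustomobject]@{ Mode = $mode; Description = $desc }
}

function Get-SysKeyPrefetch {
    # Prefetch files are named <EXE>-<hash>.pf; prefetching is often disabled on
    # SSD systems, so an empty result is not proof that syskey.exe never ran.
    $pf = Join-Path $env:SystemRoot 'Prefetch'
    if (-not (Test-Path $pf)) { return @() }
    Get-ChildItem -Path $pf -Filter 'SYSKEY.EXE-*.pf' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime
}

$sk = Get-SysKeyMode
Write-Host ("SysKey mode: {0} ({1})" -f $sk.Mode, $sk.Description)
if ($sk.Mode -in 2, 3) {
    Write-Warning 'A SysKey startup password or key disk is set: back up user data BEFORE rebooting.'
}

$hits = @(Get-SysKeyPrefetch)
if ($hits.Count -gt 0) {
    Write-Warning 'syskey.exe has been executed on this system (prefetch evidence):'
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No syskey.exe prefetch file found (inconclusive if prefetch is disabled).'
}
```

The script changes nothing on the machine; its value is in running it before the reboot, while Windows is still loaded and a backup is still possible.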


#8 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 09 August 2016 - 04:19 PM

Most of the support I do is remote though, so I'm not able to use a boot disk, and most of my customers aren't computer literate, so a .bat or something to run before a reboot takes place would be ideal.

Yes, Prefetch files, mostly used for nefarious applications.
FORENSIC EXAMINATION AND ANALYSIS OF THE PREFETCH FILES ON THE BANKING TROJAN MALWARE INCIDENTS. http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1132&context=adf

Look into the Prefetch file, or consider creating a remote access boot disk CD (or USB thumb drive) that you can send your customers. Customers boot from this CD and it connects to a specially configured remote access PC at your workshop.

Network Bootdisk.

https://www.raymond.cc/blog/universal-tcpip-network-bootdisk-for-microsoft-network-in-floppy-and-boot-cd/
https://support.symantec.com/en_US/article.TECH109610.html
http://www.netbootdisk.com/about.htm

Edited by Crazy Cat, 10 August 2016 - 12:26 AM.

 



#9 Ethan_PCG

  • Members
  • 29 posts
  • Gender:Male
  • Location:United Kingdom

Posted 15 August 2016 - 02:56 PM

If someone does put a SysKey on your computer, I would suggest you use a keylogger. If you let someone connect remotely and you use a keylogger, then you will be able to see every key they are pressing, so if they try to put a SysKey on your computer you will be able to guess the password.

 

In my opinion, I don't see why you would need to let someone connect remotely to your machine. Just use Bleeping Computer for help B)


"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone."
- Bjarne Stroustrup
 
 
 

#10 evelchihuahua

  • Members
  • 6 posts

Posted 28 October 2016 - 01:22 AM

I also am having this problem. I tried the link to Triples Computers you posted. I burned the CD, loaded it, and everything seemed fine until it asked for the path to the registry. windows/system32/config did not work. Any suggestions? When I looked from a DOS prompt the path was X:\Windows\System32\config. When I typed that it did not work, nor did it work when I omitted the drive letter. HELP please



#11 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 31 October 2016 - 11:43 PM

I also am having this problem. I tried the link to Triples Computers you posted. I burned the CD, loaded it, and everything seemed fine until it asked for the path to the registry. windows/system32/config did not work. Any suggestions? When I looked from a DOS prompt the path was X:\Windows\System32\config. When I typed that it did not work, nor did it work when I omitted the drive letter. HELP please


At the DOS prompt, %SYSTEMROOT%\system32\config

Usually, %SYSTEMROOT%\system32\config = C:\Windows\System32\config
 





