First, a confession: I didn't fall for the phone call scam, but I may have done something even more embarrassing. I had a problem with a Mozilla Firefox update, so I did a search for Firefox help, and I found a post for Mozilla tech support. I called the number, and cooperated with the person who answered by installing LogMeIn. I watched his every move, none of which was suspicious, but apparently he installed the syskey using a command file or application on his computer. Since he didn't appear to know anything about Firefox, I believe I orchestrated my own downfall by calling the scammer myself.
After figuring out how to boot from a device other than my hard disk (see Can't boot from Windows install disk thread), I've unsuccessfully tried three main approaches to removing my syskey:
(1) I used the Offline Windows Password & Registry Editor tool. Unfortunately, as noted in the very good forum posting User Account Password forgotten, by Duncan1892, the chntpw interactive menu's Option 2 - Syskey status & change doesn't work at all on Vista.
(2) I downloaded and booted Ubuntu, then used it to edit my registry. First, I backed up the corrupted registry files. Simply setting SYSTEM\<various control sets>\Control\Lsa SecureBoot value to 0 doesn't work -- it causes an infinite reboot loop. Also setting SAM\SAM\Domains\Account F value to 0 still doesn't help -- still an infinite reboot loop. Note that in order to set the F value to 0 it was necessary to delete the value and re-create it as type 3.
(3) Again using Ubuntu, I looked at my Windows\System32\config\RegBack folder. Although I found copies of the five registry files (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM), they were dated on the day that the scammer changed them. However, I also found copies directly in the Windows\System32\config folder, named default_previous, sam_previous, security_previous, software_previous, and system_previous, dated 9 days earlier. After backing up the corrupted registry files, I made copies of these and used them to replace the corrupted files. Note that this overwrote the registry files I had edited in approach #2. Using chntpw, I verified that the SYSTEM registry had a lot more control sets, and all the ones I checked had a SecureBoot value of 1, indicating that the syskey value is stored elsewhere in the registry. I assume this is what I would have seen if I had examined them before the hack.
I then tried booting from the hard drive, both in Safe Mode and regular Windows. As I hoped, the syskey prompt did not appear. However, after the initial boot phase (listing all the .sys files in Safe Mode, or watching the Windows animation in the regular boot), the screen went black. After about a minute, a working arrow cursor appeared, but no other graphics. Except for the mouse cursor, all was black. And it stayed that way, even when I let it sit overnight.
The good news is that the syskey is gone. The bad news is that my Windows Vista still won't boot completely.
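An added triage script, not from the original post, that does on a working machine what the poster did by hand with chntpw: it reads the `SecureBoot` value under every control set of the victim's SYSTEM hive (1 is the normal "key in registry" setting; 2 means a scammer-set startup password) and lists the candidate backup hives, including the `*_previous` copies, by timestamp. It assumes the victim's disk is attached as `D:` and that the SYSTEM hive has been loaded offline as `HKLM\OfflineSYS`; both names are constructed.

```powershell
# Added example (not from the original post). Run from a working Windows system
# or WinPE with the victim's disk attached, after loading its SYSTEM hive:
#   reg load HKLM\OfflineSYS D:\Windows\System32\config\SYSTEM
# $HiveRoot and $ConfigDir are assumed names; 'OfflineSYS' and 'D:' are constructed.
param(
    [string]$HiveRoot  = 'HKLM:\OfflineSYS',
    [string]$ConfigDir = 'D:\Windows\System32\config'
)

# Documented meaning of the Control\Lsa\SecureBoot DWORD used by syskey:
#   1 = system key stored in the registry (the default the poster saw in the old copies)
#   2 = startup password required at boot (what the scammer leaves behind)
#   3 = key stored on removable media
$modes = @{ 1 = 'key in registry (normal)'; 2 = 'STARTUP PASSWORD (syskey set)'; 3 = 'KEY ON REMOVABLE MEDIA' }

# Check every ControlSet00x, not just the one currently selected, since the
# poster found they can differ after a hive restore.
Get-ChildItem -Path $HiveRoot |
  Where-Object { $_.PSChildName -like 'ControlSet*' } |
  ForEach-Object {
    $lsa = "$HiveRoot\$($_.PSChildName)\Control\Lsa"
    $val = (Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    $desc = if ($null -eq $val) { 'value missing' }
            elseif ($modes.ContainsKey([int]$val)) { $modes[[int]$val] }
            else { "unknown ($val)" }
    [pscustomobject]@{ ControlSet = $_.PSChildName; SecureBoot = $val; Meaning = $desc }
  } | Format-Table -AutoSize

# Candidate pre-incident hive copies: RegBack may be as new as the attack, while the
# *_previous files in config\ can predate it. Sort by timestamp so a responder can
# pick copies written before the support call.
$hives = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'
Get-ChildItem -Path $ConfigDir, (Join-Path $ConfigDir 'RegBack') -File -ErrorAction SilentlyContinue |
  Where-Object { $hives -contains $_.Name.ToUpper() -or $_.Name -like '*_previous' } |
  Sort-Object LastWriteTime |
  Select-Object FullName, LastWriteTime, Length |
  Format-Table -AutoSize
```

Unload the hive with `reg unload HKLM\OfflineSYS` when finished so the file is not left locked.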