First off, let me thank all of Bleeping Computer's admins and moderators (and helpful users) for providing an invaluable service. I am a self-taught computer enthusiast with about 25 years of the aforementioned experience, and have been visiting this site to seek out answers to past issues I have encountered for many years now. It has been sites like this (along with trial and error) that I credit for my computer knowledge to date. That said, on to my question, which I am having difficulty finding an answer to.
I have a friend (we'll call him Bob) who caved in to the ever-growing Microsoft scam last night (Zeus) and, upon calling the number provided, allowed the scammer to take control of his laptop, ultimately creating a Syskey password. Once this took place, Bob realized he was probably being scammed and told the scammer that he wanted his buddy (me) to take it from there.
Now, I have seen this scam many times to varying degrees: some very easy to rectify with just a clean-up of the startup files and a quick MBAM scan, and others where the scammer went so far as to encrypt the files, rendering them (and the computer) pretty much useless, and we had to resort to reformatting and reloading the OS. In this case a file encryption does not appear to have taken place, but as the thread title mentions, a Syskey password was put in place. Here's the thing that I find odd, though: the scammer actually gave Bob the Syskey password, and we are able to enter it, gain access to his user account, and view all of his files, etc.
As such, I was hoping to just do a System Restore, but when I try to do so I get a message stating that I need to be logged in with an Administrator account. Well, Bob's account is the only one on said laptop, and he IS an administrator. So, unless someone can shed some light on this anomaly, I am leaning towards just removing the Syskey password.
With that being said, I am thinking that, because I actually have the Syskey password, I should be able to remove it. Is my assumption correct? If so, I would further assume that once that is accomplished I could run another MBAM scan (I've run one scan already in Safe Mode, installing it from a flash drive and not connecting to the web, and all it found was 300+ PUPs, all Mindspark). I also ran Revo Uninstaller and removed TeamViewer and Citrix Online Launcher, as well as Intel Technology Access, all of which appeared to have been installed last night.
I am able to access the Syskey tool, but thought it better to come here and ask for some advice first before altering anything there or in the registry.
Any advice is both welcome and appreciated.
Edited by Chris Cosgrove, 31 March 2017 - 12:28 PM.
Moved from Win 10 Support to Ransomware etc.