
Syskey Password After Zeus Scam


10 replies to this topic

#1 McHarley94

Posted 31 March 2017 - 11:51 AM

Hey All,

 

First off let me thank all of Bleeping Computer's admins and moderators (and helpful users) for providing an invaluable service. I am a self-taught computer enthusiast with about 25 years of the aforementioned experience, and have been visiting this site to seek out answers to past issues I have encountered for many years now. It has been sites like this (along with trial and error) to which I credit my computer knowledge to date. That said, on to my question, which I am having difficulty finding an answer to.

 

I have a friend (we'll call him BOB) who caved in to the ever-growing Microsoft scam last night (Zeus) and, upon calling the number provided, allowed the scammer to take control of his laptop, ultimately creating a Syskey password. Once this took place Bob realized he was probably being scammed and told the scammer that he wanted his buddy (me) to take it from there.

 

Now I have seen this scam many times to varying degrees... some very easy to rectify with just a clean-up of the startup files and a quick MBAM scan, and others where the scammer went so far as to encrypt the files, rendering them (and the computer) pretty much useless, and we had to resort to reformatting and reloading the OS. In this case file encryption does not appear to have taken place, but as the thread title mentions, a Syskey password was put in place. Here's the thing that I find odd though... the scammer actually gave Bob the Syskey password and we are able to enter it and gain access to his user account and can view all of his files, etc.

 

As such I was hoping to just do a System Restore, but when I try to do so I get a message stating that I need to be logged in with an Administrator account. Well, Bob's account is the only one on said laptop and he IS an administrator. So, unless someone can shed some light on this anomaly, I am leaning towards just removing the Syskey password.

 

With that being said, I am thinking that because I actually have the Syskey password I should be able to remove it. Is my assumption correct? If so, I would further assume that once accomplished I could run another MBAM scan (I've run one scan already in Safe Mode, installing it from a flash drive and not connecting to the web, and all it found was 300+ PUPs, all Mindspark). I also ran Revo Uninstaller and removed TeamViewer and Citrix Online Launcher, as well as Intel Technology Access, all of which appeared to have been installed last night.

 

I am able to access the Syskey Tool but thought it better to come here and ask for some advice first before altering anything there or in the registry.

 

Any advice is both welcome and appreciated.

 

Kindly, Mark 


Edited by Chris Cosgrove, 31 March 2017 - 12:28 PM.
Moved from Win 10 Support to Ransomware etc.



#2 McHarley94

Posted 31 March 2017 - 12:44 PM

TY, Chris, for moving my thread. It dawned on me while I was AFK that I likely posted it in the wrong area.

 

Just to verify in case it helps... the laptop in question is running Windows 10 Home 64-bit.


Edited by McHarley94, 31 March 2017 - 12:45 PM.


#3 quietman7 (Global Moderator)

Posted 31 March 2017 - 02:37 PM

Does the password box look like this?

[image: syskey.png]

If so, see these related topics for suggestions:

Windows 8/8.1 users can refer to the instructions (methods 4-6 or Shift+F8) in How To Access Advanced Startup Options in Windows 8 or 8.1

Windows 10 users can refer to the instructions from Security Colleague Demonslay335 in this topic.

You can either boot the system to an external OS, or connect the drive to another computer, and use the trick with restoring the registry SAM from the REGBAK folder. We've done it successfully a dozen times on customers' machines.


If the password box looks like this, then see Encrypted Boot Ransomware Support Topic

[image: bios-pass.jpg]
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 McHarley94

Posted 31 March 2017 - 03:39 PM

TYVM for the effort put into your reply. To clarify, the login window I am experiencing is the same as the first pic you posted entitled "Startup Password".

 

And just to clarify, I did quite a bit of homework, having previously read through a couple of the sources you have provided above, as well as several others elsewhere, before creating this thread here. Everything I am reading seems to address those who do not have access to the encrypted password and require a method to boot from an external source in an effort to alter the registry, or some similar, more elaborate method. Unfortunately I am not finding anything pertaining to anyone who actually knows the password already and can access the SAM Lock Tool.

 

In my case I already know the encrypted password and I am able to access everything within the user's account, including the SAM Lock Tool. As such I am inclined to just "Update" the Syskey password, leaving the new password box (and confirmation password box) blank, and reboot, followed by using the SAM Lock Tool again to create a System Generated Password and choosing to Store Startup Key Locally. My thinking is that this will rectify the login requirement entirely, but before I follow through with this I was hoping to get a confirmation that this will accomplish the job.

 

Prior to this I had virtually NO experience working with the Syskey password, hence my reluctance to follow through with my assumptions.

 

Thoughts?  Thank You!


Edited by McHarley94, 31 March 2017 - 03:43 PM.


#5 quietman7 (Global Moderator)

Posted 31 March 2017 - 03:44 PM

Since I never tried the procedure you are describing, I can't confirm if it will work. Perhaps Demonslay335 or someone else will read this topic and reply with their thoughts.

#6 Demonslay335 (Security Colleague, Ransomware Hunter)

Posted 31 March 2017 - 04:21 PM

So you actually have the SysKey password? Did you guess it? In the past, I was able to guess some when they were just "1234" or something absolutely ridiculous like that, but they started using truly random garbage later, so we just resorted to restoring the registry each time to not bother with the guessing game.

 

I usually just remove it outright. The bootable Lazesoft Recovery Suite has a SysKey remover tool, but I've only had it work maybe once or twice for me. We usually boot to an external OS such as MiniXP or something, and follow the instructions in this article to copy the hive files from %SYSTEMROOT%\system32\config\RegBack in to %SYSTEMROOT%\system32\config. Works like a charm each time, you just have to be aware that you are reverting the whole registry, so sometimes there's little goofy things such as newly installed programs not being registered with Windows (don't show in Uninstall Programs).

 

Worst-case, if the SysKey cannot be removed somehow (RegBack was wiped by the scammers), then we've had to resort to backing up data and reloading the system in interest of time. I've not tried to actually brute-force the SAM encryption or anything like that, but I know there are methods out there to do so.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 McHarley94

Posted 31 March 2017 - 04:35 PM

Hey Demonslay335,

 

No, actually the hacker provided "Bob" with the password, which was "apuwa" with some numbers that followed, so I'm guessing it is his name and birth date? He must be new on the job, eh? LOL. Lucky for Bob.

 

I think what I am going to try is to create a Syskey password on one of my systems on the bench and then try my method and see if it works, and if so then I'll risk doing so on Bob's laptop as well. I'll let you know the results so you can suggest it in the future if you are so inclined.

 

And if it does NOT work then I will go about it using a method that you and/or quietman7 suggests.

 

I shall return 



#8 McHarley94

Posted 31 March 2017 - 06:01 PM

  1. OK, using a Windows 7 system I had on my bench, I created a System Password using the SAM Lock Tool (syskey), followed by a reboot.
  2. Upon reboot, just as would be required after a Zeus scammer hacked a Windows system, I was asked to enter a password in order to log in.
  3. Once logged in I reopened the SAM Lock Tool and changed the password, but this time I left both password entries blank. Upon clicking OK I was then asked to enter the previous password to confirm, and then followed up by rebooting the computer.
  4. Upon reboot I was again asked to enter a password (which I now left blank). Once logged in I again reopened the SAM Lock Tool, but this time I left the password boxes alone and instead ticked the radio button next to 'System Generated Password' and confirmed that the radio button next to 'Store Startup Key Locally' was ticked as well, and then clicked OK. I was again asked to enter my password to confirm (which I left blank), and I again followed up with a reboot.
  5. Upon reboot Windows booted without a required password and everything appears normal.

Seeing as my test run appeared to be a success, I went ahead and did the same on Bob's Windows 10 computer, and everything went exactly as hoped (short of being forced to use the TAB key to navigate the login box on step 4; for whatever reason the mouse would not work on this step), and I am now back at Bob's desktop without a required password to log in.

 

Of course this will only work if one knows (or can figure out) the password the hacker created, but it appears to be the procedure to follow if one wants to change or remove a Windows system login password they created themselves (and remember).

 

I will now proceed with scanning the system for any leftover critters and/or quirks, and if I find any I will come back and post my findings.

 

Meanwhile I am going to bookmark this thread as a reference related to any future ransom scams I am certain to come across.

 

Thanks Guys


Edited by McHarley94, 31 March 2017 - 06:06 PM.
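The hive-restore procedure Demonslay335 describes in post #6, together with the check a practitioner would want before and after the syskey removal in post #8, as an added PowerShell example. This is not code from the thread, from the posters, or from Microsoft; the function and variable names are mine. It assumes a WinPE or other recovery command prompt run as administrator, with the affected Windows volume mounted as D: (adjust $Win), and it relies on one documented fact: syskey.exe records its mode in the SecureBoot DWORD under the Control\Lsa key of the SYSTEM hive, where 1 means the key is stored locally (normal boot), 2 means a startup password is required and 3 means the key lives on removable media.

```powershell
# Added example for this thread, not the posters' own code or a Microsoft tool.
# Assumed setup: WinPE/recovery prompt as administrator, affected Windows
# volume mounted as D: (change $Win to match your mount point).
# syskey.exe stores its mode in the SecureBoot value under Control\Lsa:
#   1 = key stored locally (normal boot), 2 = startup password, 3 = removable media.

$Win     = 'D:\Windows'
$Config  = Join-Path $Win 'System32\config'
$RegBack = Join-Path $Config 'RegBack'
$Hives   = 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'DEFAULT'

function Get-SyskeyMode {
    # $LsaPath is a PowerShell registry path to a ...\Control\Lsa key,
    # either on the live system or inside a hive loaded with reg.exe.
    param([Parameter(Mandatory)][string]$LsaPath)
    $mode = (Get-ItemProperty -Path $LsaPath -Name SecureBoot -ErrorAction Stop).SecureBoot
    switch ($mode) {
        1       { 'locally stored key (no startup prompt)' }
        2       { 'startup PASSWORD required' }
        3       { 'startup key on removable media' }
        default { "unknown SecureBoot value $mode" }
    }
}

function Get-OfflineSyskeyMode {
    # Loads a SYSTEM hive file under a temporary key, reads the mode from the
    # control set that hive marks as current, then unloads it again.
    param([Parameter(Mandatory)][string]$SystemHiveFile)
    $tmp = 'HKLM\OffSys'
    & reg.exe load $tmp $SystemHiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $SystemHiveFile" }
    try {
        $cur = (Get-ItemProperty -Path 'HKLM:\OffSys\Select' -Name Current).Current
        $lsa = 'HKLM:\OffSys\ControlSet{0:D3}\Control\Lsa' -f $cur
        Get-SyskeyMode -LsaPath $lsa
    } finally {
        # release provider handles, otherwise the unload fails with "access denied"
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $tmp | Out-Null
    }
}

function Restore-HivesFromRegBack {
    # Saves the live hives beside themselves, then copies the RegBack copies
    # over them (the whole registry reverts, as post #6 warns). Refuses to run
    # if any RegBack file is missing or 0 bytes, which is the default state on
    # Windows 10 1803+ unless periodic registry backup was re-enabled.
    foreach ($h in $Hives) {
        $src = Join-Path $RegBack $h
        if (-not (Test-Path $src) -or (Get-Item $src).Length -eq 0) {
            throw "RegBack copy of $h is missing or empty; nothing safe to restore"
        }
    }
    $backup = Join-Path $Config ("PreRestore-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $backup | Out-Null
    foreach ($h in $Hives) {
        Copy-Item -Path (Join-Path $Config $h)  -Destination (Join-Path $backup $h)
        Copy-Item -Path (Join-Path $RegBack $h) -Destination (Join-Path $Config $h) -Force
    }
    "Restored $($Hives -join ', ') from RegBack; originals kept in $backup"
}

# 1. What does the current (scammer-modified) SYSTEM hive say?
"Current hive: " + (Get-OfflineSyskeyMode -SystemHiveFile (Join-Path $Config 'SYSTEM'))

# 2. What does the RegBack copy say? Only restore if it predates the syskey change.
$regbackMode = Get-OfflineSyskeyMode -SystemHiveFile (Join-Path $RegBack 'SYSTEM')
"RegBack hive: $regbackMode"
if ($regbackMode -like 'locally stored*') { Restore-HivesFromRegBack }

# 3. After rebooting into Windows (or after the GUI steps in post #8), the same
#    check on the live system should report the locally stored key:
#    Get-SyskeyMode -LsaPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
```

Running Get-SyskeyMode against HKLM:\SYSTEM\CurrentControlSet\Control\Lsa on the booted machine is the quick way to confirm that the GUI steps in post #8 actually took effect, rather than relying on the absence of a prompt at the next reboot. Two caveats the thread does not cover: on Windows 10 version 1803 and later the RegBack files are 0 bytes unless periodic registry backup was re-enabled, so the restore path above deliberately refuses to run there, and syskey.exe was removed from Windows 10 in version 1709, so the post #8 procedure only applies to earlier builds, leaving the hive restore as the remaining option.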


#9 quietman7 (Global Moderator)

Posted 31 March 2017 - 06:07 PM

You're welcome on behalf of the Bleeping Computer community.

BTW... I am moving this topic to a more appropriate forum since it is not really related to our typical ransomware support.

#10 Demonslay335 (Security Colleague, Ransomware Hunter)

Posted 31 March 2017 - 06:12 PM

Excellent, glad to see you got into it successfully. Good to know how to remove it if the password is known; that is extremely odd that they gave it to Bob, usually they hold that as "ransom" until he pays them.

 

Hopefully Bob learns his lesson, and never calls those numbers again. If he stumbles on any more, or if you find the site he was on, feel free to PM me the URL and I can see about getting them reported.




#11 McHarley94

Posted 31 March 2017 - 06:25 PM

Yeah, again my only guess is Apuwa is a new recruit.





