Computer locked by fake (extortion) company

Thread starter: Kaizen (Guest)
Customer of ours had a company log on to the system and lock their computer. All of the normal password-removal techniques we have used have not worked. I kind of think they changed something in the registry to prevent changes. Things we have tried:

1. Re-ran the offline registry editor to blank the password. It said the password was already blank, but we re-blanked it anyway. This did not help; once in Windows it still says it is password protected.

2. System restore: no restore points available.

3. When we created a second admin account to remove it, we got an error: "Windows cannot remove the password".

4. No different luck using control userpasswords2 to remove it.

I was hoping that there was a common trick these people used to quickly lock passwords.

Any thoughts would be appreciated.
 
They most likely activated the syskey start up password.
Does it request the password before the user logon? If so, that's what it is.

Restore is the best option for this... as you don't have one, it will be difficult.

You may want to google syskey and read up on it.

You can try using a simple password like 123456 to see if it unlocks, they usually use something simple. :)
 
Not knowing how the "extortion techs" loaded their changes... perhaps in the registry? Can you slave the drive and do a manual restore of the hive from the RegBack folder?
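Both of the suggestions above (check whether a SysKey startup password was set, and see whether the RegBack folder still holds hive copies to restore from) can be answered from a slaved drive without booting the affected machine. The script below is an added example, not code from anyone in this thread; it assumes the slaved Windows drive is mounted as D: and that it runs from an elevated PowerShell on the technician's machine. The mount point, the temporary key name `OfflineSystem`, and the `$Root` parameter are all assumptions of the example.

```powershell
# Added example (not from the thread): inspect a slaved Windows system drive offline
# to (a) report the SysKey mode recorded in the SYSTEM hive and (b) list whatever
# hive backups exist in RegBack, with sizes, for a possible manual restore.
# Assumptions: the slaved drive is mounted as D:, and this runs as an elevated user.
param(
    [string]$Root = 'D:\Windows\System32\config'   # assumed mount point of the slaved drive
)

$hivePath = Join-Path $Root 'SYSTEM'
$mountKey = 'HKLM\OfflineSystem'                   # temporary name for the loaded hive

# Load the offline SYSTEM hive under a temporary key with the built-in reg.exe.
reg.exe load $mountKey $hivePath | Out-Null
try {
    # 'Select\Current' records which ControlSet the installation actually boots with,
    # so we read Control\Lsa from that one rather than guessing ControlSet001.
    $current = (Get-ItemProperty 'HKLM:\OfflineSystem\Select').Current
    $lsa = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Control\Lsa' -f $current

    # The SecureBoot value under Control\Lsa holds the SysKey mode:
    #   1 = key kept in the registry (the Windows default)
    #   2 = a startup password must be typed before logon
    #   3 = key stored on removable media
    # A fake-support lockout of the kind described in this thread leaves mode 2 behind.
    $mode = (Get-ItemProperty $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    switch ($mode) {
        1       { 'SysKey mode 1: key kept in the registry (normal).' }
        2       { 'SysKey mode 2: a startup password has been set.' }
        3       { 'SysKey mode 3: key stored on removable media.' }
        default { 'SecureBoot value missing; cannot determine SysKey mode.' }
    }
}
finally {
    [gc]::Collect()                                # drop handles so the hive can be unloaded
    reg.exe unload $mountKey | Out-Null
}

# RegBack: periodic copies of the hives that a manual restore can use.
# On Windows 10 1803 and later these files are 0 bytes unless the backup task has
# been re-enabled, so the size column matters, not just the file names.
Get-ChildItem (Join-Path $Root 'RegBack') -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize
```

If the SAM hive is restored from RegBack, restore the SYSTEM hive from the same backup set alongside it: the SAM is encrypted with the key material in SYSTEM, and a mismatched pair leaves every account unusable.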
 
One bit of info I left out; I did so because I could not think of what it was called. The computer was locked with a syskey password. We removed that using a live password reset disc. After that we still had the issue with the Windows user account password being unchangeable.
 
I have never run into this, but it does sound like a virus is creating a password on boot; that would explain the failure when changing the SAM.
Have you tried an offline virus scanner such as Dr.Web or Kaspersky live disk?
Even an offline MBAM or MBAR scan might help. I would throw everything at it... or perhaps nuke and pave :)
 