New Spin on SYSKEY?

MudRock

Well, I did some searching here, and can't find information on this. So I figured I'd post. I'm sure I'll find an easy way to remove it.

So I have one of my regular customers who just can't help falling for scams. Call from 800 number. Lets them on. Promptly puts a lock on their system "Claiming" that they have to lock out the system so that their computer can't harm anyone else until they pay for it to be fixed. Client still on Windows 7, so I was guessing SYSKEY.

Get it here, boot it up, and I get this:
[screenshot: 7Rn6yu5.jpg]

As soon as you move the mouse, press a key, anything, comes up like this:
[screenshot: vfHlKXH.jpg]

Mouse is confined to the area of the dialog box. You can Control-Alt-Delete, but mouse confines won't let you get to Task Manager. Control-Shift-Esc, it instantly closes it. All combinations are promptly thwarted.

Clearly a hand-written application. Very crafty. Even runs in Safe Mode.

Any ideas for a quick fix?
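Since the first post says the guess was SYSKEY before the lock turned out to be a hand-written program, the first thing a technician wants is a quick way to tell the two apart. The script below is an added example written for this thread, not code posted by anyone here: it reports the SYSKEY mode from the registry, either on the running machine or from an offline SYSTEM hive on a drive mounted from rescue media. It assumes the documented meaning of the `SecureBoot` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = key kept in the registry, the default; 2 = startup password required; 3 = key on removable media); the hive path `X:\Windows\System32\config\SYSTEM` and the temporary key name `HKLM\OfflineSys` are placeholders you would adjust.

```powershell
# Added example for this thread (not from the original posts).
# Reports whether a Windows 7 machine has SYSKEY set to startup-password mode.
# Assumption: SecureBoot under ...\Control\Lsa holds the SYSKEY mode
# (1 = key in registry, 2 = startup password, 3 = key on removable media).

function Get-SyskeyModeText {
    param([int]$Mode)
    switch ($Mode) {
        1 { 'Mode 1: key stored in the registry (default, no prompt at boot)' }
        2 { 'Mode 2: STARTUP PASSWORD REQUIRED - a real SYSKEY lock is in place' }
        3 { 'Mode 3: key stored on removable media' }
        default { "Unknown SecureBoot value: $Mode" }
    }
}

function Get-LocalSyskeyMode {
    # Reads the live registry of the machine the script runs on.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SecureBoot -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return 'SecureBoot value not present' }
    Get-SyskeyModeText -Mode $lsa.SecureBoot
}

function Get-OfflineSyskeyMode {
    # Loads a SYSTEM hive from a non-booting disk (placeholder path, adjust it),
    # picks the control set the hive marks as current, reads SecureBoot, unloads.
    param([string]$HivePath = 'X:\Windows\System32\config\SYSTEM')
    $tempKey = 'HKLM\OfflineSys'   # placeholder temporary key name
    reg.exe load $tempKey $HivePath | Out-Null
    try {
        $current = (Get-ItemProperty -Path 'HKLM:\OfflineSys\Select' -Name Current).Current
        $csName  = 'ControlSet{0:D3}' -f $current
        $lsaPath = "HKLM:\OfflineSys\$csName\Control\Lsa"
        $lsa = Get-ItemProperty -Path $lsaPath -Name SecureBoot -ErrorAction SilentlyContinue
        if ($null -eq $lsa) { return "SecureBoot value not present in $csName" }
        Get-SyskeyModeText -Mode $lsa.SecureBoot
    }
    finally {
        [GC]::Collect()                    # release handles so the unload succeeds
        reg.exe unload $tempKey | Out-Null
    }
}

# Usage: run as Administrator.
# On the affected machine (if you can get a console): Get-LocalSyskeyMode
# From rescue media with the client disk mounted:    Get-OfflineSyskeyMode -HivePath 'X:\Windows\System32\config\SYSTEM'
Get-LocalSyskeyMode
```

A genuine SYSKEY startup password is asked for before the logon screen ever appears, so if the registry reports mode 1 and the machine still shows a dialog that grabs the mouse and swallows Ctrl-Shift-Esc, you are looking at a running program rather than SYSKEY, which matches what the first post eventually concluded. Either way, the thread's advice about not trusting a machine a remote attacker has had control of still stands.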
 
There is no "fix" for a machine that's been manipulated by a known bad actor...

The only way to trust the machine going forward is a nuke and pave.
 
Hard to imagine folks falling for the cold call scam about 'errors from the central server', and the classic 'expired Windows license', but....yet they still happen.....daily!

Charge $200 to restore, tell him/her that that fee will be standard every time he/she lets someone remote into the system and lock it? (You'd think the Hindi accent might sound an internal warning of some type)
 
@Markverhyden, I don't recall that but will look for it. Not sure if it was to this article or not but it may be helpful nevertheless. Alice made reference to Passcape but it's not free. The license for business use is $345 but the license for personal use is more affordable. It would have to be purchased on behalf of the user I assume.

Edit to add: I had a case last month where the user was scammed and had Syskey password set. I didn't even realize that until after installing two Windows updates (the last of which I cancelled because it was stalled), followed by WSUS update and a restart. When I restarted the PC the Syskey password request popped up, much to my surprise. I don't recall whether I did a forced restart or not but I think so; either I or the system ran start-up repair and Syskey was gone upon restart. Really surprised! This was a Windows 7 PC.

Also, this post by Alice mentions some issues she encountered with Passcape nuking access to EFS files and other things. That was 4 years ago; perhaps the process or program has improved since then.
 

@Larry Sabo I was referring to your reply on page 2 of the link above. As far as software I guess there wasn't anything free then.
 
Speaking of syskey, I remove it from all my customers' machines and install a modified version that makes the scammer jump through hoops trying to syskey the system, lol.
 