#1  3 Weeks Ago  teebee (Join Date: Oct 2017, Posts: 3, OS: 10)

client had syskey installed on computer

    Hey, new guy here. Tom is my name.

    I have a client whose computer was hacked by a scammer. She allowed them access and then they set a syskey on the computer. After she paid them they told her the password. They came back several times and extorted money from her. I've removed everything so they can't access the computer, but the syskey is still there.
    Questions:
    1) The data....is it encrypted through syskey? Or can it be copied to use on another computer or after a re-install of the OS (win10)?
    2) Can I remove the syskey, being we know the password, and unencrypt things? (I'm thinking NOT)
    3) Being we have access and I have disabled all outside access, are we good to go as is? (again I'm thinking not, as Win10 won't let me install the latest updates)

    Thank you in advance for the help.
#2  3 Weeks Ago  (Join Date: Oct 2013, NW Florida, Posts: 9,442, OS: Windows 10 Enterprise and Pro/Windows 7 Enterprise/Linux Mint)

    What little I know, or think I know, about Syskey is, it is a registry feature of Windows for many years. It was originally designed for enterprise companies to restrict users from certain areas. If you have a system image from before someone installs the syskey, you can defeat it. If you have a registry backup from before syskey was set, it can be restored. Windows keeps a backup of the registry. If you have not booted into Windows / tried to boot into Windows once it is realized that a syskey has been set, the backup registry can be restored. Once it is booted into, the syskey is usually a part of the backup registry.

    I would make sure we are dealing with a syskey and not something else. Even with a syskey installed, you should be able to boot into a rescue CD/USB and still have access to user files. Unless they have installed something else which gives them access to the machine, I wouldn't worry about them resetting it. I would recommend a good clean install to make certain. I know if it was my machine that would be the first thing I would do.

    The Registry Backup is located at C:\Windows\System32\config\RegBack and contains folders Default, SAM, Security, Software and System.

    Another option, while not foolproof, would be for you to set a syskey password. While a big pain, it would prevent others from setting one, in most cases.
#3  3 Weeks Ago  (Join Date: Oct 2013, Posts: 25,172, OS: 64-bit Windows 10 Pro build 17040)

    Hello teebee, and welcome to Ten Forums.

    In addition, here's some more information about the Syskey feature, if this is what is being used. It includes how to remove it using the password.

    SysKey - Set Startup Password to Lock or Unlock Windows - Windows 7 Help Forums

    SysKey - Create USB Key to Lock or Unlock Windows - Windows 7 Help Forums
#4  3 Weeks Ago  cereberus (Join Date: Dec 2015, Posts: 5,841, OS: Windows10)

    The real issue is what else has been compromised. Advise your client, as an urgent priority, to change all online passwords (bank, amazon, paypal, ebay etc), and examine accounts for suspicious behavior.

    Your client may think that is overkill, but ask her if she can afford to take the risk.

    I also strongly advise clean installing from scratch, for same reasons.

    No amount of use of tools like malware removal can give you 100% certainty all is right.

    As you are undoubtedly a man of integrity, do you believe doing anything other than a complete reinstall is in your client's interests?

    You will (imo) provide a much better service if you help her backup valuable data, clean install and assist in reinstalling stuff if necessary. Do that and clients will always come back.
#5  3 Weeks Ago  teebee, Thread Starter (Join Date: Oct 2017, Posts: 3, OS: 10)

    Quote Originally Posted by cereberus View Post
    > The real issue is what else has been compromised. Advise your client, as an urgent priority, to change all online passwords (bank, amazon, paypal, ebay etc), and examine accounts for suspicious behavior.

    She has done all those things. The banks, paypal are all working with her already.

    > Your client may think that is overkill, but ask her if she can afford to take the risk.
    > I also strongly advise clean installing from scratch, for same reasons.

    That's exactly what I was thinking too.

    > No amount of use of tools like malware removal can give you 100% certainty all is right.

    You are hitting that nail directly on the head.

    > As you are undoubtedly a man of integrity, do you believe doing anything other than a complete reinstall is in your client's interests?

    NO, I just wanted to hear this from someone else.

    > You will (imo) provide a much better service if you help her backup valuable data, clean install and assist in reinstalling stuff if necessary. Do that and clients will always come back.

    That is going to be my plan as of right now. My concern is, will the data be clean? I've run scans (malware, viruses were detected and removed/quarantined). I would hate to do a clean install and then re-introduce something from backed up data.
    Thank you so much for verifying what, I guess, I already knew.
#6  3 Weeks Ago  cereberus (Join Date: Dec 2015, Posts: 5,841, OS: Windows10)

    Quote Originally Posted by teebee View Post
    > Thank you so much for verifying what, I guess, I already knew.

    Data is usually ok. It is exe files etc that get infected. Infections of videos, photos etc are rare; word docs and excel etc less so.

    For most, it is photos that are the primary concern. You can scan data with a high degree of confidence.
#7  3 Weeks Ago  teebee, Thread Starter (Join Date: Oct 2017, Posts: 3, OS: 10)

    While copying her 'documents' folder, I got a "You're infected" warning while moving through the docs. A file with no real name ("file") or extension set it off. I shredded that file, then proceeded to fine-tooth-comb all the copied files. Anything that looked suspect was shredded. I then did a clean install of Win10. I then installed Malwarebytes, CCleaner and AVG and ran thorough scans before I copied her data back to the clean install, then again once the data had been copied. I believe that we are clean and nearly back again to where she was before this all happened.

    Thank you all once again, for proving to me that my gut was telling me the right things to do.
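The two worries raised in posts #5 through #7 (is the copied user data clean, and what about a file like the extensionless "file" that set off the AV warning) can be narrowed down before anything is restored onto the clean install. The script below is an added example written for this thread, not code from any poster or from any of the tools named above. It walks a copied data folder and flags files that have no business in plain user data: content that starts with an executable header regardless of the file name, double extensions such as invoice.pdf.exe, and macro-enabled Office documents. The magic-byte table, the extension sets and the sample folder it builds are constructed for the example. It is a filter for manual review on top of an AV scan, not a replacement for one.

```python
"""Pre-restore triage of a copied user-data folder (added example, not from the thread)."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Leading bytes of containers that carry native code or scripts. Constructed table.
CODE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "shebang script",
}
# Names that legitimately hold PE code; MZ bytes under any other name are suspect.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com", ".pif", ".cpl", ".ocx"}
# Office formats that may carry VBA macros.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def sniff(head: bytes) -> str | None:
    """Return a label if the first bytes look like executable content, else None."""
    for magic, label in CODE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def triage_file(path: Path) -> list[str]:
    """Return the reasons a file deserves a second look (empty list = nothing found)."""
    reasons: list[str] = []
    with path.open("rb") as fh:
        head = fh.read(8)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    label = sniff(head)

    if label and ext not in PE_EXTENSIONS:
        # The case from post #7: executable bytes under a name that hides it.
        reasons.append(f"content is a {label} but the name '{path.name}' does not say so")
    if ext in PE_EXTENSIONS:
        reasons.append("executable in a user-data backup")
    if len(suffixes) >= 2 and ext in PE_EXTENSIONS:
        reasons.append("double extension, e.g. photo.jpg.exe")
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office document")
    if ext == "" and label is None:
        reasons.append("no extension and unrecognised content; verify by hand")
    return reasons


def triage_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> reasons for every flagged file under root."""
    flagged: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = triage_file(p)
            if reasons:
                flagged[p.relative_to(root).as_posix()] = reasons
    return flagged


def build_sample_tree(base: Path) -> Path:
    """Create a constructed 'Documents' copy that mimics the situation in the thread."""
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "file").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)               # extensionless PE
    (docs / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # genuine JPEG header
    (docs / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)    # double extension
    (docs / "budget.xlsm").write_bytes(b"PK\x03\x04" + b"\x00" * 16)        # macro-enabled workbook
    (docs / "letter.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 16)        # ordinary document
    return base


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temporary directory and return what gets flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(rel)
        for r in reasons:
            print("   -", r)
```

Run against the constructed folder, "Documents/file", "Documents/invoice.pdf.exe" and "Documents/budget.xlsm" are flagged while the JPEG and the .docx pass. To use it on a real copy, call `triage_tree(Path("D:/backup"))` (path is an assumption) and review each hit by hand before copying the set back.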