Windows 7 Locked after scam call - SYSKEY

Anonymous
2014-07-09T06:15:35+00:00

I have had a couple of customers fall for the "This is So and So from Windows 7 Tech support, we have detected malicious software on your PC". The customers have given the scammers access to the PC and it's now locked with what looks like the XP Syskey lock screen. There are reports the passwords are 123 or 1234 or abcd, but that all failed. If you have this problem:

THIS IS FOR WINDOWS 7 ONLY, MAY WORK ON OTHER OS!!!!

I have repaired the syskey issue when created by scam call from “Windows 7 Tech Support” in Windows 7. I repaired customers' computers (1 32-bit and 1 64-bit) successfully. To remove it, follow the steps below:

1. Boot from the Windows 7 install CD.

2. When the Install Windows page appears, click Repair your computer to access system recovery options.

3. Run System Restore to the last point before the syskey password blocked access. (This will fail, but must be done.) Click run system restore again (this will take you back to the options list).

4. Open Command Prompt from the options list.

5. Open Regedit (type regedit into the command prompt). Regedit will open.

6. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, and change the 'SecureBoot' value to 0.

7. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account: change the F value to 0000.

8. Reboot and log in.

This has worked for me on two machines. After reboot I ran SUPERAntiSpyware, Ad-Aware and HitmanPro to confirm; found 68 items on SUPERAntiSpyware, 5 more on Ad-Aware and no further detections on HitmanPro. The PC now runs fine with no lockouts or passwords.

Hope this helps everyone with this problem.

MICROSOFT / WINDOWS 7 SUPPORT WILL NEVER RING YOU UNLESS YOU HAVE REQUESTED THEM TO DO SO!!!!!!!!!!!!!!!!

Windows for home | Previous Windows versions | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community.
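
Added example (not part of the original post or the poster's own procedure): a read-only batch check for the recovery Command Prompt opened in step 4. It loads the installed system's SYSTEM hive and reports the SecureBoot value under Control\Lsa, so the SYSKEY mode can be recorded before and after a repair. The drive-letter argument, the temporary key name OFFLINE_SYS and the descriptions printed for values 1, 2 and 3 are assumptions that do not come from the post.

```batch
@echo off
rem Added example, not from the original post. Read-only: reports the SYSKEY
rem mode stored in the installed system's SYSTEM hive.
rem Assumptions: the Windows drive letter is passed as the first argument
rem (default C:); OFFLINE_SYS is an arbitrary temporary key name.
setlocal
set "WINDRIVE=%~1"
if "%WINDRIVE%"=="" set "WINDRIVE=C:"
set "HIVE=%WINDRIVE%\Windows\System32\config\SYSTEM"
if not exist "%HIVE%" (
    echo SYSTEM hive not found at %HIVE%. Try another drive letter.
    exit /b 1
)

rem Mount the offline hive under the temporary key name.
reg load HKLM\OFFLINE_SYS "%HIVE%" >nul
if errorlevel 1 exit /b 1

rem An offline hive has no CurrentControlSet link; Select\Current names the
rem control set that was in use (this check assumes a number below 10).
set "CUR="
for /f "tokens=3" %%A in ('reg query HKLM\OFFLINE_SYS\Select /v Current ^| find "REG_DWORD"') do set /a CUR=%%A
if not defined CUR (
    echo Could not read Select\Current from the loaded hive.
    reg unload HKLM\OFFLINE_SYS >nul
    exit /b 1
)
set "KEY=HKLM\OFFLINE_SYS\ControlSet00%CUR%\Control\Lsa"

rem Read SecureBoot; set /a converts the 0x... text printed by reg.exe.
set "MODE="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v SecureBoot 2^>nul ^| find "REG_DWORD"') do set /a MODE=%%A

echo Control set : ControlSet00%CUR%
if not defined MODE echo SecureBoot  : value not present
if "%MODE%"=="1" echo SecureBoot  : 1 - startup key generated and stored by the system
if "%MODE%"=="2" echo SecureBoot  : 2 - startup password must be typed at boot
if "%MODE%"=="3" echo SecureBoot  : 3 - startup key stored on removable media
if defined MODE if not "%MODE%"=="1" if not "%MODE%"=="2" if not "%MODE%"=="3" echo SecureBoot  : %MODE% - not one of 1, 2, 3

rem Always unload so the hive file is released before rebooting.
reg unload HKLM\OFFLINE_SYS >nul
endlocal
```

In the recovery environment the installed Windows volume is not always C:, so pass the drive letter that actually contains \Windows.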


64 answers

  1. Monkey57 3,630 Reputation points
    2017-02-24T05:47:14+00:00

    Known recent actions of Scammer/Blackmailer ->

    -Initiated contact of victim with a 'Browser HiJack'  

    -Identified themselves as a Microsoft Representative.

    -Victim's credit card was immediately compromised and suspicious additional charges were caught, and cc was canceled by cc fraud department (these charges were reversed by the fraud department).

    -Scammed/scared victim into paying for unnecessary services (twice) ($600 per cc fraud department, cc fraud department credited victim, after being informed of timeline of scam.)

    -A respected antivirus company's software was installed, as one of the methods, to maintain continued remote access by the scammer.

    Scammers (granted suspicious remote access) have been found to use a combination of legitimate tools and hacker tools (RATs) to maintain a direct connection to your device and/or con you with ... Scans will not necessarily remove or find their compromises; to the safety, security, and stability of your computer.

    "I hunt down these people "-> consider using a cheap Win10 device, that is easy to Clean Install...The Scammers know if you are using a virtual machine, and unfortunately you don't get to see the continuing scam, as they extort money from those unsuspecting....

    2 people found this answer helpful.
  2. Anonymous
    2017-03-21T23:20:05+00:00

    I have the scammer's phone number. One of my users was looking for LinkedIn support and got this number and called and got syskey locked. I've called them back with that number and just bogus at them to figure out where and who they are. I wonder who can pinpoint where they are or bring in law enforcement on them? Someone please?

  3. Anonymous
    2017-03-22T09:08:52+00:00

    You need to ascertain a monetary value on data lost; contact your state attorney general's office. Chances are it's out of country and would require a federal subpoena to trace and locate the offenders.

    If by some chance they are in the US and using a spoofed number, depending if they're in your state you can take them to court there, but if they're out of state you need the state attorney general's office still.

    I found this out when a company scammed me from Kansas. I was in PA at the time. Needless to say, it turned class action and they had to pay a heck of a lot in reparations, which would be the case here also.

    Edit

    I also forgot to mention even though they are using a bogus number it can still be traced.

    2 people found this answer helpful.
  4. Anonymous
    2017-04-20T01:51:10+00:00

    The F value on my computer is binary. Where do I enter in "0000"?

    20 people found this answer helpful.