Windows 7 Locked after scam call - SYSKEY

Question

I have had a couple for customers fall for the "This is So and So from Windows 7 Tech support, we have detected malicious software on you PC. The customers have given the scamers access to the PC and its now locked with What looks like the XP Syskey lock screen. There are reports the Password are 123 or 1234 or abcd. But that all failed. If you have this problem:

THIS IS FOR WINDOWS 7 ONLY, MAY WORK ON OTHER OS!!!!

I have repaired the syskey issue when created by scam call from “Windows 7 Tech Support” in windows 7. I repaired customers computers (1 32-bit and 1 64-bit) successfully, To remove following the steps below:

1.     Boot from windows 7 install cd.

2.     When the Install Windows page appears, click Repair your computer to access system recovery options.

3.     Run System Restore to last point before syskey password blocked access. (This will fail, but must be done). Click run system restore again (this will take you back to the options list)

4.     Open Command Prompt from the options list.

5.     Open Regedit (Type regedit into the command prompt). Regedit will open.

6.     Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, and change 'SecureBoot' value to 0.

7.     HKEY_LOCAL_MACHINE \SAM\SAM\Domains\Account Change F value to 0000

8.     Reboot and Login

This has worked for me on two machines. After reboot I ran Super-anti Spyware, Ad-Aware and Hitman Pro to confirm, found 68 items on Super-Anti Spyware, 5 more on ad aware and no further detection's on Hitman Pro. The PC now runs fine with not Lockouts or Passwords.

Hope this helps everyone with this problem.

MICROSOFT / WINDOWS 7 SUPPORT WILL NEVER RING YOU UNLESS YOU HAVE REQUESTED THEM TO DO SO!!!!!!!!!!!!!!!!

Answer 1

Hi Josh,

I own a computer repair and tech support company here in the US and see the "Microsoft Scam" all the time.  Many of the scammers are, as you state,  now using a syskey lock-out and holding the computer for ransom in order to provide the password.  My question to you is this:  what if they have deleted all the restore points?  Last week I had two that came in with syskey and did a simple disc boot, CMD and ran "rstrui.exe" and bam restored and syskey gone.  However, I have had other machines in the shop and when you run the restore it says "no restore points are available."  Any thoughts?  Thanks for your reply.

Answer 2

Replace the registry with the copy stored in the RegBack folder if you cannot find a restore point.

Answer 3

I have no restore points as I myself disabled system restore. Is there a way to remove/reset the syskey on Windows 7? I know many things can be done with booting with linux, is there a way to remove the syskey on a Win 7 from Linux?