Microsoft Phone Scam – the saga continues

Wednesday, November 12th, 2014

On our Facebook page (facebook.com/ezylinkit) I recently posted on the Telstra and Microsoft scam that continues unabated, where people get a random call from someone pretending to be from Microsoft (or Telstra, as has also been the case here in AU). The caller gets the user to give them remote access to their PC, then opens up some logs and "proves" there is an issue (with bogus claims about what the logs show). From there they install a pile of junk software, often including remote access and keylogging software, charge the customer AND also take money from their accounts. All very insidious.
We had a recent customer repair that had a new twist thrown in. The dodgy brothers had set up a Windows Startup Password on the PC, so when it was rebooted it came up asking for a boot password to get into Windows, and that prompt appears BEFORE the normal Windows login.
So I did some hunting on the net, and there were many comments about doing a restore of your registry, going back to a last known good system state, or recovering the last backed-up registry. Yes, these would all work, but we are dealing with morons here! So how about trying some stupidly simple passwords first: password, admin, loser (OK, that one is not likely), abc, 12345, 1234, 123… BINGO, it was 123. Yes, they are that sad. I found some other reports on the web from people who guessed numbers, so it seems that this is what they do. And since they have to change shifts between morons for the 24/7 scam, I'm sure they need to keep it simple.
So what is the "Startup Password"? In simple terms, SysKey encrypts the password hashes held in the SAM part of the registry with a system key, and the Startup Password option makes that key depend on a password typed in before Windows will even show the login screen; without it the hashes cannot be decrypted and the machine will not finish booting. It is a not often used feature, so I thought I'd list how it is used (and how to remove the password, since now that I was into Windows the customer of course doesn't want to see that every boot!).
From within Windows you access the Startup Password feature via "syskey". Just run that from any command prompt or Run box. It's actually called the SAM Lock Tool. When you run it you choose where the key that encrypts the SAM lives: generated by the system and stored locally in the registry (the default), stored on a floppy disk, or derived from a password you enter at startup (the option the scammers used). So let's get in and reverse the damage! Note you can't turn the SAM encryption off once it is on (on Windows 2000 and later it is always on), but you can remove the password requirement on boot. Also note that syskey.exe was removed from Windows 10 version 1709 and Windows Server 2016 version 1709 onwards, so the tool and the steps below only apply to older Windows versions.

Step 1. Run syskey and click Update.

Step 2. Click OK. This will then ask you for the old password (123 in my case) and a new one; leave the new one blank.

Step 3. Reboot the computer. At the Windows Startup Password screen, just hit Enter to get past it. Then, back in Windows, run syskey again, click Update, and choose the bottom option, "System Generated Password". Choose "Store Startup Key Locally", then click OK. This stores the system key in the registry again, so no password box shows up on boot. Tick one for the good guys. Now to just meet one of these scammers in a dark alley with a baseball bat…
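The painful part of this scam is that you only discover the startup password after the reboot locks you out. The check below is an added example, not something from the original post: it reads the SysKey mode from the registry so a technician can spot the tampering while the PC is still running (before rebooting), and confirm after the fix above that the mode is back to the default. It relies on the documented `SecureBoot` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = key stored locally, 2 = password at startup, 3 = key on floppy); the function name and the offline-hive path in the usage note are my own choices.

```powershell
# Added example (not from the original post). Reports the SysKey mode from the
# Lsa\SecureBoot registry value: 1 = system key stored locally (the Windows
# default, no boot prompt), 2 = password required at startup (what the scammers
# set), 3 = key stored on a floppy disk. Run from an elevated PowerShell prompt.

function Get-SysKeyMode {
    param(
        # Lsa key to inspect. Override this when the victim's SYSTEM hive has been
        # loaded offline with 'reg load' under some other name (see usage note).
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $modes = @{
        1 = 'System key stored locally in the registry (default, no boot prompt)'
        2 = 'Password required at startup'
        3 = 'System key stored on floppy disk'
    }

    # SecureBoot is a REG_DWORD; Get-ItemProperty hands it back as an Int32.
    $mode = [int](Get-ItemProperty -Path $LsaPath -Name SecureBoot -ErrorAction Stop).SecureBoot

    $description = 'Unrecognised value'
    if ($modes.ContainsKey($mode)) { $description = $modes[$mode] }

    [pscustomobject]@{
        Path        = $LsaPath
        SecureBoot  = $mode
        Description = $description
        # Anything other than 1 means the machine will not boot unattended.
        NeedsReset  = ($mode -ne 1)
    }
}

$result = Get-SysKeyMode
$result | Format-List

if ($result.NeedsReset) {
    $msg = "SysKey mode $($result.SecureBoot): $($result.Description). " +
           "Do not reboot this PC until it has been switched back with " +
           "syskey > Update > System Generated Password > Store Startup Key Locally " +
           "(that change needs the current startup password)."
    Write-Warning $msg
}
```

If the drive is already locked out and slaved to a bench PC, load its hive first, for example `reg load HKLM\Offline D:\Windows\System32\config\SYSTEM` (drive letter and key name are placeholders), then run `Get-SysKeyMode -LsaPath 'HKLM:\Offline\ControlSet001\Control\Lsa'` and `reg unload HKLM\Offline` afterwards. An offline hive has no `CurrentControlSet` link, so use the control set number given by the `Current` value under `HKLM:\Offline\Select`. The check tells you which mode was set, not the password; if guessing fails, the registry-restore route mentioned above is the way back in.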

James Joyce CCIE MCSE