 Post subject: can you identify this software used to attack a client?
PostPosted: January 16th, 2016, 20:51 

Joined: February 13th, 2010, 9:44
Posts: 208
Location: san diego, ca.
Recovered files for a client. Looking to see what tools were used in this attack. Attached is an image from what appears to be an older piece of software used to separate my client from his data. Does anyone recognize the program?


Attachments:
whatsoftware.JPG
 Post subject: Re: can you identify this software used to attack a client?
PostPosted: January 16th, 2016, 21:30 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
The scammer used a Microsoft tool called SysKey.

How to use the SysKey utility to secure the Windows Security Accounts Manager database:
https://support.microsoft.com/en-us/kb/310105

http://computernetworkingnotes.com/xp-t ... sword.html

Quote:
In this tutorial we will remove the Syskey start-up password and reset the administrator password. Syskey is an additional layer of security. An average user barely implements it. Scammers take advantage of this tool to scam. Scammers usually contact the computer owner, identifying themselves as a member of the Microsoft support team. They will inform you that your PC has a number of critical problems that need to be fixed immediately or your system will fail to work properly. They will convince you to allow them to connect to the system remotely and fix the issues. If you do make the mistake of letting them connect, they will ask you to pay $$$ for the fix. If you refuse to pay, they will enable SysKey encryption on the SAM registry hive.

http://www.passcape.com/reset_syskey
http://www.oxid.it/ca_um/topics/syskey_decoder.htm
https://fixedit.itxpress.biz/2015/01/16 ... hone-scam/

_________________
A backup a day keeps DR away.


 
 Post subject: Re: can you identify this software used to attack a client?
PostPosted: January 17th, 2016, 15:41 

Joined: January 8th, 2008, 5:21
Posts: 925
Location: uk
I had one of these yesterday. There were no system restore points available, but I managed to restore the registry manually from the backup located in the windows\system32\config folder to the date/time before the scammers got into the system. I have read that some of those lowlifes even delete the backup in some cases. I presume in these particular cases the user data remains unencrypted, as the Syskey utility is only used to lock the user out of the system?


 
 Post subject: Re: can you identify this software used to attack a client?
PostPosted: January 18th, 2016, 0:59 

Joined: February 13th, 2010, 9:44
Posts: 208
Location: san diego, ca.
Yes, only the registry gets encrypted, so the data is fine. Not so lucky on the repair: the backup registry method did not restore a working system. Going to try and find deleted system restore points, but given the evidence of a wipe program added to this system I suspect the worst. Easier to reinstall.


 
 Post subject: Re: can you identify this software used to attack a client?
PostPosted: January 18th, 2016, 10:03 

Joined: February 13th, 2010, 9:44
Posts: 208
Location: san diego, ca.
System repaired. User error on my part: I should only have selected the backup reg files by latest mod date; they were intact. 100% recovery of data (it was not encrypted) and computer un-hijacked.
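The recovery the replies above describe, as one script: confirm that the offline SYSTEM hive really carries a SysKey startup-password lock, compare the live hives in windows\system32\config with the RegBack copies by modification date, and (only on request) swap the whole hive set for the pre-scam backups. This is an added example, not code from the thread, from Microsoft or from any of the linked pages. It assumes the victim's disk is mounted offline (D:\Windows here) from WinRE/WinPE with PowerShell or on another Windows machine, and the mount name HKLM\OfflineSystem and the Hijacked-* evidence folder are names chosen for the example.

```powershell
<#
  Added example, not code from the thread or from Microsoft.
  Inspect an OFFLINE Windows installation for a SysKey startup-password lock and,
  with -Restore, replace the live registry hives with the RegBack copies Windows
  made before the scammer's session. Run as Administrator from WinRE/WinPE with
  PowerShell, or with the victim's drive attached to another Windows machine.
  D:\Windows is an assumed path; change it to the mounted system drive.
#>
param(
    [string]$WinDir = 'D:\Windows',
    [switch]$Restore           # without -Restore the script only reports
)

$Config  = Join-Path $WinDir 'System32\config'
$RegBack = Join-Path $Config 'RegBack'
$Hives   = 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY', 'DEFAULT'

# --- 1. Read the SysKey mode from the offline SYSTEM hive -------------------
# HKLM\SYSTEM\ControlSet00N\Control\Lsa\SecureBoot (REG_DWORD):
#   1 = boot key stored in the registry (Windows default, no prompt)
#   2 = startup password required      <- what the scammer sets with syskey.exe
#   3 = boot key on removable media
$mount = 'HKLM\OfflineSystem'        # temporary mount point name (assumed)
& reg.exe load $mount (Join-Path $Config 'SYSTEM') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $Config\SYSTEM (hive in use or wrong path)" }
try {
    $current = (Get-ItemProperty 'HKLM:\OfflineSystem\Select').Current
    $cs      = 'ControlSet{0:D3}' -f $current
    $mode    = (Get-ItemProperty "HKLM:\OfflineSystem\$cs\Control\Lsa").SecureBoot
    $label   = switch ($mode) {
        1       { 'key stored in registry (no SysKey prompt)' }
        2       { 'STARTUP PASSWORD REQUIRED: SysKey lock present' }
        3       { 'key on floppy/removable media' }
        default { "unknown value '$mode'" }
    }
    "SysKey mode in ${cs}: $label"
} finally {
    [gc]::Collect()                  # release handles so the unload succeeds
    & reg.exe unload $mount | Out-Null
}

# --- 2. Compare live hives with the RegBack copies -------------------------
# Choose the restore candidates by timestamp: RegBack must predate the remote
# session and must not be empty (Windows 10 1803 and later leave 0-byte files
# in RegBack unless periodic backup was re-enabled).
$report = foreach ($h in $Hives) {
    $live = Get-Item (Join-Path $Config  $h) -ErrorAction SilentlyContinue
    $bak  = Get-Item (Join-Path $RegBack $h) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive           = $h
        LiveModified   = $live.LastWriteTime
        BackupModified = $bak.LastWriteTime
        BackupBytes    = [int64]($bak.Length)   # 0 when the file is missing or empty
    }
}
$report | Format-Table -AutoSize

# --- 3. Restore the whole pre-scam hive set --------------------------------
# SAM is encrypted with the boot key derived from SYSTEM, so the hives are
# replaced together; a RegBack SAM paired with the scammer's SYSTEM will not boot.
if ($Restore) {
    $bad = @($report | Where-Object { $_.BackupBytes -eq 0 })
    if ($bad.Count) { throw "RegBack missing or empty for: $($bad.Hive -join ', ')" }

    $keep = Join-Path $Config ('Hijacked-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $keep | Out-Null
    foreach ($h in $Hives) {
        Copy-Item (Join-Path $Config  $h) $keep          # keep the locked hives as evidence
        Copy-Item (Join-Path $RegBack $h) (Join-Path $Config $h) -Force
    }
    "Restored $($Hives.Count) hives from RegBack; locked originals kept in $keep"
}
```

Run it once without -Restore: the SecureBoot value should read 2 on a locked machine, and the BackupModified timestamps should all fall before the remote session (on Windows 7 the RegIdleBackup task refreshes RegBack roughly every ten days, so the copy may be older than the lock-out but is still a consistent set). Only then run it with -Restore. The script does not strip the startup password out of the existing hives; like the posters, it replaces the hive set with the earlier copy, which also rolls back any account passwords the scammer changed in SAM. User data is untouched either way, as the thread notes.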

