A Rising Menace
A trend in the past couple of years has been for scammers to telephone computer owners in the United Kingdom directly, in an effort to convince them that there is a problem with their PC and that they will need to pay to have it fixed. In general, these people cannot fix anything; they merely charge exorbitant fees for absolutely nothing. In other words, they scam you.
The call generally goes something like this:
A foreigner with a thick accent identifies themselves as a TalkTalk, BT, or Microsoft engineer (I have not come across one for Virgin or Sky, but be aware that this could happen).
The person informs you that you have a number of critical problems with your PC, or that your router is being hacked, and that you will need to have it fixed.
To convince you, they then offer to connect remotely and pull up your Event Log (eventvwr.msc). They filter for Warning, Error, and Critical events and present the result as evidence that your PC will soon fail to work correctly if you do not pay them to correct it.
The astute among you have probably already sensed that something here is seriously wrong, and it’s not your PC. It’s the fact that someone is calling you to tell you there is a problem. No one will ever do that. The only way they could possibly know this is by hacking or guessing.
In this case, it’s mere guesswork, and it’s not correct most of the time. The Event Log is supposed to record warnings and errors, and even on the healthiest of PCs there are plenty of Error events that can be safely ignored, as they often don’t amount to anything. The important thing to remember is to never trust someone who calls you about a problem with your PC, and never, EVER let them connect remotely to your PC.
If you do make the mistake of letting them connect, but then happen to get cold feet and refuse to pay the £180+ they request via credit card, the next thing that happens isn’t pretty. The scammer proceeds to follow through on their promise of the PC “not working” if you don’t agree to have them fix it: in a few quick steps, behind the user’s back, they enable what is known as SysKey encryption on the SAM registry hive.
SysKey encryption is a little-known feature of Windows which lets an administrator lock the machine so that Windows will not even start without the correct startup password. The problem is that, unlike other scams, there is no way around it: you can’t simply remove the password, because the SAM hive itself has been encrypted by the process. If your Windows installation has had SysKey activated, you’ll see the following message at boot:
This computer is configured to require a password in order to start up. Please enter the Startup Password below.
The ONLY solution is to find a clean copy of the registry hives from before this occurred. This scammer knew that, however, and took an extra step to block any repair or recovery attempt: they deleted all System Restore points on the machine, which normally hold backup copies of the registry hives.
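As an added example (my own, not part of the original article), here is a PowerShell audit a defender can run from an elevated prompt before any of this happens. It reads the SysKey mode from the SecureBoot value under the Lsa key (1 is the normal default where the key is stored on the machine; 2 means a startup password has been set, which is exactly the state the scam leaves behind), lists the System Restore points that would hold clean hive copies, and saves an extra copy of the hives with reg.exe to a folder you should then move to media the PC cannot reach remotely. The backup folder path is an assumption; change it to suit. Note that syskey.exe itself was removed from Windows 10 version 1709 onwards, so on current builds this particular trick no longer applies, but the restore-point and hive-backup checks still matter.

```powershell
# Added example, not from the original article. Run as Administrator on a Windows client.
# 1. Read the SysKey mode. The SecureBoot DWORD under the Lsa key records it:
#    1 = key stored locally (default), 2 = startup password required, 3 = key on removable media.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$mode = (Get-ItemProperty -Path $lsaPath -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
switch ($mode) {
    1       { 'SysKey mode 1: key stored locally (normal default).' }
    2       { 'SysKey mode 2: a startup password is required. If you did not set this yourself, treat it as tampering.' }
    3       { 'SysKey mode 3: key stored on removable media. Unusual on a home PC.' }
    default { 'SecureBoot value not present; SysKey mode could not be determined.' }
}

# 2. List System Restore points. These hold backup copies of the registry hives,
#    so an empty list means there is no clean hive to fall back on.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    "Restore points found: $(@($points).Count)"
    $points |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
} else {
    'No restore points found. Re-enable protection and create a baseline:'
    '  Enable-ComputerRestore -Drive "C:\"; Checkpoint-Computer -Description "Clean baseline"'
}

# 3. Keep an independent copy of the hives. Restore points can be wiped by anyone with
#    admin rights during a remote session, so copy this folder to offline media afterwards.
$backupDir = Join-Path $env:USERPROFILE 'HiveBackup'   # assumed location; adjust to taste
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE') {
    $target = Join-Path $backupDir "$hive.hiv"
    & reg.exe save "HKLM\$hive" $target /y | Out-Null
    "Saved HKLM\$hive to $target"
}
```

The hive copies are only useful if they are taken while the machine is known-good and stored somewhere a remote session cannot delete them; a copy sitting in the user profile is better than nothing, but the whole point of the scammer wiping restore points is that on-disk backups are within their reach.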