Monday 30 September 2013

Sneaky trick by tech support scammers.

I had not seen a syskey password in years until I read this topic about a week ago. But, since reading that topic, I have now seen two more.

A friend of mine runs a small computer repair shop. He is (mostly) self taught and he is fine with doing things like backing up data using a BartPE boot disk and formatting/reinstalling etc. He can also do things like replacing cards and installing drivers, and slaving/swapping hard drives etc. But (and he will admit this himself) he is not quite up to speed with the latest malware or anything else that he thinks is complicated or registry related. When I once asked him how much he knew about the registry, his exact words were: "Oh, I never go in there." He seems to make a decent enough living though. Obviously you can fix virtually all non-hardware related problems with a format and reinstall. And if his customers are happy with that, then the best of luck to him I suppose. :)


Anyway, he recently had two computers brought to him with syskey passwords. One was XP and the other was Windows 7. Similar to the topic I referenced above, both passwords were set by disgruntled bogus tech support scammers when the victims refused to give them their credit card details.


My friend (always being happy to format!) offered to backup their data, format, then reinstall Windows. The XP victim was fine with this option, but the Windows 7 victim wanted to avoid this option if at all possible. Apparently, the reason for this was that he had some kind of game installed that he had been playing for ages, and formatting would mean that he would have to start the game from the beginning again. (These youngsters and their games. LOL. :wacko: )


It was at this stage that my friend gave me a call and asked if there was anything I could do.


When I arrived at his workshop, I asked him if he had already formatted the XP machine. He told me he hadn't started working on it yet, so I asked him to leave it alone and I would show him how to fix it without having to format the darned thing. I then started showing him how to use his BartPE boot disk to do a manual registry restore to a point before the syskey utility was run. (I thought it would be better to do a full manual registry restore, rather than to just try replacing the encrypted SAM hive.) However, when I looked in the System Volume Information folder there were no restore points in it, so I couldn't restore a recent copy of the registry.


I then decided to have a look at the Windows 7 machine. And, sure enough, there were no restore points available on that machine either.


So it looks like these bogus tech support scammers are turning off System Restore as part of their fictional 'repair' process, in order to make it more difficult to get past the syskey password they will set if the victim refuses to pay. What disgusting creatures these people are!


But there are ways of removing a syskey password without having to do a registry restore. The FREE utility 'Offline Windows Password & Registry Editor' will automatically remove a syskey password on Windows XP without having to do a registry restore. But it will not work on Vista or Windows 7. (Using it on Vista or Windows 7 will cause a continuous reboot loop.)


I do have a different disk that will automatically remove a syskey password on Windows XP, Vista and Windows 7 without having to do a registry restore. But it is not a free utility and I doubt that very many people outside of the 'techie' community would have access to this particular disk.


In the end, to save my friend the effort of his usual backup/format/reinstall routine, I just removed the syskey passwords on both the XP and Windows 7 machines for him. So everyone was happy, apart from the bogus tech support scammers who didn't get paid any money for their pathetic efforts. :)


I strongly recommend that everyone should back up their registry on a daily basis. Having System Restore points is always a good idea, but I would also back up the registry with a third party utility in case malware (or some bogus tech support scammer) decides to delete all the System Restore points on your machine.


If you have recent registry backups, and something nasty happens, the experts on this forum will be able to do a marvelous job of helping you. But if you don't have recent registry backups, in some cases it may cripple the ability of the experts here to help you. (For example, if someone's machine got syskey passworded by a bogus tech support scammer, and they didn't have any registry backups, the experts here would not be able to use the disk that I have to help you fix the problem - unless you actually purchased the disk yourself. The experts here are constrained by restrictive EULA and copyright agreements etc. But if you did have recent registry backups, the experts here would be able to guide you through a manual registry restore using free utilities which are not constrained by restrictive EULA and copyright agreements etc.)
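As an added example (not part of the original post, and not a tool the author used), the checks and the registry backup described above, written as a PowerShell script for an elevated prompt on a live Windows 7 (or later) machine. It reads the syskey mode from the registry, lists the System Restore points and the shadow copies that back them, scans an offline XP volume for the restore point snapshot folders under System Volume Information when the disk is mounted from a rescue environment that has PowerShell (a WinPE build rather than BartPE), and saves the live registry hives to a dated folder. The drive letters D:\ and E:\RegBackup are assumed placeholders.

```powershell
# Added example, not from the original post. Run as Administrator.
# Assumes Windows 7+ with PowerShell 2.0 or later; $BackupRoot and the
# offline volume letter are hypothetical paths, change them to suit.

# Syskey mode is recorded in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot:
# 1 = key kept in the registry (default), 2 = password prompt at boot,
# 3 = key on a floppy/removable media. A scammer who sets a syskey
# password leaves this at 2.
function Get-SyskeyMode {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SecureBoot -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        1       { 'Key stored in registry (default)' }
        2       { 'Boot password required (syskey password set)' }
        3       { 'Key stored on removable media' }
        default { 'SecureBoot value not present' }
    }
}

# Live check: list restore points and the shadow copies that hold them.
# An empty list on a machine that used to have restore points is the tell
# the post describes.
function Test-RestorePoints {
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    if ($points.Count -eq 0) {
        Write-Warning 'No System Restore points found on this machine.'
    } else {
        $points | Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
    }
    vssadmin list shadows
}

# Offline check for an XP volume mounted from a rescue environment: each
# restore point folder RPnnn\snapshot holds copies of the hives
# (_REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SYSTEM, ...). Returns the newest
# folder that still has a SAM copy, or nothing if the scammer deleted them.
function Find-XpRegistrySnapshot {
    param([string]$Volume = 'D:\')   # assumed letter of the offline XP volume
    $svi = Join-Path $Volume 'System Volume Information'
    Get-ChildItem -Path $svi -Filter '_restore*' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Filter 'RP*' -Force } |
        Where-Object { $_.PSIsContainer -and
                       (Test-Path (Join-Path $_.FullName 'snapshot\_REGISTRY_MACHINE_SAM')) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

# Hive backup: reg.exe can save the live hives, including SAM and SECURITY,
# which cannot simply be copied while Windows is running. The DEFAULT hive is
# mounted at HKU\.DEFAULT, not under HKLM.
function Backup-RegistryHives {
    param([string]$BackupRoot = 'E:\RegBackup')   # hypothetical removable drive
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $hives = @{ SAM      = 'HKLM\SAM';      SECURITY = 'HKLM\SECURITY'
                SYSTEM   = 'HKLM\SYSTEM';   SOFTWARE = 'HKLM\SOFTWARE'
                DEFAULT  = 'HKU\.DEFAULT' }
    foreach ($name in $hives.Keys) {
        $out = Join-Path $dest "$name.hiv"
        & reg.exe save $hives[$name] $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed for $name" }
    }
    # The SAM/SECURITY copies contain password hashes and cached secrets:
    # keep the drive offline and out of reach when not in use.
    $dest
}

Get-SyskeyMode
Test-RestorePoints
Backup-RegistryHives -BackupRoot 'E:\RegBackup'
```

The saved .hiv files are what a manual registry restore from a rescue disk puts back into %SystemRoot%\System32\config, so a dated set taken before anyone else touches the machine is the difference between a ten-minute fix and the backup/format/reinstall routine. Note that the script only detects and backs up; it does not itself remove a syskey password.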


Also, if possible, I would recommend that everyone image their whole system regularly and store the disk image(s) on a removable drive which is only connected to the machine when you want to create or restore an image. And, if your Windows installation becomes infected, use a boot disk to restore a clean image. Don't try to run an image restore utility (which will attempt to restore your computer on reboot) from an infected Windows installation.


There is malware around now (called 'ransomware') that can encrypt your files and demand that you pay money to the malware author to decrypt them. Some of this malware uses AES encryption, which is basically impossible to decrypt unless you have the password. And the only way to get the password is to pay the 'ransom' to the malware author. However, if your system and all your data is backed up as disk image(s), you can just restore from your system/data image(s). Then the malware will be gone and all your data will be back again.


To be quite honest, with the way modern malware is heading, if you don't have full disk image backups stored on a removable drive which you only connect to your machine when you want to create or restore an image - then I think you are running a definite risk of losing all your data.


There are some excellent antivirus/antimalware products available. I use NOD32 in conjunction with MBAM realtime protection. But none of these products are infallible. One single undetected bit of malware could encrypt all your data and leave you in a very bad position.


So, to be as safe as possible:


1. Use good antivirus/antimalware protection. I would recommend MBAM realtime protection in conjunction with one good antivirus program. One resident antivirus program is quite sufficient. Running more than one resident antivirus program is likely to do more harm than good because they may interfere with each other. However, MBAM has been designed specifically to run in conjunction with any resident antivirus program, so you do not need to worry about MBAM and your resident antivirus program interfering with each other.

2. Most people access the Internet through a NAT router these days, and Windows does have its own built in firewall. So third party software firewalls are not really as necessary as they once were. But, if you do want to use a third party software firewall, make sure you learn how to use it properly. Third party software firewalls generally ask you questions about what connections you want to 'allow' or 'not allow'. And if you're not sure how to answer these questions, it's probably better to just rely on your NAT router (which acts as a kind of hardware firewall) and the built in Windows firewall.

3. Keep Windows up to date.

4. Use Secunia to keep other vulnerable programs up to date.

5. Back up your registry (and preferably your whole system as well) as frequently as possible. (Using third party utilities.)


Apart from whether or not to use a third party software firewall, which is more a matter of personal choice than anything else, all the above steps are very important. However, if a disaster does happen, step number 5 is the one that will save you. Because, with good backups, you are basically bulletproof. :thumbup2:


Stay safe everyone. :)

via Bleeping Computer Last 20 Posts http://www.bleepingcomputer.com/forums/t/471360/sneaky-trick-by-tech-support-scammers/