Windows 10: client had syskey installed on computer

Discussion in 'AntiVirus, Firewalls and System Security' started by teebee, Oct 22, 2017.

  1. teebee Win User


    Hey, new guy here. Tom is my name.

    I have a client whose computer was hacked by a scammer, she allowed them access and then set a syskey on the computer. After she paid them they told her the password. They came back several times and extorted money from her. I've removed everything so they can't access the computer, but the syskey is still there.
    Questions:
    1) The data... is it encrypted through syskey? Or can it be copied to use on another computer or after a re-install of the OS (Win10)?
    2) Can I remove the syskey, beings we know the password and un-encrypt things? (I'm thinking NOT)
    3) Being we have access and I have disabled all outside access, are we good to go as is? (again I'm thinking not as Win10 won't let me install the latest updates)

    Thank you in advance for the help.

    :)
     
    teebee, Oct 22, 2017
    #1

  2. Creators Update 1709 failing

    I am having the same problem, failed update 1709. I have been told by troubleshooter that it has to do with a syskey. The syskey has to be removed so the version 1709 can be installed. I followed the directions to remove the syskey, but I'm not sure it worked. The upgrade keeps trying and failing - no error message. Anyway, try checking the syskey.
     
    deborahcutone, Oct 22, 2017
    #2
  3. WiggeKing Win User
    Just enabled syskey on Windows 10 version 1703 stuck in boot screen

    So I enabled syskey on my Windows 10 computer and no syskey doesn't appear and it's just stuck in the boot screen. What to do? I have no backups.

    ***Post moved by the moderator to the appropriate forum category.***
     
    WiggeKing, Oct 22, 2017
    #3
  4. essenbe Win User

    What little I know, or think I know, about Syskey is, it has been a registry feature of Windows for many years. It was originally designed for enterprise companies to restrict users from certain areas. If you have a system image from before someone installs the syskey, you can defeat it. If you have a registry backup from before syskey was set, it can be restored. Windows keeps a backup of the registry. If you have not booted into Windows/tried to boot into Windows once it is realized that a syskey has been set, the backup registry can be restored. Once it is booted into, the syskey is usually a part of the backup registry.

    I would make sure we are dealing with a syskey and not something else. Even with a syskey installed, you should be able to boot into a rescue CD/USB and still have access to user files. Unless they have installed something else which gives them access to the machine, I wouldn't worry about them resetting it. I would recommend a good clean install to make certain. I know if it was my machine that would be the first thing I would do.

    The Registry Backup is located at C:\Windows\System32\config\RegBack and contains folders Default, SAM, Security, Software and System.

    Another option, while not foolproof, would be for you to set a syskey password. While a big pain, it would prevent others from setting one, in most cases.
     
    essenbe, Oct 22, 2017
    #4
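A read-only way to run the two checks raised in post #4 (is a syskey really set, and is the registry backup in RegBack from before it was set), given as an added example that is not part of the thread. The function names are hypothetical; the `SecureBoot` value under the `Lsa` key and its 1/2/3 meanings are not mentioned in the thread and are supplied here.

```powershell
# Added example (not from the thread): read-only triage from an elevated
# PowerShell prompt on the affected install. Nothing is modified.

function Get-SyskeyMode {
    # SecureBoot under the Lsa key records where the SAM startup key lives.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    $modes = @{
        1 = 'Startup key stored locally (default, no prompt at boot)'
        2 = 'Startup key derived from a password typed at boot'
        3 = 'Startup key stored on removable media'
    }
    if ($null -ne $value -and $modes.ContainsKey([int]$value)) {
        [pscustomobject]@{ SecureBoot = [int]$value; Meaning = $modes[[int]$value] }
    } else {
        [pscustomobject]@{ SecureBoot = $value; Meaning = 'Value missing or unexpected' }
    }
}

function Get-RegBackStatus {
    param(
        # Path quoted in post #4; override when inspecting a mounted offline disk.
        [string]$Path = "$env:SystemRoot\System32\config\RegBack",
        # Date the scammer first had access (assumption: supplied by the technician).
        [datetime]$CompromisedOn = (Get-Date)
    )
    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime,
            # Zero-length hives are not usable backups. Windows 10 1803 and
            # later no longer populate RegBack by default.
            @{ Name = 'NonEmpty';         Expression = { $_.Length -gt 0 } },
            # A backup written after the compromise may already contain the
            # syskey change, as post #4 warns.
            @{ Name = 'PredatesIncident'; Expression = { $_.LastWriteTime -lt $CompromisedOn } }
}

Get-SyskeyMode
# Constructed sample date; replace with the real date of the first remote session.
Get-RegBackStatus -CompromisedOn '2017-10-01' | Format-Table -AutoSize
```

A `SecureBoot` value of 2 or 3 matches the "external syskey" condition that blocks newer Windows 10 feature updates; only hives that are both non-empty and older than the incident are candidates for the restore described in post #4.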
  5. Brink
    Brink New Member
    Brink, Oct 22, 2017
    #5
  6. cereberus Win User
    The real issue is what else has been compromised. Advise your client, as an urgent priority, to change all online passwords (bank, Amazon, PayPal, eBay etc.), and examine accounts for suspicious behavior.

    Your client may think that is overkill, but ask her if she can afford to take the risk.

    I also strongly advise clean installing from scratch, for same reasons.

    No amount of use of tools like malware removal can give you 100% certainty all is right.

    As you are undoubtedly a man of integrity, do you believe doing anything other than a complete reinstall is in your client's interests?

    You will (imo) provide a much better service if you help her backup valuable data, clean install and assist in reinstalling stuff if necessary. Do that and clients will always come back.
     
    cereberus, Oct 22, 2017
    #6
  7. teebee Win User
    Thank you so much for verifying what, I guess, I already knew.
     
    teebee, Oct 22, 2017
    #7
  8. cereberus Win User

    Data is usually OK. It is exe files etc. that get infected. Infections of videos, photos etc. are rare; Word docs and Excel etc. less so.

    For most, it is photos that are the primary concern. You can scan data with a high degree of confidence.
     
    cereberus, Oct 22, 2017
    #8
  9. teebee Win User
    While copying her 'documents' file, I got a "Your infected" warning while moving through the docs. A file with no real name ("file") or extension set it off. I shredded that file, then proceeded to fine-tooth-comb all the copied files. Anything that looked suspect was shredded. I then did a clean install of Win10. I then installed Malwarebytes, CCleaner and AVG, and ran thorough scans before I copied her data back to the clean install. Then again once the data had been copied. I believe that we are clean and nearly back again to where she was before this all happened.

    Thank you all once again, for proving to me that my gut was telling me the right things to do.
     
    teebee, Apr 5, 2018
    #9