# Tech Support Phone Scam



## jackdup (Nov 9, 2010)

I posted this in the Viruses section but have a feeling I should have posted it here first so hopefully can get the computer to the point where I can run the programs and supply the logs they require in that forum to troubleshoot issues.

I don't know how many people have had an issue with the phone call from tech support and they want access to your computer and then they essentially lock it and you need a password to get access again and the only way to get the password is to pay them.

A friend called tonight and she was taken in by the scam. Her immediate concern was to get her pictures and other personal documents off of the computer. I have no idea what these people do or if it is just a matter of getting the password and once input everything is okay?

Anyway I took her drive out and connected it to my computer and copied off all of her personal data to a flash drive. I ran Malwarebytes and selected only drive E, which is her drive, but the only problems it showed were on Drive C. I have no idea how it detected issues on Drive C as I had unselected Drive C and only selected Drive E for a scan.

So the first question is, is there a way around the password and to be able to remove it without reinstalling the OS or recovering from a set of recovery disks?

Second is there a way to access the control panel on her drive with it still being connected to my computer to make a recovery disk for her drive, as like most people she didn't bother making a recovery disk set so if it has to be reformatted and the OS reinstalled she has no disks? It has a partition on the drive which I assume may be the recovery information but the only visible folders are system volume information and recycle bin and I do have the appropriate boxes checked so I can see hidden files and operating system files. The computer is an ASUS.

Where is the start menu stored on her computer so I can find the actual shortcut for creating the recovery disk to see what it runs and try to run it that way to make a recovery disk in case it is the only way to recover her computer. I have found more than one start menu folder but they all have the arrow inside which I assume means it is actually in a different folder elsewhere on the drive but have been unable to find a start menu that I can open as they all say access denied.

Once I can get a recovery disk set made I can try to access her drive installed back in her computer either in safe mode or whatever and then can run and post the logs you require to see if there are other concerns on the drive but need to get to the place where I can run her computer.

Thank you


----------



## Panther063 (Jul 13, 2009)

I'd suggest reinserting her hard drive and running Malwarebytes from a USB.
If that fails try safe mode with networking.


----------



## Daifne (Mar 28, 2011)

The scammers added a Sys key password. This has been a common tactic used when the victim balks. Try easy stuff like 1234 or abcd for example. They haven't been that creative with the password used so far. Also see this. It's for XP, but can help for other OS's. How to remove Syskey and Administrator password


----------



## jackdup (Nov 9, 2010)

Daifne said:


> The scammers added a Sys key password. This has been a common tactic used when the victim balks. Try easy stuff like 1234 or abcd for example. They haven't been that creative with the password used so far. Also see this. It's for XP, but can help for other OS's. How to remove Syskey and Administrator password


Thank you for the advice. Do you have any more guesses for a password?
I tried

ABC
ADCD
ABCDE
Both in upper and lower case
123
1234
12345
999
9999
99999
000
0000
00000
None worked.

I assume running Malwarebytes wouldn't remove the password either but am not sure about that?

Do you know how to boot into safe mode on Windows 8.1 as F8 doesn't seem to work. I assume in safe mode it wouldn't ask for the password and then I could follow the instructions on the link you provided to remove the password requirement?

Thanks again.


----------



## MPR (Aug 28, 2010)

I don't know specifically about OEMs but, in my experience, any Windows 8.1 boot disk will allow access to the system repair options. A system restore to a date before the SysKey password was set should allow you access to the machine.


----------



## jackdup (Nov 9, 2010)

Thanks
Using F8 I was able to get to where I could use system restore but it said in order to use it you needed to be logged in as administrator and there were no administrator accounts on the computer.


----------



## MPR (Aug 28, 2010)

Can you log onto the system admin account and do a restore?

Built-in Administrator Account - Enable or Disable in Windows 8


----------



## jackdup (Nov 9, 2010)

No, no matter what I select, be it safe mode, safe mode with command prompt or networking, system restore it tells me it requires admin account and that there are none on the computer or it boots to where it asks for the password.

I can't get anywhere to try the suggestion above or to setup an admin account or anything.


----------



## Panther063 (Jul 13, 2009)

We are not meant to assist with bypassing passwords, it is against forum policy, as we do not know the provenance of the computer.
If you have copied all the personal details from the hard drive already, then format the drive and reinstall is all I will suggest.


----------



## sobeit (Nov 11, 2007)

I hope your friend has changed all passwords to online accounts including the routers. At this time, she needs to use someone else's computer to do it.


----------



## MPR (Aug 28, 2010)

Unfortunately, as stated above, we have probably come to the end of what's allowable on these forums. The "techs," by changing the admin password, have locked the user out of the computer. All that I can suggest from here is to obtain a set of recovery disks from the OEM and reinstall the OS.


----------



## Corday (Mar 3, 2010)

The scammers delete System Restore points. They don't do anything about a backed up Registry.


----------



## LMiller7 (Jun 21, 2010)

Once the security of a computer has been compromised the safest thing to do is to backup the data and reinstall the OS. There is no way of knowing for certain what might have been done during the time the computer was subjected to remote control. As there is no access to an admin account just about everything that might otherwise be possible is barred from you. We cannot help with passwords.


----------



## jackdup (Nov 9, 2010)

I did create a rescue USB drive and can now boot to a command prompt, can also access the registry but do not know what to look for without some assistance from someone that knows a whole lot more than I do. I can also get into safe mode but again without some assistance am lost.

Reformatting and installing the OS again would be ideal but without recovery disks that is not possible either.

Could someone provide a link to a support site that might know how to remove what the scammers did to require a password?

Thank you


----------



## MPR (Aug 28, 2010)

If you can get into the system administrator's account (see my previous link) you should be able to create a new admin account and assign it a new password. However, if it's the system administrator's account that the "scammers" changed the password to then you will have to reinstall the OS.


----------



## jackdup (Nov 9, 2010)

MPR said:


> If you can get into the system administrator's account (see my previous link) you should be able to create a new admin account and assign it a new password. However, if it's the system administrator's account that the "scammers" changed the password to then you will have to reinstall the OS.


I was able to follow the instructions at the link you provided where you use the net user administrator /active:yes and received the command completed successfully message.

Not sure what the next step is though?

Thank you


----------



## jackdup (Nov 9, 2010)

FYI this is the password screen that comes up. It is not a normal Windows login password and comes up before ever receiving the screen that says starting Windows or loading Windows, don't remember exactly what it says.


----------



## MPR (Aug 28, 2010)

There is no way of knowing on an Internet forum who might have set up a computer's password. Although the members here strive to help people as much as they can, one really doesn't want to chance helping an unauthorized user break into a system that is not their own. Thus, the admins forbid help with passwords.

The only "official" thing I can suggest is to reinstall Windows. I had to do this myself once when I made a mistake keying in a system password and unwisely failed to create a password reset disk.


----------

