Ah yes... the famous "Microsoft" called.

I have a family computer that I have received, where the users of the system barely know how to use the computer. One day, they received the famous "Microsoft called" scam. Ever wonder what they do?

Well now I know.

 

They call, and someone with a thick Indian accent talks; in this case, the system affected was a Windows Vista Pro 64-bit system. What they do is act like the system is non-genuine, in danger of failing, or infected by a virus. Basically they try to scare the c*rap out of the person so they are forced to allow them access to the computer, and then lock it and ask for a credit card or PayPal to charge a certain amount of money for the code to unlock it.

 

So, here, now I have the computer in hand, given to me with a request to please fix it. Lucky for me, I got the OK to do a full format, as nothing on the system is important (in fact there is nothing on the system, just Skype and Firefox, the Flash plugin, a bunch of bookmarks, and no documents or images. The system is just used for the Internet, literally). I checked it by plugging the drive into my system. Of course, I checked for viruses, spyware, and malware; none found.

 

So ok, how is the system locked (as no money was paid)? This is the interesting part.

When you power the system, and Windows loads, you see this screen:

 

syskey.png

 

I have never seen this message. It looks like it's from Windows due to the icon, but then, look at the space before "This" and "Password", a very unlikely error on Microsoft's part, making me think it's not genuine. Meaning some program shows this in some fashion. There isn't any transparency, so it suggests to me that DWM (Dynamic Window Manager) has not started at this point.

 

Ctrl+Alt+Delete doesn't work. So it's not in the account or blocked, and using Safe Mode or Safe Mode with Command Prompt results in the same situation.

After digging, I realized that what happened is that the SAM (Security Accounts Manager) registry hive has been locked out. And there is no way around this.

Password reset tools can't do anything. You NEED the password. Of course, you can access the files by plugging the HDD/SSD into another system, like I did previously, assuming they are not encrypted by Windows, or that you have the certificate backup to decrypt them. So, the message is genuine, sadly.

 

But, I didn't break my head. I just used System Restore (thank you Microsoft for this feature) to bring the system back in time, to undo this mess, and see how this mess was done.

Luckily, System Restore points were not cleared or corrupted. So, I brought back the system and everything is working now.

 

 

So now, investigation work.

I could not find any remote access software installed, or System Restore removed it. I definitely didn't see anything when I checked Program Files and Program Files (x86) previously when I plugged it into my desktop. Maybe I skipped it; it is a possibility.

 

But, here is what I found interesting. I found the following software installed: Microsoft Readiness App

When you start it, you see something like this (it was an older version than the one in the screenshot below, which I took).

readiness.png

 

So the picture above is the latest version running on my desktop, to see what it is.

Download: http://www.microsoft.com/en-ca/download/details.aspx?id=39058

 

I tried to log in, but I can't. I am presented with a form which I need to fill in to see if I am approved for usage. So I would guess this tool is for enterprises and Microsoft usage, due to the Microsoft Employee login button.

 

So somehow, this program includes the ability to lock out the SAM registry hive. I know that this ability is for administrators of businesses, but yeah. So it looks like they are using an account they hacked, or stole from a large company (maybe an ex-employee sold that information on the black market, or an ex-Microsoft employee whose account was somehow not disabled).

 

Anyway, I found it interesting. The computer is up and running now. I mean, whatever; at worst, I would just format and re-install Vista.

https://linustechtips.com/topic/151057-microsoft-called/

Thank you for saving one of my Vista brethren. I am very grateful.

Speaking of stuff like this, I had a virus on my netbook with Vista that tried to open every executable with Adobe Reader. Even though it wasn't installed. Weird part is, Adobe Reader was loading.


If you couldn't get in, where did you do a system restore from?

 

My mom had them call and she hung up, only to be recalled and yelled at with them asking why she hung up....


I get 7-8 of these a week in my shop and they really vary in what happens.

 

Some are: they get the call, someone remotes into the PC, shows empty registry values and calls them infections, and wants $150 to fix it. This is a solid 70% of the time.

The others are the same call, but they install a few programs to scan for malware and show the system being heavily infected. They lock the system down and want $300.

Normally the latter will actually delete all restore points and result in a complete reinstall.


My aunt has them call all the time. Also @Imabigmac, you can use a disc to do a system restore.


Speaking of stuff like this, I had a virus on my netbook with Vista that tried to open every executable with Adobe Reader. Even though it wasn't installed. Weird part is, Adobe reader was loading.

One of the silly things in Windows is that the .exe file format is defined in the registry, much like .jpg, .png, and so on for all your files. So, you can change which program you want Windows to open the .exe with.

If you open the registry, you can go to HKEY_CLASSES_ROOT\.exe and change what happens when you double-click on an executable file of this type (.exe).

You want to make sure that 'Content Type' is defined as application/x-msdownload, and that the default value of PersistentHandler is defined as {098f2470-bae0-11cd-b579-08002b30bfeb}, at least in the case of Windows 8 and 8.1 (not sure for Windows 7 or earlier).

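As an added example (not code from the thread or from Microsoft), here is a PowerShell audit of the .exe association values the post above lists, plus two assumed stock defaults (the .exe ProgID "exefile" and the exefile open command) and the per-user override keys that can shadow them. Run it from any PowerShell window; it only reads the registry and reports drift.

```powershell
# Added example, not from the thread: audit the .exe file association for hijacking.
# 'Content Type' and PersistentHandler come from the post above (Windows 8/8.1);
# the other two expected values are assumed stock Windows defaults, so confirm
# them against a known-good machine of the same Windows version.
$Checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Name = '(default)';    Expect = 'exefile' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Name = 'Content Type'; Expect = 'application/x-msdownload' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe\PersistentHandler';     Name = '(default)';    Expect = '{098f2470-bae0-11cd-b579-08002b30bfeb}' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)';    Expect = '"%1" %*' }
)

function Test-ExeAssociation {
    $findings = @()
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        if ($null -eq $actual) {
            $findings += "MISSING  $($c.Path) [$($c.Name)]: expected '$($c.Expect)'"
        } elseif ($actual -ne $c.Expect) {
            # The "everything opens in Adobe Reader" symptom looks like this:
            # the ProgID or the open command points at some other program.
            $findings += "MISMATCH $($c.Path) [$($c.Name)]: is '$actual', expected '$($c.Expect)'"
        }
    }
    # HKCR is a merged view; keys under HKCU\Software\Classes take precedence over
    # HKLM, so a hijack can sit there while the machine-wide keys look clean.
    foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path -Path $k) { $findings += "OVERRIDE per-user key present: $k" }
    }
    return ,$findings
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) { Write-Output 'OK: .exe association matches the expected values' }
else                      { $result | ForEach-Object { Write-Output $_ } }
```

A non-empty report is a reason to restore the association from a .reg export taken from a clean machine, not to trust the values the scanner software on the box shows you.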

If you couldn't get in where did you a system restore from? 

 

My mom had them call and she hung up, only to be recalled and yelled at with them asking why she hung up....

Oh sorry. You boot from any Vista disk and set your language at the language screen. Then you'll be at the screen with a big "Install" button to install Windows.

You'll also notice white text at the bottom that says "Repair your computer".

winvista_install_clean_005.jpg

 

Then when you do, Vista's Startup Repair will start. Just cancel that, as Vista starts just fine already, and you'll be directed to this screen:

hp-bsod-restore.jpg

(Sorry, can't find a better screenshot quickly)

 

And you click System Restore, as highlighted in the pictures above, and now you wait a couple of seconds to a few minutes for it to show up, depending on how fast your HDD/SSD is. Nothing will appear to happen after you click; you just need to wait. There is no feedback that it started; this is normal. Just wait and it will show up eventually.

 

And when it does, just pick a restore point, and voilà. The system will go back in time.


Oh sorry. You boot from any Vista disk, set your language at the language screen. Then you'll be at the screen where you have a big button "Install", to install Windows.

You'll also notice a white text at the bottom that says: "Repair your computer"

Thanks.

 

I completely forgot about being able to use a disk.


One of the silly things in Windows, is that the .exe file format is defined in the registry, much like .jpg, .png, and so on with all your files. So, you can change which program you want Windows to open the exe with.

If you open the registry, you can go to: HKEY_CLASSES_ROOT\.exe, and change what happens when you double-click on an executable file of this type (.exe).

You want to make sure that 'Content Type' is defined as: application/x-msdownload, and PersistentHandler is defined as default as: {098f2470-bae0-11cd-b579-08002b30bfeb}, for the case if Windows 8 and 8.1 (not sure for Windows 7 or earlier)

Even regedit tried to open in Adobe Reader. Even Adobe reader tried to open itself with itself...


I have never seen this before. How common is it?


I have never seen this before. how common is it?

Very common. I got the call too. I have contacted my phone service provider and local police.

However, I was pretty much told there is nothing they could do, as it is outside, and they usually use proxies or other tricks to hide their identity.

All I got was an offer from my service provider to block further calls, but it may block genuine services due to the proxies they use, or false caller ID info provided.


Even regedit tried to open in Adobe Reader. Even Adobe reader tried to open itself with itself...

You can try this: http://support.microsoft.com/kb/2688326

(use the Fix it tool. It is an .msi file)

You can also write a .reg file in Notepad, which will apply the fix once you save it (as .reg) and double-click on it. If you don't know how, luckily we have the Internet.

Here is a list of them: http://www.sevenforums.com/tutorials/19449-default-file-type-associations-restore.html

Just download, and double-click on the file to apply.


Very common. I got the call too. I have contacted my phone service provider and local police.

However, I was pretty much told there is nothing they could do, as it outside, and usually uses proxies or other tricks to hide their identity.

All I got was an offer from my service provider to block the further call, but it may block genuine service due to proxies they use, or false caller ID info provided.

I have caller ID so I don't pick up odd numbers.
