Scammer lock - anybody recognize? SOLVED!

[carmen617]

Client let the scammers on his system, and they left him locked up. Haven't seen this particular lock screen before, and doesn't show up in a reverse Google image search. Does anybody recognize it and have a suggestion how to get past it? His data is fine - can access with Hirens and have it backed up, but he is an older handicapped gentleman and I would prefer to at least get to his desktop and see how things are set up before I N&P. The first picture is what you see when you start up system, second is what you see if you hit ctrl-alt-del. There are no restore points on his system, and no reg backup files.

 

[carmen617]

OK, figured it out. Used this process to get command prompt to open up from the accessibility menu: https://www.isumsoft.com/it/enable-hidden-administrator-account-in-windows-10-without-login/

Used MSConfig to see what was booting with the system, and found NoVirusThanks Smart PC Locker Pro in services. Disabled it and was able to get into the system.

 

[Larry Sabo]

Good work!

 

[Markverhyden]

Great sleuthing!

 

[SlickMinnow]

Many thanks for the update!

 

[britechguy]

he is an older handicapped gentleman

Seriously, as I work with a lot of people in both demographics, try to convince him to get a backup drive and take a backup once a month.

Once set up, probably by you, it's a simple "plug in the drive and do a couple of clicks" process.

Brilliant work on your part, but you know as well as I do that this could have gone a completely different way, and having a recent backup to restore from saves a ton of heartache in those cases. I've gotten many of my clients "on the backup band wagon" and that's doing each and every one of them a favor.

 

[carmen617]

Seriously, as I work with a lot of people in both demographics, try to convince him to get a backup drive and take a backup once a month.

Once set up, probably by you, it's a simple "plug in the drive and do a couple of clicks" process.

Brilliant work on your part, but you know as well as I do that this could have gone a completely different way, and having a recent backup to restore from saves a ton of heartache in those cases. I've gotten many of my clients "on the backup band wagon" and that's doing each and every one of them a favor.

Thanks all, hopefully this will help someone else out as well - those scammers are just so ubiquitous and they keep coming up with new twists. Fortunately, even if I didn't get past the screen lock, the client's data was recoverable, and he also has a carbonite backup. But he uses a couple of legacy programs, and setting things up just the way he wants them is a pain in the neck. Britechguy, I am going to get him a WD external and use their included version of Acronis to create a weekly system image - that way if he falls for this again we can have a much quicker recovery.

 

[britechguy]

Britechguy, I am going to get him a WD external and use their included version of Acronis to create a weekly system image - that way if he falls for this again we can have a much quicker recovery.

Actually, I still think aspects of this, the "automated weekly" part in particular, are a bad idea. In this age of ransomware having a backup drive attached all the time is an accident waiting to happen, since most ransomware will encrypt every locally connected drive on a system.

If it must be automated, then at least have the plugging in and unplugging of that drive be a manual part if you believe he'll be able to remember and follow through.

Had what happened been real ransomware, and you'd had a connected backup drive, that drive would be toast, too. Local backup drives should be connected when taking a backup or performing a recovery, and be offline otherwise.

 

[carmen617]

Actually, I still think aspects of this, the "automated weekly" part in particular, are a bad idea. In this age of ransomware having a backup drive attached all the time is an accident waiting to happen, since most ransomware will encrypt every locally connected drive on a system.

If it must be automated, then at least have the plugging in and unplugging of that drive be a manual part if you believe he'll be able to remember and follow through.

Had what happened been real ransomware, and you'd had a connected backup drive, that drive would be toast, too. Local backup drives should be connected when taking a backup or performing a recovery, and be offline otherwise.

He'll still keep the Carbonite backup - the client is not poor, and will do what I suggest he do. Also, for what it's worth, the Acronis software includes built in ransomware protection that is meant to automatically monitor for and stop any process that is actively altering files - rather like Cryptoprevent. It actually gets well reviewed. Truthfully, I have been in this business, primarily residential, for over 25 years, and have only come across 2 systems where files were encrypted with ransomware, and one was a small business, not an end user. However, I see multiple clients every month who let a scammer onto their system, necessitating a nuke and pave to be truly sure they are free of whatever junk the scammer left behind. I think the risks of having the drive attached are outweighed by the risk of the client not ever attaching the drive.

 

[britechguy]

I think the risks of having the drive attached are outweighed by the risk of the client not ever attaching the drive.

It certainly could. That depends entirely on the client. And you know your individual clients, and how each is likely to behave, just as I do. I've got certain clients where I will only do automatic backups (they're the minority) because I know very well that they will never, ever remember to connect and disconnect a drive. Or, if they remember to connect it, will likely not remember to disconnect it, so the whole point is lost.

I've been really lucky, too, that I have had a single residential client - one - who allowed a scammer on to their computer and that scammer installed ransomware. They realized, almost literally a second too late, and "pulled the plug" just a scintilla too late.