Changes

SAM Hive Encryption

2,087 bytes added, 01:35, 24 March 2017
/* Recovery */
The following lines were added (+) and removed (-):
Most commonly associated with "This is Microsoft Support" telephone scam.Most commonly associated with "This is Microsoft Support" telephone scam or The [[Microsoft Tech Support Phone Scam]].See: Microsoft Support Article 310105== Malicious Use ==As with many of the [[Microsoft Tech Support Phone Scam]]s the goal of the scam artist is to intimidate you into paying money or something very bad will happen to your computer and data.  One technique this can be accomplished is by enabling SAM hive encryption after you have been tricked into allowing the scammer remote access, or you have downloaded and installed malicious software.== Recovery ==The scammers often prevent easy recovery by deleting all System Restore points on the machine, which normally house backup copies of the registry hives.  If a restore point is available, it is the easiest means to recover the machine by restoring to a point prior to the hive being encrypted.=== Manually Restore Registry Hives ===This is verified to have worked on a system where the automatic backup of the registry was still intact.  #Boot from Hiren's boot or a live linux distro via USB or optical media#Mount the Windows partition#Navigate to %SYSTEMROOT%\system32\config #copy the registry hives (these are the damaged ones) to another location or media#Navigate to %SYSTEMROOT%\system32\config\RegBack #copy all the backup registry hives in this folder and paste to the config folder overwriting the damaged registry hives#Reboot You may find that there are no backup registry hives in %SYSTEMROOT%\system32\config\RegBack because the intruder removed them.  
However, it has been my experience that they are still present.== Resources ==* [https://fixedit.itxpress.biz/2015/01/16/unlocking-after-the-microsoft-support-phone-scam/ Unlocking After the Microsoft Support Phone Scam]* [https://www.bleepingcomputer.com/forums/t/470753/remove-a-startup-password-before-account-screen/ BleepingComputer.com- Remove a startup password before account screen]* [https://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-locked-after-scam-call-syskey/5933abb9-4f1b-46cf-bc6a-f81ed33c0a85?auth=1 Windows 7 Locked after scam call - SYSKEY]
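Review bot: In the "Manually Restore Registry Hives" steps, the text should say that SAM and SYSTEM must be restored together from the same RegBack snapshot, not one without the other: the SAM hive is encrypted under a key that the SYSTEM hive holds (or, after a syskey password is set, derives from that password), so a backup SAM paired with the current SYSTEM hive, or vice versa, still fails at logon. Step 6 ("copy all the backup registry hives in this folder ... overwriting the damaged registry hives") should also be preceded by a check that each RegBack file is non-zero in size, since copying empty placeholder files over the live hives leaves the machine unbootable; the closing sentence about the intruder removing the backups is the natural place to mention this. A smaller point: steps 3 and 5 give the path as %SYSTEMROOT%\system32\config, but from a live Linux boot that variable does not exist, so spell the path out relative to the mounted partition (for example <mountpoint>/Windows/System32/config and .../config/RegBack). Style nit in the first changed line: "or The [[Microsoft Tech Support Phone Scam]]" has a mid-sentence capital "The".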