An elderly gentleman of my acquaintance just got partly fooled by a phone-call, pretending to be from his ISP.
Long version of the story:
(We don't think he was asked for money to unlock. Sounds like they just gave up on him trying to understand their accents. Or just haven't yet proceeded to the next planned stage in the scam.)
However, all is not yet well. Whether by that point, or between then and the moment that I encouraged him over the phone to turn the machine off (he also cleared the browser history before that, which I never asked him to! ...I think he's picked that up as a 'security tip' recently), something else happened. When I get there and boot back up (disconnected from the network, for safety), there's an XP (yes, it's XP; yes, I know, but that's not the problem; no, I'm not going to force him to get used to a newer version of Windows) administrator password required, of the "syskey" variety. And a basic bootable Linux USB stick that I happened to have requires me to input a password to mount the drive. I should have asked him to keep the machine on and disconnect the network cable, but I had my doubts that I could have directed him towards the right cable, and my priority was to prevent further damage from happening.
Long story short(er), I'm going back tomorrow with the right tools to fix the problem. I previously have used a tried-and-tested bootable CD with everything I normally need for all kinds of problems, including this one, but I haven't used it for months and suspect that I left it with the last person I did anything of import for. So now I have a night to assemble a bootable stick (or several) of the tools I suspect I'll need to use. I was thinking that you lot might have thoughts on this.
My shopping list is as follows:
1) Possibly a distro with a disc image/backup utility, before I get started.
2) Very likely this password remover, to get past the first block.
3) I'd like to have a good malware finder on an independently-booting disc(/USB), although the machine already has a valid active AV (and MalwareBytes and HijackThis, just needing updating) after prior scares, and after stage 2 I'm sure I can probably go in and scan for residuals via safe-mode. (I suspect that no 'malware' was involved, merely a temporary manually-allowed hijack. Better safe than sorry, however!)
But additions/amendments to that list are welcome, and that's why I'm pestering your good selves. I've already considered replacing #2 with a HijackThis-like password brute-forcing solution, and with that knowledge I can then get in and later properly disable the syskey passwords from within Windows. But the time needed would be somewhat unknowable in advance, especially if the target solution ends up being something like ten random alphanumeric characters, or worse, rather than just one of the trivial permutations of a typical word-list. Simpler to go with the above solution, I think.
I'm not currently bothered about a combined boot-disk solution (the one I've misplaced was OK, but had a few out-of-date tools on it, and I hadn't gotten around to updating it), and I have a number of spare thumb-drives at hand, so I don't need to mess with setting up multi-distro boot options. Separate "LiveUSBCreator"-type installs onto separate sticks are probably easiest, off the bat.
And perhaps someone can remind me of any other problems I might need to be prepared to deal with, but have temporarily forgotten about.
(And, once I've solved this problem - touch wood! - I would like to get my new utils disc/stick rebuilt, so the thread needn't stop once the emergency job is over.)
(Update: I've equipped myself with Clonezilla (for the first part of my shopping list) and the Trinity Toolkit (covers #2-3, if not #1 as well). Or at least I've created the USBs for them. Not yet tested that they boot up, as I've no machine at hand that I can comfortably stop running its current task for a test-reboot, just yet!)