Latest development: Windows machine wants a startup password. Apparently some helpful Indian cold-caller set the syskey password, and it isn't "123" nor even "12345".
And the Windows restore console ain't gonna work, 'cause it wants the password too.
Booting from System Rescue CD lets me run chntpw, which thinks SAM isn't encrypted, so there's that. But... it doesn't remove the syskey password.
Currently backing up everything, after which I'll see if I can do anything useful at the Linux level with maybe a sufficiently old restore point.
Public Service Announcement
Folks, if you get a call from someone claiming to be from Microsoft, or Urgent Tech Support, or whatever, and offering to fix the problems with your computer, there's only one correct response. See if you can figure out which one it is:
- Shoot him.
- Send Foamy the Squirrel to visit him, with a spray bottle of [organometallic compound guaranteed to kill the target after several months of more pain than you can possibly imagine].
- KILL IT WITH FIRE!
- Take off and nuke the site from orbit.
- Give your best evil laugh, and hang up.
- EXTERMINATE! EXTERMINATE!
In principle, all of these are perfectly valid, but in practice only one works over the phone.
If you have access to intercontinental weapons, there may be more options available.
Update: Found a restore point from a few days ago, with filenames ending in _SAM, _SYSTEM, and so on. Copied the ones for SYSTEM and SECURITY to those names under WINDOWS/system32/config, stripping away the prefixes. System boots OK, with no demand for a system password. For some reason, icons were hidden, but right-clicking on the blank desktop gets a little menu that includes an option for making the icons come back. So, I think they're back on the air. Running one security scan now; will leave MalwareBytes running when I head home.
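The hand-copy in the update above can be scripted from the rescue CD. The following is an added example, not code from the original post: it lists the restore points on a mounted Windows volume with their dates (so you can pick one from before the scam call rather than simply the newest), then copies the snapshot's SYSTEM and SECURITY hives into `system32/config` with the snapshot prefix stripped, keeping a backup of each hive it replaces. It assumes the XP restore-point layout under `System Volume Information/_restore*/RPnn/snapshot/`, hive copies there named with an `_SYSTEM` / `_SECURITY` suffix, and a mount point passed as the first argument; the function names and the `.bak-RPnn` backup names are my own. As in the post, SAM is left alone.

```shell
#!/bin/sh
# Added example (not from the original post): pull the SYSTEM and SECURITY
# hives out of an XP System Restore point while the Windows volume is mounted
# read-write from a Linux rescue CD, as the post describes doing by hand.
# Assumptions to verify on the real disk before running this:
#   - the Windows volume is mounted at the directory given as <mount>;
#   - restore points live under
#     "<mount>/System Volume Information/_restore*/RPnn/snapshot/" (XP layout);
#   - the saved hives there have names ending in _SYSTEM and _SECURITY
#     (whatever prefix they carry is dropped when copying).
# SAM is deliberately left alone, as in the post, so current accounts survive.

# List restore points oldest-first: "RPnn <date> <snapshot dir>".
# Pick one dated from before the scam call, not simply the newest.
list_restore_points() {
    mnt=$1
    for snap in "$mnt"/System\ Volume\ Information/_restore*/RP*/snapshot; do
        [ -d "$snap" ] || continue
        rp=$(basename "$(dirname "$snap")")
        printf '%s\t%s\t%s\n' "$rp" "$(date -r "$snap" '+%Y-%m-%d %H:%M')" "$snap"
    done | sort -k1.3n
}

# Copy the SYSTEM and SECURITY hives from restore point <RPnn> into the live
# config directory, keeping a copy of each hive being replaced. Returns
# non-zero without touching anything if the snapshot or a hive is missing.
restore_hives() {
    mnt=$1
    rp=$2
    set -- "$mnt"/System\ Volume\ Information/_restore*/"$rp"/snapshot
    snap=$1
    [ -d "$snap" ] || { echo "restore point $rp not found under $mnt" >&2; return 1; }

    # Directory case varies (WINDOWS vs Windows), so find config case-insensitively.
    cfg=$(find "$mnt" -maxdepth 3 -type d -ipath '*/system32/config' | head -n 1)
    [ -n "$cfg" ] || { echo "no system32/config under $mnt" >&2; return 1; }

    # Check both hives exist before copying either, so a failure leaves the
    # config directory exactly as it was.
    for hive in SYSTEM SECURITY; do
        set -- "$snap"/*_"$hive"
        [ -f "$1" ] || { echo "no *_$hive in $snap" >&2; return 1; }
    done

    for hive in SYSTEM SECURITY; do
        set -- "$snap"/*_"$hive"
        if [ -f "$cfg/$hive" ]; then
            cp "$cfg/$hive" "$cfg/$hive.bak-$rp"   # keep what the scammer left behind
        fi
        cp "$1" "$cfg/$hive"                        # snapshot prefix dropped here
        echo "restored $cfg/$hive from $1"
    done
}

# Entry point: with no arguments the file only defines the functions (so it
# can be sourced); otherwise "list <mount>" or "restore <mount> <RPnn>".
case ${1:-} in
    list)    list_restore_points "$2" ;;
    restore) restore_hives "$2" "$3" ;;
esac
```

Two practical caveats: the volume has to be mounted read-write (ntfs-3g refuses that when Windows left the disk hibernated or marked dirty, so shut down cleanly first, or mount with the `remove_hiberfile` option if you are prepared to lose the hibernated session), and the `.bak-RPnn` copies can stay in `config`, since Windows ignores extra files there.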
Update 2: Perhaps the identity of the scammers could be determined from the payment processor. Jurisdiction might be a problem in doing anything about them, but... given how prolific they are, and the global reach of their scam, surely they've hit friends and family members of A Certain Type Of People. So... identity, some plane tickets, a few honked-off SpecOps types of whatever nationalities, and maybe the scam would suddenly become less popular?
Update 3: It's come to my attention that the scammer gangs have an initiation ritual that involves cursing the names of several deities, including Allah. And the cubicles where the phone workers sit are provided with whackable stress-relieving dolls in the likeness of the Prophet. Just sayin'.
Update 4: Seems some Indian-accented scammer (not necessarily this particular villain) is giving out a phone number with a 510 area code, i.e., somewhere in the vicinity of Fremont, California. Does that mean they're in U.S. jurisdiction? Alas, no. One of the wonders of this modern era is that the area code of a phone number no longer has any connection to the location where it actually rings. Aside from cellphones, there's VOIP, which allows you to pack up your local number (even from an area code where you've never been) and have it reach you anywhere that you can get an Internet connection. This has legitimate uses; I figure if I do relocate, I'll take along the 408 number I've had since 1988, as well as getting one that's local to the destination, since retaining the old number will make it easier for people from my distant past to find me, and it saves the bother of trying to contact everyone who might have my current number and update them. But, it also helps distant evildoers create the aura of comforting locality.