
Vista PC with LOCKED graphic

Had a Vista PC brought in to me today, with a scareware remote story.  The computer is LOCKED (pictures attached).  Drive was pulled and no virus/malware/rootkit found.  Ctrl+Alt+Del allows me to open Task Manager, but I cannot actually do anything with it.  The mouse is constrained to the middle of the screen away from Task Mgr, and keyboard input closes everything immediately and then reopens the locked password request.  No actual ransomware is found on the computer asking for money or providing a phone number or e-mail.   No change when logging into Safe Mode of any flavor.  Replacing registry from RegBack didn't solve it.
Attached images: 20180810_111145.jpg, 20180810_111150.jpg

Russ Suter, Senior Software Developer
CERTIFIED EXPERT

Commented:
It looks to me as if the user fell for the scam and allowed someone to remotely access their PC. The remote "technician" then used syskey on the machine. Syskey isn't a virus or malware. It's built in to the OS so it won't show up on any A/V scans.
CERTIFIED EXPERT

Commented:
1)  I take it you already tried the "sdfghj" password displayed in your second image?
2)  If you create a new user, does it also have the same issue(s)?
3)  Do you have a Vista reinstall DVD you can boot to?
CERTIFIED EXPERT
Most Valuable Expert 2013
Commented:
This isn't SysKey, it's lockpc.exe from FSPro Labs:
https://fspro.net/lock-pc/
The data will be safe and unencrypted but someone has maliciously installed this legitimate security package.
Can be removed by offline editing of the registry (slave the HDD to another machine or boot to a Linux bootable environment on DVD/CD) and removing the Keys at
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FSPro Labs\Lock My PC 4]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LmpcService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmpcService]
[HKEY_USERS\S-1-5-21-951547217-311956028-3541784750-1000\Software\FSPro Labs\Lock My PC 4]

Copy the folder containing the .exe's and service:

C:\Program Files\Lock My PC 4\lockcp.exe
C:\Program Files\Lock My PC 4\lockpc.exe
C:\Program Files\Lock My PC 4\LmpcServ.exe

then delete the folder and return the drive to the PC.

You may get a few error messages on restart because you've removed the files but also removing the registry entries should mitigate against that.

This will just leave the uninstaller entries to tidy up once you're back in.
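The same offline clean-up, written out as an added PowerShell example (this is not code from the thread, from FSPro Labs, or from Lock My PC itself). It covers the "slave the HDD to another machine" route: the victim drive is mounted on a technician's Windows box, the offline SOFTWARE, SYSTEM and NTUSER.DAT hives are loaded with reg.exe, and the keys and folder named above are reported, and removed only when -Remove is given. Assumptions: the slaved drive is D:, the locked account's profile is D:\Users\Owner (placeholder; substitute the real profile folder), and the session is elevated. Two details the registry paths above hide: an offline SYSTEM hive has no CurrentControlSet link, so the script resolves the real ControlSet00N from Select\Current, and the S-1-5-21-... SID path only exists on the live machine, so the user's hive is loaded under a temporary name instead.

```powershell
param(
    [string]$Drive       = 'D:',              # assumption: slaved victim drive
    [string]$UserProfile = 'D:\Users\Owner',  # assumption: profile of the locked account
    [switch]$Remove                           # default is audit only
)

$ErrorActionPreference = 'Stop'

# Offline hive files on the victim drive and the temporary names they are loaded under.
$hives = @{
    'HKLM\OfflineSoftware' = Join-Path $Drive 'Windows\System32\config\SOFTWARE'
    'HKLM\OfflineSystem'   = Join-Path $Drive 'Windows\System32\config\SYSTEM'
    'HKU\OfflineUser'      = Join-Path $UserProfile 'NTUSER.DAT'
}

foreach ($name in $hives.Keys) {
    # reg.exe load mounts a hive file that is not in use by a running Windows.
    & reg.exe load $name $hives[$name] | Out-Null
}

try {
    # Offline SYSTEM hives have no CurrentControlSet link; resolve it from Select\Current.
    $current    = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\OfflineSystem\Select' -Name Current).Current
    $controlSet = 'ControlSet{0:D3}' -f $current

    # The keys from the answer, re-rooted under the offline hive names.
    $keys = @(
        'Registry::HKEY_LOCAL_MACHINE\OfflineSoftware\Wow6432Node\FSPro Labs\Lock My PC 4',
        'Registry::HKEY_LOCAL_MACHINE\OfflineSoftware\FSPro Labs\Lock My PC 4',   # 32-bit install path
        "Registry::HKEY_LOCAL_MACHINE\OfflineSystem\$controlSet\Services\LmpcService",
        'Registry::HKEY_USERS\OfflineUser\Software\FSPro Labs\Lock My PC 4'
    )

    # The program folder from the answer (lockcp.exe, lockpc.exe, LmpcServ.exe).
    $folders = @(
        (Join-Path $Drive 'Program Files\Lock My PC 4'),
        (Join-Path $Drive 'Program Files (x86)\Lock My PC 4')
    )

    $found = @()
    foreach ($k in $keys) {
        if (Test-Path -Path $k) {
            $found += $k
            Write-Host "FOUND key : $k"
            if ($Remove) { Remove-Item -Path $k -Recurse -Force }
        }
    }
    foreach ($f in $folders) {
        if (Test-Path -Path $f) {
            $found += $f
            # Record hashes of the binaries for the incident notes before anything is touched.
            Get-ChildItem -Path $f -File |
                Get-FileHash -Algorithm SHA256 |
                ForEach-Object { Write-Host ('FOUND file: {0}  SHA256={1}' -f $_.Path, $_.Hash) }
            if ($Remove) {
                # Keep a copy of the folder, as the answer suggests, then delete it.
                $evidence = Join-Path $env:TEMP ('LockMyPC_evidence_' + (Get-Date -Format 'yyyyMMddHHmmss'))
                Copy-Item -Path $f -Destination $evidence -Recurse
                Remove-Item -Path $f -Recurse -Force
            }
        }
    }
    if ($found.Count -eq 0) { Write-Host 'No Lock My PC 4 artefacts found.' }
}
finally {
    foreach ($name in $hives.Keys) {
        [GC]::Collect()                      # release provider handles so the hive can unload
        & reg.exe unload $name | Out-Null
    }
}
```

Run it once without -Remove to confirm the artefacts match what the thread describes, then again with -Remove; the hives are unloaded in the finally block either way, which matters because a hive left loaded will keep the victim's SYSTEM file locked and the drive will not boot cleanly when returned to the PC.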
Jason Johanknecht, IT Manager

Author

Commented:
Yes, it was a remote tech (Hinted that only in my question).  I had already ruled out SYSKEY.  Lock MY PC 4 was exactly right.  I hadn't heard or seen that one before.  Not sure if I had mentioned before, but yes the files were unharmed before removing the Lock MY PC 4 as MASQ mentioned.  Thanks to all who responded.