We ran into an issue with a client recently who had been hit by a trojan and made the mistake of calling the "Microsoft" toll-free number it displayed. Whether it was the virus or the customer giving access, they did get into the PC. The client hung up once she realized what had happened and rebooted the PC. She thought everything was fine and asked us to remote in and run a scan. We ran TechSuite, but it hung at the end of the Emsisoft Anti-Malware scan, requesting a reboot. We couldn't move past that point and were forced to reboot. Upon reboot, we were prompted for a startup password.
It appears that the trojan was still in the system when we remoted in, and at some point after the client rebooted but before she contacted us, they likely issued a C&C command to set a password via syskey. Since it was Windows 10 & UEFI, none of the syskey reset solutions based on ntpasswd would work. Passcape Password Recovery wasn't able to crack it open either. They had also deleted all of the previous restore points. The TechSuite restore point was useless as well, as I suspect they had issued the command prior to us starting it. Long story short, we had to back up and reset Windows. PITA. It's also the first time I've seen syskey used in a LONG time. Kinda brilliant, actually. I'm 100% sure the client will get a call today or tomorrow from "Microsoft" offering to sell her the password.
So, I'm wondering if it might be possible to have TechSuite detect that a password has been enabled via syskey and throw up a warning. It would also be nice to see Kabuto do something similar, because I suspect we might see more of this. It's a simple thing for the scammers to do, and it can really mess up the PC.
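The detection the post asks for, as an added example that is not part of the original post and not TechSuite or Kabuto code: syskey records its mode in the REG_DWORD value SecureBoot under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = boot key stored locally, the default; 2 = startup password required; 3 = key on removable media). That mapping is taken from the syskey documentation and should be verified on your build; the function names, the OfflineSYSTEM mount name and the sample hive path are assumptions made for this script. The offline variant matters in exactly the situation described above, where the machine already prompts at boot and can only be inspected from WinPE or a recovery USB.

```powershell
# Added example, not from the original post or from TechSuite/Kabuto.
# Assumption (syskey documentation; verify on your build): Lsa\SecureBoot
#   1 = boot key stored locally (default, no prompt)
#   2 = startup PASSWORD required at boot  <-- what the scammers set
#   3 = startup key stored on removable media
Set-StrictMode -Version Latest

$SyskeyModes = @{
    1 = 'Key stored locally in the registry (default, no prompt at boot)'
    2 = 'Startup PASSWORD required at boot'
    3 = 'Startup key stored on removable media'
}

function Get-SyskeyMode {
    [CmdletBinding()]
    param(
        # Lsa key to inspect. Defaults to the live system; Get-OfflineSyskeyMode
        # passes the path of a loaded offline hive instead.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $item = Get-ItemProperty -Path $LsaPath -Name SecureBoot -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: report "unknown" rather than silently treating it as safe.
        return [pscustomobject]@{ Mode = $null; Description = 'SecureBoot value not present'; PasswordRequired = $false }
    }
    $mode = [int]$item.SecureBoot
    [pscustomobject]@{
        Mode             = $mode
        Description      = if ($SyskeyModes.ContainsKey($mode)) { $SyskeyModes[$mode] } else { "Unknown mode $mode" }
        PasswordRequired = ($mode -eq 2)
    }
}

function Test-SyskeyPassword {
    # Returns $true (and writes a warning) if a syskey startup password is enabled.
    [CmdletBinding()]
    param([string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')
    $state = Get-SyskeyMode -LsaPath $LsaPath
    if ($state.PasswordRequired) {
        Write-Warning "syskey startup password is ENABLED ($($state.Description)). Do NOT reboot until this is investigated."
    }
    else {
        Write-Verbose "syskey mode $($state.Mode): $($state.Description)"
    }
    return $state.PasswordRequired
}

function Get-OfflineSyskeyMode {
    # Inspect the SYSTEM hive of a non-booted install (WinPE / recovery USB).
    # Assumption: run elevated, hive not already loaded; mount name is arbitrary.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SystemHivePath)   # e.g. 'D:\Windows\System32\config\SYSTEM' (sample path)
    $mount = 'HKLM\OfflineSYSTEM'
    & reg.exe load $mount $SystemHivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $SystemHivePath" }
    try {
        # An offline hive has no CurrentControlSet link; resolve it via the Select key.
        $current = (Get-ItemProperty -Path 'HKLM:\OfflineSYSTEM\Select' -Name Current).Current
        $lsa = 'HKLM:\OfflineSYSTEM\ControlSet{0:D3}\Control\Lsa' -f $current
        Get-SyskeyMode -LsaPath $lsa
    }
    finally {
        # Drop any provider handles so the unload succeeds.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}

# When run as a script (not dot-sourced): warn and exit non-zero so a scanner or agent can act on it.
if ($MyInvocation.InvocationName -ne '.') {
    if (Test-SyskeyPassword -Verbose) { exit 1 }
}
```

Because the check is a single registry read, it is cheap enough to run at the start and end of a scan, which would catch a mode change made while the tool was running. On Windows 10 version 1709 and later, Microsoft removed syskey.exe, so a freshly patched machine should always report mode 1; an older build, or anything else that flips the value to 2, is what the warning is for.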