ShipMA: I've thought about a hardware issue but I can't see how it would hit the SAM in a similar fashion three times. The box has been re-installed with the repair disk twice now and updated numerous times - the SAM would _have_ to have moved even if it only offset by 1 byte on the disk. The chances of hardware failure causing such a specific error in a single file three times on the trot through a re-install are pretty remote even if the repair disk is a simple image. I have to discount this as highly improbably.
dalek: The rootkit _shouldn't_ be able to survive two reinstalls because the disk is formatted and she loses her data - she backs up regularly to CD - can you believe that for a home user.... . Furthermore, Windows rootkits are not common simply because of the complexity required to create a stable one that will work on any box regardless of configuration. Then it would be required to call home because she has an external router/firewall and finally what would be the motivation of an attacker to do silly mischief like this and raise the chances of her reformatting and installing from something other than the Gateway repair disk thus losing him the box.... Again, I put this down as highly improbable.
Jinx: No, no BSOD's or other "oddities" and yep, the two accounts are restricted as is the owner account hence the problem with being unable to do anything sensible on the box when this happens. It wouldn't be an issue if we could just add a new user as Admin but we are prevented by the account restrictions.
As it stands I have told her to go ahead and run her repair disk because I can't spend the time trying to find a cause for this issue having already spent so much time previously. If it's malware then it's pretty damned sophisticated to be able to get to the SAM in any way other than reading it. Changing it, even if it is screwing it up rather than successfully acheiving some nefarious goal is yet more sophisticated and is way beyond my level of skill simply because if he can attack the SAM he's also going to have done a fine job of hiding his malware's existence or this would be common knowledge.
I was just hoping for some luck in finding someone new coming across this and being able to explain it..... As it is it just goes in the "Odd, inexplicable, but I have to move on and hope that I run across the solution sometime in the future" file..... It's the longest label in my filing cabinet....