WinXP Home SAM damaged? - Page 4

Thread: WinXP Home SAM damaged?

  1. #31
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ShipMA: I've thought about a hardware issue but I can't see how it would hit the SAM in a similar fashion three times. The box has been re-installed with the repair disk twice now and updated numerous times - the SAM would _have_ to have moved even if it only offset by 1 byte on the disk. The chances of hardware failure causing such a specific error in a single file three times on the trot through a re-install are pretty remote even if the repair disk is a simple image. I have to discount this as highly improbable.

    dalek: The rootkit _shouldn't_ be able to survive two reinstalls because the disk is formatted and she loses her data - she backs up regularly to CD - can you believe that for a home user.... Furthermore, Windows rootkits are not common simply because of the complexity required to create a stable one that will work on any box regardless of configuration. Then it would be required to call home because she has an external router/firewall, and finally what would be the motivation of an attacker to do silly mischief like this and raise the chances of her reformatting and installing from something other than the Gateway repair disk, thus losing him the box.... Again, I put this down as highly improbable.

    Jinx: No, no BSOD's or other "oddities" and yep, the two accounts are restricted as is the owner account hence the problem with being unable to do anything sensible on the box when this happens. It wouldn't be an issue if we could just add a new user as Admin but we are prevented by the account restrictions.

    As it stands I have told her to go ahead and run her repair disk because I can't spend the time trying to find a cause for this issue having already spent so much time previously. If it's malware then it's pretty damned sophisticated to be able to get to the SAM in any way other than reading it. Changing it, even if it is screwing it up rather than successfully achieving some nefarious goal, is yet more sophisticated and is way beyond my level of skill, simply because if he can attack the SAM he's also going to have done a fine job of hiding his malware's existence or this would be common knowledge.

    I was just hoping for some luck in finding someone new coming across this and being able to explain it..... As it is it just goes in the "Odd, inexplicable, but I have to move on and hope that I run across the solution sometime in the future" file..... It's the longest label in my filing cabinet....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #32
    THE Bastard Sys***** dinowuff
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    Just a thought.

    Ask the user if she restored anything from backup prior to the "crash". Perhaps she is restoring something that is causing the issue.

    Kicks and giggles, scan the backup media.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  3. #33
    Member ams2d
    Join Date
    Aug 2001
    Location
    Indianapolis
    Posts
    58
    TigerShark,

    I've only seen a problem like this with PC Anywhere installed/running, but it was after upgrading a system to XP Home a few years ago, and I ended up removing PC Anywhere.

    I know you've filed it away in the file with the label that wraps around the file twice but in case you have an urge to dig into this again ...

    Have you tried to have them restore to a point prior to this latest corruption? Were there any errors listed in the Event Viewer if you got in this time?

    Since it has happened on several occasions, maybe have them create a backup SAM once everything is back to "normal".

    I did see this article which may be of use:
    http://support.microsoft.com/default...b;en-us;312131

    This isn't directly related to the issue but may provide some further options to investigate as your time permits:
    http://support.microsoft.com/default...;en-us;q307545
    Wise men talk because they have something to say;
    fools, because they have to say something.
    Plato

  4. #34
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    My gut feeling is (I'm a cynical bugger) this could well be an issue built in. Accidentally on purpose.

    To ensure the system goes back to the point of sale for repair/service. I have never come across an OEM box that does not restore without an Administrator's account.

    This is not beyond the bounds of possibility, just look at all the custom builds of XP that are available via P2P.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #35
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    She tried the usual attempts (safe mode etc.) and was in the same position as before. She then did the restore from the Gateway disk and it worked fine... again... OK.... She asked me if she should just get different install media such as the original system disk for Win XP Home... I told her it would be a good idea to try that..... I guess we'll see if this happens again in a month or so....

    Why do I have the horrible feeling it will raise its ugly head again????
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #36
    Senior Member
    Join Date
    Feb 2005
    Posts
    188
    Hi

    It just came to my mind that the PC with Win XP Home has had the same file infected many times even after reinstalls. The hardware on the PC has been the same all the time. So it could be a TSR (Terminate and Stay Resident) virus.

    A TSR virus will load into memory and can infect all programs that are executed by the computer. Anyhow, a TSR virus can certainly spread a lot faster compared to a non-resident virus, because a non-resident virus will only infect files each time it is run. Though the non-resident virus will start off very slowly infecting the system files, after the virus has been in the system for a number of weeks it will certainly infect ALL files that are in the system, whereas a TSR virus will USUALLY infect files that are executed.

    After loading (by launching an infected program, for example), they fix themselves inside the computer's memory (RAM, Random Access Memory), and they get control over the machine. Inside PCs there is a kind of memory which users can't directly access. I'm talking about ROM (Read Only Memory), which can't be updated or written, only read. This means that no program can change it. Inside this memory there is the BIOS (Basic Input Output System), just a program - or even better, a set of programs - which handles all the machine's main operations. The BIOS, for instance, whenever you start your PC, reads the first sector of the floppy (if you have put one into the drive, of course) and if it doesn't find any floppy, looks inside the hard disk searching for the record indispensable to loading the operating system. The BIOS reads the RAM. The BIOS 'reads' the characters which you type on the keyboard and then displays them on the screen. All these functions are handled by BIOS programs, called 'services'. Programs can use these services by means of 'interrupts'. An interrupt is - as you can easily understand by its name - a temporary break of all the things the machine was doing till that moment, to execute something more important. For instance, when you press a key, the keyboard causes a hardware interrupt; in other words, the keyboard asks the machine to handle the 'key-pressed' event. Whatever program was running before is stopped, a BIOS program handles that event and, soon after, all stopped activities can resume. All that happens thousands of times and you don't notice anything! There are many kinds of interrupts, and each of them is needed to handle a particular event, such as reading pressed keys, writing on the screen, writing to the disk, reading RAM and so on. Well, a TSR virus, once it has placed itself inside the RAM, intercepts all the system's interrupts and, before calling the real BIOS programs to handle a certain event, launches itself. Soon after, it calls the real BIOS program, so nobody can notice its presence.

    Each virus is recognizable by its 'identification string', that is, a kind of virus fingerprint composed of the first statements of the virus (remember: a virus is just a program). Well, many viruses try to hide themselves by encrypting their code; in this way antiviruses can't detect them! This kind of virus has an encryption algorithm to hide its statements, and decrypts them just a second before they are run. Whenever a virus is launched, it encrypts itself, every time in a different way. But the cryptography algorithm is always the same, so antiviruses can detect it.

    There might be a possibility that the PC's RAM is infected by such a virus that targets the SAM.

  7. #37
    Junior Member
    Join Date
    Nov 2005
    Posts
    19
    Why not try some other OS on the PC, like Windows Pro or even Linux? This might tell you something.
    You can close your eyes to what you do not want to see,
    But you cannot close your heart to what you do not want to feel.

  8. #38
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    You just need to replace the SAM with the SAM from the "System Volume Information" folder that stores restore information, or use the files from the "%windir%\repair" folder. Another way can be to create a new user from a boot CD and then use that account, if possible, to restore the others' settings and passwords.

    Here is from microsoft:
    http://support.microsoft.com/default...;en-us;q307545


    Damaged RAM, a damaged mainboard, PCI cards or HS's, or even a damaged CD/DVD or some other part that is able to generate "block access" to a file (memory holes in the system).
    // too far away outside of limit
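    Before swapping the SAM for the copy in %windir%\repair or the one kept with the restore points, it is worth confirming that the SAM on disk is actually corrupt rather than merely unloadable for some other reason. The following is an added example, not code from this thread or from any poster: a Python script that validates the base block of a Windows registry hive file (the "regf" signature, the primary/secondary sequence numbers, the XOR-32 header checksum, and the first hive bin). It assumes the documented hive file layout; the live SAM is locked while Windows runs, so point it at a copy taken from a boot CD or at the %windir%\repair file. The sample hive it builds when run without an argument is constructed for the demonstration, not a real SAM. A failing checksum is genuine corruption of the header; mismatched sequence numbers only mean the hive was not cleanly flushed, which Windows normally repairs from the .LOG file on the next load.

```python
"""Sanity-check the 'regf' base block of a Windows registry hive file.

Added example (not from the thread). The header layout used here is the
documented hive format: 'regf' signature, primary/secondary sequence
numbers, version, root cell offset, hive bins size, embedded file name and
an XOR-32 checksum over the first 508 bytes. The sample hive it builds is
constructed, not a real SAM.
"""
import struct

REGF_SIGNATURE = b"regf"
HBIN_SIGNATURE = b"hbin"
BASE_BLOCK_SIZE = 4096     # hive bins start after a 4 KiB base block
HEADER_SIZE = 512          # only the first 512 bytes carry fields
CHECKSUM_OFFSET = 508


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field.

    Windows stores 1 instead of 0 and 0xFFFFFFFE instead of 0xFFFFFFFF.
    """
    x = 0
    for dword in struct.unpack("<127I", header[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def check_hive(data: bytes) -> dict:
    """Inspect a hive image and return {'ok': bool, 'problems': [...], ...}."""
    result = {"ok": False, "problems": [], "name": "", "seq": (0, 0)}
    if len(data) < BASE_BLOCK_SIZE:
        result["problems"].append("file shorter than the 4096-byte base block")
        return result
    hdr = data[:HEADER_SIZE]
    if hdr[:4] != REGF_SIGNATURE:
        result["problems"].append("missing 'regf' signature")
        return result
    seq1, seq2 = struct.unpack_from("<II", hdr, 4)
    major, minor = struct.unpack_from("<II", hdr, 20)
    root_cell, hbins_size = struct.unpack_from("<II", hdr, 36)
    stored = struct.unpack_from("<I", hdr, CHECKSUM_OFFSET)[0]
    result["name"] = hdr[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    result["seq"] = (seq1, seq2)

    if regf_checksum(hdr) != stored:
        result["problems"].append("header checksum mismatch (corrupt base block)")
    if seq1 != seq2:
        # Not corruption by itself: the kernel replays the .LOG on next load.
        result["problems"].append(f"dirty hive: sequence numbers {seq1} != {seq2}")
    if major != 1:
        result["problems"].append(f"unexpected major version {major}")
    if len(data) < BASE_BLOCK_SIZE + hbins_size:
        result["problems"].append("file truncated: shorter than header's hive bins size")
    elif data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] != HBIN_SIGNATURE:
        result["problems"].append("first hive bin lacks 'hbin' signature")
    if root_cell >= hbins_size:
        result["problems"].append("root cell offset points outside the hive bins")
    result["ok"] = not result["problems"]
    return result


def build_sample_hive(seq1: int = 1, seq2: int = 1, corrupt: bool = False) -> bytes:
    """Build a minimal constructed hive: one base block plus one empty hbin."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = REGF_SIGNATURE
    struct.pack_into("<II", hdr, 4, seq1, seq2)
    struct.pack_into("<II", hdr, 20, 1, 3)          # format version 1.3 (XP-era)
    struct.pack_into("<II", hdr, 28, 0, 1)          # primary file, direct-load format
    struct.pack_into("<II", hdr, 36, 32, 4096)      # root cell offset, hive bins size
    struct.pack_into("<I", hdr, 44, 1)              # clustering factor
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    hdr[48:48 + len(name)] = name
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    if corrupt:
        hdr[100] ^= 0xFF                            # flip a byte after the checksum was taken
    base_block = bytes(hdr).ljust(BASE_BLOCK_SIZE, b"\x00")
    hbin = bytearray(4096)
    hbin[:4] = HBIN_SIGNATURE
    struct.pack_into("<II", hbin, 4, 0, 4096)       # bin offset, bin size
    return base_block + bytes(hbin)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_hive()
    verdict = check_hive(image)
    print("hive:", verdict["name"] or "(no embedded name)", "seq:", verdict["seq"])
    print("OK" if verdict["ok"] else "PROBLEMS: " + "; ".join(verdict["problems"]))
```

Run it as `python check_hive.py SAM` against the copied file. If the header passes but Windows still refuses to log anyone on, the damage is deeper in the hive bins (or not in the SAM at all), which changes what a restore from %windir%\repair will fix: that copy dates from initial setup, so replacing the SAM with it also rolls every account and password back to that point.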

  9. #39
    Senior Member ShippMA
    Join Date
    Oct 2002
    Posts
    165
    Hi Again,

    When you mentioned that she was gonna try different install media it reminded me of another issue I had with a different PC.

    Back when Win 98 was king I purchased a brand new PC from Tiny (a company in England that has now gone bust due to crap computers, but they were new then so no one knew they were crap). Anyway, this machine would run fine for half an hour and then freeze. After doing a couple of restores with THEIR CD I called their tech support. Basically they ended up coming out three times and in total they changed:

    HD
    CD
    RAM
    Power Supply
    Graphics Card
    Processor

    and still the damn thing wouldn't stop crashing. Anyway, my Dad had a work copy of Win 98 so we tried that and the machine worked beautifully, no crashes or anything. By that time we had got so peed off with Tiny that we were in the process of sending it back anyway, but it was nice to finally know that it was actually their build of 98 that was causing all the problems and nothing else.

    Anyway, the point of the story was that she might well be on to a winner by using an original XP Home and not the Gateway build, as there might be an inherent problem with it like my Tiny one had.

    No real help, but a nice/amusing story anyway.

    Matt
    www.simpleits.co.uk
    www.tazforum.**********.com
    Google is god ....... of the Internet
