NOTE: Having left the PC on all weekend it required restart. It was not connected to the network. Entire task bar was missing and it required CTRL ALT DEL to initiate a restart. Odd! It shouldn't be that unstable.
Reran Password Reset. Users and RIDS:-
Help Assistant, (RID: 03ec) *Disabled or Locked*
Laura XXXXXXX, (RID: 03ee)
Mark XXXXXXX, (RID: 03ed)
Owner, (RID: 03ef)
None of the RIDS match an Administrator RID per Egals information. RIDS start at 03e8 so there have been other users that are now deleted because RIDS e9, ea, eb are missing? None of the passwords "appear" to be set per Jinxy's post.
Theory: Since the Administrator can't be removed without another admin being present has someone deleted the admin?
Test: Log in as each user and determine permissions
Result: Logging in as Laura generates an "Error: Installation Failed".The box itself is _very_ slow. Logged in as Laura I attempted to view the users through the control panel. Computer locked up.... This is messed up but it implies damage to the SAM and an underlying process at this point. The computer is much faster under Mark's context but after trying to switch user the computer will not accept CTRL ALT DEL. Pressing the power button gives an "Other users are logged on" message, (Is this normal even though the logoff from Mark appeared to be normal, (SYSTEM?)?). As Owner the computer is also fast. None of the three can view the security log.
Theory: Norton AV is causing an Issue
Test: Check it's settings
Result: I cannot change the setting in limited user context. Last system scan 2/18/05, liveupdate set to auto last defs 2/18.05. Taskmgr indicates no exceptional activity by NAV components.
Theory: Norton Internet Security is causing an Issue
Test: Check it's settings
Result: I cannot change the setting in limited user context. Security, Personal Firewall and IDS are all on. Privacy, ad blocking and anti-spam are all on. No unusual component activity.
At this point I tried to close Systray Items... MSN Messenger informed me that other apps are using messanger functionality. Is this normal?
Theory: Malware affecting computer.
Test: Run Hijack this in the context of owner to see if there is anything "odd".
04 - Global Startup: Install pending files.LNK = c:\program files\sifxinst\sifxinst.exe
Interesting.... The drive is coming out since I cannot connect this to my network to extract data but I need some of it to properly document it.
Dir of c:\program files\sifxinst
03/07/2005 10:29a <DIR> .
03/07/2005 10:29a <DIR> ..
11/20/2004 11:09a 94,208 DoMore 1.PWR
03/04/2005 04:20p 94,208 DoMore 2.PWR
03/07/2005 09:14a 94,208 DoMore 3.PWR
11/20/2004 11:09a 94,208 DoMore.EXE
11/20/2004 11:09a 1,662,976 DoMore.PWR
11/20/2004 10:58a 569,344 SIFXINST.EXE
11/20/2004 10:58a 94,208 XPPrinter.exe
7 File(s) 2,703,360 bytes
2 Dir(s) 7,313,469,440 bytes free
Drive slaved. SIFXINST folder copied to secondary drive. Scanned with BitDefender. No results. Scanned with The Cleaner 4.1 fully updated. No Results.
Looking at the strings for sifxinst.exe and domore.exe indicates that this is an installer package from LANovation and domore.exe is actually the picturetaker product belonging to LANovation
This is a Gateway Computer and there is an app Gateway uses called domore….
XPPrinter googles nothing sensible….
That domore 3.pwr would most probably have been created when I logged in as Laura
I found a copy of the SAM in the repair folder. It is only 16kb but strings shows an administrator account. The existing SAM was 256kb… Drive back in original box. Login denied as administrator. Back to Password reset. Damn. Password Reset indicates only the help assistant RID: 03ec. That's really odd... At one point there was only one user in the SAM and that user was disabled.... How could that be?
Put drive back in this box to do complete scans of drives.
BitDefender complete scan found:-
E:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe Infected Application.Adware.PowerReg.3.0
Not an issue
While the scan took place I submitted the files to viruscan.jotti.org. All were inconclusive.
Complete scan with The Cleaner… Nothing found
The oldest system restore is 2/27/05 same date as the other bad SAM file from the repair folder.