WinXP Home SAM damaged? - Page 3
Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 39

Thread: WinXP Home SAM damaged?

  1. #21
    Banned
    Join Date
    Nov 2003
    Posts
    1,161

    Re: WinXP Home SAM damaged?

    Originally posted here by Tiger Shark
    Users listed:-
    HelpDesk, (or whatever it is called)
    Laura (Her)
    Mark (Her Hubbie)
    Owner (The un-passworded limited/guest account)

    Glaringly absent is the Administrator...
    This is totally illogical captain ~ Spock
    What did the list look like when you ran
    Code:
    control userpasswords2
    ?

    And when you get the box back the Event Viewer might shed some light.
    To tell you the truth I've never managed to screw up a OS like this,well I'll take that back, in 91 on Windows 3.1 I was on a BB online playing Strip-Poker..... nevermind.

    I'm sorry...I regret that I can come up with no other logical alternative." ~ Spock

    Good Luck

  2. #22
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OK... These are my notes/observations to date..... I'm confuddled unless I have unknown malware... Can anyone see anything glaringly obvious before I run a repair?

    Pre-Note: This is not a forensic investigation per se. I'm looking for why rather than who or what?

    NOTE: Having left the PC on all weekend it required restart. It was not connected to the network. Entire task bar was missing and it required CTRL ALT DEL to initiate a restart. Odd! It shouldn't be that unstable.

    Reran Password Reset. Users and RIDS:-

    Help Assistant, (RID: 03ec) *Disabled or Locked*
    Laura XXXXXXX, (RID: 03ee)
    Mark XXXXXXX, (RID: 03ed)
    Owner, (RID: 03ef)

    None of the RIDS match an Administrator RID per Egals information. RIDS start at 03e8 so there have been other users that are now deleted because RIDS e9, ea, eb are missing? None of the passwords "appear" to be set per Jinxy's post.

    Theory: Since the Administrator can't be removed without another admin being present has someone deleted the admin?
    Test: Log in as each user and determine permissions
    Result: Logging in as Laura generates an "Error: Installation Failed".The box itself is _very_ slow. Logged in as Laura I attempted to view the users through the control panel. Computer locked up.... This is messed up but it implies damage to the SAM and an underlying process at this point. The computer is much faster under Mark's context but after trying to switch user the computer will not accept CTRL ALT DEL. Pressing the power button gives an "Other users are logged on" message, (Is this normal even though the logoff from Mark appeared to be normal, (SYSTEM?)?). As Owner the computer is also fast. None of the three can view the security log.

    Theory: Norton AV is causing an Issue
    Test: Check it's settings
    Result: I cannot change the setting in limited user context. Last system scan 2/18/05, liveupdate set to auto last defs 2/18.05. Taskmgr indicates no exceptional activity by NAV components.

    Theory: Norton Internet Security is causing an Issue
    Test: Check it's settings
    Result: I cannot change the setting in limited user context. Security, Personal Firewall and IDS are all on. Privacy, ad blocking and anti-spam are all on. No unusual component activity.

    At this point I tried to close Systray Items... MSN Messenger informed me that other apps are using messanger functionality. Is this normal?

    Theory: Malware affecting computer.
    Test: Run Hijack this in the context of owner to see if there is anything "odd".
    Result:

    04 - Global Startup: Install pending files.LNK = c:\program files\sifxinst\sifxinst.exe

    http://securityresponse.symantec.com...ad.chekin.html

    Interesting.... The drive is coming out since I cannot connect this to my network to extract data but I need some of it to properly document it.

    Dir of c:\program files\sifxinst

    03/07/2005 10:29a <DIR> .
    03/07/2005 10:29a <DIR> ..
    11/20/2004 11:09a 94,208 DoMore 1.PWR
    03/04/2005 04:20p 94,208 DoMore 2.PWR
    03/07/2005 09:14a 94,208 DoMore 3.PWR
    11/20/2004 11:09a 94,208 DoMore.EXE
    11/20/2004 11:09a 1,662,976 DoMore.PWR
    11/20/2004 10:58a 569,344 SIFXINST.EXE
    11/20/2004 10:58a 94,208 XPPrinter.exe
    7 File(s) 2,703,360 bytes
    2 Dir(s) 7,313,469,440 bytes free

    Drive slaved. SIFXINST folder copied to secondary drive. Scanned with BitDefender. No results. Scanned with The Cleaner 4.1 fully updated. No Results.

    Looking at the strings for sifxinst.exe and domore.exe indicates that this is an installer package from LANovation and domore.exe is actually the picturetaker product belonging to LANovation

    This is a Gateway Computer and there is an app Gateway uses called domore….
    XPPrinter googles nothing sensible….

    That domore 3.pwr would most probably have been created when I logged in as Laura

    I found a copy of the SAM in the repair folder. It is only 16kb but strings shows an administrator account. The existing SAM was 256kb… Drive back in original box. Login denied as administrator. Back to Password reset. Damn. Password Reset indicates only the help assistant RID: 03ec. That's really odd... At one point there was only one user in the SAM and that user was disabled.... How could that be?

    Put drive back in this box to do complete scans of drives.

    BitDefender complete scan found:-

    E:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe Infected Application.Adware.PowerReg.3.0

    Not an issue

    While the scan took place I submitted the files to viruscan.jotti.org. All were inconclusive.

    Complete scan with The Cleaner… Nothing found

    The oldest system restore is 2/27/05 same date as the other bad SAM file from the repair folder.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #23
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    as an 'off the wall' approach ........
    would it be possible for someone to access the box from across the web, and as THEY had admin rights, they screwed with the owners heads by deleting the physical admin ?

    it IS possible to bypass Norton / MacAfee ?

    [edit]
    It is XP home, so the admin is only available in 'safe' mode.
    user accounts are admin or limited

    off the top of my head I cannot think of anything that fits the bill bar that first paragraph.

    What net connection do they have ? broadband ? continious [easier to gain access throuh a big pipe that NEVER shuts.]
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #24
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This box was damn good for a home user's box.... I think she's been listening to me... . I found one piece of spyware..... that's pretty damned fine unless there is unknown malware there that nothing is detecting.

    I think she's cable but the firewall, IDS, AV etc. were all on and up to date. Frankly, I'm baffled. I went ahead and tried to repair hoping it would fix the SAM for me.. It didn't. So I did a reinstall which is still running..... I've only done that because I can;t think of another way of repairing the SAM such that the existing permissions etc. don't get messed up. It's really not worth the hassle to go much further. If it happens a third time I will have all the notes etc. to refer back to and compare and I have told her that if it does happen again that she shouldn't do anything to try to fix it, just bring it in.

    [EDIT]

    Oh, I forgot... none of the event logs go back past 3/4/05 so they don't take me back to the 2/27/05 point which is where the things seemed to be going funny.... Shame really... there had to be something in there

    [/EDIT]
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #25
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    you know I was smelling a RAT.. or a kernel Hijack.. but what you have found dosen't seem to fit..
    if you had a win.ini or system.ini that had a "shell= explorer; XXXX.exe" I wouldn't have been suprised.. or a hijacked userinit file.. .. so I am no help
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #26
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Undies:

    Yeah.... I'm with you... But if it's that deep then it's a reinstall anyway and since it's a home box with no remote access but a user that does work at home then carries or emails it in I'm giving up.... Like I said, it's not a forensic investigation...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #27
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The user just reported the same thing has happened again......

    I'm utterly out of ideas......

    Is there anyone here that didn't see this thread before that would like to review it and see if there is something I'm missing......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #28
    Senior Member ShippMA's Avatar
    Join Date
    Oct 2002
    Posts
    165
    Hi,

    This thread reminded me of something that happened with my PC a while back (long shot though and feel free to laugh at the cause of my problem)

    When i moved house the mains plug for the pc was no longer hidden behind it and so very easy to access. Because of this (and cause i look things to be properly off if possible) i started turning it off and unplugging from the wall each night. Something that i then noticed about my the box was that every time i plugged it back in it would power up for a second and then turn off. (i guess just the way my power supply works) anyway after a couple of months it started acting "odd" (things like random crashes, even while do nothing etc) until eventually one day i turned it on and the users were all screwed up. (one wasn't there, others wouldn't work etc) So as i don't know that much about the depths of windows i eventually got in in safe mode backed up and formatted.

    Anyway i figured just one of those things kept turning it off etc and lo and behold a couple of months later same deal. I now don't turn the mains off each night (obviously shut down but just not flicking the wall switch) and she works as good as gold again. Been going fine for a year now.

    My thinking was that if like you think the users of the computer aren't silly and actually do all they can to stop spyware viruses etc then maybe it isn't that, maybe its something as simple as a piece of hardware coming near to the end of its life, or like for me, just the way the machine was powered on each day.

    Hope that you do find the solution to this and please do post it as its very intriguing.

    Matt
    www.simpleits.co.uk
    www.tazforum.**********.com
    Google is god ....... of the Internet

  9. #29
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Ts

    It was mentioned before, however the symptoms seem to point in this direction:
    Persistent Rootkits
    A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
    If you haven't allready done one, I would recommend a scan withRootkitrevealer


    Also, if you get a chance this time, have a look at the event logs.I am using Pro, so don't know if this is useful on Home, but try control userpasswords2 at the run command, it will open the user accounts window, there is a secure logon feature in Pro not sure for Home.

    Also have they used remote assistance at any time:
    You can change a Windows User Account password that is on any Windows computer from any other Windows computer regardless of whether the User Account is on a workstation, a stand-alone server, or a Windows domain controller. Additionally, it makes no difference whether the password being changed from a workstation, a stand-alone server, or a Windows domain controller. This is true for any NT 4.0, W2K, XP Pro and Windows Server 2003 computer.

    You do not have to be logged on from the User Account Database that contains the Username, and you do not have to be currently logged on with that Username. This procedure is especially useful if you want to change your password in a User Account Database or security accounts manager (SAM) that is not in your default logon domain.
    This procedure is allowed even if the User Right “Access this computer from network” is disabled for the group Everyone. Changing a password does not use resources on the server. The ability to change a password without requiring the user to be logged on allows a user to change his or her password outside of the user’s logon hours, or when the password has expired and the user is not able to log on.
    Add Administrator Account to Log In Screen
    When Windows XP is first installed it requires you to enter at least one name of a user who will access the computer. Once you create this name the default Administrator account vanishes. To access it, press Ctrl-Alt-Delete twice at the Welcome screen to retrieve the standard Windows 2000 logon dialog. Log on as Administrator from this point. To log the Administrator off, click [Start] [Log Off] and [Log Off] when the [Log Off Windows] selection box appears. The Log On screen with the available users will be displayed.


    To Make the Administrator Account Always Visible on the Login Screen

    [Start] [Run] [Regedit]Registry Key: HKEY_LOCALMACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListModify/Create the Value Data Type(s) and Value Name(s) as detailed below.Data Type: DWORD// Value Name: AdministratorSetting for Value Data: [0 = Disabled / 1 = Enabled]Exit Registry and Reboot


    Bypass The Windows XP Log On Screen
    To make logon an unattended process:
    Click [Start] [Run] and type control userpasswords2 Click [OK]
    The [User Accounts] Property Sheet displays.
    On [Users] tab, clear the [Users must enter a user name and password to use this computer] check box.Click [Apply].
    Enter a user name and password that should be used to logon automatically in the dialog box that appears.Click [OK].
    Go to [Control Panel] [User Accounts] [Change the Way Users Log On and Off].
    Uncheck [Use the Welcome Screen] and [Use Fast User Switching]
    http://www.theeldergeek.com/missing_...or_account.htm

    Just an aside IMHO Norton is bloatware, have they recently upgraded their version of Norton, if so then this may be the culprit, as it seems intermittent, try uninstalling Norton and replacing it with AVG or Avast and see if over a period of time anything happens.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  10. #30
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Tiger,

    Is there any warning before this happens, such as BSODs etc? All symptoms suggest the damage could be being caused be the system recovery process.

    Norton Internet Security 2005 has an issue with one of Microsoft’s hotfixes, for instance. Which will BSOD the system.

    As the lady seems to be switched on, is she running user accounts as restricted? If this is the case and the OEM seems to have renamed the Administrators account Owner (with restricted privileges) or deleted the Administrators account.

    If this is the case the box would not have an account with admin privileges. Perhaps the problem lie’s here?
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides