File Permissions on Application Data Folder

mcp6453

An XP SP3 computer has been working well for several months. It is part
of a domain with Windows Server 2003. All of a sudden and for no
apparent reason, it started exhibiting the following problems. For
troubleshooting purposes, I logged into the local machine as administrator:

o Initially unable to start IE
o Unable to start Firefox
o Symantec AV will not remain enabled
o Symantec Live Update would not run
o Start | All Programs doesn't open
o ActiveX controls would not install once IE worked
o Malwarebytes would not update

The symptoms seemed as if the computer had a virus, particularly since
SAV would not stay enabled. However, somehow I discovered that XP was
unable to write to the C:\Documents and
Settings\Administrator\Application Data folder. I tried to change the
permissions on the folder to give the Administrators group Full Control,
but XP wouldn't let me because Administrators was not the owner. So, I
took ownership of the folder and assigned the rights.

How and why did the rights on this folder change? Before I discovered
the rights problem, I put the drive into a second computer and performed
a virus and adware scan. Both scans came up negative except for one cookie.

Should I have confidence that changing the permissions on this folder
and its contents is a competent solution to the problem?
 
R. McCarty

I wouldn't trust its integrity unless the Virus scan you made was with
another vendor program than your standard. I use NOD32, but always
run an occasional alternate scan from other products. It's always a
surprise to discover an infection that one product detects and others
seem to ignore/pass over.
Here are several online scans I recommend/use:
http://www.bitdefender.com/scan8/ie.html
http://www.eset.com/onlinescan/
http://www.kaspersky.com/virusscanner
*Usually running any combination of these isolates and removes the
majority of current threats.
Also Trend Micro offers a nice program called SysClean that can
clean up an infected computer.
http://www.trendmicro.com/download/dcs.asp
 
mcp6453

Yes, it was with a different brand (McAfee Corporate Edition).

Thanks for the links. Isn't Kaspersky limited to virus identification
but not removal? I used to use http://housecall.trendmicro.com
religiously, but since they changed their site a couple of years ago, or
whenever it was that they added the Java routines, I can only get the
online scanner to download, install, and run about 30% of the time.

Do you have any thoughts about why the folder permissions changed?
 
R. McCarty

Permission changes are really hard to isolate. It's one of those issues
you don't readily consider in diagnosing a problem. I've seen a few
cases of a complete loss of ACL on folders and never really found
out the reason for the changes. Since your problem was in the tree
for Application Data I'd suspect a recent update or program install
may have been responsible. Could a USB Flash device have been
used to install a program?
 
mcp6453

I was not there when the problem started, so I cannot really identify
the source of the problem. In any case, I was lucky to find the problem.
If the problem were to occur again some time in the future, I'm not sure
I would know to look for it.

Do you have any comments on my online AV scanner questions?

Thanks much for your help!
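
[Added example, not part of the original thread.] A read-only check for the condition described above: it reports each profile's Application Data folder whose ACL cannot be read, where Administrators lacks Full Control, or where Deny entries are present. It assumes PowerShell 2.0 is installed (it is not part of a default XP install) and that Administrators Full Control is the expected state, as in the poster's fix; `Test-AppDataAcl` and `$ProfilesRoot` are names chosen for this example.

```powershell
# Added example (not from the thread). Read-only: reports, changes nothing.
# $ProfilesRoot is the XP default profile location; adjust on other versions.
param([string]$ProfilesRoot = 'C:\Documents and Settings')

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$Full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$SidType   = [System.Security.Principal.SecurityIdentifier]
$InhOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-AppDataAcl([string]$Path) {
    $r = New-Object PSObject -Property @{
        Path = $Path; Owner = ''; AdminsFullControl = $false
        DenyEntries = ''; Finding = '' }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Not being able to read the ACL at all is itself worth flagging.
        $r.Finding = "cannot read ACL: $($_.Exception.Message)"
        return $r
    }
    $r.Owner = $acl.Owner
    $deny = @()
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        # Inherit-only entries apply to children, not to the folder itself.
        if (($ace.PropagationFlags -band $InhOnly) -eq $InhOnly) { continue }
        if ($ace.AccessControlType -eq 'Deny') {
            $deny += "$($ace.IdentityReference) denied $($ace.FileSystemRights)"
        } elseif ($ace.IdentityReference.Value -eq $AdminsSid -and
                  ($ace.FileSystemRights -band $Full) -eq $Full) {
            $r.AdminsFullControl = $true
        }
    }
    $r.DenyEntries = $deny -join '; '
    $problems = @()
    if (-not $r.AdminsFullControl) { $problems += 'Administrators lacks Full Control' }
    if ($deny.Count -gt 0)         { $problems += 'Deny entries present' }
    $r.Finding = $problems -join ', '
    return $r
}

# Walk every profile folder and list only the ones with a finding.
Get-ChildItem -Path $ProfilesRoot -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'Application Data' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Test-AppDataAcl $_ } |
    Where-Object { $_.Finding } |
    Format-List Path, Owner, AdminsFullControl, DenyEntries, Finding
```

Run it from an account that can read the profile tree; no output means no folder matched any of the three conditions.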
 
R. McCarty

Sorry I forgot. I used to use Housecall ( Pre 6.0 ) but not so much
anymore. Because it's Java dependent it takes a while to update the
definitions ( not as bad as Kaspersky - but close ). For me the other
online scanners are quicker and seem to have higher detection rates.
I'm always checking out new Security software and try not to get
complacent using the same products.
 
