Have I been bitten

[0_0]

I'm sorry if this is in the wrong place - move the post if you see fit.

OK, I don't know exactly what happened and I didn't notice anything wrong until last Saturday. I came home late, my PC was off, I fired it up and updated Avast free, Malwarebytes free, Spyware Terminator free. I ran PerfectDisk 10 on 2 partitions using Smart Placement - rebooted.

I then went to amd.com and attempted to download a pdf file, when I tried to save it to my downloads folder I was presented with a warning - read-only location and the file was saved with zero bytes. I checked the folder and sure enough it was read only. I attempted to uncheck read-only in properties, applied but no luck - it is once again read-only - newly created folders the same.

Long story short ALL my folders (as far as I can tell not any files) are read-only, 4 partitions on 2 accounts, both admin, and I can't remove the read-only properties to save my life. One strange thing happened (only once), when I unchecked read-only on a folder and clicked apply - the hidden files and folders appeared - only once, but this doesn't sound good.

The only software I installed has been the latest portable stuff from the source, Filezilla, Notepad++, CCleaner. I forgot, I also ran CCleaner with the modest settings recommended - no registry edits just crap cleaning.

I must admit I only use ZoneAlarm Pro while online, and I think this might very well be my first virus.

I spent Sunday and Monday, maybe 12 hours total running all that I knew and had (above apps) and McAfee Avert Stinger, f-secure BlackLight, MS MRT v3.1 (full scan 4 hrs), Trend Micro's Sysclean - nothing found. I did want to run a few online scans but I decided not to when the files were anywhere from 10 to 15 megs (I'm on dialup) and I figured the download would get foobared should I get disconnected.

I am clueless when it comes to the advanced features of Windows XP Pro and would like to know where to look for such system wide settings - security policy or wherever.

Any help would be appreciated.

BTW, I apologize in advance should the condition affect my internet connection and I can't respond right away.

[Tarun]

Have you checked the Event Viewer (eventvwr.msc) for errors around the suspected date and time?

[rridgely]

I would try system restore. If it works its probably a good idea to do a massive back up of everything on the computer.

[0_0]

@rridgely

I don't have/use restore points as I would prefer to simply start fresh. True though, if I should ever lose important data I'm sure I will cry.

I have most everything I care about copied to 320GB external enclosures - I still have more data to move unfortunately.

@Tarun

I spent most of yesterday looking through the events and nothing really stands out. There were no significant entries in Antivirus, started/stopped. In Security - no entries. The other areas were essentially events I was familiar with, but there were a few I'm not sure about...

...In Application --- ERROR

(Type) Error - (Date) 11.21.2009 - (Time) 12:14 pm - (Source) Userenv - (User) SYSTEM

Windows cannot set the background refresh timer for Group Policy. WaitForMultipleObjects (The handle is invalid.). Group Policy processing aborted.

...In System --- ERROR

I posted the 2 "disk" errors just to see what the opinion was ie; future controller failure or just a single hiccup. The DCOM entries, I was wondering if it is common to get errors when using safe mode, I think command prompt only?

(Type) Error - (Date) 11.11.2009 - (Time) 5:42 am - (Source) disk - (User) N/A

The driver detected a controller error on DeviceHarddisk2D.

(Type) Error - (Date) 11.11.2009 - (Time) 5:46 am - (Source) disk - (User) N/A

The driver detected a controller error on DeviceHarddisk2D.

(Type) Error - (Date) 11.22.2009 - (Time) 2:27 pm - (Source) DCOM - (User) SYSTEM

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server: {1LG1F739-4563-15L3-H648-03M04GT381AF}

(Type) Error - (Date) 11.22.2009 - (Time) 2:28 pm - (Source) DCOM - (User) SYSTEM

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server: {1LG1F739-4563-15L3-H648-03M04GT381AF}

(Type) Error - (Date) 11.22.2009 - (Time) 2:30 pm - (Source) DCOM - (User) SYSTEM

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server: {1LG1F739-4563-15L3-H648-03M04GT381AF}

(Type) Error - (Date) 11.22.2009 - (Time) 2:30 pm - (Source) DCOM - (User) ADMINISTRATOR

DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server: {BA134AF7-2186-11F2-B1D0-04805LK1280G}

Anyway, this is really all I could find, if there are specific events I should look for please let me know. I'm still curious about were to look for a system wide setting that forces all folders to be read-only?

A new behavior is after I download a PDF and open it in Foxit, appended to the title is (SECURED) ie; name of file.pdf (SECURED) in the title bar, the PDF isn't read-only. I also downloaded the latest McAfee Stinger yesterday and it wasn't saved with the read-only property. Somewhere a security policy has been altered, I know I didn't do it, no one else uses my computer (I know this absolutely) - I wish I knew where to look.

[Tarun]

Any more symptoms since then?

[James_A]

Only just seen this topic, been away a few days...

First, we are dealing with more than one problem.

1. "name of file.pdf (SECURED)" in the title bar has nothing to do with the other problems. It means that the file is password-protected against changes. You can read it, but not alter it. If you open the file with Adobe Reader and select File -> Properties... and, in the Document Properties dialog that appears, select the Security tab, you will see the message: "The document's Security Method restricts what can be done to the document". Other PDF readers should show similar behaviour.

2. "Read-only" on a folder does not behave like "Read-only" on a file. "Read-only" on a folder is, in fact, nothing of the sort. It means that the view of the folder has been customised (anything from a custom Icon to completely custom propertires, as in the Fonts folder). DON'T remove "Read-only" from Windows "special" folders.

3. You cannot change the Read-Only property of a folder in Windows using Windows Explorer. This applies to everything from Windows 95 to Windows 7. You have to use Attrib, from a Command Prompt. Again, DON'T remove "Read-only" from Windows "special" folders.

4. Incidentally, true "Read-only" properties of a folder are set, not by the folder Attributes, but by NTFS permissions.

Microsoft has published Support articles on this behaviour:

a) for Windows 95 / 98 / Millennium / NT / 2000, see Unable to remove Read-Only attribute from folder

b) for Windows XP / Server 2003 / Vista / Windows 7, see You cannot view or change the Read-only or the System attributes of folders in Windows Server 2003, in Windows XP, in Windows Vista or in Windows 7.

The long explanation is:

Unlike the Read-only attribute for a file, the Read-only attribute for a folder is typically ignored by Windows, Windows components and accessories, and other programs. For example, you can delete, rename, and change a folder with the Read-only attribute by using Windows Explorer. The Read-only and System attributes is only used by Windows Explorer to determine whether the folder is a special folder, such as a system folder that has its view customized by Windows (for example, My Documents, Favorites, Fonts, Downloaded Program Files), or a folder that you customized by using the Customize tab of the folder's Properties dialog box. As a result, Windows Explorer does not allow you to view or change the Read-only or System attributes of folders. When a folder has the Read-Only attribute set it causes Explorer to request the Desktop.ini of that folder to see if any special folder settings need to be set.

Sometimes, non-Microsoft programs behave differently. In that case, use a Command Prompt from the parent of the Download folder to change its attributes, for example:

attrib -r +s "C:\Documents and Settings\<username>\My Documents\Downloads"

Yet again, for the benefit of others reading this post, DON'T remove "Read-only" from Windows "special" folders.

5. At this stage, I don't know why all your folders are affected, unless you have a program for putting custom Icons on folders.

6. Also, the disk controller problem is unrelated. It may be anything from a timing problem (e.g. the infamous Fujitsu on Compaq problem) to a momentary glitch in the power (mains or PSU), to an actual failing disk. Again, at this stage, I can't tell.

Whew! Long post. Hope it helps.

==

[0_0]

Thanks to all who replied - much appreciated.

First, the PDF business, James_A was correct, those were the properties on this particular PDF file. The strange part is that in all my years of downloading PDFs from various sources I don't think I have ever had a secured PDF file, in fact, this file was from Western Digital (not AMD) and the other 3 PDFs (from WD) were all unsecured. This happened simultaneously with this read-only trouble which is why I may have over reacted.

The disk error - I'm going to view it as a one-time glitch, I read further on the ID error number and this particular error can occur when using images in virtual drives - something I do regularly. I will keep an eye on the event viewer though.

The read-only issue, this one still makes me wonder but I'm not going to fret about it. I did remember I switched from the ugly classic Windows look to the less ugly default XP theme prior to this. The only edits I made were to effects (unchecked all but clear type) and I changed the background.

I will likely run the attrib -r command on my data partitions, after more reading and a better understanding of when it is safe to use attrib -r +s I may give it a go on my boot drive.

Thanks again for the help.