Hive knowledge about malware and strategy of redirecting user profiles to other partitions
-
For years I've used Ghost as a backup to anti-malware programs and uninstallers. If I suspect anything or if I install a program I don't want, I just reimage the C: drive with a known good Ghost image. I redirected my My Documents and my FF profile to E:, so when C: was reimaged, my data was untouched. So, unless I download an infected file into My Docs, or somehow put an infected file onto my E: drive, the E: should stay clean.

It's been my understanding (maybe I'm wrong) that if I had (argh) opened an infected file that I had accidentally put onto my E:, all the damage/infection would be done to the system partition, leaving my E: untouched. (Of course I'd need to delete the malware installer file from E:.)

So the only trouble is, after a reimage, there were always a few little things to be done to put things 100% back in working order. Settings like custom menus in apps, etc.; the type of things that are stored in my C: drive user profile under Local Settings or Application Data. Inevitably, as I install more pgms or further tweak the ones I have, the number of little ToDo's after a reimage slowly increases. (I could, and have, made new Ghost images to include the new tweaks, but it gets tiresome.)

I was thinking about redirecting my entire user profile folder to E:, so that reimaging C: would require less work. However, I don't want to do this if there is ANY chance a malware would infect/pollute my profile's files and folders. I don't want to invite problems onto my E: drive by way of my user profile folder. I want it to stay sparkling clean.

Do/can malwares infect user's profile files and folders? I want to make as sure as I can that my E: stays uninfected, and all infection would stay on C: and away from my cherished E: drive. ;) Thank you.
-
Answer:
> "Do/can malwares infect user's profile files and folders?"

I'm unable to think of a time (in recent memory.. past 5 to 10 years) when malwares DIDN'T infect a user's profile. I mean.. that's pretty much where it always infects.. isn't it?.. I clean about 5 to 10 malware/rootkit type infections a week.. and at a very minimum I'm almost always dealing with the following folders:

C:\Windows\System32
C:\Documents and Settings\%profile-name%\Local Settings\Temp
C:\Documents and Settings\%profile-name%\Local Settings\Temporary Internet Files

..and sometimes a few more on top of that... but the folders listed above are very common infection targets.
atm at Ask.Metafilter.com
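As an added illustration of the triage jmnugent describes (this is not code from the thread or from any of its participants), a PowerShell function that lists recently written executable files in the per-user Temp, Temporary Internet Files/INetCache and System32 folders, with hash and Authenticode status so the hits can be checked. It assumes Windows Vista or later (the AppData layout rather than Documents and Settings) and PowerShell 4.0 or newer for Get-FileHash; the function name, the folder list, the extension list and the seven-day window are assumptions, not something the thread specifies.

```powershell
# Added example, not from the thread: list recently written executable files in the
# folders the answer names as common infection targets. Folder list, extension list
# and the 7-day default are assumptions; adjust them for the machine being examined.
function Get-RecentExecutables {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string[]]$Folders = @(
            $env:TEMP,                                                                  # per-user Temp
            (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'), # IE cache, pre-Windows 8
            (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'),                # IE/Edge cache, Windows 8+
            (Join-Path $env:SystemRoot 'Temp'),                                         # system-wide Temp
            (Join-Path $env:SystemRoot 'System32')                                      # the other folder named above
        ),
        [string[]]$Extensions = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta')
    )

    $since = (Get-Date).AddDays(-$Days)

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        # -Force includes hidden files; malware droppers often set the Hidden attribute.
        Get-ChildItem -LiteralPath $folder -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since -and $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                # Signature check fails on file types that cannot carry one; report that as Unknown.
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    LastWrite = $_.LastWriteTime
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

# Usage: newest first; unsigned or hidden executables in Temp and the browser cache
# are the entries worth looking at more closely.
Get-RecentExecutables -Days 7 |
    Sort-Object LastWrite -Descending |
    Format-Table Path, SizeKB, LastWrite, Hidden, Signature, Signer -AutoSize
```

System32 will always contain recently written, validly signed files after a Windows update, so in practice the System32 rows are filtered with `Where-Object { $_.Signature -ne 'Valid' }`; the Temp and cache folders, by contrast, should rarely contain executables at all, which is why those two folders are such useful indicators.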
Other answers
Quote: "Ultimately, your question is about how to keep your actual data safe." No, that's the question people seem to think I'm asking. The question I am asking is: what parts of a user profile tend to be INFECTED by malware? And this isn't the same as: what parts of a user profile folder tend to be AFFECTED by malware? (see my original post for more context) NOT: can a malware see my user profile if I move it to another partition? NOT: how should I protect my computer from malware? NOT: what do I do if I get an infection? Thanks.
atm
It doesn't matter anymore. As I said I left my profile on c: and redirected a few settings/config folders to e:. Now when I reimage c: I have less work to do, and that was my goal. Thanks.
atm
I've gone back just now and reread this thread 3 or 4 times, intentionally slowing my reading down in an effort to comprehend where we might be misunderstanding your question.... but apparently I'm still not seeing it. Your original question was: "Do/can malwares infect user's profile files and folders?"... To which (by my count) there are at least 7 replies in this thread giving you an emphatic "YES". You also originally said: "However, I don't want to do this if there is ANY chance a malware would infect/pollute my profile's files and folders." ...and again, it seems to me that reply after reply is confirming that the odds are fairly high a typical/popular malware infection WILL do something to your profile files/folders.

We padded our answers with conditional explanations because giving you a specific answer (ex: "The only folder you have to worry about is C:\Documents and Settings\%profile%\Local Settings\Temp") is extremely bad advice. It lulls you into a false sense of complacency that you only have to worry about that one folder.

Although I'm not a programmer and have never been part of the underground warez/virus scene, it's my belief and understanding that malware authors target your profile for a specific number of strategic reasons. Your profile directory will almost never be "Read Only" (because other legitimate apps need to access/modify preference settings) and because it makes more sense to infect an active profile over something like the "\All Users\" (although I've seen the All Users path get infected too). It's also strategically important for malware authors to continually update and change infection targets in the ongoing cat/mouse game of avoiding detection.

I've been doing IT/Support/Sysadmin type work for almost 20 years now and have been fighting viruses since back when they were spread by floppy disk up through internet storms like Code Red, Nimda.... so while I can't speak for odinsdream, I'm pretty sure I can say for myself that I've graduated beyond "newbie wisdom".
jmnugent
Just because the info is accurate doesn't mean it's what I asked for. Notice (try hard) I didn't ask for advice about how to protect my computer or my data, or whether malware would be able to infect my profile if I moved it to another partition, or any of the other questions that some people seem to think (or wish) I asked. I asked a very specific question that got partially answered. That partial answer was useful, however. Even if it did get buried under an avalanche of newbie wisdom. Thanks.
atm
Perhaps the confusion is that your "real" question seems to be about statistical probability, whereas a charitable reading of your question would lead people to believe you're actually interested in protecting real data that is important to you. Statistically, you could come up with a list of the "most frequently targeted" folders or files on any given computer, not specifically your own personal computer. Maybe you're asking this question as part of a research document, and need a figure or graph for this. If you're actually using your computer for personal information that is important to you (this is what comes across in your question), and your question is about how to protect this data, then the answers given above are accurate.
odinsdream
Quote: "... the SPECIFIC ones I mentioned (profile, ..." "profile" isn't very SPECIFIC. You specifically mentioned Temp and Temporary Internet Files above, and that was helpful. But here we go again. My original question, and the context I gave, still isn't being understood. Note: I REALIZE, and it doesn't matter, that malware COULD infect ANY folder on a computer (you'll see why it doesn't matter if you re-read my first post). I have only asked about folders in USER PROFILES that TEND to get infected. (Tend = most often, usually, regularly. Or, still helpful = "occasionally" or "have seen".) Don't take this the wrong way, but you don't seem to have noticed that I'm not a novice. I asked a very specific question, and if you were to re-read it and my further attempted clarifications, you'd see that all answers except your first one have been non-responsive to my question. Since, judging by the previous replies, it might not be grasped without me saying it, let me say: I'm not trying to anticipate every possible malware that might be invented and what it might do. My question is aimed at people with experience and asking them what they have seen in their experience. Thanks.
atm
> "jmnugent gave the best answer by reminding me (I had forgotten) that the Temp and Temporary Internet Files folders many times get infected. However, it looks like this answer is incomplete because he also said, "..and sometimes a few more on top of that...". He never said what the others were because he got side tracked"

"..and sometimes a few more on top of that..." in more simple terms means: The current ecosystem of malware has so much variety that there is no conceivable way for the average home user to predict what folders/files might get infected and which ones won't. I deal with 5 to 10 malware infections a week, and while the TYPICAL folders that get infected are the specific ones I mentioned (profile, along with Windows Temp and System32) there are occasions when I run into unique infections which infect non-traditional folders in ways I hadn't expected. (malware that puts files in the root of C:\ .... or the root of all local drives ... or the \All Users profile folder... or \System32\Config\systemprofile ... or rootkits that create hidden encrypted registry keys or system services, etc.) Malware code is constantly changing and evolving.... the strategies of today may not protect you tomorrow.
jmnugent
I guess this thread is shot anyway. If a malware .exe is found in your Temp folder, that folder is INFECTED. If it then installed its running parts into System32, System32 becomes INFECTED. If it ran and performed its purpose of deleting all the .mdb files on your computer, those files (the mdb's and the folders they were in) were AFFECTED but not INFECTED. Now, the user profile folder that contains the custom menu settings for Excel is usually in the user profile's \AppData\Local\Microsoft\Office folder. Notice that this particular malware didn't AFFECT or INFECT that folder. The \AppData\Local\Microsoft\Office folder was UNINFECTED and UNAFFECTED.

jmnugent gave the best answer by reminding me (I had forgotten) that the Temp and Temporary Internet Files folders many times get infected. However, it looks like this answer is incomplete because he also said, "..and sometimes a few more on top of that...". He never said what the others were because he got side tracked (like this whole thread) pontificating on how malware are able to follow environmental variables, how any folder COULD get infected, and how I wouldn't be able to hide my profile from malware.

People a) haven't read my original question well enough to understand it and what knowledge I'm asking for, b) must not have used or understand partitioning and using mklink as part of a disaster recovery plan, c) don't have enough experience with malware tendencies or d) don't understand the difference between "infected", "affected", and "neither". But they answer anyway. Oh well. If people who had understood and knew this stuff had been around they'd have answered, but I guess no one was around during this time.

For now, I'll be leaving my profile on c: and just redirecting a few choice folders onto e:. Kind of like using a white list instead of a black list. That'll work well enough.
atm
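The redirection atm settles on (leaving the profile on C: and pointing a few chosen settings folders at E: with an mklink-style junction), as an added example that is not code from the thread or from any of its participants. It assumes Windows Vista or later with PowerShell 5.0 or newer (for `New-Item -ItemType Junction`), that the E: partition is mounted, and that the application owning the folder is closed while it is moved; the function names and the E:\Profile path are assumptions.

```powershell
# Added example, not from the thread: move one profile subfolder to another partition
# and leave a directory junction at the old path, so applications keep finding it.
# Function names and the E:\Profile destination are assumptions.
function Move-ProfileFolderToPartition {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,       # e.g. "$env:LOCALAPPDATA\Microsoft\Office"
        [Parameter(Mandatory)][string]$Destination   # e.g. 'E:\Profile\AppData\Local\Microsoft\Office'
    )

    $item = Get-Item -LiteralPath $Source -Force -ErrorAction Stop
    if (-not $item.PSIsContainer) { throw "$Source is not a directory." }
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        throw "$Source is already a junction or symlink; refusing to move it again."
    }
    if (Test-Path -LiteralPath $Destination) {
        throw "$Destination already exists; merge or remove it first."
    }

    $src   = $item.FullName
    $moved = Join-Path $item.Parent.FullName ($item.Name + '.moved')

    if ($PSCmdlet.ShouldProcess($src, "redirect to $Destination")) {
        $null = New-Item -ItemType Directory -Path (Split-Path $Destination -Parent) -Force

        # /E copies subfolders including empty ones; /COPY:DAT keeps data, attributes and
        # timestamps; /R:1 /W:1 stop a locked file from stalling the run. Exit codes
        # below 8 mean success (robocopy uses 1-7 for "copied / extras / mismatches").
        robocopy $src $Destination /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

        # Keep the original under a temporary name until the junction is in place.
        Rename-Item -LiteralPath $src -NewName ($item.Name + '.moved')
        New-Item -ItemType Junction -Path $src -Target $Destination | Out-Null
        Remove-Item -LiteralPath $moved -Recurse -Force
    }
}

# Verification: the original path should now be a reparse point whose target is on E:.
function Test-ProfileRedirect {
    param([Parameter(Mandatory)][string]$Path)
    $i = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    [bool]($i.Attributes -band [IO.FileAttributes]::ReparsePoint)
}

# Usage (close Office first so none of its files are locked); drop -WhatIf to run it:
Move-ProfileFolderToPartition -Source "$env:LOCALAPPDATA\Microsoft\Office" `
    -Destination 'E:\Profile\AppData\Local\Microsoft\Office' -WhatIf
Test-ProfileRedirect -Path "$env:LOCALAPPDATA\Microsoft\Office"
```

Two points worth keeping in mind with this layout. A junction is only a pointer: anything running in the user's context follows it transparently, so this moves the data and shortens the post-reimage to-do list, but it does not isolate the folder from malware, which is the point the other replies keep making. And the junction itself lives on C:, so after reimaging from a Ghost image that predates it the junction has to be recreated (or the image refreshed once the junctions are in place), while the data on E: is untouched.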
I have no idea what difference you're making between affected and infected. If malware attaches to your PDFs, but otherwise leaves them readable, what would you call that? I'd call that "undesirable." All parts meaning it doesn't matter if the file is in C:\Documents and Settings\atm\Application Data\Mozilla\ or E:\atm-profile\Desktop\Stuff That seems to be the crux of your question - does the location of ${important_file} matter to malware, in which case the answer is no.
odinsdream