Malware causes "Access is denied" error
A malware infection disabled explorer.exe and all antimalware apps as soon as they were launched (in both Normal and Safe modes) by changing permissions on the EXEs. After clearing the infection with DaRT/Standalone System Cleaner, permissions had to be fixed on the apps. As Windows XP Home does not include the Security tab in Normal Mode by default (Claus breaks down a number of workarounds), the CACLS command came in handy. Files which would not launch had been modified as in this example:
C:\Program Files\Prevx>cacls prevx.exe
C:\Program Files\Prevx\prevx.exe Everyone:(NP)(special access:)
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
These permissions are easily replaced:
C:\Program Files\Prevx>cacls prevx.exe /g administrator:f
Are you sure (Y/N)?y
processed file: C:\Program Files\Prevx\prevx.exe
Now Administrator has full access:
C:\Program Files\Prevx>cacls prevx.exe
C:\Program Files\Prevx\prevx.exe ComputerName\Administrator:F
and the program runs normally. Compare and match permissions from a clean system for best results.
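The comparison against a clean system suggested above, as an added example that is not part of the original post: this Python code parses saved `cacls` listings and reports the accounts whose entries differ. The helper names `parse_cacls` and `acl_drift` are hypothetical, and the clean-system listing is a constructed stand-in; the other two listings are the ones shown in the post.

```python
import re

# One ACE as cacls prints it: ACCOUNT:(FLAG)(FLAG)RIGHT, for example
# "Everyone:(NP)(special access:)" or "ComputerName\Administrator:F".
ACE = re.compile(r"^([^:(]+):((?:\([^)]*\))*)([A-Za-z]*)$")

def parse_cacls(path, output):
    """Illustrative helper: parse the cacls listing for `path` into {account: flags and rights}."""
    acl, entry = {}, None
    for line in output.splitlines():
        text = line.strip()
        if text.startswith(path):            # first line repeats the file path
            text = text[len(path):].strip()
        m = ACE.match(text)
        if m:
            # Drop the machine/authority prefix so listings from different PCs compare.
            account = m.group(1).strip().rsplit("\\", 1)[-1]
            entry = acl.setdefault(account, set())
            entry.update(re.findall(r"\([^)]*\)", m.group(2)))
            if m.group(3):                   # simple right such as F, C, R or W
                entry.add(m.group(3))
        elif text and entry is not None:     # right listed under "special access:"
            entry.add(text)
    return acl

def acl_drift(clean, observed):
    """Illustrative helper: describe how `observed` differs from a clean system's ACL."""
    findings = []
    for account in sorted(set(clean) | set(observed)):
        want, have = clean.get(account), observed.get(account)
        if want is None:
            findings.append(f"unexpected: {account} {sorted(have)}")
        elif have is None:
            findings.append(f"missing: {account}")
        elif want != have:
            findings.append(f"changed: {account} {sorted(want)} -> {sorted(have)}")
    return findings

PATH = r"C:\Program Files\Prevx\prevx.exe"
# The two listings shown in the post, before and after the cacls /g fix.
SPECIAL = ("DELETE READ_CONTROL WRITE_DAC WRITE_OWNER STANDARD_RIGHTS_REQUIRED "
           "FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA "
           "FILE_EXECUTE FILE_DELETE_CHILD FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES")
INFECTED = PATH + " Everyone:(NP)(special access:)\n" + "\n".join(SPECIAL.split())
REPAIRED = PATH + " ComputerName\\Administrator:F"
# Constructed baseline (not from the post), standing in for a clean system's listing.
CLEAN = PATH + " BUILTIN\\Users:R\nBUILTIN\\Administrators:F\nNT AUTHORITY\\SYSTEM:F"

if __name__ == "__main__":
    print("\n".join(acl_drift(parse_cacls(PATH, CLEAN), parse_cacls(PATH, REPAIRED))))
```

Run as a script, it shows that the repaired listing still lacks every baseline account, because `cacls /g` without `/e` replaces the ACL rather than editing it.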
Updates:
- Ran into a similar issue after removing a Security Tool infection, which had altered permissions on the C:\%WinDir%\system32\drivers\etc\hosts file after inserting rogue entries. Having completely forgotten about cacls, I rebooted into Safe Mode and reset permissions via the Security tab. Interestingly, attempting to delete or rename hosts from a Knoppix 6 Live CD also failed; I later learned that NTFS-3G can be set to honor or ignore ownership and permissions.
- Malwarebytes FileASSASSIN and IObit Unlocker are also handy for deleting recalcitrant files throwing errors like:
  - Cannot delete file: Access is denied
  - Make sure the disk is not full or write-protected and that the file is not currently in use
  - The source or destination file may be in use
  - The file is in use by another program or user
/windows | Aug 16, 2009