tinyapps.org / blog


Malware causes "Access is denied" error

A malware infection disabled explorer.exe and every antimalware app as soon as it was launched (in both Normal and Safe modes) by changing the NTFS permissions on the EXEs. After clearing the infection with DaRT/Standalone System Cleaner, the permissions on those apps had to be repaired. As Windows XP Home does not show the Security tab in Normal Mode by default (Claus breaks down a number of workarounds), the CACLS command came in handy. Files which would not launch had been modified as in this example:
C:\Program Files\Prevx>cacls prevx.exe
C:\Program Files\Prevx\prevx.exe Everyone:(NP)(special access:)
 DELETE
 READ_CONTROL
 WRITE_DAC
 WRITE_OWNER
 STANDARD_RIGHTS_REQUIRED
 FILE_READ_DATA
 FILE_WRITE_DATA
 FILE_APPEND_DATA
 FILE_READ_EA
 FILE_WRITE_EA
 FILE_EXECUTE
 FILE_DELETE_CHILD
 FILE_READ_ATTRIBUTES
 FILE_WRITE_ATTRIBUTES

These permissions are easily replaced:

C:\Program Files\Prevx>cacls prevx.exe /g administrator:f
Are you sure (Y/N)?y
processed file: C:\Program Files\Prevx\prevx.exe

Now Administrator has full access:

C:\Program Files\Prevx>cacls prevx.exe
C:\Program Files\Prevx\prevx.exe ComputerName\Administrator:F

and the program runs normally. Compare and match permissions from a clean system for best results.
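The "compare and match against a clean system" step, as an added PowerShell example (not from the original post): it checks each executable's ACL for Deny entries, for the absence of any Allow entry granting read and execute, and for drift from an SDDL string captured on a known-good machine, and can restore that baseline. The file paths and baseline SDDL strings are placeholders; capture real ones with (Get-Acl 'C:\path\to\app.exe').Sddl on a clean install.

```powershell
# Added example, not the post's own commands. Requires PowerShell 2.0 or later.
$ExecuteRight = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$ReadRight    = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-ExecutableAcl {
    param([string]$Path, [string]$BaselineSddl)
    $acl = Get-Acl -Path $Path
    $problems = @()
    # Any Deny ACE on an application EXE is suspicious after an infection.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $problems += "Deny ACE for $($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }
    # At least one Allow ACE must grant both ReadData and ExecuteFile,
    # otherwise launching the file yields "Access is denied".
    $canRun = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $ExecuteRight) -eq $ExecuteRight) -and
        (($_.FileSystemRights -band $ReadRight) -eq $ReadRight)
    }
    if (-not $canRun) { $problems += 'No Allow ACE grants read + execute' }
    # Compare the whole security descriptor with the clean-system baseline.
    if ($BaselineSddl -and ($acl.Sddl -ne $BaselineSddl)) {
        $problems += "SDDL differs from clean baseline: $($acl.Sddl)"
    }
    New-Object PSObject -Property @{ Path = $Path; Problems = $problems }
}

function Restore-ExecutableAcl {
    # Overwrite the file's descriptor with the baseline SDDL (run as Administrator).
    param([string]$Path, [string]$BaselineSddl)
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($BaselineSddl)
    Set-Acl -Path $Path -AclObject $acl
}

# Placeholder baselines (Administrators/SYSTEM full, Users read + execute);
# replace each value with the SDDL captured from the same file on a clean system.
$Baselines = @{
    'C:\Program Files\Prevx\prevx.exe' = 'O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)'
    'C:\WINDOWS\explorer.exe'          = 'O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)'
}
foreach ($exe in $Baselines.Keys) {
    $r = Test-ExecutableAcl -Path $exe -BaselineSddl $Baselines[$exe]
    if ($r.Problems.Count -gt 0) {
        "$($r.Path):`n  " + ($r.Problems -join "`n  ")
        # Uncomment once the baseline for this exact file has been verified:
        # Restore-ExecutableAcl -Path $exe -BaselineSddl $Baselines[$exe]
    }
}
```

Run the audit first and only restore with a baseline taken from the same file on a clean system, since a generic SDDL can silently widen or narrow access compared to the vendor's intended permissions.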

UPDATE: Recently ran into a similar issue after removing a Security Tool infection, which had altered permissions on the C:\%WinDir%\system32\drivers\etc\hosts file after inserting rogue entries. Having completely forgotten about cacls, I rebooted into Safe Mode and reset permissions via the Security tab. Interestingly, attempting to delete or rename hosts from a Knoppix 6 Live CD also failed; I later learned that NTFS-3G can be set to honor or ignore ownership and permissions.

/windows | Aug 16, 2009

