Window Update for XP SP1 Express Failure - Access Denied

[Jack]

I have tried for several weeks to apply the Window Update
for XP SP1 Express which is a "critical update". Each time
it fails to install as when the Wizard is inspecting the
system, it indicates the "C:\windows\system32\ftp.exe" is
in use and can not be deleted.
I have successfully applied numerous "critical updates"
via Windows Update both before and after the update
mentioned above.
I have tried it in "safe mode" and also have tried to
delete it and also rename it all without success ("access
denied" or "in use"). I have also tried the update under
the Administrator login and all the user logins that I
have set up.
I am running XP Home Edition.
I have Norton Antivirus which is up-to-date and have
successfully scanned the system (not viruses found - ever).
I suspect the I need to edit the registry but I don't know
where to start.
Any assistance would be greatly appreciated.
Thanks.

Jack

 

[PA Bear]

| I have tried for several weeks to apply the Window Update
| for XP SP1 Express which is a "critical update". Each time
| it fails to install as when the Wizard is inspecting the
| system, it indicates the "C:\windows\system32\ftp.exe" is
| in use and can not be deleted.
<snip>

Sounds like an MSBlast infection.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com

<paste>
At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a
worm reported by Microsoft Product Support Services (PSS). A new worm
commonly known as W32.Blaster.Worm has been identified that exploits the
vulnerability that was addressed by Microsoft Security Bulletin MS03-026.
Who Is Vulnerable?
Users of the following products are vulnerable to infection by this worm:
.. Microsoft® Windows NT® 4.0
.. Microsoft Windows® 2000
.. Microsoft Windows XP
.. Microsoft Windows Server(TM) 2003

Your computer is not vulnerable to the Blaster worm if either of these
conditions apply to you:
.. If you are using Microsoft Windows 95; Windows 98; Windows 98 Second
Edition (SE); or Windows Millennium (Me).
.. If you downloaded and installed security update MS03-026 prior to August
11, the date the worm was discovered.

4 Steps for Home Users
If you are using Windows NT 4.0, Windows 2000, Windows XP, or Windows Server
2003, you should follow the steps in this sequence to help protect your
system and to recover if your system has been infected.

1. Enable a Firewall: Make sure you have a firewall activated to help
protect your computer against infection before you take other steps. If your
computer has been infected, activating firewall software will help limit the
effects of the worm on your computer.

The latest Windows operating systems have a firewall built in. Windows XP
and Windows Server 2003 users should print or save the following instruction
s for how to enable their firewall.

If your computer is rebooting repeatedly, disconnect from the Internet
before you enable your firewall. To disconnect your computer from the
Internet:

.. Broadband connection users: Locate the cable that runs from your external
DSL or cable modem to the wall and unplug that cable either from the modem
or from the telephone jack.
.. Dial-up connection users: Locate the telephone cable that runs from the
modem inside your computer to your telephone jack and unplug that cable
either from the telephone jack or from your computer.

Follow the instructions provided for your operating system, and then
reconnect to the Internet.
.. Windows XP Professional users: http://go.microsoft.com/?linkid=220960
.. Windows XP Home Edition users: http://go.microsoft.com/?linkid=220961
.. Windows Server 2003 users: http://go.microsoft.com/?linkid=220962
.. Windows NT 4.0 and Windows 2000 users: You will need to install a
third-party firewall. Most firewall software for home users is available in
free or trial versions. If you are unable to download a firewall product,
please check with your local computer retailer. Check the following
resources for more information on personal firewalls:
-- ZoneAlarm Pro (Zone Labs): http://go.microsoft.com/?linkid=220963
-- Tiny Personal Firewall (Tiny Software):
http://go.microsoft.com/?linkid=220964
-- Outpost Firewall (Agnitum): http://go.microsoft.com/?linkid=220965
-- Kerio Personal Firewall (Kerio Technologies):
http://go.microsoft.com/?linkid=220966
-- BlackICE PC Protection (Internet Security Systems):
http://go.microsoft.com/?linkid=220967

Windows 2000 users: Alternatively, you can take steps to block the affected
ports so that your computer can be patched. Here are some modified
instructions from the TechNet article HOW TO: Configure TCP/IP Filtering in
Windows 2000: http://go.microsoft.com/?linkid=220968.

2. Update Windows: If you are disconnected from the Internet, remember to
reconnect before you take the next steps. Download and install the security
update addressed in Security Bulletin MS03-026 for the version of Windows
that you are using from the Microsoft Download Center.
-- Windows NT Server 4.0 and Windows NT Workstation 4.0:
http://go.microsoft.com/?linkid=220969

-- Windows NT Server 4.0, Terminal Server Edition:
http://go.microsoft.com/?linkid=220970

-- Windows 2000:
http://go.microsoft.com/?linkid=220971

-- Windows XP: The vast majority of Windows XP customers use this version.
If you are unsure, it is likely that you are using this version.
http://go.microsoft.com/?linkid=220972

-- Windows XP (64 bit): The 64-bit version of Windows XP requires special
hardware to run. If you are unsure, it is likely that you are not running
this version of Windows XP.
http://go.microsoft.com/?linkid=220973

-- Windows Server 2003:
http://go.microsoft.com/?linkid=220974

-- Windows Server 2003 (64 bit):
http://go.microsoft.com/?linkid=220975

3. Use Antivirus Software: Make sure you have the latest updates installed.
.. If you already have antivirus software installed, go to your antivirus
vendor's Web site to get the latest updates, also known as virus
definitions.
.. If you do not have antivirus software installed, get it. If you are unable
to download antivirus software, please check with your local computer
retailer. The following vendors participating in the Microsoft Virus
Information Alliance (VIA) offer antivirus products for home users:
.. Network Associates: http://go.microsoft.com/?linkid=220976
.. Trend Micro: http://go.microsoft.com/?linkid=220977
.. Symantec: http://go.microsoft.com/?linkid=220978
.. Computer Associates : http://go.microsoft.com/?linkid=220979

Learn about Microsoft's Virus Information Alliance:
http://go.microsoft.com/?linkid=220980.

4. Remove the Worm: If you think there is even the slightest possibility
that your computer might be infected, use the worm removal tool available at
your antivirus vendor's Web site. For additional details on this worm from
antivirus software vendors participating in the Microsoft Virus Information
Alliance (VIA) please visit the following links:
-- Network Associates: http://go.microsoft.com/?linkid=220981
-- Trend Micro: http://go.microsoft.com/?linkid=220982
-- Symantec: http://go.microsoft.com/?linkid=220983
-- Computer Associates: http://go.microsoft.com/?linkid=220984
</paste>

 

[Jack]

Thanks Torgeir, but how do I
"Verify that e.g. Administrator and SYSTEM have full
control over the file." as you suggested?

Jack

 

[Torgeir Bakken (MVP)]

Thanks Torgeir, but how do I
"Verify that e.g. Administrator and SYSTEM have full
control over the file." as you suggested?

Hi

Be sure that you are logged in with a user that has administrator rights.
From a command prompt (Start/Run and then cmd.exe), run the following command:

cacls.exe %windir%\system32\ftp.exe

You should get exactly this security setting listing:

C:\WINDOWS\system32\ftp.exe
BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

(F indicates full control)

Even if you get the exact listing, something can be wrong with the file rights
setting. Regardless of the listing is the same or not, refresh the file rights
with the following command (IMPORTANT: the newsreader will wrap the line, be
sure the following two lines is put into *one* line when running the command):

cacls.exe %windir%\system32\ftp.exe /P "NT AUTHORITY\SYSTEM":F
"BUILTIN\Administrators":F "BUILTIN\Power Users":R "BUILTIN\Users":R

(be sure that there is at least one space between each usererm)

You should get the question "Are you sure (Y/N)?" Select Y.

Verify that you have got it right by running <cacls.exe
%windir%\system32\ftp.exe> again.


If you get an error message when refreshing the file rights, try to take
ownership and then run the command again:

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

 

[PA Bear]

Have you patched against RPC (and other) Exploits and removed any possible
MSBlast (or other) tie-ins, Jack?

http://support.microsoft.com/?kbid=826955

http://www.kellys-korner-xp.com/xp_qr.htm#rpc
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com