I have some experience in removing viruses that I can find, but this one has been very elusive.
I used HiJackThis first - it found nothing out of the ordinary, BUT I had to run it in Safe Mode: When I run it normally, even as Admin (Windows Vista 32-bit), about the time it gets to the Services it simply quits, and I cannot run it again - I get the message from Windows that access is denied to the file.
Same with RunScanner.
Same with the installed copy of AVG 8.5 and AdAware - they had already tried to run earlier and were also inaccessible.
In the case of AVG, I was finally able to remove it and install version 2012, update it and then run it in Safe Mode - found nothing.
Ran MBAM in Safe Mode, found a few minor infections.
Tried SilentRunners, also nothing I found to be out of the ordinary.
I found your entry on what other programs to run, and I just started the VIPRE scan, and I'll run SuperAntiSpyware, too.
The files that get their permission changed can be deleted from the DOS prompt using rmdir, but otherwise I can't run them. ATTRIB doesn't show anything out of the ordinary, and I am still the owner of the file, so I don't know for sure how I am being locked out of the files. AVG scan found quite a few files/folders to be "locked", including some of the files I found to be locked.
My questions are:
1. What infections are likely to deny access to executable files, and what can I do to find and remove them?
2. What can I do to restore access to some of these files? I don't know what version of AdAware this person has installed (paid or not), and I'd rather restore it than wipe and re-install it.
I'll also keep you guys posted on the result of VIPRE and SAS if they find anything.
If you need HJT logs, please let me know, but as far as I can tell it's clean - been using it for 5 years :-)
After reading around in the forum for a bit (it's been a while since I was last here), I found out about OTL, so here are my logs. I saw a few suspicious things in there (mostly files not found and keys not found - probably part of the same "access denied" issue), but I didn't see any suspicious file that starts with Windows.
Also, in the attached files you'll likely see traces of things I have tried so far to figure this out, including a few rootkit detectors (sysinternals). Right now, this computer has been in Safe Mode since yesterday, just running scans, so it probably never had a chance to clean up some of these things.
VIPRE finished - it found one Reg Key (but didn't tell me what it was - the logs are about 25MB in size!) and identified a file called Avenger as a virus - which is a program I have used in the past to delete infections that couldn't be deleted otherwise :-/
Running SAS now...
Edited by semmel, 11 October 2011 - 10:31 AM.