Yep, I Think I Have A Virus... But Be Gentle, It's Been A Long Time!

Discussion in 'Am I Infected?' started by Ian K, Aug 9, 2012.


  1. Ian K Bronze Member

    Bronze
    Message Count:
    62
    Likes Received:
    0
    Hi Guys & Gals,

    As much as I consider this the UNICEF, World Wildlife Fund and Cancer Research Society of the computer health world, all rolled up into one wonderfully free package, I hope you don't take offense when I say that I wasn't wanting to return here in a hurry.:)

    Earlier today a friend and work colleague of mine from Argentina sent me an Excel file via the website Sendspace.com. We've both used this site for years and never encountered any problems. There can be pop ups from time to time, but until today they've all been harmless. I was in the process of clicking the download button when my AVG Free alerted me that it had just saved me from a couple of viruses. I clicked 'ok' and the warning message went away. However, about a minute later I received another warning from AVG and this time it gave me the option to move the virus to the vault. On doing this it said the computer had to be restarted for it to take place. All of these were (I'm 99% positive) genuine AVG messages and not fake/manufactured.

    On restarting the laptop I decided to do a full system scan with AVG, just to be on the safe side. I did this and it said there were zero viruses (or is it virii?) and so I relaxed a little bit. However, I am still quite anal retentive and thought I'd also do a Malwarebytes scan juuuuuust to be completely sure. It was upon double clicking the Malwarebytes icon that I knew something was up. The program didn't open, so I double clicked it again. I was now suspicious as to my computer's health and tried one last attempt - this time by right clicking and running as an Administrator. As soon as I did this I received another warning pop up from AVG that there was a virus. It gave the same instruction as before, i.e. that the computer would need to be restarted in order for the effect to take place. So I clicked to restart and the laptop was as unresponsive as when I tried to open Malwarebytes. I clicked to shutdown after this and still there was nothing. Being the coward that I am, at this point I resorted to what all non-techie cowards do and unplugged the machine from the wall (even though it's a laptop, I nearly always have it plugged into the mains while sitting on my desk) and restarted in Safe Mode with Networking. I did this in order to fully update Malwarebytes. I then shut it down and restarted only in Safe Mode, i.e. no internet connectivity. I completed a full Malwarebytes scan and surprisingly it said there were no malicious items detected. Dubiously, I restarted in normal mode and no sooner had I done so than I got a Microsoft Command Prompt, telling me this specific path...:

    C:\Users\Amy\AppData\Local\Temp\xofmauwx.exe

    ... required my permission to be accessed. I clicked 'cancel' and immediately I received another AVG warning which necessitated me to restart my machine in order to take effect. I managed to close down the laptop this time without pulling out the plug and restarted in Safe Mode once more to see if I could navigate to the aforementioned folder in order to manually delete the offending file. Bottom line: I can't. It doesn't appear to be there and I'm at the end of my tether.

    I've read the prework considerations here and want to ask you HOW I am to perform them when every time that I boot up normally I'm sabotaged before I can do a thing? Is it possible to perform the scans in Safe Mode? I'd appreciate someone here giving me an idea of how to begin.

    Thank you in anticipation,

    Ian
  2. Crush Administrator & Security Team Leader

    Manager
    PCHF Staff
    Message Count:
    39,873
    Likes Received:
    3,652
    Hi Ian,

    You can perform the scans in safe mode, yes.
  3. Ian K Bronze Member

    Hi Crush,

    Thanks for your reply and for confirming it's possible to scan in Safe Mode. I started the OTL scan (using the settings indicated in the prework section) about an hour and a half ago and I don't know if it is actually doing anything. Initially at the bottom of the OTL window it seemed to be scanning files but after about a minute it stopped in its tracks when it came to 'Scanning Firefox settings...'. I don't know how long a scan should take, but it seems odd to me that it should be scanning Firefox for so long without movement. Just out of curiosity I clicked on the minimise button in the top right of the window a few moments ago and it didn't minimise. Is all of this normal or do you think it's 'stuck'?

    Regards,

    Ian
  5. Crush Administrator & Security Team Leader

    It may be stuck. Try starting the scan again.
  6. Ian K Bronze Member

    I think I'm going to need to try an alternative to the OTL scan, as it continually gets stuck at the 'scanning Firefox' part. I left it running all night just in case I had given up too soon, but it was still reading the same this morning. So the question is now: what does one do when the very first thing recommended won't work?!
  7. Crush Administrator & Security Team Leader

    Try this:

    Please download DDS by sUBs from one of these locations:

    Link 1

    Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    Save both reports to your Desktop. Post them back here for review.
  8. Ian K Bronze Member

    Hello again Crush,

    Thank you for getting back to me. I've performed the scan and when I finished it I received a message which informed me to zip the 'Attach.txt' file before uploading it to any forums. I did what it said and you'll find it here along with the dds.txt file that you asked for.

    Regards,
    Ian

    Attached Files:

  9. Crush Administrator & Security Team Leader

    Everything looks ok in those logs. Are you still having issues with the machine?
  10. Ian K Bronze Member

    Yes, I am. I booted up in normal mode and immediately I received the Windows Command Processor prompt. I clicked cancel and AVG kicked in with the virus warning, followed by the notice that I'd have to reboot for it to take effect. This time however I attempted to do the OTL scan in normal mode, but not only did it get stuck at the Firefox part, AVG flashed another warning, this time to say that I could only delete the virus, but to do so might cause irreversible errors, so I declined to allow it and just shut my laptop down. The viruses seem to be in the AppData\Local folder and also in the Startup folder. Is there anything else I can do to sort this problem? I really hope so because this machine is my main one for work. :(
  11. Crush Administrator & Security Team Leader

    Can you browse to the locations manually and delete the files AVG flags?
  12. Ian K Bronze Member

    From my first post:

    And unfortunately nothing seems to have changed since then. I've set the folder options so that I am able to see hidden files and folders, but nothing shows up in the actual scans while in either normal or safe mode.

    I've taken a couple of photos of the screen warning messages on my mobile phone and could attach them here for you if you think that could help. I must admit to being rather dismayed now, as you guys have always been able to help in the past and perhaps wrongly I thought this would be easy to resolve!

    A worried,

    Ian
  13. Crush Administrator & Security Team Leader

  14. Ian K Bronze Member

    I actually meant the offending FILES don't appear in the folders specified by the AVG warnings, however, it may be the case that one of the folders doesn't exist either. What I mean by this is that AVG specifies C:\Users\Amy\AppData\Local\Temp\ as the location of one of the files, but my machine's actual path has the temporary folder starting with a lower case 't'. Perhaps this is a ridiculous observation, but I thought I'd mention it on the off chance that it has validity.

    I've also noticed a few places on my laptop are denying me access (Start Menu for example) while in Safe Mode and I wondered if that's normal or another symptom of my problem?

    I'll check out your link now and report back either tonight or tomorrow morning. It's late here right now.

    Thank you anyway for your continued help on this matter. I really appreciate it.
    *Addendum: I've just read the info in the link you sent me and I had already done that myself beforehand.
  15. Crush Administrator & Security Team Leader

    Case should not affect browsing to that location :)
  16. Ian K Bronze Member

    Ok, so I CAN browse to the folder, but as I said, the offending .exe files don't appear to be there, so what do I do? I was unable to do the OTL scan, but I didn't try the aswMBR one. Can I try that or will it be pointless without doing OTL first? Or what about HijackThis... Or Combofix? There must be some other way of progressing.

    *Edit: I know you didn't ask for them but attached are the couple of pictures I spoke about that I took from my phone.

    Attached Files:
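The thread turns on three points: Ian cannot see the flagged .exe in C:\Users\Amy\AppData\Local\Temp\ even with hidden files shown, AVG has also named the Startup folder, and Crush notes that the capital or lower-case 't' in Temp makes no difference. The PowerShell below is an added, read-only triage listing written for this page; it is not from the thread, from PCHF or from AVG. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (Safe Mode is fine), uses `-Force` so that files with the Hidden or System attribute are listed (Explorer's "show hidden files" option still hides protected operating-system files by default), records the Authenticode status and SHA256 of each executable-type file so it can be checked against a vendor's detection page, and shows that the two spellings of the Temp path resolve to the same folder.

```powershell
# Added triage listing (not part of the PCHF thread). Assumes Windows PowerShell 5.1+.
# Read-only: nothing here deletes, moves or quarantines anything.

# Folders named in the thread: the user's local Temp and the two Startup folders.
$folders = @(
    (Join-Path $env:LOCALAPPDATA 'Temp'),          # C:\Users\<name>\AppData\Local\Temp
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

# NTFS folder names are case-insensitive: 'Temp' and 'temp' are the same directory,
# so the capital letter in AVG's message does not point to a different place.
$upper = (Resolve-Path -LiteralPath (Join-Path $env:LOCALAPPDATA 'Temp')).Path
$lower = (Resolve-Path -LiteralPath (Join-Path $env:LOCALAPPDATA 'temp')).Path
"Temp and temp resolve to the same folder: $($upper -eq $lower)"

# Extensions worth a second look in a Temp or Startup folder.
$interesting = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.lnk'

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { "Missing: $folder"; continue }
    "`n== $folder =="
    # -Force includes files carrying the Hidden and/or System attributes.
    Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $interesting } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                Attributes    = $_.Attributes     # watch for Hidden, System
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Signature     = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
}
```

If a file AVG named is absent from this listing as well, the likeliest explanation from the thread itself is that AVG already moved it to its vault on one of the earlier restarts, so the on-disk copy is gone and what keeps coming back is whatever re-creates it at boot; the Startup folder entries and their `.lnk` targets in the second and third listings are the first place to look for that, and the hashes let the logs Crush asked for be compared against a known detection rather than a filename alone.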