Operating System: Windows 7 Ultimate (32-bit)
Antivirus: Avira (and now also Emsisoft Internet Security)
Browser: Firefox 32
A few days ago I installed "Free MKV to AVI Converter". Unwisely, I hastily clicked through the installation process (Is CNET no longer a trustworthy source?). Almost immediately, Avira alerted me to problem files and I noticed Shopping Pro and Neurowise in my Add/Remove window. Alas, my MBAM software was out of date.
I googled some guidelines and started running the gamut of scans and uninstallers, in sequences given by various guidelines: ADWCleaner, RevoUninstaller, HitmanPro, CCleaner, MBAM (updated), Emsisoft, over and over the last 4 days. Also in Safe Mode. Almost all would report malicious or PUP files, which would be cleaned, but then more files would return after a reboot.
I noticed also that User Appdata folders remained hidden even though I've set folder view options to show hidden and system files (the scanning software would often pick up files in these folders). In trying to gain access to these, I foolishly mucked around with user permissions as well and I believe I have made a hash of it. I've also tried installing MVP's host file, as a belated measure and not sure what exactly the malware is aiming at. One time it did replace the original hosts file, but now, when I run the batch file, I get "access denied" messages.
One of these files that persisted especially was a roaming profile for Firefox (prefs.js) but, when reported by ADWCleaner in their Firefox tab, the path and file name are blocked off by 5 hashtags at both ends. E.g.:
##### C:\Users\Guido\AppData\Roaming\Mozilla\Firefox\Profiles\hlvm6kan.default-1410647504070\prefs.js #####
And every now and again Shopping Pro or some other unknown software would reappear in my Add/Remove list. Other names that would be picked up by scanners and removal tools include: Linkury.Gen2, VO Package, Smartbar. I found and deleted, via CCleaner, Installer_geforce in my startup. On some occasions there would be other unknown files in the startup list as well; removed, but they would return.
I've tried restoring my machine to a point before I installed the malware, but Windows was unable to do so. In the meantime, out of desperation (I have a conference paper to write), I started, unwisely I suppose, to run more complicated scanners - Rootkiller before running ADWCleaner etc.
I would reset Firefox, hoping to get rid of that roaming profile, but no go. At some point I would get an error message when trying to open Firefox - that it was already running. I thus uninstalled it, installed an older Firefox, etc., but to no avail. (I'm back with the latest Firefox.)
Finally, last night, I ran scans based on a thread at Bleeping Computer (http://www.bleepingcomputer.com/forums/t/538539/vo-package-virussearch-protect-deleting-control-panel/):
- Windows Repair (All-in-one)
- ESET online scanner
- Junkware Removal Tool
I then ran RogueKiller, Avast Browser Cleanup, and some of the above again. Avira also, which picked up about 70 Linkury.Gen2 files. But ADWCleaner still lists that hash-tagged roaming Firefox profile, so I doubt that, after 4 days of scans, I am rid of the malware.
The question now is: Cleaning via, hopefully, BleepingComputer help, or a reinstallation (and all the user tweaking and Windows updating that that involves)? And also, is it reasonably safe to work on this machine? (My documents are saved on another partition).