Avast didn't catch "AllCheapPrice" virus. Need help removing.

[Mugsy]

(Continued from original post here.)

I'm not sure how, but some malicious website ("4shared"?) was able to install a nasty little virus (malware?) on my PC that is giving me nothing but headaches. I've gone to great lengths to remove it (even finding the little bugger was a chore), yet it STILL seems to keep coming back.

The offending app in question is called "AllCheapPrice", which I eventually discovered on my PC listed as "AAlilCheappPuReiicee", which should give you some idea of the extent they went to hide it to prevent its removal.)

The first sign there was a problem is that logging into Windows (after entering my password) seemed to take longer than usual. And just before my wallpaper appeared, the screen was blank for about a second (presumably while it loaded before anything else.) Then, every webpage link (including Google search results) started redirecting me to the "4shared.com" website. Flash stopped working and my computer stopped playing sounds (clicking on the Volume control slider in the tray only causes it to freeze/crash.) The coup de'gras was when it deleted my Internet networking connection. 

I eventually discovered the "AllCheapPrice" program and corresponding browser add-on was on my PC and uninstalled them. That solved the problem till about my second reboot when the problems returned, only now there is no "AllCheapPrice" (or anything like it) to be found.

And for some odd reason, I can't get Flash to work. If I visit "iHeartRadio", it says I need the Flash plugin. I install it, and still I'm told it's not installed. (yes, Javascript is enabled.)

I've done a complete virus scan of my entire PC using Avast, which found nothing. Ditto for "Spybot Search & Destroy" and (remarkably) even HiJackThis shows no suspect programs running. (Nor does the Running Processes in the Windows Task Manager.)

As a last resort, I finally gave up and downloaded ComboFix (which is a hatchet compared to AV removal scalpels and should only be used as a last resort), which seems to have made my computer usable (for now), but Flash still isn't detected after an install and I have little doubt the malware is still lingering somewhere on my PC just waiting to infect me again.

As you can tell from above, I'm no novice at this, but this has to be the most elusive & persistent piece of malware I've ever come across. The lengths they've gone to make it undetectable... EVEN IN SAFE MODE... is astonishing.

[essexboy]

Hi there, once we have removed this I will show you how to turn on PUP protection and link you to a small programme that will try to stop this happening again (bundled download)

Download OTL  to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

• Select All Users
  
• Select LOP and Purity
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach  both logs

[Mugsy]

Thanks. Attached are the resulting logs.

Note: After I checked "Para-Noid's" first link in the original thread, I downloaded and ran the "MalwareBytes" scanner, which detected 6 remnant mystery files on my PC and removed them (This was AFTER "ComboFix"), so it is entirely possible I finally have a clean system once again. Even Flash seems to be working again. But please check the logs to be sure.

I'm still quite concerned how this even happened in the first place. Something so harmful and difficult to remove (I only made it look easy thanks to 30 years of experience) should never have found its way onto my PC.

Thx.

[Pondus]

I downloaded and ran the "MalwareBytes" scanner, which detected 6 remnant mystery files on my PC and removed them

can you attach that log also

I'm still quite concerned how this even happened in the first place. Something so harmful and difficult to remove (I only made it look easy thanks to 30 years of experience) should never have found its way onto my PC.

did you read my post in the first topic you started.....

Usually AllCheapPrice come bundled with free applications from the internet, such as free softwares, videos, system utilities. When you download and install these free applications you may agree to install the AllCheapPrice program on your computer. For example when you download and install these free programs from Internet you may agree to get AllCheapPrice program and other unknown programs installed together if you just keep click on the I Agree or Accept button during installation setup.

[essexboy]

You look to have got it, there are probably a few orphan registry entries somewhere.  Combofix is not the ideal tool to check for adware as it is not targeted at that, something like AdwCleaner is much better

  Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
  

[Mugsy]

I downloaded and ran the "MalwareBytes" scanner, which detected 6 remnant mystery files on my PC and removed them

can you attach that log also

Unfortunately, MalwareBytes doesn't seem to have created a log file unless I'm just not seeing it (I searched its program folder for any "*.txt" log files.)

I'm still quite concerned how this even happened in the first place. Something so harmful and difficult to remove (I only made it look easy thanks to 30 years of experience) should never have found its way onto my PC.

did you read my post in the first topic you started.....

Yes, thanks. As noted previously, I didn't run or install any unknown app. I simply visited the 4shared website, which was deliberately confusing, "tricking" me into clicking what appeared to be download links but were in fact ads and links to unrelated utilities. So I probably clicked something I shouldn't have.

But the resulting malicious program seems to have found its way onto my pc WAY too easily.

Usually AllCheapPrice come bundled with free applications from the internet, such as free softwares, videos, system utilities. When you download and install these free applications you may agree to install the AllCheapPrice program on your computer. For example when you download and install these free programs from Internet you may agree to get AllCheapPrice program and other unknown programs installed together if you just keep click on the I Agree or Accept button during installation setup.

Nothing prompted me to agree to anything, and I certainly never would have done so knowingly. I know far better than to just click "Yes" or "install" before looking for checkboxes.

Thanks for the feedback. Much appreciated.

[Pondus]

Nothing prompted me to agree to anything, and I certainly never would have done so knowingly. I know far better than to just click "Yes" or "install" before looking for checkboxes.

that is why they are called PUP = Possible Unwanted Program ....as they often dont ask for permission to install

Unfortunately, MalwareBytes doesn't seem to have created a log file unless I'm just not seeing it (I searched its program folder for any "*.txt" log files.)

open Malwarebytes.... at top of the gui > History button > application logs

[Mugsy]

Unfortunately, MalwareBytes doesn't seem to have created a log file unless I'm just not seeing it (I searched its program folder for any "*.txt" log files.)

open Malwarebytes.... at top of the gui > History button > application logs

Thx. It does appear the violator was indeed a "PUP" (though nothing "Possible" about it.)

I attached the log. I also did a screencap b/c it's easier to read:

[Michael (alan1998)]

Your MBAM Logs show nothing except a bit of Adware or as you know it "PUP".

[Mugsy]

Your MBAM Logs show nothing except a bit of Adware or as you know it "PUP".

I guess "Combofix" took care of it then.

Thx.

[Mugsy]

You look to have got it,

It's baaaack. 

I didn't run anything new nor did I revisit the offending website. But all of the sudden after turning on my PC this morning (everything was fine before I powered off last night), the first telltale symptom returned: loss of sound and clicking on the Volume slider causes the slider to freeze.

This is the most persistent virus I've ever seen. It may be in my Boot Sector. That's the only thing left that I can think of (though I would have thought all those repair programs would have caught that.)

[Pondus]

attach new Malwarebytes / OTL and aswMBR logs

Essexboy is notified....

[Mugsy]

I did an immediate scan in Safe Mode and it came up "clean" with "no problems detected". Ditto for a scans using "Spybot" and "Adw".

Here is my MalwareBytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/18/2014
Scan Time: 6:52:41 AM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.15.11
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Mugsy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 300761
Time Elapsed: 2 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

When I first clicked the link to respond to your post, I got a BSoD. Upon reboot, my Internet connection did not connect.

[essexboy]

Could you attach the combofix log please.

[Mugsy]

Could you attach the combofix log please.

I'm not finding one. I searched the entire computer for "Combofix" and only found the app itself. I'd prefer not to run it again.