I got infected right after a Java and Adobe update on my Windows7 machine.
Folder \jnihmpibahpjjmcodbopcpdaelkbpjnc is most likely a randomly generated folder.

Note on malware PriceLess (pops up as Chrome extension, highlights strings for ads):
PriceLess is in folders:
C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser\User Data\Default\Extensions\jnihmpibahpjjmcodbopcpdaelkbpjnc\5.2
C:\Users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\jnihmpibahpjjmcodbopcpdaelkbpjnc\5.2
C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnihmpibahpjjmcodbopcpdaelkbpjnc\5.2
C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\jnihmpibahpjjmcodbopcpdaelkbpjnc\5.2
C:\Users\HomeGroupUser$\AppData\Local\Torch\User Data\Default\Extensions\jnihmpibahpjjmcodbopcpdaelkbpjnc\5.2
Go down to /Extensions in each and delete folder \jnihmpibahpjjmcodbopcpdaelkbpjnc

Do the same for folders:
C:\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions
C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions
C:\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions
C:\Users\Guest\AppData\Local\Torch\User Data\Default\Extensions

Also do the same for folders:
C:\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions
C:\Users\Administrator\AppData\Local\Torch\User Data\Default\Extensions

In each case remove folder /jnihmpibahpjjmcodbopcpdaelkbpjnc,
which contains subfolder /5.2
with files -->
background.html
content.js
lsdb.js
manifest.json --> contains ref to "PriceLess"
r1Iz.js

Do a FindFile search for
*/5.2/r1Iz.js
to make sure you deleted them all

Clear your Recycle Bin
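The folder-by-folder check described in the post above, as an added Python example (not part of the original post). It only reports and deletes nothing. It goes slightly beyond the post by scanning every profile folder under "User Data" rather than only "Default", and by flagging any extension whose manifest.json mentions "PriceLess" even when the folder name differs. The function names and the sample tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Browser folders under each user's AppData\Local, as listed in the post.
BROWSERS = ["Chromatic Browser", "Comodo/Dragon", "Google/Chrome",
            "Google/Chrome SxS", "Torch"]
EXT_ID = "jnihmpibahpjjmcodbopcpdaelkbpjnc"  # folder name from the post
MARKER = "priceless"                          # string found in manifest.json


def scan_users(users_root, ext_id=EXT_ID, marker=MARKER):
    """Read-only scan: return {version_folder: [reasons]} for every extension
    that has the known folder name or whose manifest mentions the marker."""
    hits = {}
    for browser in BROWSERS:
        pattern = f"*/AppData/Local/{browser}/User Data/*/Extensions/*/*"
        for version_dir in sorted(Path(users_root).glob(pattern)):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            reasons = []
            if version_dir.parent.name == ext_id:
                reasons.append("known folder name")
            text = manifest.read_text(encoding="utf-8", errors="ignore")
            if marker in text.lower():
                reasons.append("manifest mentions marker")
            if reasons:
                hits[str(version_dir)] = reasons
    return hits


def build_sample_tree(root):
    """Constructed test data: two flagged extensions and one clean one."""
    samples = [
        ("Guest", "Google/Chrome", EXT_ID, "5.2", {"name": "PriceLess"}),
        ("Administrator", "Torch", "a" * 32, "5.2", {"name": "PriceLess"}),
        ("Guest", "Torch", "b" * 32, "1.0", {"name": "Some benign extension"}),
    ]
    for user, browser, ext, ver, manifest in samples:
        d = Path(root, user, "AppData/Local", browser,
                 "User Data/Default/Extensions", ext, ver)
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # on a real machine: C:/Users
        build_sample_tree(tmp)
        for folder, reasons in scan_users(tmp).items():
            print(folder, "->", ", ".join(reasons))
```

Run it from an account that can read the other users' profile folders, otherwise those profiles are silently skipped.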


Ah ha! It's adware. Your PriceLess malware is adware. Adware is very tricky to remove, well, not really; they're just annoying stuff that pops up all the time.
I recommend trying to go into your Program Files and uninstalling this. If not missed, since this automatically deletes its uninstaller.

1: Download Malwarebytes; if this doesn't work, try SpyHunter. This will check and see if you got the malware installed.

2: This can be uninstalled through Control Panel, Add or Remove Programs.
If you get an error message, try closing all web browsers and try again.

3: Reset all browsers. If you have Chrome:
1: Open Chrome
2: Click on the browser menu (three bars in top right corner)
3: Select the Settings menu option
4: Find a thing called "Show advanced settings"
5: Scroll down all the way, click "Reset browser settings" and click Reset
Restart the browser by opening it again.

If you have IE (Internet Explorer):
Open Internet Explorer
1: Click on the settings wrench icon in top right corner
2: Click on Internet Options
3: Click on the Advanced tab
4: Find the Reset button and click it
5: Click on Delete personal settings
Click Reset
Reset the browser by opening it again

If you have Mozilla Firefox:
Open Mozilla Firefox
1: Click the menu tab (three bars in top right corner)
2: Select Help and Troubleshooting Information
3: Click on Restart Firefox
Click Reset to confirm
Click Finish to restart Firefox

If you want more tools to try out, try SuperAntiSpyware Removal Tool or Junkware Removal Tool, which are at these links:
1: http://www.bleepingcomputer.com/download/junkware-removal-tool/
2: http://www.superantispyware.com/
If all don't work, well, at least I tried to help you, so good luck and hope everything goes well for you.

Regards RobertHDD

Junkware Removal Tool found a few things and removed them, but PriceLess popped up again.

Ok, try looking for related programs such as webcake, search protect, Babylon Toolbar and Babylon chrome toolbar in Programs and uninstall in the control panel. If you tried junkware again and repeating those steps while disconnected from the internet, since this gives you a greater chance of getting rid of priceless, that means it's all gone. If Junkware doesn't work, try it while connected; once it's done, disconnect from internet and try the above steps in my previous post. If that goes good, make sure to have an antivirus installed like Avast or Bitdefender and wipe the remaining viruses off. For all your needs, here's another tool called Kaspersky TDSS KILLER which can find rootkits in a matter of minutes: http://usa.kaspersky.com/downloads/TDSSKiller and good luck while you're disconnected while trying to remove PriceLess Malware

Good Day
From RobertHDD

@RobertHDD
I tried all your suggestions, but to no avail. PriceLess keeps popping up in the Chrome browser extensions.

I took XFind.exe and searched for the string PriceLess and found it in folder ProgramData, hidden in the Wildtangent games that MS shipped with Windows7. I deleted those silly games.

Then I disabled it in the Chrome extension and so far it stays disabled. When I removed it in the past, it simply came back after a few boots.

It is also found in folder:
ProgramData/Microsoft/Application Virtualization Client/Softgrid Client/sftfs.fsd

That is a huge file and I don't want to mess with it. Let's hope it stays disabled in the Chrome extensions.

Since the file manager that comes with Windows7 does not even show folder ProgramData, I used this little Python program to poke around:

''' file_get_full_path2.py
list file names with full path in a given folder and its subfolders
the Windows Explorer file manager does not bring up folder ProgramData
'''

import glob

folder = "C:/programdata/microsoft/application virtualization client"

for full_name2 in glob.glob(folder+"/*/*.*"):
    print(full_name2)

'''
C:/programdata/microsoft/application virtualization client\SoftGrid Client\sftfs.etl
C:/programdata/microsoft/application virtualization client\SoftGrid Client\sftfs.etl.old
C:/programdata/microsoft/application virtualization client\SoftGrid Client\sftfs.fsd
C:/programdata/microsoft/application virtualization client\SoftGrid Client\sftfs.fsG
C:/programdata/microsoft/application virtualization client\SoftGrid Client\shortcut_ex.dat

note:
on my Windows7 computer file sftfs.fsd contains string "PriceLess" (a nasty adware)
'''

print('-'*50)

# more info ...

import os
import stat
import time

# pick a file you have ...
file_name = r"C:/programdata/microsoft/application virtualization client\SoftGrid Client\sftfs.fsd"

file_stats = os.stat(file_name)
file_size_bytes = file_stats[stat.ST_SIZE]
last_modified = time.ctime(file_stats[stat.ST_MTIME])
mode = file_stats[stat.ST_MODE]

print(file_size_bytes)  # 801424592 --> 801,424,592 bytes --> 801 mb
print(last_modified)    # Wed Jan  7 09:36:27 2015
print(mode)  # 33206
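Searching a file as large as sftfs.fsd (about 801 MB above) for the string without loading it into memory, as an added example that is not the poster's code. It reads fixed-size chunks, carries an overlap so a match split across two chunks is still found, and checks both the plain ASCII and the UTF-16LE form of the string, since Windows files often store text as UTF-16. The function names and the sample file are constructed for illustration.

```python
import os
import tempfile


def find_marker(path, marker="PriceLess", chunk_size=1 << 20):
    """Return sorted [(byte_offset, encoding)] for case-insensitive matches
    of marker stored as ASCII or UTF-16LE, reading the file in chunks."""
    needles = {"ascii": marker.lower().encode("ascii"),
               "utf-16le": marker.lower().encode("utf-16le")}
    keep = max(len(n) for n in needles.values()) - 1  # overlap between chunks
    hits, tail, base = set(), b"", 0                  # base = offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = (tail + chunk).lower()
            for name, needle in needles.items():
                pos = window.find(needle)
                while pos != -1:
                    hits.add((base + pos, name))      # set removes overlap repeats
                    pos = window.find(needle, pos + 1)
            tail = window[-keep:]
            base += len(window) - len(tail)
    return sorted(hits)


def build_sample_file(path):
    """Constructed data: ASCII marker at offset 60, UTF-16LE marker at 169."""
    data = (b"\x00" * 60 + b"PriceLess" + b"\xff" * 100
            + "priceless".encode("utf-16le") + b"\x00" * 10)
    with open(path, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        build_sample_file(sample)
        # A 64-byte chunk forces the ASCII match to straddle a chunk boundary.
        for offset, encoding in find_marker(sample, chunk_size=64):
            print(f"offset {offset}: {encoding}")
```

The offsets show where in the file the string sits, which helps decide whether it is embedded data or just a leftover reference.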

Use Linux, problem solved =)

Can you run Linux on a Windows machine? Would that solve the problem?

This might be good: trying to install Windows again. Make sure to have a backup too. But I wouldn't waste time on you, so I think Linux is better since it barely gets attacked. Be warned, this ain't like Windows. I think you will learn more coding through that.

But if you want to reinstall Windows with a USB, I'll put the link here: http://downloads.pcauthority.com.au/article/25017-windows_7_ultimate_sp1_64-bit

Good Day! From Robert

Actually, after removing the contaminated MS installed Wildtangent games, the MS "application virtualization client" complains about not being able to reload a program. It doesn't tell which program it is, but my bet is that it is "PriceLess". So far it has stayed away!

Folks tell me that Linux is not bothered by hackers as much, since it has only a very small user number. I do enjoy Linux on my tiny Raspberry Pi computer.

Well, I almost did it last night when I was going to install 8.1, but changed my mind lol

@sneekula,
the majority of Windows users have no idea on computers whatsoever; their daily use is Facebook, Twitter, Google and clicking links such as "OMFG YOU MUST SEE THIS!!" - with some attractive image under the title. As you are technically running Windows as root, it is easy to get malware to self install and in a way easy to distribute it by hiding it in stuff that the mass of people would fall for. On the other hand, Linux is not so much used as a general OS; people are unaware of it and its capability. I mean, just the idea of making everything (kind of) to be what you want it to is a reason to really go for it. For malware authors, they would indeed aim at an audience that is easier to get infected, grow their botnets or spread their RATs.

Ok so um I went on PCTECHAUTHORITY which never gets infected and they GOT INFECTED While away ON THEIR HOLIDAY!!! Should I report this urgently or just leave it?

Update:
PriceLess has so far stayed away from my Chrome Web Browser extensions. However I can still find references to it, for instance if I save a file without extension then the file manager lists "PriceLess" as the file type. Like I claimed before frigging Windows7 is like Swiss cheese, and has too many places to infect!

All good

You can try running process monitor and try to find out what exactly it does, what it accesses, what registries its modifying if any etc

I gotta fishy feeling of priceless and I'm about to get a sample of it
