"Ads by ShowPassword" malware still alive

Dalgorn

Jan 29, 2014
Hi guys,
I've noticed this "Ads by ShowPassword" today. I don't remember which could be the reason I've been infected, but I've tried several steps. I removed unknown plugins from Firefox and Chrome, I've cleaned the machine with Spybot Search and Destroy, and then I found your page talking about it here: http://malwaretips.com/blogs/showpassword-virus-removal/#uninstall
I followed every step and I send you all my logs, but the problem still persists.
Could you please help me?
 


If it is still showing on the computer, could you please send me a screenshot of it?


To take a screenshot of your screen:
  1. Press the PRINT SCREEN (Print Scr) key on your keyboard.
  2. Now open MS Paint.
  3. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  4. In MS Paint click Edit, and then click Paste.
  5. After this, save the file on your computer by clicking File --> Save.
Add this saved file in your next reply.
 
Hi kuttus, once I've switched on the PC today it seems there is something different (even if I rebooted it yesterday after every scan...). Now I see only white spaces with no ads, something like if he put there the frame for the ad but is unable to load it. I don't know if he still opens other tabs because at the moment I'm not experiencing that problem, but I can't guarantee about what could happen after I'll have posted.
I send you the screenshots you asked me, from Firefox and from Chrome.
Correction: now on Chrome it has also loaded an ad in the frame like yesterday. You can see it in the second picture.

(Firefox)
qj2f.jpg


(Chrome)
wdkc.jpg


(Firefox)
ekg1.jpg


(Firefox)
ewm6.jpg
 
Here is the log.
P.S. Now it has opened again new ads tabs in my Firefox (before the fix, but I tell you this because previously I wrote that maybe that wasn't happening again).
 


Just a moment, I used the FRST before closing my browser, I don't know if it could have been a problem so I did it again doing it, this is the log (maybe the same...).
 


STEP 1: Clean your temporary files to gain more hard drive space and remove the junk files
  1. Download CCleaner from the below link:
    CCLEANER DOWNLOAD LINK (This link will automatically download CCleaner on your computer)
  2. Install CCleaner by following the prompts
  3. Start CCleaner [image: 4l5a4i.png]
  4. Click [image: 16jox2o.png] and choose [image: 5x3nu8.gif]
  5. Uncheck [image: amuvj8.gif]
  6. Then go back to [image: 2jb4qyb.gif] and click [image: nf47ev.gif] to run it.
  7. Exit CCleaner.
On your computer is there any program called GreatArcade Hits, Scorpion Saver, Highlightly?
 
Excuse me, but I can't see the image in point 5 of your post; it says that it has been removed: "5. Uncheck ?"
 
OK, I've cleaned the PC with CCleaner and I've uninstalled Foxtab. I don't have programs named GreatArcade Hits, Scorpion Saver, Highlightly.
The problem persists.
 
STEP 1: Run a scan with OTL by OldTimer
  1. Download the OTL utility using the below link :
    OTL DOWNLOAD LINK (This link will automatically download OTL on your computer)
  2. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    [image: OTL-logo.png]
  3. When the window appears, underneath Output at the top change it to Minimal Output.
  4. Check the boxes beside LOP Check and Purity Check.
  5. Click the Run Scan button.
    [image: OTL.png]
  6. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Please post these 2 logs in your first reply.

Settings You need to Select in OTL
  1. Click the Scan All Users checkbox.
  2. Change Standard Registry to All.
  3. Check the boxes beside LOP Check and Purity Check.
Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: OTL.scr, or OTL.com.
 
Absolutely no, I don't know what it is and I don't use streaming or other strange plugins services or programs.
 
STEP 1: Run the below OTL fix
  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    FF - HKLM\Software\MozillaPlugins\@caminova.com/DjVuPlugin: C:\Program Files (x86)\Caminova\Document Express DjVu Plug-in\npdjvu.dll (Caminova, Inc.)
    FF - HKCU\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0: C:\Users\asus\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1103234-0-npoctoshape.dll (Octoshape ApS)
    FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\asus\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
    FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
    FF - HKCU\Software\MozillaPlugins\thehappycloud.com/HappyCloudPlugin: C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll (The Happy Cloud)
    FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll ()
    [2013/01/01 18:25:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
    [2014/01/29 22:29:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\Firefox\Profiles\7yndtten.default\extensions
    [2013/10/21 19:16:30 | 000,000,000 | ---D | M] (FoxTrick) -- C:\Users\asus\AppData\Roaming\mozilla\Firefox\Profiles\7yndtten.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}
    [2012/12/15 20:12:22 | 000,000,000 | ---D | M] (Memory Fox) -- C:\Users\asus\AppData\Roaming\mozilla\Firefox\Profiles\7yndtten.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
    [2012/12/05 20:55:39 | 000,001,552 | ---- | M] () (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\firefox\profiles\7yndtten.default\extensions\unseen@tangrs.xpi
    [2013/03/22 00:38:14 | 000,107,167 | ---- | M] () (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\firefox\profiles\7yndtten.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}.xpi
    [2014/01/17 12:50:28 | 000,287,587 | ---- | M] () (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\firefox\profiles\7yndtten.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
    [2013/12/20 19:22:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
    [2013/12/20 19:22:02 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2013/12/20 19:22:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions
    
    [2013/12/20 19:22:06 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\anelkojiepicmcldgnmkplocifmegpfj\0.0.0.23_0\
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjlbbjhmpalbgknklblmoieohiflgmpc\1.0_0\
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndchnghhmhihefpdjfkedhcmielpmckc\1.0.0.1_0\
    CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
    O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O8:[b]64bit:[/b] - Extra context menu item: Ritaglia immagine - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
    O8:[b]64bit:[/b] - Extra context menu item: Ritaglia questa pagina - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
    O8:[b]64bit:[/b] - Extra context menu item: Ritaglia selezione - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
    O8:[b]64bit:[/b] - Extra context menu item: Ritaglia URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
    
    O8 - Extra context menu item: Ritaglia immagine - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
    O8 - Extra context menu item: Ritaglia questa pagina - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
    O8 - Extra context menu item: Ritaglia selezione - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
    O8 - Extra context menu item: Ritaglia URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
    O9:[b]64bit:[/b] - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - Reg Error: Value error. File not found
    O9:[b]64bit:[/b] - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Key error. File not found
    
    
    
    :commands
    [emptytemp]
    [reboot]


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  3. Then click the Run Fix button at the top
  4. Let the program run unhindered, reboot when it is done
  5. Attach the new log produced by OTL (C:\_OTL)
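
Added example, not part of the original thread and not OTL's own code: a small Python reviewer that classifies the lines of a fix script shaped like the one above, so the plugins, extension IDs and whole directories it names can be checked against the machine before the fix is run. The patterns are inferred from the lines posted in this thread, and the sample input is constructed.

```python
import re

# Constructed sample in the line shapes of the fix script above; all values are made up.
SAMPLE = r"""
:OTL
FF - HKCU\Software\MozillaPlugins\@example.invalid/Demo: C:\Program Files (x86)\Demo\npdemo.dll (Demo Vendor)
[2013/12/20 19:22:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Demo\extensions
[2014/01/17 12:50:28 | 000,287,587 | ---- | M] () (No name found) -- C:\Users\demo\extensions\{00000000-0000-0000-0000-000000000000}.xpi
CHR - Extension: No name found = C:\Users\demo\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\1.0_0\
O9:[b]64bit:[/b] - Extra Button: Demo - {00000000-0000-0000-0000-000000000000} - Reg Error: Key error. File not found
:commands
[emptytemp]
[reboot]
"""

# Patterns inferred from the lines in the posted script, not from OTL documentation.
RULES = [
    ("firefox_plugin", r"^FF - (?P<key>HK(?:LM|CU)\\.+?): (?P<path>[A-Za-z]:\\.+?)(?: \((?P<vendor>[^()]*)\))?$"),
    ("file_or_dir", r"^\[[\d/]+ [\d:]+ \| [\d,]+ \| (?P<attr>[-\w]{4}) \| \w\] .*? -- (?P<path>.+)$"),
    ("chrome_extension", r"^CHR - Extension: .+? = .*\\Extensions\\(?P<id>[a-p]{32})\\(?P<version>[^\\]+)\\?$"),
    ("ie_entry", r"^O(?P<num>\d+)(?P<x64>:\[b\]64bit:\[/b\])? - (?P<rest>.+)$"),
]

def parse_fix(text):
    """Classify each line of a fix script; unmatched lines are kept in 'unknown'."""
    section, out = None, {"entries": [], "commands": [], "unknown": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith(":"):
            section = line[1:].lower()
        elif section == "commands":
            out["commands"].append(line.strip("[]"))
        else:
            for kind, pattern in RULES:
                m = re.match(pattern, line)
                if m:
                    out["entries"].append({"kind": kind, **m.groupdict()})
                    break
            else:
                out["unknown"].append(line)
    return out

def review(parsed):
    """Paths that name a whole directory, plus whether the script ends with a reboot."""
    dirs = [e["path"] for e in parsed["entries"]
            if e["kind"] == "file_or_dir" and "D" in e["attr"]]
    return {"directories": dirs, "reboots": "reboot" in parsed["commands"]}

if __name__ == "__main__":
    parsed = parse_fix(SAMPLE)
    print(review(parsed), parsed["unknown"])
```

Anything that lands in `unknown` is a line the reviewer could not classify and should be read by hand before the script is used.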