"Ads by ShowPassword" malware still alive

[Dalgorn]

Hi guys,
I've noticed this "Ads by ShowPassword" today, I don't remember wich could be the reason I've been infected but I've tried several steps. I removed unknown plugins from firefox and chrome, I've cleaned the machine with spybot search and destroy and then I found your page talking about it here http://malwaretips.com/blogs/showpassword-virus-removal/#uninstall
I followed every step and I send you all my logs, but the problem still persist.
Could you please help me?

 

[kuttus]

If it is still showing on the computer could you please send me a Screenshots of it?


To Take Screen Of Your Screen.

1. Press PRINT SCREEN (Print Scr) key on Your Keyboard.
2. Now Open MS Paint
3. Open Paint by clicking the Start button
   
   , clicking All Programs, clicking Accessories, and then clicking Paint.
4. In MS Paint Click Edit, and then click Paste.
5. After this Save the File on your computer by Clicking on File --> Save

Add this Saved File in your next Replay

 

[Dalgorn]

Hi kuttus, once I've switched on the pc today it seems there is something different (even if I reboted it yesterday after every scan...). Now I see only white spaces with no ads, something like if he put there the frame for the ad but is unable to load it. I don't know if he still opens other tabs because at the moment I'm not experiencing that problem, but I can't guarantee about what could happen after I'll have posted.
I send you the screenshots you asked me, from Firefox and from Chrome.
Correction: now on Chrome it has also loaded an ad in the frame like yesterday. You can see it in the second picture.

(Firefox)

(Chrome)

(Firefox)

(Firefox)

 

[kuttus]

Download attached fixlist.txt on the same location as FRST (otherwise the fix won't work)


Open FRST, and click Fix. Attach me that report after it is finished.

 

[Dalgorn]

Here is the log.
P.s. Now it has opened again new ads tabs in my firefox (before the fix, but I tell you this because previously I wrote that maybe that wasn't happening again).

 

[Dalgorn]

Just a moment, I used the FRST before closing my browser, I don't know if it could have been a problem so I did it again doing it, this is the log (maybe the same...).

 

[kuttus]

STEP 1: Clean your temporary files to gain more hard drive space and remove the junk files

1. Download Ccleaner from the below link:
   CCLEANER DOWNLOAD LINK (This link will automatically download Ccleaner on your computer)
2. Install Ccleaner by following the prompts
3. Start Ccleaner
   
   
4. Click
   
   and choose
   
5. Uncheck
   
6. Then go back to
   
   and click
   
   to run it.
7. Exit CCleaner.

On your computer is there any program called GreatArcade Hits, Scorpion Saver, Highlightly?

 

[kuttus]

Please do one more thing. Go to Control Panel and remove Foxtab (x32 Version: - FoxTab)

 

[kuttus]

Please do one more thing. Go to Control Panel and remove Foxtab (x32 Version: - FoxTab)

 

[Dalgorn]

Excuse me but I can't see the image in the point 5 of your post, it say that has been removed "5. uncheck ?"

 

[kuttus]

Please proceed with default one...
Please do one more thing. Go to Control Panel and remove Foxtab (x32 Version: - FoxTab) from installed programs.

 

[Dalgorn]

Ok, I've cleaned the pc with ccleaner and I've uninstalled Foxtab, I don't have programs named GreatArcade Hits, Scorpion Saver, Highlightly.
The problem persist.

 

[kuttus]

STEP 1: Run a scan with OTL by OldTimer

1. Download the OTL utility using the below link :
   OTL DOWNLOAD LINK (This link will automatically download OTL on your computer)
2. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
   
   
3. When the window appears, underneath Output at the top change it to Minimal Output.
4. Check the boxes beside LOP Check and Purity Check.
5. Click the Run Scan button.
   
   
6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
   Please post this 2 logs in your first reply..

Settings You need to Select in OTL

1. Click the Scan All Users checkbox.
2. Change Standard Registry to All.
3. Check the boxes beside LOP Check and Purity Check.

Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: OTL.scr, or OTL.com.

 

[Dalgorn]

Here they are, no problem with OTL.

 

[kuttus]

Are you using Octoshape Streaming Services?

 

[Dalgorn]

Absolutely no, I don't know what it is and I don't use streaming or other strange plugins services or programs.

 

[kuttus]

STEP 1: Run the below OTL fix

1. Start OTL.exe
2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
   
   

   :OTL
   FF - HKLM\Software\MozillaPlugins\@caminova.com/DjVuPlugin: C:\Program Files (x86)\Caminova\Document Express DjVu Plug-in\npdjvu.dll (Caminova, Inc.)
   FF - HKCU\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0: C:\Users\asus\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1103234-0-npoctoshape.dll (Octoshape ApS)
   FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\asus\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
   FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
   FF - HKCU\Software\MozillaPlugins\thehappycloud.com/HappyCloudPlugin: C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll (The Happy Cloud)
   FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll ()
   [2013/01/01 18:25:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
   [2014/01/29 22:29:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\Firefox\Profiles\7yndtten.default\extensions
   [2013/10/21 19:16:30 | 000,000,000 | ---D | M] (FoxTrick) -- C:\Users\asus\AppData\Roaming\mozilla\Firefox\Profiles\7yndtten.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}
   [2012/12/15 20:12:22 | 000,000,000 | ---D | M] (Memory Fox) -- C:\Users\asus\AppData\Roaming\mozilla\Firefox\Profiles\7yndtten.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}
   [2012/12/05 20:55:39 | 000,001,552 | ---- | M] () (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\firefox\profiles\7yndtten.default\extensions\unseen@tangrs.xpi
   [2013/03/22 00:38:14 | 000,107,167 | ---- | M] () (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\firefox\profiles\7yndtten.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}.xpi
   [2014/01/17 12:50:28 | 000,287,587 | ---- | M] () (No name found) -- C:\Users\asus\AppData\Roaming\mozilla\firefox\profiles\7yndtten.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
   [2013/12/20 19:22:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
   [2013/12/20 19:22:02 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
   [2013/12/20 19:22:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions
   
   [2013/12/20 19:22:06 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\anelkojiepicmcldgnmkplocifmegpfj\0.0.0.23_0\
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjlbbjhmpalbgknklblmoieohiflgmpc\1.0_0\
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndchnghhmhihefpdjfkedhcmielpmckc\1.0.0.1_0\
   CHR - Extension: No name found = C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
   O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
   O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
   O8:[b]64bit:[/b] - Extra context menu item: Ritaglia immagine - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
   O8:[b]64bit:[/b] - Extra context menu item: Ritaglia questa pagina - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
   O8:[b]64bit:[/b] - Extra context menu item: Ritaglia selezione - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
   O8:[b]64bit:[/b] - Extra context menu item: Ritaglia URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
   
   O8 - Extra context menu item: Ritaglia immagine - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
   O8 - Extra context menu item: Ritaglia questa pagina - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
   O8 - Extra context menu item: Ritaglia selezione - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
   O8 - Extra context menu item: Ritaglia URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
   O9:[b]64bit:[/b] - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - Reg Error: Value error. File not found
   O9:[b]64bit:[/b] - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Key error. File not found
   
   
   
   :commands
   [emptytemp]
   [reboot]

   
   
   NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
3. Then click the Run Fix button at the top
4. Let the program run unhindered, reboot when it is done
5. Attach the new log produced by OTL (C:\_OTL)

 

[Dalgorn]

It's always here... this is the last log from OTL

 

[kuttus]

Is it still showing in all browsers? If yes please restart your computer and check it.

 

[Dalgorn]

Yes I've rebooted again and checked Firefox and Chrome, it's all as before.