Malicious URL being blocked repeatedly

Using Firefox, every time I open a new tab I get this little popup:

Infection Details
URL: hxxp://includeit.info/include.js?id
Process: E:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.12.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Kat :: KAT-PC [administrator]

Protection: Enabled

7/12/12 11:04:21
mbam-log-2012-07-12 (11-04-21).txt

Scan type: Full scan (C:|E:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 454282
Time elapsed: 30 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
E:\$RECYCLE.BIN\S-1-5-21-2621000531-1797798595-3892017207-1000\$R79QPD3.exe (PUP.Adware.Agent) → Quarantined and deleted successfully.

(end)

After this scan was done I immediately did a restart as it prompted. Upon rebooting I was still getting that little popup on every new tab.

I only got the otl.txt log out of the otl scan so I’m assuming I did something wrong but I’m not sure what. :expressionless:

Thank you so much for whatever help you are able to offer!

And the last bit

Thank you for posting your logs. I am going to refer you to our Certified Malware specialist, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine since you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal instructions; use a different machine to check email, sync your phone or other devices with this machine.

Let us know if you have any questions. Thank you.

Let me know if this stops it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
[2011/10/27 21:10:47 | 000,000,000 | ---D | M] (Complitly - Speed up your search with your personal search suggestions tool) -- E:\Users\Kat\AppData\Roaming\Mozilla\Firefox\Profiles\c5nntu90.default\extensions\{33e0daa6-3af3-d8b5-6752-10e949c61516}
[2010/11/21 13:19:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/01 16:35:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/03 08:15:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/13 13:19:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/18 18:23:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
O2:64bit: - BHO: (Complitly) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - E:\Users\Kat\AppData\Roaming\Complitly\64\Complitly64.dll (SimplyGen)
O2 - BHO: (Complitly) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - E:\Users\Kat\AppData\Roaming\Complitly\Complitly.dll (SimplyGen)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

:Files
ipconfig /flushdns /c
E:\Users\Kat\AppData\Roaming\Complitly

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Everything seems to be back the way it should be. I’ve got the log that popped up on reboot and the one after I ran a quick scan, so I’m putting both in here (even though I don’t think you need the first one, always pays to be thorough right?).

Thank you so much for your patience and time. This was the first time I couldn’t figure the damn thing out myself through google. . .I think the constant malware alerts were freaking me out. As well I have a friend visiting from Australia (I live in Alaska) so trying to figure it out on my own in the two hours I have before he wakes up in the morning just wasn’t gonna cut it. Heh. So you’ve double saved me! (I don’t think I can fully relax on vacation knowing my computer is potentially borked)

It was the Complitly toolbar that was the source… So be careful what toolbars you have…
All I have is Roboform ;D

When you are happy then run OTL and hit the CleanUp button to remove it

Typically I don’t allow any toolbars, so I must have somehow let one slip by. . .good job me! Cheers man, thanks for being awesome. :slight_smile:
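Added example, not part of the thread and not anyone's posted code: a small triage parser for the four entry shapes that appear in the OTL fix above (Firefox pref, Firefox extension directory, O2 BHO, O16 DPF). It flags browser components that load from a per-user AppData path, which is where the Complitly entries sit here. The patterns cover only the line shapes seen in this thread, and treating the AppData location as a review signal is an assumption of the example, not something the thread states.

```python
import re

# Entries copied from the OTL fix posted in this thread, one per line.
SAMPLE = r"""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
[2011/10/27 21:10:47 | 000,000,000 | ---D | M] (Complitly - Speed up your search with your personal search suggestions tool) -- E:\Users\Kat\AppData\Roaming\Mozilla\Firefox\Profiles\c5nntu90.default\extensions\{33e0daa6-3af3-d8b5-6752-10e949c61516}
[2010/11/21 13:19:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
O2:64bit: - BHO: (Complitly) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - E:\Users\Kat\AppData\Roaming\Complitly\64\Complitly64.dll (SimplyGen)
O2 - BHO: (Complitly) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - E:\Users\Kat\AppData\Roaming\Complitly\Complitly.dll (SimplyGen)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
# One pattern per entry shape seen in the fix; not a full OTL log grammar.
PATTERNS = [
    ("ff_pref", re.compile(rf"^FF - prefs\.js\.\.extensions\.enabledItems: (?P<guid>{GUID}):(?P<version>\S+)$")),
    ("ff_ext_dir", re.compile(rf"^\[[^\]]+\] \((?P<name>.+?)\) -- (?P<path>.+\\(?P<guid>{GUID}))$")),
    ("bho", re.compile(rf"^O2(?::64bit:)? - BHO: \((?P<name>.+?)\) - (?P<guid>{GUID}) - (?P<path>.+?) \((?P<vendor>[^()]+)\)$")),
    ("activex", re.compile(rf"^O16 - DPF: (?P<guid>{GUID}) (?P<path>\S+) \((?P<name>.+)\)$")),
]
# Assumption of this example: a component under <drive>:\Users\<name>\AppData\
# was installed per-user rather than into Program Files and deserves review.
USER_PROFILE = re.compile(r"(?i)^[a-z]:\\Users\\[^\\]+\\AppData\\")

def parse(text):
    """Turn recognised entries into dicts; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                rec = {"kind": kind, **m.groupdict()}
                rec["in_user_profile"] = bool(USER_PROFILE.match(rec.get("path", "")))
                records.append(rec)
                break
    return records

def suspects(records):
    """Short names of components that load from a per-user AppData path."""
    return sorted({r["name"].split(" - ")[0] for r in records if r["in_user_profile"]})

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec["kind"], rec.get("name", rec["guid"]), rec["in_user_profile"])
    print("review:", suspects(parse(SAMPLE)))
```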