Author Topic: Malicious URL Blocked on every site I visit.  (Read 10002 times)


Rockbear99

  • Guest
Malicious URL Blocked on every site I visit.
« on: July 06, 2012, 07:22:05 PM »
First I must apologize. I don't know much about code and software stuff like that, so you may have to talk to me like a child.

Since July 5th I have been getting this on every site I visit.
Infection Details
URL:   http://includeit.info/include.js?id
Process:   C:\Program Files (x86)\Mozilla Firefox\f...
Infection:   URL:Mal

avast! saved your computer from crashing
You just dodged a bullet

You may be wondering how you ended up with a virus, especially if you were visiting a ‘normal’ site. The latest research from the avast! Virus Lab shows that more than 80% of malware (viruses, spyware, and the like) spreads through legitimate websites, with only 1% coming from suspicious or ‘dodgy’ sites.

Good thing avast! had your back.

I have run the computer scan and it shows everything working OK and clean. Also use CCleaner and that comes up OK too. I am not sure what to do next. Sorry if this is a repeat topic, but I just joined today and have only done a little research on this.

Rockbear99

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #1 on: July 06, 2012, 07:23:15 PM »
Sorry, I forgot: I am using Firefox and it does not seem to happen on IE.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Malicious URL Blocked on every site I visit.
« Reply #2 on: July 06, 2012, 07:42:17 PM »
Sophos gives this as a suspicious site, so break that link (change hxtp for http or wXw for www).
See: http://urlquery.net/report.php?id=84074

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked on every site I visit.
« Reply #3 on: July 06, 2012, 07:44:04 PM »
Hi there, let's have a look at the system.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

sifo69

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #4 on: July 06, 2012, 07:51:39 PM »
I too am receiving the same message as Rockbear99.
It is blocking depositfile.com but comes up with domtrot.com.
Had no problems before last Avast update.

P.S
As a dyslexic, I hate these bloody Captchas.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Malicious URL Blocked on every site I visit.
« Reply #5 on: July 06, 2012, 07:54:16 PM »
Quote
As a dyslexic, I hate these bloody Captchas.
That only happens on the first 3 posts... spam protection. ;)

OBS... if you need help....start your own topic where you explain the problem

cgilley

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #6 on: July 06, 2012, 08:57:08 PM »
Same issue on my end, although I'm not going to attribute it to Avast.
I've scanned my wife's hard drive off-line with a known clean system; most files that are tagged as suspicious are cleaned. So, my theory is that includeit.info has been hacked. The JavaScript shows an attempt to touch include it . info / scripts which is out in Russia somewhere.

I'll try the system tool mentioned by the above poster.

The version I'm running is 7.0.1456.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: Malicious URL Blocked on every site I visit.
« Reply #7 on: July 06, 2012, 09:09:30 PM »
The tools shouldn't be run with the guidance of a malware removal specialist, and then as mentioned in your own topic as all fixes, etc. are unique to the user's logs/system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Rockbear99

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #8 on: July 07, 2012, 03:33:03 AM »
Tried to do the scan and it goes into a not responding state when it gets to Scanning Firefox Settings. It has been going at that spot for 30 min now.

Rockbear99

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #9 on: July 07, 2012, 03:57:23 AM »

Sorry, it just finished. I guess I was not patient enough LOL

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked on every site I visit.
« Reply #10 on: July 07, 2012, 01:56:17 PM »
When this run is complete can you let me know if the alerts have ceased

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
    IE - HKU\S-1-5-21-2078843078-1231484962-1418948643-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
    IE - HKU\S-1-5-21-2078843078-1231484962-1418948643-1000\..\SearchScopes\{E163AE6E-254C-5FF4-BE33-4CBD31D63F5C}: "URL" = http://dm.startnow.com/s/?q={searchTerms}&src=defsearch&provider=bing&provider_name=bing&provider_code=Z055&partner_id=195&product_id=611&affiliate_id=&channel=dm5&toolbar_id=200&toolbar_version=2.1.0&install_country=US&install_date=20110624&user_guid=64B644223281474280BABB7F96F27290&machine_id=fba6c041dc2d0fa5774b4af80b34e0ff&browser=IE&os=win&os_version=6.0-x64-SP2&iesrc={referrer:source}
    FF - prefs.js..browser.search.defaultthis.engineName: "vshare.tv Bar Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2818425&SearchSource=3&q={searchTerms}"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
    FF - user.js..keyword.URL: "http://zinkwink.com/?tmp=redir_bho_bing&prt=zsharefqbho&keywords="
    FF - user.js..keyword.enabled: 1
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ClickPotatoLite@ClickPotatoLite.com: C:\Program Files (x86)\ClickPotatoLite\bin\10.0.519.0\firefox\extensions [2010/07/23 21:53:15 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files (x86)\Object\facetheme [2011/06/26 12:18:36 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files (x86)\Object\facetheme [2011/06/26 12:18:36 | 000,000,000 | ---D | M]
    [2011/09/18 13:02:09 | 000,000,000 | ---D | M] (Complitly - Speed up your search with your personal search suggestions tool) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\k4gvhtxw.default\extensions\{33e0daa6-3af3-d8b5-6752-10e949c61516}
    [2012/05/30 19:48:45 | 000,000,000 | ---D | M] (vshare.tv Community Toolbar) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\k4gvhtxw.default\extensions\{7aeb3efd-e564-43f1-b658-5058a7c5743b}
    [2010/10/10 14:46:45 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\k4gvhtxw.default\extensions\vshare@toolbar
    O2:64bit: - BHO: (Complitly) - {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - C:\Users\Ross\AppData\Roaming\Complitly\64\Complitly64.dll (SimplyGen)
    O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
    O2 - BHO: (Facetheme) - {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - C:\Program Files (x86)\Object\bho_project.dll (InternetEngine)
    O2 - BHO: (Complitly) - {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - C:\Users\Ross\AppData\Roaming\Complitly\Complitly.dll (SimplyGen)
    O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-2078843078-1231484962-1418948643-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-2078843078-1231484962-1418948643-1000\..\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-2078843078-1231484962-1418948643-1000\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-2078843078-1231484962-1418948643-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-2078843078-1231484962-1418948643-1001\..\Toolbar\WebBrowser: (no name) - {9565115D-C7D6-46D3-BD63-B67B481A4368} - No CLSID value found.
    O3 - HKU\S-1-5-21-2078843078-1231484962-1418948643-1001\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    [2010/07/23 21:53:15 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\ClickPotatoLite
    [2011/09/18 13:02:02 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Complitly

    :Files
    ipconfig /flushdns /c
    C:\Program Files (x86)\ConduitEngine
    C:\Program Files (x86)\Object
    C:\Program Files (x86)\ClickPotatoLite

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
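
A way to triage the Firefox lines of an OTL log like the one in the fix above, as an added example that is not part of the original thread or of OTL. It parses the `FF - prefs.js..` and `FF - user.js..` entries and flags URL-valued preferences whose host is not on a reviewer-chosen allowlist, plus anything set through user.js; the allowlist and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Lines in the format OTL prints for Firefox preferences, copied from the
# fix script in the post above.
SAMPLE_LOG = r'''
FF - prefs.js..browser.search.defaultthis.engineName: "vshare.tv Bar Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2818425&SearchSource=3&q={searchTerms}"
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - user.js..keyword.URL: "http://zinkwink.com/?tmp=redir_bho_bing&prt=zsharefqbho&keywords="
FF - user.js..keyword.enabled: 1
'''

# Assumption for this example: hosts the reviewer accepts as search providers.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

LINE_RE = re.compile(
    r'^FF - (?P<file>prefs\.js|user\.js)\.\.(?P<pref>[^:]+): (?P<value>.*)$')

def parse_ff_prefs(log_text):
    """Return (file, pref, value) for each 'FF - <file>..<pref>: <value>' line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["file"], m["pref"], m["value"].strip('"')))
    return entries

def review(entries):
    """Flag URL prefs on unlisted hosts and every pref that comes from user.js."""
    findings = []
    for file, pref, value in entries:
        is_url = value.startswith(("http://", "https://"))
        host = urlsplit(value).hostname if is_url else None
        reasons = []
        if host and host not in ALLOWED_SEARCH_HOSTS:
            reasons.append(f"points at unlisted host {host}")
        if file == "user.js":
            # user.js is re-applied at every Firefox start, so a value set
            # there returns even after the user changes it in the browser.
            reasons.append("set in user.js (re-applied at startup)")
        if reasons:
            findings.append((pref, host, reasons))
    return findings

if __name__ == "__main__":
    for pref, host, reasons in review(parse_ff_prefs(SAMPLE_LOG)):
        print(f"{pref}: {'; '.join(reasons)}")
```
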

Rockbear99

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #11 on: July 07, 2012, 09:18:16 PM »
You are a godsend thank you very much

chlselyn

  • Guest
Re: Malicious URL Blocked on every site I visit.
« Reply #12 on: July 07, 2012, 09:33:47 PM »
Essexboy, I'm having the same problems-- your post says other users shouldn't use the same solution, so can you help me as well?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76014
    • >>>  Avast Forum - German-language section  <<<
Re: Malicious URL Blocked on every site I visit.
« Reply #13 on: July 07, 2012, 09:37:49 PM »
Quote
Essexboy, I'm having the same problems-- your post says other users shouldn't use the same solution, so can you help me as well?

Please start a new topic and post your logs there.
http://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast things worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked on every site I visit.
« Reply #14 on: July 08, 2012, 12:04:02 AM »
@Rockbear99, has that cleared the problem?