Author Topic: Avast! Popup Malicious URL Blocked


Jamespb

  • Guest
Avast! Popup Malicious URL Blocked
« on: October 18, 2011, 07:24:15 AM »
I followed DavidR's instructions to the best of my ability

I am getting a red Avast! pop up periodically as follows:

Malicious URL blocked
Avast! Network shield has blocked.....
Object:http://www.mp3codec.net/pldl.php
Infection: URL:Mal
Process: C:\windows\system32\svchost.exe

My System:Windows Vista Home Premium Service Pack 2 (build 6002)

I have run
Avast! full scan
And Boot time scan
Malwarebytes full scan
Trendmicro (free) online scanner
Also another tool i had not heard of previously tdsskiller.

I deleted a suspicious file in the Temp folder pl.exe

I might add that when I log on as an alternate user the problem does not seem to occur.

Thanks Jamespb

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89351
  • No support PMs thanks
Re: Avast! Popup Malicious URL Blocked
« Reply #1 on: October 18, 2011, 02:44:59 PM »
Well as you mentioned before MBAM found nothing.

The aswMBR.exe is reporting an Unknown MBR code (e.g. not the default MBR code), this can indicate the presence of an MBR rootkit, but it can also mean nothing more than you have a customised system, like a Dell, HP, etc. These may have a custom MBR to allow for use of their recovery partition, to restore your system back to the factory settings. Is your system from a major computer manufacturer like Dell, HP ?
The tdsskiller is also looking for rootkits, specifically TDSS variants; I assume it didn't find anything?

The OTL logs will have to be analysed by a specialist, when he is on-line.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
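The "Unknown MBR code" question above comes down to one check: does the 440 bytes of boot code at the start of the disk match boot code you already trust? The script below is an added example, not something from this thread or from aswMBR. It parses a raw 512-byte MBR, hashes the boot code, lists the partition entries, and points out partition types that OEM recovery or diagnostic tooling typically creates (the Compaq/HP diagnostics type is what a Presario would be expected to carry). The allowlist of SHA-256 hashes is an assumption you have to fill from boot sectors of machines you know to be clean; none are supplied here, and the sample MBR is constructed, not a real disk.

```python
"""Parse a raw 512-byte MBR and compare its boot code against an allowlist.

Added example, not from the thread. To read the live MBR on Windows, run as
Administrator and pass open(r"\\.\PhysicalDrive0", "rb").read(512). The
allowlist of SHA-256 hashes is an assumption: build it from boot sectors of
machines you know to be clean (same OEM image); it is not supplied here.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot code executed by the BIOS
DISK_SIG_OFF = 440            # bytes 440-443: Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511

# Partition types commonly created by OEM recovery/diagnostic tooling. A custom
# MBR sitting next to one of these is the "customised system" case, not proof
# of a bootkit.
OEM_PARTITION_TYPES = {
    0x12: "Compaq/HP diagnostics",
    0x27: "hidden NTFS / Windows RE",
    0xDE: "Dell utility",
}


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    partitions = []
    for idx in range(4):
        off = PART_TABLE_OFF + idx * 16
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": idx,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })

    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def classify_mbr(mbr: bytes, known_boot_hashes: set) -> dict:
    """Label the boot code 'known' or 'unknown' and note any OEM-style partitions.

    An 'unknown' verdict alone is not a bootkit finding: confirm against a clean
    image of the same OEM model, or dump the 440 bytes and disassemble them.
    """
    info = parse_mbr(mbr)
    oem_hints = [OEM_PARTITION_TYPES[p["type"]] for p in info["partitions"]
                 if p["type"] in OEM_PARTITION_TYPES]
    verdict = "known" if info["boot_code_sha256"] in known_boot_hashes else "unknown"
    return {"verdict": verdict, "oem_partition_hints": oem_hints, **info}


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk: placeholder boot code, two partitions."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOT_CODE_LEN] = bytes(range(256)) + bytes(range(BOOT_CODE_LEN - 256))
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0xDEADBEEF)
    # entry 0: bootable NTFS (0x07) at LBA 2048; entry 1: Compaq diagnostics (0x12)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 200_000_000)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16, 0x00, 0x12, 200_002_048, 2_000_000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    print(classify_mbr(build_sample_mbr(), known_boot_hashes=set()))
```

Run it against the live disk only after you have a hash from a known-clean machine of the same model; on its own, "unknown" just restates what aswMBR already told you. A bootkit that hooks the boot code usually leaves the partition table untouched, so a sane-looking table is not reassurance either; the boot code hash is the part that matters.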

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast! Popup Malicious URL Blocked
« Reply #2 on: October 18, 2011, 07:39:29 PM »
On completion of this run can you let me know if the mal url continues

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O3 - HKU\S-1-5-21-1916948713-297805433-2369559756-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1916948713-297805433-2369559756-1001\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
    [2011/10/18 00:11:01 | 000,000,493 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89351
  • No support PMs thanks
Re: Avast! Popup Malicious URL Blocked
« Reply #3 on: October 18, 2011, 07:48:56 PM »
Thanks for joining the topic essexboy.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast! Popup Malicious URL Blocked
« Reply #4 on: October 18, 2011, 08:20:48 PM »
Keeps me out of the pub  ;D

Jamespb

  • Guest
Re: Avast! Popup Malicious URL Blocked
« Reply #5 on: October 19, 2011, 12:03:08 AM »
Problem appears solved. Much thanks.
The question was posed about the OEM: it is a Compaq Presario C769US.
I see from the OTL log that the hosts file was deleted/replaced fresh. Can I overwrite this with the Spybot default hosts file? I see that 2 files were deleted from a folder I created for this situation:
C:\Users\James\Popup BS Fix\cmd.bat deleted successfully.
C:\Users\James\Popup BS Fix\cmd.txt deleted successfully.
I did not see these in that folder; if you could explain to me what happened I'd enjoy the knowledge. Attached file per your request. PS: I'm glad I kept you out of the pubs :-)
Cheers
Jamespb

YoKenny

  • Guest
Re: Avast! Popup Malicious URL Blocked
« Reply #6 on: October 19, 2011, 12:08:38 AM »
Spybot HOSTS file is useless and not well maintained.

The hpHosts and MVPS HOST files are much better maintained.

http://winhelp2002.mvps.org/hosts.htm

Jamespb

  • Guest
Re: Avast! Popup Malicious URL Blocked
« Reply #7 on: October 19, 2011, 03:36:06 AM »
OK YoKenny, I took your advice and substituted the hosts file with the one you suggested. Thanks.
Have you replied for essexboy? I had a few questions I had posed for him [note above] about my issue. Although it was solved, I was just curious about a few things.
 Cheers
Jamespb

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33937
  • malware fighter
Re: Avast! Popup Malicious URL Blocked
« Reply #8 on: October 19, 2011, 10:30:35 AM »
Hi YoKenny,

Also consider this info: http://www.threatexpert.com/report.aspx?md5=10a7fdacbebe7164b47da0a3e873eb71
because of request for GET /pixel/18410 HTTP/1.1
Host: -dm.demdex.net see: http://www.malware-control.com/statics-pages/059b40f6f5eafc7324fa78f1027b4aa5.php

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast! Popup Malicious URL Blocked
« Reply #9 on: October 19, 2011, 07:42:17 PM »
OK the problem was in the Host.ics file which I deleted and then reset the main host file to default.  The command files that were deleted were created by the malware and were set as hidden - but OTL could see them and delete them   ;D

So the redirects are now history ?

Jamespb

  • Guest
Re: Avast! Popup Malicious URL Blocked
« Reply #10 on: October 19, 2011, 11:23:15 PM »
I had been through the etc folder and scrutinized, then edited, the hosts file to ignore the redirect site, trying for a fix, to no avail. I do know that the etc folder contains other host-type files and left them alone. ICS is apparently an Outlook-related file; I did not touch it or try to view it. I see the hosts.ics is again present in the etc folder; I'm assuming it was replaced with a fresh/clean file. This is my sister's PC and I had not enabled viewing hidden files and extensions as I normally would, hence my not seeing the cmd.bat and cmd.txt.
So Cheers to you

The redirects are gone, thank you for your time.
Excellent

Jamespb

Jamespb

  • Guest
Re: Avast! Popup Malicious URL Blocked
« Reply #11 on: October 19, 2011, 11:24:47 PM »
Incidentally, I am still confused as to why an ics file would shoot me to a malicious site.
hmm
Cheers
Jamespb

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast! Popup Malicious URL Blocked
« Reply #12 on: October 19, 2011, 11:37:13 PM »
It is a very old trick - replacing the legitimate ICS with a bad one. 

Run otl and press the cleanup button to remove it and its components  ;D
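The "very old trick" essexboy refers to works because the Windows resolver reads hosts.ics (normally written by Internet Connection Sharing) in the same folder as hosts, so a replaced hosts.ics redirects names even when hosts itself has been inspected and cleaned, which is exactly what Jamespb ran into. The script below is an added example, not part of the thread and not OTL; it is the check a responder would run next time before reaching for a fix script. It parses both files, and separates blocklist-style entries (the sinkhole addresses that the MVPS and hpHosts files YoKenny recommends use) from entries that send a name somewhere else on the network. The sample hosts.ics content is constructed, and 203.0.113.10 is a documentation address, not a real redirect target.

```python
"""Audit hosts and hosts.ics for entries that redirect names off the local machine.

Added example, not part of the thread or of OTL. The resolver consults
hosts.ics alongside hosts, so both files are checked. The sample content is
constructed; 203.0.113.0/24 is a documentation range (RFC 5737).
"""
import ipaddress
from datetime import datetime
from pathlib import Path

ETC_DIR = Path(r"C:\Windows\System32\drivers\etc")
HOSTS_FILES = ("hosts", "hosts.ics")


def parse_hosts(text: str) -> list:
    """Return (line_number, ip, hostname) for every mapping; comments are dropped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        entries.extend((line_no, ip, name.lower()) for name in names)
    return entries


def redirect_entries(text: str) -> list:
    """Mappings that point a hostname at something other than a sinkhole address.

    Blocklists (MVPS, hpHosts) map names to 127.0.0.1 or 0.0.0.0, which blocks
    them; any other address redirects the name. Legitimate intranet entries will
    appear here too, so each hit is reviewed rather than deleted blindly.
    """
    hits = []
    for line_no, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((line_no, ip, host))
    return hits


def audit_directory(etc_dir: Path = ETC_DIR) -> dict:
    """Size, mtime and redirect entries for each hosts file present in etc_dir.

    A hosts.ics that exists on a machine that never used Internet Connection
    Sharing, with a recent mtime, is the artefact to look at first.
    """
    report = {}
    for name in HOSTS_FILES:
        path = etc_dir / name
        if not path.exists():
            report[name] = {"present": False}
            continue
        stat = path.stat()
        report[name] = {
            "present": True,
            "size": stat.st_size,
            "modified": datetime.fromtimestamp(stat.st_mtime).isoformat(timespec="seconds"),
            "redirects": redirect_entries(path.read_text(encoding="utf-8", errors="replace")),
        }
    return report


# Constructed sample modelled on a malicious hosts.ics; not a real capture.
SAMPLE_HOSTS_ICS = """\
# constructed sample, not a real hosts.ics
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocklist-style entry, harmless
203.0.113.10    www.google.com
203.0.113.10    search.yahoo.com
203.0.113.10    www.bing.com
not-an-ip       junk
"""


if __name__ == "__main__":
    for entry in redirect_entries(SAMPLE_HOSTS_ICS):
        print("redirect:", entry)
    if ETC_DIR.exists():
        print(audit_directory())
```

Run it from an elevated prompt on the affected profile; if hosts.ics shows up with a handful of search-engine or security-vendor names pointed at one outside address, that file is the redirect, and resetting only hosts will not clear it.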

Jamespb

  • Guest
Re: Avast! Popup Malicious URL Blocked
« Reply #13 on: October 20, 2011, 12:30:54 AM »
Ok thanks again for the help