Google Redirect and Avast Malicious URL

I have been hit with the same virus many others have.

When doing a Google search and clicking on a safe link I get redirected to various random sites.

I am also getting a pop-up from Avast. I don't have the exact details of the Avast pop-up, as I can't get it to pop up now when I actually need it, but it is something along the lines of:

Malicious URL Blocked
64.111.211.150
c:/documentsandsettings/???/sysmapdb.dll
URL: Mal

This seems to have spread to all users on the computer.

I have tried multiple scanners (MalwareBytes, Avast, Ad-Aware, TDSSKiller).
None of them have returned any infections at all.

I have attached my first scan with OTL; this was my first time using this program. I left all of the settings at the default and checked "Scan All Users".

When I load OTL, Avast pops up and says it's potentially unsafe and gives the option to "open in sandbox"; this is what I did.

> When I load OTL, Avast pops up and says it's potentially unsafe and gives the option to "open in sandbox"; this is what I did.

You should not run it in the sandbox.

Anyway, essexboy prefers the OTS log, so you can follow the guide here:
http://forum.avast.com/index.php?topic=53253.0

Essexboy is notified…it may be some hours before he arrives

OK I have attached the scanned version of OTS.
Thanks

Do you have a bad hosts file?

////////////////////////////////////////////////////////////////////
O1 HOSTS File: ([2010/03/23 07:56:03 | 000,379,997 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com

////////////////////////////////////////////////////////

Run: [Sysmapdb] C:\Documents and Settings\Steve's\Local Settings\Application Data\DirectAuthenticationcdrom\Sysmapdb.dll ()

Sysmapdb.dll: send it to VT (http://www.virustotal.com), show the result on the forum, and send the sample to the laboratory (virus@avast.com).

http://www.freedrweb.com/cureit/how_it_works/

Dr.Web CureIt! will correct the hosts file.

No problem, I can use either OTL or OTS - me clever clogs ;D

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O4 - HKU\S-1-5-21-2234471834-1297456408-683464090-1015..\Run: [Sysmapdb] C:\Documents and Settings\Steve's\Local Settings\Application Data\DirectAuthenticationcdrom\Sysmapdb.dll ()
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
[2011/05/27 21:22:42 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~24567588r
[2011/05/27 21:22:01 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~24567588
[2011/05/27 21:21:47 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\24567588

:Files
ipconfig /flushdns /c
C:\Documents and Settings\Steve's\Local Settings\Application Data\DirectAuthenticationcdrom

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
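Pondus's hosts-file question above and the fix script essexboy wrote (the O4 Run entry, the O20 Winlogon\Notify entry and the [resethosts] command) are the same triage a cleaner does by eye on an OTL/OTS log. The script below is an added example, not code from this thread, from OTL/OTS or from Avast: it parses the three line formats quoted above from a constructed sample and applies those checks. The protected-domain list, the 203.0.113.5 hijack address, the nulled www.avast.com line and the HKLM Run entry in the sample are assumptions made for the example, not indicators from the logs. Note what it does not flag: every hosts entry actually quoted in the OTS log maps an ad/tracking domain to 127.0.0.1, which is what a deliberately installed blocklist looks like, so none of those lines produce a finding; a hijacked hosts file instead points a legitimate domain at a real address, or nulls a security vendor's domain so the scanner cannot update.

```python
"""Triage helper for the OTL/OTS log lines discussed in this thread.

Added example, not code from the thread, from OTL/OTS or from Avast. It parses
three line formats seen above (O1 hosts lines, O4 Run entries, O20
Winlogon\\Notify entries) and applies the checks a cleaner makes before
writing a fix script.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    check: str
    detail: str


# Addresses a blocklist-style hosts file maps unwanted domains to.
NULL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed list (not from the thread): domains the machine must resolve
# correctly. A blocklist never needs to touch these; hijackers do, either to
# redirect searches or to stop security tools from updating.
PROTECTED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "avast.com",
                     "microsoft.com", "malwarebytes.org", "virustotal.com")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<addr>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\]\s+"
                    r"(?P<target>.*?)\s*\((?P<vendor>[^)]*)\)\s*$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): "
                       r"DllName - (?P<dll>\S+) - (?P<status>.+)$")
# Per-user, user-writable location on Windows XP: no admin rights needed to drop here.
PROFILE_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\", re.I)


def is_protected(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = HOSTS_RE.match(line)
        if m:
            addr, host = m.group("addr"), m.group("host")
            if host.lower() == "localhost":
                continue
            if addr not in NULL_ADDRS:
                # Only a hijack points a name at a real address.
                findings.append(Finding("hosts-hijack", f"{host} -> {addr}"))
            elif is_protected(host):
                # Nulling a protected domain blocks updates or search, not ads.
                findings.append(Finding("hosts-blocks-protected", f"{host} -> {addr}"))
            continue

        m = RUN_RE.match(line)
        if m:
            target, vendor = m.group("target"), m.group("vendor").strip()
            if PROFILE_DATA_RE.search(target):
                # Heuristic, not proof: legitimate updaters live here too, but an
                # autostart with no company name in a user profile directory is
                # the pattern of a dropped payload. Hash it and look it up on VT.
                tag = "no vendor" if not vendor else f"vendor {vendor!r}"
                findings.append(Finding("autostart-in-profile",
                                        f"[{m.group('name')}] {target} ({tag})"))
            continue

        m = NOTIFY_RE.match(line)
        if m and "not found" in m.group("status").lower():
            # Dangling Winlogon\Notify entry: a cleanup item (usually a leftover
            # from an uninstalled product), but Winlogon keeps trying to load it.
            findings.append(Finding("notify-orphaned",
                                    f"{m.group('name')}: {m.group('dll')}"))
    return findings


# Constructed sample: lines quoted in the thread plus two hypothetical hosts
# lines (www.google.com -> 203.0.113.5, www.avast.com -> 127.0.0.1) and one
# benign HKLM Run entry, to show what each check does and does not flag.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 203.0.113.5 www.google.com
O1 - Hosts: 127.0.0.1 www.avast.com
O4 - HKU\S-1-5-21-2234471834-1297456408-683464090-1015..\Run: [Sysmapdb] C:\Documents and Settings\Steve's\Local Settings\Application Data\DirectAuthenticationcdrom\Sysmapdb.dll ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:24} {f.detail}")
```

To use it on a real case, paste the whole OTL or OTS log in place of SAMPLE_LOG; the four findings the sample produces (the hijacked search domain, the nulled AV domain, the unsigned autostart under Local Settings\Application Data, and the orphaned Winlogon notify DLL) are exactly the items a fix script like the one above removes or resets.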

Attached is my log file after following your instructions and running the scan upon reboot.

Essexboy will be at work now (it's 11:55am in the UK), so he will be back on-line later this evening, at the same sort of time his last post was made.

That looks better - have the alerts ceased?

So far today the browsing has been smooth.
Thanks for the help!!!

If you are still happy tomorrow let me know and I will remove my bits and bobs