I am using Avast Free Antivirus and am getting repeated ‘Trojan Horse Blocked’ / ‘Malicious URL’ alerts (one being: http://agrifarma.com/p/as?64206) whenever I go to my / some of my friends MySpace profiles; I have been in contact with MySpace about this, but was told that my profile was checked at their end and no issue was found. This is driving me crazy, so much so that I am considering removing Avast and trying a different antivirus, but I really do not want to do this as I am very happy with it otherwise. Can anyone help please?
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
The problem is not Avast…but that you have an infection.
So replacing Avast with an AV that does not detect does not solve/remove the infection.
So follow Asyn's advice.
Thank you very much for your help. One object was found and removed (see below), however, I have just visited my MySpace profile again and Avast alerted me with a different URL Mal:
Infection Details
URL: http://www1.strongpqcleaner.dnset.com/O…
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal
!!
Shall I run Malwarebytes again?
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.27.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dell owner :: OWNER-25721C41B [administrator]
27/05/2012 11:45:51
mbam-log-2012-05-27 (11-45-51).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179764
Time elapsed: 40 minute(s), 24 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
you also have to attach (not copy and paste) OTL and aswMBR log
Sorry, missed that. I hope these attachments are okay…I had already recently used aswMBR.exe.
Please note that this issue has been going on for some months now, so it will not be linked to recent modifications
i see lots of McAfee files in your log…do you have McAfee installed ?
I only have McAfee Security Scan installed, which runs a very short basic safety test, I installed that after this problem arose…it showed clear. I used to use McAfee before Avast, but my hard drive has since (as far as I can remember) been wiped clean by a PC World technician so I don’t think that would show now? The issue only occurs when I am on MySpace, could MySpace be the problem?
Let me look over the logs and I will return as quickly as I can.
Thank you - I really appreciate you all helping me. Here are two of the public MySpace profiles I have problems with…perhaps you can test whether you receive alerts here too in order to ascertain where the fault lies:
http://www.myspace.com/merlinmallet
Infection Details
URL: http://www1.bestdefenseij.dnset.com/i.ht…
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal
http://www.myspace.com/573275561
Infection Details
URL: http://agrifarma.com/p/as?1015
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: HTML:RedirME-inf [Trj]
My two private profiles trigger alerts too every time I click on them.
Your friends, most likely without knowing, are probably attaching malicious sites/videos/content from other URLs to their page(s). A big problem these days is thinking we can do this without it affecting anyone else, or not understanding how code injection CAN be used in different ways.
You may want to give your friends a heads up; unfortunately, like most, they will take it completely personally and tell you it's your machine or even your fault. I have had this problem myself, and even once on my own MySpace page. Once I got rid of the URL redirect I didn't realise was malicious, it went away. It's why I utterly HATE >:( the 'Share' feature on FB.
But again, to tell anyone their stuff is broken/infected is like claiming they did it on purpose. They will get as defensive as one can fathom and say 'it didn't set off mine so it's just you' and subsequently further spread malicious content.
I would advise you to continue working with Asyn.
I don't know if you realise this, but being that we pay for AND/OR trust Avast to prevent infection, if our machines become infected that's EXACTLY whose fault it is. That's not saying that Avast made the infection, just that Avast let us be infected. Just sayin'… not tryin' to change this thread.
Either way;
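The point made in the post above, that a profile page can pull in off-site redirects and hidden frames that the page owner never noticed, can be checked offline rather than by loading the page in a browser and waiting for an alert. The following script is an added example and is not code from the thread, from Avast or from MySpace. It walks a page's HTML with Python's standard-library HTMLParser and lists every reference that leaves the page's own site: meta-refresh redirects, script/iframe/embed/object sources on other hosts, and plain `location = "…"` assignments inside inline scripts. The sample page and all hostnames in it (`example.invalid`, `bad.invalid`) are constructed for the example; none of the real URLs from the thread are used.

```python
"""List off-site references (redirects, frames, scripts) found in a saved HTML page.

Added example for this thread; the sample page below is constructed, not a real profile.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, assumed to be served from www.example.invalid.
# It contains two same-site scripts plus the three kinds of off-site reference
# that Avast's URL:Mal / HTML:Redir* style detections are typically raised on.
SAMPLE_PAGE = """<html><head>
<title>profile</title>
<meta http-equiv="refresh" content="3; url=http://www1.cleaner.bad.invalid/i.html">
<script src="/scripts/profile.js"></script>
<script src="http://www.example.invalid/scripts/common.js"></script>
</head><body>
<div class="about">Hi, welcome to my page!</div>
<iframe src="http://ads.bad.invalid/p/as?42" width="1" height="1"></iframe>
<script>
  setTimeout(function () { window.location = "http://www1.fakeav.bad.invalid/i.html"; }, 2000);
</script>
</body></html>"""

_META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)
_JS_REDIRECT = re.compile(
    r"(?:window|document|top|self|parent)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
)


class _RefCollector(HTMLParser):
    """Collect (kind, url) pairs for every navigable or loadable reference in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lower-cased by HTMLParser
        if tag in ("script", "iframe", "frame", "embed") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "object" and a.get("data"):
            self.refs.append(("object", a["data"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.refs.append(("meta-refresh", m.group(1).strip()))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; look for direct location assignments.
        if self._in_script:
            for m in _JS_REDIRECT.finditer(data):
                self.refs.append(("js-redirect", m.group(1)))


def _same_site(host, page_host):
    """True if host is page_host or a subdomain of it."""
    return host == page_host or host.endswith("." + page_host)


def find_offsite_refs(html, page_host):
    """Return [(kind, url)] for references whose host is outside page_host.

    Relative URLs and protocol-relative URLs on the same site are dropped.
    """
    collector = _RefCollector()
    collector.feed(html)
    offsite = []
    for kind, url in collector.refs:
        host = urlparse(url).hostname
        if host and not _same_site(host.lower(), page_host.lower()):
            offsite.append((kind, url))
    return offsite


if __name__ == "__main__":
    for kind, url in find_offsite_refs(SAMPLE_PAGE, "example.invalid"):
        print(f"{kind:13s} {url}")
```

To use it on a real page, save the HTML with a tool that does not execute scripts (for example `curl -o page.html <url>`), read the file into `find_offsite_refs` with the profile's host as `page_host`, and treat any unfamiliar host in the output as the thing to hand to the page owner. A 1x1 iframe or a timed `location` assignment to a host the owner does not recognise is exactly the embedded content the thread is describing; the script only lists candidates, it does not judge whether a host is malicious.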
Hi,
I went to the link and got the popup about the infection so I agree that the infection is on that particular page itself.
Are you using McAfee or Avast for your antivirus program? We need to remove one of them. Let me know which one you would like to remove.
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-725345543-839522115-1202660629-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://uk.myspace.com/home"
[2010/05/18 15:24:37 | 000,002,139 | ---- | M] () -- C:\Documents and Settings\dell owner\Application Data\Mozilla\Firefox\Profiles\q0me9ao2.default\searchplugins\MyStart Search.xml
[2011/12/23 17:17:46 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[createrestorepoint]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
HELP!
I started OTL as per your instructions…it stated killing processes and my computer immediately displayed the screen of death. Nothing has happened since, I am afraid to turn it off. What do I do? I am using a neighbour’s computer for this.
Hi,
It’s ok to reboot your system. This time boot into Safe Mode and run the instructions I posted for OTL from there.
Didn’t expect that and got worried! Reminded me of the time I grew impatient with a ‘System Restore’…I turned my computer off and my operating system wouldn’t restart…ended up with a partition, new operating system and a computer technician’s bill! Does this mean that the OTL ‘fix’ hasn’t been carried out? I couldn’t boot into safe mode, nothing happened when I clicked on the up/down arrow options.
No the OTL fix probably has not been completed. Are you not able to boot to Safe Mode now?
Hi jesamine,
jeffce’s question is critical.
As he has other ways to fix your system using programs that run outside of windows, do not worry. So even if you cannot get into Safe Mode there are other ways of doing this. You are in good hands here, and very sorry about that other bad time you had a while ago.
If you can get into Safe Mode, tell jeffce.
No, just tried again…cannot get into safe mode through F8, nothing happens when I press the arrows, option remains on ‘boot normally’ and pressing enter also does nothing, so I had to switch off and start again. I also wasn’t able to use System Restore recently, again nothing happened. Oh I do have faith in jeffce…I just don’t in this computer! It’s not new and I’m not sure it can withstand the alterations. If it’s the pages on MySpace that are infected, not this computer?, what exactly are we trying to do?
Off issue, I was slightly concerned by this on the Extras.Txt:
ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability.
I removed the McAfee Security Scan.
Hi,
Sorry to hear about your problems. When you say "It's not new…", how old is your system? If your system is actually old, then it could be that Windows has just gotten a bit sloppy and a format/reinstall would be a prudent option.
As for the infections, the page on MySpace does seem to be infected but there are other little nasties that need to be removed.
Okay. The computer is Dell and 12 years old, a PC World technician wiped it clean and reinstalled XP 2-3 years ago. It’s not really worth further work though, it’s rather low on RAM, which cannot be easily upgraded (Rambus)…and I cannot afford a new one at the moment. :-\