This is done to hide the original URL and make it harder for scanners to identify the malware.
Not very common type of malware. Some URLs:
http://enuarutranslate.com/dev/in.cgi?default .. a few more..
Those are often used to redirect the browser of anyone visiting the site to Fake AV (anti virus). However, since this is a generic rule, the malware can change from site to site.
Any web site (no specific target).
Clean up: Nothing specific.
Last update: 2013/Feb