Help with removing Win32/Heur virus

  #21  
Old 07-04-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
The jl.chura.pl/rc warning I get from AVG every time I load up Firefox, ever since I started getting these Win32/Heur warnings. It gets embedded in one of the Firefox files, so every time you load up Firefox it'll try to load that site in the background or something. That's what I have read from searching threads. I have to go into one of the Firefox folders, open a file through Notepad, delete a "jl.chura.pl/rc" entry that's been embedded in the code and save the file. But every time I do it, it reappears again. So at the moment, I have reset Internet Explorer and don't have Firefox on my computer.

The system scan is still going; it's been left on overnight. I have to go to work now, so I'll post the log here as soon as it finishes, and redo the HJT log.

Thanks for your help, Bobbye.

Last edited by IVZ86; 07-04-2009 at 09:03 AM.
  #22  
Old 07-05-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
Sorry about the delay, Bobbye. But here are the log files for my Avast scan and HJT.
There are a few entries that came up as "file missing" when scanned by HJT; after I ticked them and clicked "Fix checked", they still reappear.

But here they are. The Avast scan seems not to pick up any Virut infections. I guess that's a good sign?

OK, the Avast log won't upload; apparently the file is too big. So I uploaded it to FileDen.
Here is the link to it:
http://www.fileden.com/getfile.php?f...vast%20Log.txt
Attached Files
File Type: log hijackthis.log (12.8 KB, 1 views)
  #23  
Old 07-05-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
Any time an AV log is too big to download, you know you're in trouble. I'm not sure what to make of that log, though. It's saying there is malware in everything!

Main entries are:
"HTML:IFrame-HO [Trj]"
It was in an HTML-formatted email message that was downloaded. IFrame is an HTML element. You would not see it directly (and you should be highly careful about trying to open an HTML email file that contains one). You would want to open it in Notepad rather than an application that will try to run the page (browser, email program, etc.).

"Win32:JunkPoly [Cryp]"


I need you to do an online AV scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please reopen HijackThis and choose "Do a system scan only".
Check the following entries if present. Note: do not click on "Fix checked" until you have completed the checking.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Close all windows except HijackThis and click on "Fix Checked".

Follow with a new HijackThis scan and attach the new log.

A comment: You have an enormous number of unnecessary processes starting on boot. That means they are also running in the background. Processes for multiple music players, CD/DVD writing software, camera, 'convenience items' like a tray icon: all of these unnecessary startups will slow you down at some point.

We'll see what the online AV scan shows up and go from there.

Specifically, tell me what system problems remain.
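As an added example (not code from this thread, from Bobbye, or from the HijackThis project), here is a small Python script that parses HijackThis-style "Rn - HIVE\Key,Value = data" log lines and flags the three entries listed in the post above (a blank SearchAssistant or CustomizeSearch hook, and a ProxyOverride), and also counts O4 startup entries for the point about unnecessary startup processes. The lines in SAMPLE_LOG are constructed for the demonstration, and the ExamplePlayer/ExampleCam/ExampleBurner names in them are made up.

```python
"""Review HijackThis-style log lines for the entries discussed in the thread.

Added example; not code from the thread or from HijackThis. The SAMPLE_LOG
lines below are constructed and the program names in them are fictitious.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# "R0 - HKLM\Software\...\Search,SearchAssistant = <data>" -> kind, key path, value name, data
_R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+?)\s*=\s*(.*)$")
# O4 lines are startup entries (Run keys, Startup folders)
_O4_LINE = re.compile(r"^O4 - (HKLM|HKCU|Startup|Global Startup)")


@dataclass
class RegEntry:
    kind: str   # R0..R3
    key: str    # registry key path, e.g. HKLM\Software\Microsoft\Internet Explorer\Search
    value: str  # value name, e.g. SearchAssistant
    data: str   # value data, may be empty


def parse_r_line(line: str) -> Optional[RegEntry]:
    """Parse one Rn line; return None for any other line type."""
    m = _R_LINE.match(line.strip())
    if not m:
        return None
    kind, key, value, data = m.groups()
    return RegEntry(kind, key, value.strip(), data.strip())


def review_entry(e: RegEntry) -> Optional[str]:
    """Return a reason when an entry matches one of the patterns the post asks to fix."""
    key_l = e.key.lower()
    if (key_l.endswith(r"\internet explorer\search")
            and e.value in ("SearchAssistant", "CustomizeSearch")
            and e.data == ""):
        return "blank IE search hook (thread: fix in HijackThis)"
    if key_l.endswith(r"\internet settings") and e.value == "ProxyOverride":
        return f"proxy override set to {e.data!r} (thread: fix in HijackThis)"
    return None


def review_log(text: str) -> Dict[str, object]:
    """Walk a whole log: collect flagged R entries and count O4 startup entries."""
    flagged, startup = [], 0
    for line in text.splitlines():
        if _O4_LINE.match(line.strip()):
            startup += 1
            continue
        e = parse_r_line(line)
        if e is None:
            continue
        reason = review_entry(e)
        if reason:
            flagged.append((line.strip(), reason))
    return {"flagged": flagged, "startup_entries": startup}


# Constructed sample log; mirrors the entry shapes shown in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ExamplePlayerTray] C:\Program Files\ExamplePlayer\tray.exe
O4 - HKCU\..\Run: [ExampleCamMonitor] C:\Program Files\ExampleCam\monitor.exe
O4 - Global Startup: ExampleBurner Agent.lnk = ?
"""

if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for line, reason in result["flagged"]:
        print(f"{reason}: {line}")
    print(f"{result['startup_entries']} startup (O4) entries")
```

The rules are deliberately narrow: a blank search hook or a proxy override is only a reason to look, which is why the script reports the matched line and the reason rather than "fixing" anything itself.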
  #24  
Old 07-06-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
OK, I'll do that straight away. See how it goes. Thanks, Bobbye.

That "HTML:IFrame-HO [Trj]" only just started after I updated the virus database on Avast.

I did a previous scan before with Avast and it never picked it up. And I haven't been on the net to surf web pages with the infected computer since. So I don't know why it is picking up every single HTML file on my computer as "HTML:IFrame-HO [Trj]"; AVG never picked it up.
  #25  
Old 07-06-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
OK, I tried running that website. It won't let me run it. Any antivirus scan websites won't work, whereas every other one is fine, like Google etc. When I tried running it, Avast picked up id12.exe as a Win32:JunkPoly [Cryp].

When I was running Internet Explorer, a few applications started terminating themselves. Also the shortcuts on my quick launch bar, such as Show Desktop and Windows Media Player, are gone now. So I don't know what's going on.
  #26  
Old 07-06-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
Quote:
We'll see what the online AV scan shows up and go from there.
Where is the log for the ESET scan?
Please follow that with a new HijackThis scan.
  #27  
Old 07-07-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
Quote:
Originally Posted by IVZ86
OK, I tried running that website. It won't let me run it. Any antivirus scan websites won't work, whereas every other one is fine, like Google etc. When I tried running it, Avast picked up id12.exe as a Win32:JunkPoly [Cryp].

When I was running Internet Explorer, a few applications started terminating themselves. Also the shortcuts on my quick launch bar, such as Show Desktop and Windows Media Player, are gone now. So I don't know what's going on.

I tried the ESET scan; Internet Explorer won't let me go to that page. I can hop on to any other page like Google etc., but not any antivirus websites: AVG, Avira, or any antivirus site I put in. It doesn't load at all. That's why I have not posted the log, because I can't.
  #28  
Old 07-07-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
Okay, we need to get together on this:

From 3 of your replies, with my reply back:

Quote:
Once copied, I renamed it to asd.exe. (Reply #12)
You missed the point here. IF you do have Virut, putting a file extension of .exe on will allow Virut to infect it!

!! ALERT !! it is not safe to continue. The contents of the combofix package have been compromised. (Reply #15)
So you get this message because it is infected.

I uninstalled AVG and installed the Avast antivirus instead, and updated it. Is that OK? (Reply #19)
Yes, it's okay. But you said you couldn't get on any AV sites! IF you got Avast, do a full system scan, save it and attach it.
About Virut: File infectors will typically infect many executables on a system, as well as others connected (via shares, USB drives). So cleansing can be a bit of a process, since it is not just registry entries and one or two loaded components on boot; every single infected file must be cleaned.

The following image might explain it better, and unfortunately you will see familiar entries:

Image source: Raymond CC Forum
More background here: http://www.infopackets.com/news/secu...pant_in_us.htm
  #29  
Old 07-08-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
I downloaded Avast from my brother's computer. ComboFix and all that, I downloaded it all from my brother's computer, put it on a USB and put it on my computer.

When I rename it to something like asdf.html, it tries to run it through Internet Explorer. I'll try renaming it to mpg or jpg and see how that goes.

Also, previously I downloaded a Virut cleansing program from AVG and a Symantec Virut virus cleaner. Ran both. But I don't know if there was any luck.

That .txt that I attached through FileDen is the Avast log from the scan I did.
  #30  
Old 07-10-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
No luck; ComboFix won't run if I rename it to something like jpg. It would try to open in Picture Manager etc. With mp3 it would try to open in Media Player.

So where am I headed? A reformat?
  #31  
Old 07-10-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
Can you get me a scan from Avast? Just save the log and attach it here. You can't use a file extension that a particular application uses to open files, like a photo viewer or a music player. You "might" be able to change the "Open With", but I doubt it with a file extension that specific.

Get me an AV scan.

I'm going to ask kritius if he knows a way around this, but try the AV scan. If you cannot get that, then I will recommend the reformat/reinstall under the assumption it's Virut.
  #32  
Old 07-11-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
Quote:
Originally Posted by IVZ86
Sorry about the delay, Bobbye. But here are the log files for my Avast scan and HJT.
There are a few entries that came up as "file missing" when scanned by HJT; after I ticked them and clicked "Fix checked", they still reappear.

But here they are. The Avast scan seems not to pick up any Virut infections. I guess that's a good sign?

OK, the Avast log won't upload; apparently the file is too big. So I uploaded it to FileDen.
Here is the link to it:
http://www.fileden.com/getfile.php?f...vast%20Log.txt

The FileDen link right there is the Avast log of the last scan I did. It is a 700 KB txt file; that's why I uploaded it with FileDen.
  #33  
Old 07-11-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
I'm not going to open that large log. As I mentioned before, a log this large would indicate serious problems.

Please download Dr.Web CureIt! HERE
  • [1] Run the utility and press the "Start" button in the opened window.
  • [2] Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files.
  • [3] Select the Complete scan or the Custom scan mode (in the latter case, select the necessary objects you want to scan).
  • [4] Press the "Start scanning" button on the right of the scanner.
  • [5] When you call the utility, you can specify parameters for the scanner on the command line, i.e. to specify the objects for scanning and/or modify the scanning modes from the default ones.
  • [6] When being scanned, infected files are cured; incurable files are moved to the quarantine directory.
  • [7] When the scanning is finished, the log file and the quarantine are not deleted.

Please attach the log on your next reply.
  #34  
Old 07-13-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
Sorry for the late reply; I've been busy with work on the weekend. I think I'm gonna reformat it. It is a pain in the rear. Files are changing; on my quick start menu, some of the icons deleted themselves. I have 4 partitioned drives. If I just reformat the C: drive where Windows is, should I be good to go with the virus gone, or is there still a chance it is still hanging around somewhere?
  #35  
Old 07-16-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
I haven't reformatted my computer yet. But with this Virut and Heur virus, should I be right if I just reformat the C:\???
  #36  
Old 07-16-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
For some reason, I'm not getting some of the feedback emails when there is a reply.

IF you do have the Virut malware, reformatting is the best way to go. Can I tell you it will be gone if you just reformat the C drive? No. It's going to depend on what's on the other drives and whether any of the infected files got in. You'll be reformatting the operating system on the C drive, right?

From McAfee:
Quote:
Overview -

W32/Virut.a is an appending virus. This file infector infects .exe and .scr files by attaching its encrypted code to the end of the file.

The encrypted code contains IRCBot functionality.
Quote:
Characteristics -

When W32/Virut.a is executed it injects its code into all running processes.

W32/Virut.a opens up a backdoor at port 65520 on the compromised machine.

This virus tries to connect to IRC servers located at:

* proxima.ircgalaxy.
Another consideration is where are the System Restore files? If malware is in the restore points and the restore points are used, it can reinfect the system. I would think they are on the C drive, but I don't know this.

The IRCBot functionality can allow a remote attacker to:
• Download and execute arbitrary files
• Scan for vulnerable ports on target machines
• Attempt to infect a target vulnerable machine
• Update the bot on the infected machine

So you will need to be sure that any area- drive- on the machine is cleaned.
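The McAfee description quoted above says W32/Virut.a is an appending infector: it attaches its code to the end of .exe and .scr files. As an added example (not code from this thread, from McAfee, or from any AV product), here is a Python script that parses a PE file's section table, works out where the last section's raw data ends, and reports any bytes after that point (the "overlay"), which is the footprint an appending infector leaves. Signed binaries legitimately keep their Authenticode certificate table in the overlay, so that range is subtracted; installers and some packers also put data there, so a hit means "compare this file against a known-good copy or hash", not "infected". The build_minimal_pe() helper constructs a toy PE32 image for the demonstration (it is not a real executable), and the scan_tree() function and its extension list are my own choices, not anything the thread describes.

```python
"""Report data appended past the last PE section (the overlay).

Added example; not code from the TechSpot thread or from McAfee. The PE
images produced by build_minimal_pe() are constructed toys, not executables.
"""
import struct
from pathlib import Path
from typing import Dict, Iterator, Tuple


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("<H", b, off)[0]


def _u32(b: bytes, off: int) -> int:
    return struct.unpack_from("<I", b, off)[0]


def overlay_info(data: bytes) -> Dict[str, int]:
    """Return where the sections end, total overlay bytes, and overlay bytes not covered by a signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                       # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = _u16(data, pe + 6)             # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(data, pe + 20)              # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24                               # IMAGE_OPTIONAL_HEADER
    magic = _u16(data, opt)
    dd_base = 96 if magic == 0x10B else 112     # data directories start: PE32 vs PE32+
    cert_off = cert_size = 0
    if opt_size >= dd_base + 5 * 8:             # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off = _u32(data, opt + dd_base + 4 * 8)      # a file offset, not an RVA
        cert_size = _u32(data, opt + dd_base + 4 * 8 + 4)
    sections = opt + opt_size
    end = sections + 40 * n_sections            # never below the end of the headers
    for i in range(n_sections):
        hdr = sections + 40 * i
        raw_size = _u32(data, hdr + 16)         # SizeOfRawData
        raw_ptr = _u32(data, hdr + 20)          # PointerToRawData
        end = max(end, raw_ptr + raw_size)
    overlay = max(len(data) - end, 0)
    unexplained = overlay
    if cert_size and end <= cert_off and cert_off + cert_size <= len(data):
        unexplained = overlay - cert_size       # Authenticode blob is expected overlay
    return {"end_of_sections": end, "overlay": overlay, "unexplained_overlay": max(unexplained, 0)}


def scan_tree(root: Path, exts=(".exe", ".scr")) -> Iterator[Tuple[Path, int]]:
    """Yield (path, unexplained overlay bytes) for executables under root that carry one."""
    for p in root.rglob("*"):
        if p.suffix.lower() in exts and p.is_file():
            try:
                info = overlay_info(p.read_bytes())
            except (ValueError, struct.error):
                continue                        # not a PE, or truncated: skip it
            if info["unexplained_overlay"]:
                yield p, info["unexplained_overlay"]


def build_minimal_pe(section_bytes: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed toy PE32 image with one .text section, optionally with a fake certificate table."""
    opt_size = 96 + 16 * 8                      # PE32 optional header incl. 16 data directories
    pe_off = 0x40
    raw_ptr = pe_off + 24 + opt_size + 40       # section data follows the single section header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    if cert_blob:                                # security directory points past the section data
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + len(section_bytes), len(cert_blob))
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_bytes), 0x1000,
                                        len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + file_hdr + bytes(opt) + sec + section_bytes + cert_blob


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 64)
    print("clean:", overlay_info(clean))
    print("with 300 appended bytes:", overlay_info(clean + b"\xCC" * 300))
```

Run it from a clean machine against a mounted copy of the suspect drive (the other partitions the thread asks about included) rather than on the infected system itself, since a live file infector can patch the tools you run there; and pair the overlay result with a hash comparison against known-good copies before deciding a file is infected.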
  #37  
Old 07-17-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
Ohhh OK. On all my other drives, it has games, music, pictures/photos and that. That's about it really. The System Restore files: if I untick the box to have System Restore on, do I just clear it by using the Windows Disk Cleanup?

Also, Avast hasn't picked up anything that has been infected by the Virut virus. I have used Avast to scan several times, but it does not come up with it.
  #38  
Old 07-20-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
Do I just clear it by using the Windows Disk Cleanup?
  #39  
Old 07-20-2009
TechSpot Evangelist
 
Location: Clearwater, FL
Member since: Mar 2007, 5,778 posts
No. That just clears temporary internet files, cookies and temp files.
  #40  
Old 07-21-2009
Newcomer, in training
 
Member since: Jun 2009, 31 posts
How do I get rid of my System Restores? Also, should I be worried about the compressed old files?