# Rootkit Alureon.A - undeletable?



## Snajper (Nov 11, 2009)

Hi there,

I'm pretty sure that my system has caught a rootkit called Alureon.A (or .gen!U); that's what mrt.exe tells me.

I do not know what to do, because mrt can't delete it.

What can I do?

My operating system is Win7 Ultimate and the infected files are:

globalroot\Device\Ide\IdePort5\ribwnpqk\ribwnpqk\tdlwsp.dll

atapi.sys, and also two other files in the system32\drivers folder which mrt no longer flags as infected.


I hope you can help, because it keeps coming back!


----------



## NeonFx (Oct 22, 2008)

Hello there. Welcome to the *Tech Support Guy* forums.
My name is *NeonFx*. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:


- The fixes are specific to your problem and should only be used on this machine.
- Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
- It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode, where you will be unable to follow my instructions online.
- If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.

*Step 1*

Download *OTS* to your Desktop


- Close *ALL OTHER PROGRAMS*.
- Double-click on *OTS.exe* to start the program.
- Check the box that says *Scan All Users*.
- Under Additional Scans check the following:
  - Reg - Desktop Components
  - Reg - Disabled MS Config Items
  - Reg - NetSvcs
  - Reg - Shell Spawning
  - Reg - Uninstall List
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)

Please copy the following into the Custom Scans box at the bottom


```
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
```

Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.
Please *attach* the log in your next post. To do so click on the blue *"Reply"* button or *"Go Advanced"* and click on the "*Manage Attachments*" button

To ensure that I get all the information, this log will need to be attached. If it is too large to attach, then upload it to Drop.io and post the sharing link/URL (the Drop's URL will be similar to http://drop.io/daerk).

*Step 2*

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the *Sysprot.exe* program.


- Click on the *Log* tab.
- In the *Write to* log box select *All* items.
- Place a checkmark next to *Hidden Objects Only*.
- Click on the *Create Log* button on the bottom right.
- After a few seconds a new window should appear.
- Make sure *Scan all drives* is selected and click on the Start button.
  _(Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start.)_
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be created and saved automatically in the same folder. *Open the text file* and copy/paste the log here.


----------



## Snajper (Nov 11, 2009)

Hi, I'm very happy that you want to help me.

Here are the logs:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\spmo.sys
Service Name: ---
Module Base: 88A98000
Module End: 88B8B000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 81FC3000
Module End: 81FCE000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 81FCE000
Module End: 81FD7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 81FD7000
Module End: 81FE8000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: CHASE:49229
Remote Address: 74.125.13.89:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49228
Remote Address: FK-IN-F102.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49227
Remote Address: EY-IN-F137.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49226
Remote Address: FX-IN-F138.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49225
Remote Address: EY-IN-F103.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49224
Remote Address: EY-IN-F103.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49223
Remote Address: FK-IN-F102.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49222
Remote Address: FK-IN-F102.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49221
Remote Address: A92-123-148-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49220
Remote Address: BW-IN-F139.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49219
Remote Address: BW-IN-F139.1E100.NET:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49218
Remote Address: A92-122-188-59.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHASE:49213
Remote Address: LOCALHOST:49212
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49212
Remote Address: LOCALHOST:49213
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49211
Remote Address: LOCALHOST:49210
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49210
Remote Address: LOCALHOST:49211
Type: TCP
Process: 1728 (PID)
State: ESTABLISHED

Local Address: CHASE:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: 520 (PID)
State: LISTENING

Local Address: CHASE:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: 512 (PID)
State: LISTENING

Local Address: CHASE:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: 964 (PID)
State: LISTENING

Local Address: CHASE:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: 888 (PID)
State: LISTENING

Local Address: CHASE:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: 448 (PID)
State: LISTENING

Local Address: CHASE:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHASE:WSD
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHASE:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHASE:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 3240 (PID)
State: LISTENING

Local Address: CHASE:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHASE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 788 (PID)
State: LISTENING

Local Address: CHASE:63703
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:SSDP
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: CHASE:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: CHASE:63704
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:49152
Remote Address: NA
Type: UDP
Process: 460 (PID)
State: NA

Local Address: CHASE:SSDP
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:50977
Remote Address: NA
Type: UDP
Process: 1132 (PID)
State: NA

Local Address: CHASE:50975
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:LLMNR
Remote Address: NA
Type: UDP
Process: 1284 (PID)
State: NA

Local Address: CHASE:5005
Remote Address: NA
Type: UDP
Process: 3240 (PID)
State: NA

Local Address: CHASE:5004
Remote Address: NA
Type: UDP
Process: 3240 (PID)
State: NA

Local Address: CHASE:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: 964 (PID)
State: NA

Local Address: CHASE:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 1132 (PID)
State: NA

Local Address: CHASE:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 3124 (PID)
State: NA

Local Address: CHASE:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 1132 (PID)
State: NA

Local Address: CHASE:500
Remote Address: NA
Type: UDP
Process: 964 (PID)
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\ISwift3.dat
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\System Volume Information\Syscache.hve
Status: Access denied

Object: C:\System Volume Information\Syscache.hve.LOG1
Status: Access denied

Object: C:\System Volume Information\Syscache.hve.LOG2
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\Windows Backup
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup
Status: Access denied

Object: C:\System Volume Information\{1b956e5f-cedf-11de-8abd-001a4f9d97fa}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{7472e7b1-cf9d-11de-adba-001a4f9d97fa}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{aa5793b3-ceeb-11de-a7a6-001a4f9d97fa}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{acca5696-cfa0-11de-b9fe-001a4f9d97fa}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\namespace
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\pq
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\sm
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\temp
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Status: Access denied


And the other one is attached, as requested.

Greetings, Snajper


----------



## NeonFx (Oct 22, 2008)

Good Job. Please do the following:

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.

Right click on the Avenger.zip folder and select "Extract All..."
 Follow the prompts and extract the *avenger* folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Files to move:
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys | C:\Windows\System32\drivers\atapi.sys
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, open the avenger folder and *start The Avenger program* by clicking on its icon.


- Right click on the window under *Input script here:*, and select Paste.
- You can also click on this window and press (*Ctrl+V*) to paste the contents of the clipboard.
- Click on *Execute*.
- Answer "*Yes*" twice when prompted.

4. *The Avenger will automatically do the following*:

It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
5. Please *copy and paste* or *attach* the contents of *c:\avenger.txt* into your reply.

Then double click on OTS.exe and under the Custom Scans section copy and paste the following:

*%SYSTEMDRIVE%\atapi.sys /s /md5*

Then click on the Quick Scan button and attach those results to your next reply.
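
The OTS `/s /md5` custom scan earlier in the thread hashes the boot-critical drivers that this rootkit family patches, and the Avenger script above copies a staged copy of atapi.sys from `DriverStore\FileRepository` over the live one. The PowerShell script below is an added example, not code from the thread, from OTS or from The Avenger: it hashes each live driver, compares it with every copy staged in the DriverStore, reports the Authenticode status, and with `-Restore` schedules the newest staged copy to replace a mismatched file at the next boot using the documented MoveFileEx delay-until-reboot mechanism (a loaded driver image cannot be overwritten in place, which is also why the Avenger step needed a reboot). The driver list, the `.restore` staging name and the choice of the newest staged copy as the clean source are assumptions made for the example; it needs an elevated prompt on Windows 7 or later with default paths. One caveat applies to any hashing done from inside the infected system: Alureon/TDL3 hooks the disk driver stack and can serve a clean image of a patched driver to user-mode readers, so a match is not proof of a clean file. Repeat the hashing from WinPE/WinRE or another installation before trusting it.

```powershell
# Added example for this thread; not code from OTS, The Avenger or the forum helpers.
# Hashes the live copy of each boot-critical driver, compares it with the copies
# staged in DriverStore\FileRepository (the source the Avenger script used for
# atapi.sys), checks the Authenticode status, and with -Restore schedules a clean
# copy to replace a mismatched live file at the next boot.
# Assumptions: elevated PowerShell 2.0+ on Windows 7 or later, default paths; the
# driver list mirrors the OTS custom scan and is illustrative.
# Caveat: Alureon/TDL3 hooks the disk stack and can hand user mode a clean image of
# a patched driver, so re-check from WinPE/WinRE before trusting a "match" here.

param(
    [string[]]$Drivers = @('atapi.sys', 'iaStor.sys', 'nvstor.sys', 'IdeChnDr.sys',
                           'viasraid.sys', 'AGP440.sys', 'vaxscsi.sys'),
    [switch]$Restore
)

$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'
$driverStore = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is the documented way to replace a file
# that is in use: the rename is recorded under HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager\PendingFileRenameOperations and carried out by the Session Manager
# during the next boot, right after AUTOCHK and before paging files are created.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Get-Sha256Hex([string]$Path) {
    # .NET hashing, because Windows 7 shipped PowerShell 2.0 without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Test-DriverIntegrity([string]$Name) {
    $live = Join-Path $driversDir $Name
    if (-not (Test-Path -LiteralPath $live)) { return }   # driver not present on this machine
    $liveHash = Get-Sha256Hex $live
    $sig      = Get-AuthenticodeSignature -FilePath $live
    # every staged copy of this driver; each DriverStore package has its own folder
    $staged = @(Get-ChildItem -Path $driverStore -Recurse -Filter $Name -ErrorAction SilentlyContinue |
                Sort-Object LastWriteTime -Descending)
    $stagedHashes = @($staged | ForEach-Object { Get-Sha256Hex $_.FullName })
    $matchesStore = [bool]($stagedHashes -contains $liveHash)
    # HashMismatch means a signed image was changed after signing: a strong indicator.
    # NotSigned is inconclusive: in-box drivers are catalog-signed and older PowerShell
    # does not consult catalogs, so the DriverStore comparison is what decides.
    $suspect = (-not $matchesStore) -or ($sig.Status -eq 'HashMismatch')
    New-Object PSObject -Property @{
        Driver       = $Name
        LiveSha256   = $liveHash
        Signature    = $sig.Status
        StagedCopies = $staged.Count
        MatchesStore = $matchesStore
        Suspect      = $suspect
        CleanSource  = $(if ($staged.Count -gt 0) { $staged[0].FullName } else { $null })
    }
}

function Request-DriverRestore($Result) {
    # Stage the newest DriverStore copy beside the live file; the next boot swaps it in.
    $live  = Join-Path $driversDir $Result.Driver
    $stage = "$live.restore"
    Copy-Item -LiteralPath $Result.CleanSource -Destination $stage -Force
    $ok = [Win32.Native]::MoveFileEx($stage, $live, $MOVEFILE_REPLACE_EXISTING -bor $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) { throw "MoveFileEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    Write-Warning "$($Result.Driver) will be replaced from $($Result.CleanSource) at the next reboot"
}

$results = @(foreach ($d in $Drivers) { Test-DriverIntegrity $d })
$results | Format-Table Driver, Signature, StagedCopies, MatchesStore, Suspect -AutoSize
if ($Restore) {
    foreach ($r in @($results | Where-Object { $_.Suspect -and $_.CleanSource })) { Request-DriverRestore $r }
}
```

Save it as, for instance, `Test-CriticalDrivers.ps1` and run it elevated. The first run only reports; run it again with `-Restore` to stage the replacement, reboot, and run it once more to confirm the live hash now matches a staged copy. Treat `Suspect = True` on a driver with no staged copies as "needs a known-good copy from install media", not as proof of infection, and keep the earlier caveat in mind: a clean result obtained from inside a system that still runs the rootkit is only as trustworthy as the disk stack that produced it.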


----------



## Snajper (Nov 11, 2009)

Here is the Avenger log file:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

And the OTS log is attached.


----------



## NeonFx (Oct 22, 2008)

Good Job. That seems to have done it. Please do the following now:

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the contents of following code box


```
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (352639 bytes and 12127 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> Reset Hosts -> 
[Empty Temp Folders]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.txt* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally. 
If it seems to get stuck, give it some time. It's probably still working.

*STEP 2*

1. Click Start, right-click (My) Computer and click Properties
2. Click *System protection* link in the left pane
3. In the System Protection options, select a drive-letter and click Configure.
4. Click *Delete*, and click Continue when prompted.
5. Click OK
6. Click on the "Create" button
7. Click OK to close the window.

*STEP 3*

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click mbam-setup.exe to install the application.


Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Full Scan*", then click *Scan*. Scan all of your harddrives.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## Snajper (Nov 11, 2009)

OK, here are the results.
But I have to say that I did an MBAM scan before, and I'm not sure if it was even able to find Alureon before I started the thread in this forum.
Anyway, here's the MBAM log, and the OTS log is attached:

Malwarebytes' Anti-Malware 1.41
Database version: 3174
Windows 6.1.7600

15.11.2009 18:56:23
mbam-log-2009-11-15 (18-56-23).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 233795
Time elapsed: 1 hour(s), 53 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Reconnect\Reconnect_exe\nc.exe (PUP.KeyLogger) -> Quarantined and deleted successfully.

PS: It's in German, but I think you'll get the point and see that nothing was found that has anything to do with Alureon.


----------



## NeonFx (Oct 22, 2008)

Good. Are you still being redirected?

I want to run an online scan to be absolutely sure you're clean. This will take a while but it's well worth it as it can often find things all other scanners will miss.

*STEP 1*

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.

*STEP 2*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:


- Close any open programs.
- Turn off the real-time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.

*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.


- Once the update is complete, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, adware, dialers, and other riskware
  - Archives
  - E-mail databases
- Click on *My Computer* under the green *Scan* bar to the left to start the scan.
- Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Click *View report...* at the bottom.
- Click the *Save report...* button.
Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply


----------



## Snajper (Nov 11, 2009)

I was never redirected; only the Windows Defender popup annoyed me, and a new Firefox window opened with a lightsomething.biz website.

But since I have followed your excellent advice I don't get any messages any more. Thanks for that so far; I'll do an online scan and post the results here later.


----------



## NeonFx (Oct 22, 2008)

Yeah sorry about that. I'm just so used to seeing redirection symptoms with this infection that I forget to ask haha. That scan normally takes from 1 - 5 hours but it can take even longer sometimes. There's no rush.


----------



## Snajper (Nov 11, 2009)

ok here are the results!

I think it's clean now, there were no popups till now, and the scanner just found some crap from spam mails I guess...

But take a look.


I am very happy that you've helped me; without your help it would have ended in a reinstallation of Win7.

Thank you so much, I will recommend this forum to friends. I've opened two other threads in different forums and nowhere did I get such professional help as here. Thank you very much!


----------



## NeonFx (Oct 22, 2008)

You're very welcome Snajper. Let's cleanup.

*STEP 1*

To clean up OldTimer's tools, along with a few others, do the following:


- Run OTS.exe by double-clicking on it.
- Click on the *"CleanUp"* button at the top.
- You will be asked if you wish to reboot your system; select *"Yes"*.

*STEP 2*

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the *Shift* key, and select *"Delete"* by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (Programs and Features in Vista and Programs > Uninstall a Program in 7)

You might want to keep MalwareBytes AntiMalware though, and that's fine. Make sure you update it before you run scans in the future.

*All Clean*

Congratulations, *your system is now clean*. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

*Microsoft Windows Update*
Microsoft releases patches for Windows and Office products regularly to close security holes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to *Start > All Programs > Windows Update*
To update Office
Open up any Office program.
Go to *Help > Check for Updates*

*Download and Install a HOSTS File*
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.

See how to get it HERE
(For Vista and 7 see HERE )

You can also use a tool to update your Hosts file. See HERE and HERE

If you have a third-party firewall or WinPatrol, you may have to give permissions at various times to unlock the present default HOSTS file and install the new one.

Note: A Hosts file can slow some systems down. If it is slowed down beyond tolerable you might want to empty the Hosts file or reset it using one of the tools.

*Install WinPatrol*
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

*Other Software Updates*
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for *Java* and *Adobe* as these are subject to many security vulnerabilities.

*Setting up Automatic Updates*
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

*Read further information* HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.

Please mark this thread as "Solved" by clicking on the button at the top of this page when you're ready. Let me know if you need anything else.
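
The OTS fix earlier in the thread reset a HOSTS file of more than 12,000 lines, and the HOSTS section above explains why a legitimate HOSTS list points bad sites at the local machine. Malware edits the same file for the opposite purpose, pointing security vendors' update and download sites at an address that is dead or attacker-controlled, so the useful check is which entries point where. The PowerShell script below is an added example and not part of the thread or of any of the tools it uses: it parses the HOSTS file, counts entries pinned to the local machine (what a downloaded blocklist does), lists entries that redirect a name to some other address, and flags any entry that touches a short watch list of update and security-vendor domains. The watch list and the built-in sample lines are constructed for the example.

```powershell
# Added example for this thread; not code from OTS, MBAM or the forum helpers.
# Audits the HOSTS file: blocklist entries pin names to the local machine, while
# entries that send a name elsewhere, or that touch update/security-vendor names
# at all, are the ones a malware hijack produces.
# Assumptions: default HOSTS path; the watch list is illustrative; -UseSample runs
# the parser over constructed lines instead of the real file.

param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
    [string[]]$Watch = @('microsoft.com', 'windowsupdate.com', 'malwarebytes.org',
                         'kaspersky.com', 'symantec.com', 'mcafee.com', 'avast.com'),
    [switch]$UseSample
)

$localAddrs = @('127.0.0.1', '0.0.0.0', '::1')

# Constructed sample lines (not from the thread) for a dry run of the parser.
$sampleLines = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '0.0.0.0   ads.example.net           # typical blocklist entry',
    '10.0.0.5  update.microsoft.com      # pinned away from Microsoft: hijack',
    '127.0.0.1 www.kaspersky.com         # vendor site blocked: hijack',
    '192.0.2.7 bank.example.com          # pharming redirect',
    'garbage line with no address'
)

function Read-HostsEntries([string[]]$Lines) {
    # One object per hostname: "<address> <name> [<alias>...]  # comment"
    $n = 0
    foreach ($raw in $Lines) {
        $n++
        $line = ($raw -split '#', 2)[0].Trim()      # drop comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }       # address without a name is malformed
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Line    = $n
                Address = $fields[0]
                Name    = $name.ToLowerInvariant()
                IsLocal = [bool]($localAddrs -contains $fields[0])
            }
        }
    }
}

function Get-HostsFindings([string[]]$Lines, [string[]]$WatchList) {
    $entries   = @(Read-HostsEntries $Lines)
    $blocked   = @($entries | Where-Object { $_.IsLocal })
    $redirects = @($entries | Where-Object { -not $_.IsLocal })
    # A watched name, or any subdomain of it, mapped to anything at all: a blocklist
    # should never pin vendor update sites, but malware that wants to stay alive does.
    $watched = @($entries | Where-Object {
        $e = $_
        @($WatchList | Where-Object { $e.Name -eq $_ -or $e.Name.EndsWith(".$_") }).Count -gt 0
    })
    New-Object PSObject -Property @{
        Total     = $entries.Count
        Blocked   = $blocked.Count
        Redirects = $redirects
        Watched   = $watched
    }
}

if ($UseSample) { $lines = $sampleLines } else { $lines = @(Get-Content -LiteralPath $Path) }
$f = Get-HostsFindings $lines $Watch
"{0} hostname entries, {1} pinned to the local machine (blocklist style)" -f $f.Total, $f.Blocked
if ($f.Redirects.Count -gt 0) {
    "Names redirected to a non-local address (inspect each one):"
    $f.Redirects | Format-Table Line, Address, Name -AutoSize
}
if ($f.Watched.Count -gt 0) {
    "Update/security-vendor names present in HOSTS (normally there should be none):"
    $f.Watched | Format-Table Line, Address, Name -AutoSize
}
```

Run it with `-UseSample` first to see how the three categories come out, then against the real file. A file with thousands of entries that all resolve to `0.0.0.0` or `127.0.0.1` is a blocklist of the kind the HOSTS section recommends; a handful of entries that point vendor or update names anywhere, local address included, is the hijack pattern, and that is the case where resetting the file (as the OTS fix did) is the right call before updating any scanner.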


----------



## NeonFx (Oct 22, 2008)

Oh yeah, and as for the Kaspersky results, unless you wish to clear out your inbox and trash completely, then don't worry about it. There's really no way we could tell which emails were infected. Just don't start going through them all.


----------

