This letter is sent by the CIT Contact Center (HelpDesk) when the Network Operations Center (NOC) has detected activity indicative of a Backdoor.SDBOT.RC infection on a user's computer. Although the user's access to the external Internet has been blocked to prevent the spread of the virus, the user will still be able to access any site that ends with "cornell.edu" and the Symantec Security Response website (http://www.sarc.com). This means that the services included in Bear Access, such as e-mail (through WebMail and Eudora) and Just the Facts, will still work, along with any course websites the user may need to access.
With this in mind, you need to take a number of steps to clean your computer and secure it against reinfection. You can either call the HelpDesk at 5-8990 for assistance or to schedule an appointment, or you can try the following removal steps yourself.
- First, disable System Restore. In Windows XP, go to Start > Control Panel > System, open the System Restore tab, turn off System Restore on all drives, and click OK. Windows 2000 does not have System Restore, so if you use Windows 2000 you can skip this step. Next, open the Windows Task Manager by pressing the CTRL, ALT, and DELETE keys together and go to the Processes tab. End any process whose name begins with wmiprvs (e.g. wmiprvsc.exe), then close the Task Manager.
- Next, open the Windows Registry Editor by going to Start > Run and entering regedit. Navigate to the key My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, look for any entry that refers to the process(es) you just ended, and delete that entry. Such entries are usually labeled "Windows Update Process", "System Update", or something similar. Repeat this check under My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (this key may not exist on your computer) and My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Once you have checked these keys as well, close the Registry Editor.
- Finally, run the stinger.exe utility (or the Gaobot Removal Tool on Cornell's local downloads page); this should restore your Windows hosts file in case it was damaged by the virus. Then go to http://www.sarc.com/avcenter/defs.download.html and download the Intelligent Updater with the latest virus definition files for your version of Symantec AntiVirus. After that, reboot into Safe Mode by tapping the F8 key while the computer is starting up. In Safe Mode, run a full scan of your computer and note which viruses are detected and what is done with them (e.g. left alone, quarantined, or deleted).
- If all of the viruses were quarantined or deleted, reboot normally and turn System Restore back on, then call the HelpDesk at 5-8990 and tell us which viruses were detected. If some viruses were left alone, reboot normally (but hold off on turning System Restore back on), go to http://securityresponse.symantec.com/avcenter/tools.list.html, and download the removal tool for each of those viruses. Then reboot into Safe Mode and run those tools, noting how many files each one deleted. Only after you have run all of the removal tools should you reboot into Normal Mode and turn System Restore back on.
- Drop helpdesk@cornell.edu a line when you're done. Once you're back on the Internet, the first thing you should do is update your copy of Windows at http://windowsupdate.microsoft.com so that all of the known vulnerabilities in Windows are patched and your computer is protected from attack. Also, for information about viruses that are going around on campus, check http://www.cit.cornell.edu/helpdesk/virus/ regularly. If you have any questions, please feel free to contact the HelpDesk by phone or e-mail and we'll see what we can do to help.
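The items the steps above ask you to inspect by hand (processes named wmiprvs*, entries in the three Run keys, and the hosts file) can be gathered in one pass for review before anything is deleted. The script below is an added example and is not part of the CIT letter or a CIT tool. It assumes Windows PowerShell 2.0 or later is installed on the machine (it was an optional download for Windows XP and is not available for Windows 2000), and it only reads and reports; the removal itself stays with the manual steps above. The autostart names it flags ("Windows Update Process", "System Update") and the wmiprvs prefix are those the letter gives; the comparison against the legitimate wmiprvse.exe location (System32\wbem, the WMI Provider Host) and the hosts-file check are additions made here.

```powershell
# Added triage script, not part of the CIT letter or a CIT tool. It gathers in
# one pass the things the removal steps ask you to look for, and changes
# nothing: review the report, then do the removal by hand as described above.
# Assumptions: Windows PowerShell 2.0 or later is installed; the autostart
# names and the "wmiprvs" prefix below are those given in the letter.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Running processes whose name begins with "wmiprvs".
#    wmiprvse.exe in %SystemRoot%\System32\wbem is the legitimate WMI Provider
#    Host; a look-alike name (such as wmiprvsc.exe) or any other location is
#    what the letter tells you to end.
function Get-WmiprvsProcesses {
    $legitDir = Join-Path $env:SystemRoot 'System32\wbem'
    Get-Process | Where-Object { $_.Name -like 'wmiprvs*' } | ForEach-Object {
        $path = $_.Path
        $isLegit = ($_.Name -ieq 'wmiprvse') -and $path -and ((Split-Path $path) -ieq $legitDir)
        New-Object PSObject -Property @{
            Pid = $_.Id; Name = $_.Name; Path = $path; Suspicious = -not $isLegit
        }
    }
}

# 2. Autostart entries in the three Run keys named in the letter.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'   # may not exist
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspectNames = @('Windows Update Process', 'System Update')          # names quoted in the letter
$metaProps    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        foreach ($p in $props) {
            if ($metaProps -contains $p.Name) { continue }   # provider bookkeeping, not autostart entries
            $cmd = [string]$p.Value
            # Flag the names the letter quotes, and any command that launches a
            # wmiprvs* file: the real WMI Provider Host is never started from Run.
            $flag = ($suspectNames -contains $p.Name) -or ($cmd -match 'wmiprvs')
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $cmd; Suspicious = $flag
            }
        }
    }
}

# 3. Hosts file lines other than comments and the localhost entry. The letter
#    notes the virus may have damaged this file; stinger.exe restores it, and
#    this shows you what, if anything, was changed.
function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $hosts)) { return }
    Get-Content $hosts |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }
}

Write-Host '== Processes matching wmiprvs* =='
Get-WmiprvsProcesses | Format-Table Pid, Name, Path, Suspicious -AutoSize
Write-Host '== Autostart entries (Suspicious = True means review, then delete as described above) =='
Get-RunEntries | Format-Table Key, Name, Command, Suspicious -AutoSize
Write-Host '== Non-default hosts file lines =='
Get-HostsOverrides
```

Run it from an administrator account before the Task Manager and Registry Editor steps, and keep the output: the "Suspicious" column tells you which process to end and which Run entries to delete, and the list of viruses you later report to the HelpDesk is easier to reconcile when you know what was set to start automatically.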
______________________________________
Last modified: June 04, 2007