Users who received an email claiming to come from an administrative address (e.g. admin@virginia.edu) and followed its link to "verify account status" were actually directed to a web site that installed a malicious program. Although it initially appears to be a known version of the Mytob virus, the published fixes for known versions of that program do not clean this malicious software.
The User Support Services group is still working to fully identify the virus.
Until then, users who need to clean the virus off their machines should follow the directions below.
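The pattern behind this incident, a sender address that looks local and a link that leads elsewhere, can be checked mechanically before anyone clicks. The script below is an added example written for this page, not code from ITC or from the original notice. The email it inspects is constructed for illustration (the link target 203.0.113.7 is a documentation address, not the site used in the real incident), and the helper names phishing_indicators, LinkCollector, host_of and same_org are this example's own. It parses the message, collects every anchor in the HTML body, and flags links whose host is outside the sender's domain or whose visible text names a different host than the real target.

```python
"""Check an email for the phishing pattern described above: a sender address
that appears to be local, but links that lead somewhere else.

Added example, not part of the original notice.  The message below is
constructed for illustration; the link target 203.0.113.7 is a documentation
address, not the site used in the real incident."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text looks like a virginia.edu page,
# but the href sends the reader to an unrelated host.
SAMPLE_EMAIL = """\
From: ITC Administrator <admin@virginia.edu>
To: user@virginia.edu
Subject: Verify your account status
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you verify its status:</p>
<p><a href="http://203.0.113.7/~verify/account.php">https://www.virginia.edu/account/verify</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None while not inside an <a> element
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL; a scheme is assumed if missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message):
    """Return a list of indicator strings; an empty list means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())

    indicators = []
    for href, text in collector.links:
        if not href:
            continue  # named anchor, nothing to follow
        href_host = host_of(href)
        if not same_org(href_host, sender_domain):
            indicators.append(
                f"link leads to {href_host!r}, outside the sender's domain {sender_domain!r}")
        # A link whose visible text is itself a URL should point where it says.
        if text.lower().startswith(("http://", "https://", "www.")):
            text_host = host_of(text)
            if text_host != href_host:
                indicators.append(
                    f"link text shows {text_host!r} but the target is {href_host!r}")
    return indicators


if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", indicator)
```

Run against the constructed sample it reports two indicators: the link leaves the virginia.edu domain, and the displayed URL disagrees with the real target. Replacing the href with a real www.virginia.edu address produces no indicators. The check is deliberately conservative: it trusts the From header only as the claimed origin to compare links against, since a forged From is exactly what this email used.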
Local Virus Cleanup Instructions for Windows XP with Service Pack 2
These instructions have been tested with Windows XP with Service Pack 2
- Obtain the following three files and put them on a CD, or place them on the desktop of your computer.
virusfix.exe (UPDATED tool: 2/01/07)
http://holmes.acc.virginia.edu/~helpdesk/downloads/virusfix.exe
Symantec AntiVirus 10
http://www.itc.virginia.edu/central/display/details.php?installerID=178&nav=title
Symantec AntiVirus Local Definitions
http://www.itc.virginia.edu/central/display/details.php?installerID=76&nav=title
- UNPLUG YOUR COMPUTER FROM THE INTERNET
- Restart the computer in Safe Mode: restart Windows and immediately start pressing F8 until the list of boot options appears, then choose Safe Mode. If you see the Windows login screen instead, you missed the boot menu; start over.
- Run virusfix.exe (the cleanup tool). Once the files are extracted, follow the on-screen instructions. When the main menu appears, select the removal tool for the virus you were notified about, then continue following the on-screen instructions.
- Reboot the computer into normal mode.
- Use Add/Remove Programs in the Control Panel to remove any currently installed anti-virus products. If LiveUpdate is listed as a separately installed program, remove it too.
- You MUST uninstall ANY PREVIOUS VERSION of ANTI-VIRUS software. If you don't, the installation may fail.
- Install Symantec AntiVirus version 10 (double-click the downloaded sav1001itc.exe file).
- Update to the latest virus definitions (double-click the downloaded newdefs.exe file).
- Reboot the computer.
- Disable System Restore. (Open the System icon in the Control Panel, choose the System Restore tab, and check the box to turn System Restore off. While it is on, infected files saved in restore points cannot be cleaned and can reinfect the machine later.)
- Reboot again, back into Safe Mode.
- Run a complete scan of the computer.
- If no remaining viruses are found, return your computer to the network.
- If remaining viruses are found, use another computer to look up the cleanup instructions for those viruses, and plug your computer back into the network only once it is clean.
- If you were blocked through the automated system, go to https://asbru.itc.virginia.edu/unblock.html and unblock yourself. Wait 15 minutes to see whether you have been unblocked. If not, write to abuse@virginia.edu, explain what was done to repair the problem, and arrange to be unblocked.
- If you were blocked by the abuse team (you have mail from them), you must reply to that mail and tell them what was done to clean up the machine before they will unblock the system.
- Once you are back on the network, run another complete scan of the computer.
- If Symantec finds any adware or spyware, look up each item on the Symantec web site for cleanup instructions.
- After everything is clean, re-enable System Restore.
