Virus infestation guide

If you have a well-founded suspicion that your computer has been infected by a virus ("behaves strangely") or you have been informed by colleagues or system administrators at the university that your computer is the starting point for attacks on the network, the following checklist can help you to eliminate the problem:

  • First of all, don't panic!
  • Inform us immediately of the virus attack so that the network address of your computer can be blocked (if we have not already done so) and so that it no longer poses a danger to other users. Please contact our helpdesk.
  • Also physically disconnect your computer from the data network (pull the plug). This does not mean the power supply of your computer! You need power, of course, so that you can rid your computer of the virus in the following steps.
  • If the virus has already been identified, find out about its effects and the chances of a "soft" repair that does not require reinstallation. The virus libraries of vendors such as NAI or Symantec offer extensive information on this.
  • Decide for your individual case whether a new installation of your PC is advisable, for example because the virus is demonstrably difficult or impossible to remove even with scanning programmes, or because it has already caused too much damage to your PC by deleting files. If you decide to do a new installation, you can in principle do it without formatting the hard disk, so that your files are preserved. However, bear in mind that your files may already be infected by the virus and that you will reactivate it when you open such a file.

  • If you are able to make a local data backup to a USB stick or with a CD burner, you should do so. It is less advisable to simply back up your files to another PC or a server in your department. Firstly, you may already have lost access to the network due to the IP blocking, and secondly, you could spread the virus to other computers. If you still want to back up to another computer, at least make sure that a virus scanner with the latest virus signatures is installed there and that all transferred files are also scanned. Before you back up files from an infected PC to a server, you should talk to the responsible administrator!

  • Whenever a computer is infected, you must assume that ALL passwords entered on the system are compromised. The backdoors run with system privileges and almost always come with so-called keyloggers, which log the keystrokes entered in login windows.
    Furthermore, there are many tools that search the entire computer for passwords, and they often succeed.
    It is therefore pointless to install a new system without also choosing new passwords: the computer is immediately reinfected, tries to infect others and is blocked again.

  • Install your operating system from the installation media provided. If you have previously backed up your data, reformat the hard disk. This will ensure that nothing from the old installation is carried over.
  • Before reconnecting the computer to the network, install the operating system's native firewall or a third-party firewall. Unless you have installed all the latest security updates that affect services, the average time until a newly connected computer is infected is currently less than 10 minutes.
  • Configure your computer for operation on the network (IP address, gateway, subnet mask, etc.).
  • Ask the kiz to reactivate the blocked IP address. To do this, use our online form for reactivation.
  • After the computer is connected to the network again, immediately install the current service pack and all security updates based on it. For Windows, use the Windows Update service. If necessary, you can also call this service directly using the following link: http://windowsupdate.microsoft.com. In any case, a connection to the Microsoft update server is established and the required updates are automatically downloaded in the correct order and language version.
  • After installing the updates and performing the necessary reboot, please install a virus scanner on your computer immediately. If you have not already done so, you can obtain the Bitdefender virus scanner from the kiz. Please read our information on the Bitdefender Endpoint Security Tools.
  • Update the virus scanner with the latest virus signatures.
  • Perform a complete scan of your system.
  • Reinstall your application programs.
  • Restore your data from the backup, provided you have chosen the safe way and the hard disk was formatted during the reinstallation.
  • Set up your virus scanner so that it automatically (preferably daily) updates the virus signatures.

  • Get (e.g. with the help of a colleague who is still "online") the stand-alone utility Stinger from NAI/McAfee. It is specially designed to clean infected computers and contains all the necessary definitions for detecting viruses. This tool can be downloaded free of charge and without registration.
  • To transfer the scan software to the infected computer, you must use USB sticks or burn a CD-ROM beforehand.
  • Start the infected computer in safe mode (F8 for Windows).
  • Start the "Stinger" utility and perform a complete scan of your system. If you are lucky, this may already remove the virus. However, it is also possible that the virus prevents the scanner from running. In this case, please check the homepage of the virus scanner manufacturer (see above) to see if they provide manual instructions for removing this virus.
  • After the computer has been cleared of the virus, please contact the kiz to have the blocked IP address unblocked. To do this, use our online form for reactivation.
  • As soon as the computer is connected to the network again, immediately install the current service pack and all security updates based on it. For Windows, use the Windows Update service. If necessary, you can also call this service directly using the following link: http://windowsupdate.microsoft.com. In any case, a connection to the Microsoft update server is established and the required updates are automatically downloaded in the correct order and language version.
  • Get the Bitdefender virus scanner from the kiz. Read our information on the Bitdefender Endpoint Security Tools. Of course, you can also use another virus scanner. The "Stinger" utility that you used to clean your computer is no substitute for a proper virus scanner.
  • Set up your virus scanner so that it automatically (preferably daily) updates the virus signatures.

Of course, the network of the University of Ulm is constantly monitored. Virus-infected PCs usually become noticeable quickly through the mass sending of e-mails, (denial of service) attacks on controlled servers or other "unusual" behaviour. The network administrators then immediately block the IP address of the offending computer. This means that it can no longer cause any damage outside the respective subnet. If possible, the responsible system administrator is immediately informed so that the infected computer can be physically disconnected from the network. Reconnection of the computer is only permitted or made possible once the virus has either been removed or the computer has been reinstalled and provided with all security updates. In the case of WLAN access, the kiz can take further account-related measures.

 

Communication and Information Centre (kiz)

Please contact us if you have questions or problems related to the kiz services:

Office hours
Monday - Thursday
09:00 h - 12:00 h and 13:00 h - 15:30 h

Friday 09:00 h - 12:00 h

Phone
+49 (0) 731 / 50 - 30000

Telefax
+49 (0) 731 / 50 - 1230000

helpdesk(at)uni-ulm.de