Friend has a virus, seems to be Russian

[JohnD]

A friend has picked up a virus which has sent me (and others of her friends and family) email saying:

Subject: Fotos 18/08

6:17:12 PM Fotos 18/08..:

Imagens Anexadas..: DSC_0401.jpg - DSC_0402.jpg - DSC_0403.jpg


Videos Hotmail.com..: w*ww.*hotmail.co*m/videos.avi

--------------------------------------------------------------------------------
Celebrate a decade of Messenger with free winks, emoticons, display pics, and more. Get Them Now

The links that look like photo attachments are acvtually links to a Russian website. The third one goes to h*ttp:*//cli.gs/6dRHhV (my asterisks) and trieed to download an .exe which Norton blocked (I think teh URL may be removed now). The others go to h*ttp:*//cli.gs/NWGRAb and h*ttp:*//cli.gs/Ndud3G (I put the asterisks in to prevent you clicking on them accidentally)

She has asked if I can help.

Because I use Norton Internet Security I am not experienced in cleaning viruses myself. I think she is using an unprotected laptop away from home on hols.

Any suggestions? I am looking for a free tool that will enable her to identifyt and remove whtever the thing is.

 

[dave.m]

John,
Comodo picked up the links too and prevented them downloading.

What antivirus program does your friend have and is she getting any name for the virus that is being found.
What operating system, XP or Vista?

If her AV is finding it but cannot remove it in normal operation, tell her to reboot into safe mode
Shutdown and restart and as soon as it tries to boot up keep tapping the F8 key.
When the black screen appears use the arrow keys to select Safe Mode and then hit the Enter key.

Once booted in safe mode, open the AV program and run a full scan, let it remove everything it finds.

Then shut down and boot up in normal mode (it will do it automatically) and run another scan with the program that found the virus.

Post back when that is done but ask her to answer the questions I asked at the begining

dave

 

[JohnD]

have passed the advice on.

Norton Internet Security says it blocked W32.induc.a when I looked at any of the links in mail, it says it is a high risk virus but it seems to infect Delphi files at complialtion which seems odd. It has only been around since 18th August 2009 so I suppose users need an up to date Antivirus program to catch it. See http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99

Sophos has a free tool (see below) is that a good one to use?

http://www.sophos.com/security/analyses/viruses-and-spyware/w32induca.html

 

[dave.m]

John,
This is a cracker of a program:

http://www.freedrweb.com/cureit/?lng=en

DrWebCureit is upto date when you download it so you just download and run it. After you have used it you just uninstall it as it does not get updates once installed. Full simple instructions on the web site.
Get it, run it, ditch it.

dave

Sophos has a free tool (see below) is that a good one to use?

http://www.sophos.com/security/analyses/viruses-and-spyware/w32induca.html[/QUOTE]

That is only a scan to see if you have it, it is not a removal tool.

 

[empip]

My A/V provider has a free tool - with a manual too !
http://www.avira.com/en/support/antivir_removal_tool.html

Virus: W32/Induc.A
Date discovered: 18/08/2009
Type: File infector
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low to medium
Damage Potential: Low
Static file: No
VDF version: 7.01.05.130 - Tue, 18 Aug 2009 15:24 (GMT+1)

(VDF is 'update file' for Avira a/v.)

General
Aliases:
• Symantec: W32.Induc.A
• Mcafee: W32/Induc
• Kaspersky: Virus.Win32.Induc.a
• Sophos: W32/Induc-A
• Eset: Win32/Induc.A
• Bitdefender: Win32.Induc.A

--