This morning I received odd emails from two of my team with the heading Fotos 27/07. This was because they had both got a virus which has spread very quickly. That is because instead of having failed photos it links to an odd website.
I, therefore, went into the office to clean up the computers. There is some information around on the net about this, but it was not clear exactly what is going on so I have written this note.
To clean the computer:
1. Look for a directory c:\winnt_
2. In this directory you should find a number of files, including id and various exe files, e.g. winnt1.exe, winnt2.exe, etc.
3. Start Task Manager. Look at the processes. Cancel all of the processes whose names exist in the winnt_ directory. (There won't be one for id.)
4. Delete all the files in winnt_
5. Remove the directory.
At that point, as far as I can tell, the virus has been removed. There will, however, be some registry entries that need cleaning up.
On the web there is a recommendation to download and run CCleaner version v2.21.940 or later. I have done this on one machine, but not the other. Both seem OK. I would be careful about CCleaner as it may install the Yahoo toolbar by default. Nothing wrong with Yahoo, but you may not want that.
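The steps above, plus a check of the Run startup key that a commenter below mentions, as a PowerShell script. This is an added example, not the post author's own; it assumes the startup entries reference the c:\winnt_ path and also checks the HKCU Run key, which the page does not mention.

```powershell
# Added example, not the post author's script. Run from an elevated prompt.
# Without -Remove it only reports what it finds.
param(
    [string]$Dir = 'C:\winnt_',   # directory named in the post
    [switch]$Remove
)
if (-not (Test-Path -LiteralPath $Dir)) { Write-Output "$Dir not found."; return }

# Steps 1-2: list the directory contents (id plus the winnt*.exe files).
$files = Get-ChildItem -LiteralPath $Dir -Force -File
$files | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# Step 3: running processes whose name matches an .exe in the directory.
$names = $files | Where-Object { $_.Extension -eq '.exe' } | ForEach-Object { $_.BaseName }
$procs = Get-Process | Where-Object { $names -contains $_.ProcessName }
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# Registry: Run values whose data references the directory.
# Assumptions: the entries point into $Dir, and HKCU is checked as well as HKLM.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        $inDir = $data.IndexOf($Dir, [StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($valueName -and $inDir) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Data = $data }
        }
    }
}
$hits | Format-Table -AutoSize

if ($Remove) {
    if ($procs) { $procs | Stop-Process -Force }          # step 3
    foreach ($h in $hits) {                               # registry clean-up
        Remove-ItemProperty -Path $h.Key -Name $h.Name
    }
    Start-Sleep -Seconds 2                                # let file handles close
    Remove-Item -LiteralPath $Dir -Recurse -Force         # steps 4-5
}
```

Run it once without -Remove and check the Path column of the process table before running it again with -Remove, since processes are matched by name only.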
Comments
ah well fun and games as always.
Thanks for your blog, it's very helpful! When trying to delete the winnt files I get a box saying Destination Folder access denied - you need permission to perform this action and it has a try again or cancel button. Any advice on how I can actually delete these files?
If you could help that would be great!!
Thanks
btw, forgot to thank you for the guide.
That fixed it
Cheers
thanx
Thanks so much for this - I was getting absolutely desperate and losing email buddies!
Only bit I didn't understand how to do from your instructions was 'cleaning up registry' stuff. I know I'm showing my total IT ignorance, but what is it, and how do I do it, please!!
Thanks again, Gabrielle
I think you can live without fixing the registry.
Jay Valambhia's comment:
Sorry bunch of losers. Get a Mac.
How does having a PC make us losers?
It's lame comments like yours that taint helpful threads.
Thanks again John
Such an annoying virus!
Again thank you!
I also had to remove these from starting up by going into the registry:
HKLM/Software/Microsoft/Windows/CurrentVersion/Run ... and removed all instances of the virus there.