
Fotos 27/07 Email Virus (hotmail)

This morning I received odd emails from two of my team with the heading Fotos 27/07. This was because they had both got a virus which has spread very quickly. That is because instead of having failed photos it links to an odd website.

I, therefore, went into the office to clean up the computers. There is some information around on the net about this, but it was not clear exactly what is going on so I have written this note.

To clean the computer:

1. Look for a directory c:\winnt_

2. In this directory you should find a number of files, including id and various exe files, e.g. winnt1.exe, winnt2.exe, etc.

3. Start Task Manager and look at the processes. End all of the processes whose names match files in the winnt_ directory (there won't be one for id).

4. Delete all the files in winnt_

5. Remove the directory.

At that point as far as I can tell the virus has been removed. There will, however, be some registry entries that need cleaning up.

On the web there is a recommendation to download and run ccleaner version v2.21.940 or later. I have done this on one machine, but not the other. Both seem OK. I would be careful about ccleaner as it may install the Yahoo toolbar by default. Nothing wrong with Yahoo, but you may not want that.

Comments

Jerry said…
Hi John, Got one of these from E W-G this morning, as it wasn't in Emily's usual format I knew something dodgy was going on with it.

ah well fun and games as always.
Aurealeus said…
Got the same email this morning. Purported to come from a friend in my email list. Called my friend and he said he didn't send me anything but that he also received the same email. CC showed the same email was sent to others from his contact list so apparently this virus is able to scan your contact list and send to others in the contact list.
Michelle said…
HI John,
Thanks for your blog, it's very helpful! When trying to delete the winnt files I get a box saying Destination Folder access denied - you need permission to perform this action and it has a try again or cancel button, any advice on how I can actually delete these files?
If you could help that would be great!!
Thanks
John Hemming said…
It is possible that some of the processes are still running. Probably, however, you need to sign on as an administrator.
Michelle said…
great - now I just have to work out how to log on as administrator...lol! I'm not IT savvy!
TiTi said…
just wanted to say thank you- i couldn't figure out what the processes were that were running in task manager until i saw your note. Last night i went to send an email through hotmail and it said i had reached the max number of emails for the day (240) which was impossible, then started getting tons of post master failures, and went into my sent folder and there were hundreds of emails to my contact list- saying fotos 27, like i had sent it- the brilliant part is it was only sending the email to 5 contacts at a time so it didn't look like a mass email. I ran all of my spyware programs and cc cleaner and it didn't pick up on anything. I came across your site and found all the files you said and deleted the directory, does that mean I am clean now? any idea how i would get something like this? i never open mail from people i don't know.. ever, i'm a bit confused where it came from and how they hijacked my account. thanks again!
Unknown said…
Thanks John, I got the same email and have tried your solution. Let's hope the solution works.
Noblese said…
Thanks for this message. I received a couple from colleagues in my address book! Your message really helped.
d-bo said…
I cannot locate C:\winnt on my directory. I am using Windows Vista. Please help...
John Hemming said…
This, of course, could change. But you are missing an underscore from what you have posted.
d-bo said…
have tried with underscore also, but still cannot find.
John Hemming said…
Sorry, but I cannot really do that much Tech Support. I am a Member of Parliament in the UK and have a weekly advice bureau at 1772 Coventry Road, Birmingham B26 1PB. I suppose you could try to bring your computer there and if you are not a constituent I will see you after I have dealt with all my constituents.
TiTi said…
Hi, Thank you John but I live in Ontario, Canada LOL so that wouldn't be possible! to anyone trying this you have to make sure all of the processes under task manager are ended wnnt and i think there were 6 of them running, then you go to C drive, the winnt folder was 4 folders below the Program Files folder- erased it and done, Thanks again!
Unknown said…
oh, i want to ask something. does this virus only send e-mails from hotmail domains when the e-mail is opened?

btw, forgot to thank you for the guide.
Sheila said…
I also had difficulty locating the directory but then I searched for it using c:\winnt_ and the date I received the email. That worked. Good luck!
Unknown said…
Thanks mate,
That fixed it
Cheers
Unknown said…
this virus has deleted files from my computer! thank goodness for back ups.
Unknown said…
hey there so i'm totally computer illiterate but what i did was searched for C:\winnt_ and it came up under c files with a thing called id but that was it there wasn't anything else attached to it so i just deleted the whole winnt file was that right :s
thanx
Gabrielle said…
Hello John,
Thanks so much for this - I was getting absolutely desperate and losing email buddies!
Only bit I didn't understand how to do from your instructions was 'cleaning up registry' stuff. I know I'm showing my total IT ignorance, but what is it, and how do I do it, please!!
Thanks again, Gabrielle
Gabrielle said…
Oh, sorry, one other question about this. Although I seem to have cleaned it up so it has stopped sending out the emails all the time, each time I'm logged into that email account, I get a little MSN pop up telling me that I am now signed on in two places and that my messages will be visible in both places....I only have one computer and am only signed on into that one account at the time...is this also part of the virus problem, and if so..do you have any idea how I get rid of it? I'm worried that someone else somewhere is getting to read all my emails!! Thanks again, Gabrielle
John Hemming said…
You may need to change your password.

I think you can live without fixing the registry.
Gabrielle said…
Thanks again, John - all seems to be well again now. What a relief! Oh and you can congratulate yourself as having worked out a 'fix' when it seems the techies at hotmail are struggling! Cheers.
Jay Valambhia said…
Sorry bunch of losers. Get a Mac.
Unknown said…
thanks a mill john!!!!

Jay Valambhia's comment:

Sorry bunch of losers. Get a Mac.

How does having a PC make us losers?

it's lame comments like yours that taint helpful threads.

Thanks again John
Unknown said…
thank you...i had the same problem...i hope the virus is removed now..
mr yeti said…
thanks a lot for this fella - much help!!
Rona said…
Thank you so much for your note!! It helped!!!!
Such an annoying virus!
Again thank you!
Jess Po said…
Thanks so much for the fix... was driving me crazy!!
Unknown said…
Had a similar problem to this today. Someone downloaded a "foto.com" file on their computer and ran it... In the winnt_ folder it contained "winnt.exe" and "winntR1.exe".

I also had to remove these from starting up by going into the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run ... and removed all instances of the virus there.
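
The checks from the post's cleanup steps and from the registry comment above, gathered into one read-only PowerShell audit. This is an added example, not part of the original post or its comments; the function name `Get-WinntIndicators` and the output columns are illustrative, and the directory is a parameter because several commenters found the folder somewhere other than the root of C:.

```powershell
# Added example: read-only audit for the indicators this page describes.
# C:\winnt_ and the HKLM Run key come from the page; the function name and
# output shape are illustrative. Run elevated so process paths are visible.
param([string]$Dir = 'C:\winnt_')

function Get-WinntIndicators {
    param([string]$Dir)
    $prefix = $Dir.TrimEnd('\') + '\'
    $ci     = [System.StringComparison]::OrdinalIgnoreCase
    $found  = @()

    # Steps 1-2: the directory and the files in it (-Force includes hidden files).
    if (Test-Path -LiteralPath $Dir) {
        foreach ($f in Get-ChildItem -LiteralPath $Dir -Force) {
            $found += [pscustomobject]@{ Kind = 'File'; Name = $f.Name; Detail = $f.FullName }
        }
    }

    # Step 3: running processes whose executable lives in that directory.
    # Matching on the full path, not just the name, avoids flagging an
    # unrelated process that happens to share a file name.
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if ($p.ExecutablePath -and $p.ExecutablePath.StartsWith($prefix, $ci)) {
            $found += [pscustomobject]@{
                Kind   = 'Process'
                Name   = "$($p.Name) (PID $($p.ProcessId))"
                Detail = $p.ExecutablePath
            }
        }
    }

    # Registry: Run values whose command line points into the directory.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value.IndexOf($prefix, $ci) -ge 0) {
                $found += [pscustomobject]@{ Kind = 'RunValue'; Name = $name; Detail = $value }
            }
        }
    }
    $found
}

Get-WinntIndicators -Dir $Dir | Format-Table -AutoSize
```

The script changes nothing; an empty result after following the steps in the post means the directory, its processes and its Run entries are all gone.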
