John Hemming's Web Log John's Reference Website
Wednesday, August 05, 2009
  Fotos 27/07 Email Virus (hotmail)
This morning I received odd emails from two of my team with the heading Fotos 27/07. This was because they had both got a virus which has spread very quickly. That is because, instead of containing the photos it promises, the email links to an odd website.

I therefore went into the office to clean up the computers. There is some information around on the net about this, but it was not clear exactly what is going on, so I have written this note.

To clean the computer:

1. Look for a directory c:\winnt_

2. In this directory you should find a number of files, including id and various exe files, e.g. winnt1.exe, winnt2.exe, etc.

3. Start Task Manager. Look at the processes. End all of the processes whose names match files in the winnt_ directory (there won't be one for id).

4. Delete all the files in winnt_

5. Remove the directory.

At that point, as far as I can tell, the virus has been removed. There will, however, be some registry entries that need cleaning up.

On the web there is a recommendation to download and run CCleaner v2.21.940 or later. I have done this on one machine, but not the other. Both seem OK. I would be careful with CCleaner as it may install the Yahoo toolbar by default. Nothing wrong with Yahoo, but you may not want that.
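The clean-up steps above as a PowerShell audit script, added here as an example; it is not the post's own procedure or any commenter's code. It assumes the C:\winnt_ path from the post, only reports unless its own -Clean switch is given, and additionally checks the HKLM and HKCU Run keys for autostart entries pointing into that directory (the HKLM Run key is where a commenter below found them).

```powershell
# Added example (not code from the original post). Audits a Windows machine for the
# artifacts the post describes: the C:\winnt_ directory, processes running from it,
# and Run-key autostart entries pointing into it. Report-only unless -Clean is given.
# Run from an elevated (Administrator) PowerShell; -Clean is this example's own switch.
param([switch]$Clean)

$dir = 'C:\winnt_'                       # directory name taken from the post
$runKeys = @(                            # autostart locations; the HKLM one is from a commenter
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Steps 1-2: does the directory exist, and what does it contain?
if (Test-Path -LiteralPath $dir) {
    Write-Output "Found ${dir}:"
    Get-ChildItem -LiteralPath $dir -Force | ForEach-Object {
        Write-Output ("  {0,-16} {1,8} bytes  modified {2}" -f $_.Name, $_.Length, $_.LastWriteTime)
    }
} else {
    Write-Output "No $dir directory found."
}

# Step 3: processes whose executable lives in that directory. WMI reports the
# path without throwing on protected processes, unlike Get-Process on old systems.
$procs = Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath -like "$dir\*" }
foreach ($p in $procs) {
    Write-Output ("Running from {0}: PID {1} {2}" -f $dir, $p.ProcessId, $p.Name)
    if ($Clean) { Stop-Process -Id $p.ProcessId -Force }
}

# Registry: autostart entries that would relaunch the files after a reboot
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }     # skip PowerShell's own metadata
        if ("$($prop.Value)" -like "*winnt_*") {
            Write-Output ("Autostart {0}\{1} = {2}" -f $key, $prop.Name, $prop.Value)
            if ($Clean) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# Steps 4-5: remove the files and the directory, only after the processes are stopped
if ($Clean -and (Test-Path -LiteralPath $dir)) {
    Remove-Item -LiteralPath $dir -Recurse -Force
    Write-Output "Removed $dir"
}
```

Run it once without -Clean to see what it would touch; the "Destination Folder access denied" error a commenter reports below is what you get when the processes are still running or the shell is not elevated.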
 
Comments:
Hi John, Got one of these from E W-G this morning, as it wasn't in Emily's usual format I knew something dodgy was going on with it.

Ah well, fun and games as always.
 
Got the same email this morning. Purported to come from a friend in my email list. Called my friend and he said he didn't send me anything but that he also received the same email. CC showed the same email was sent to others from his contact list so apparently this virus is able to scan your contact list and send to others in the contact list.
 
Hi John,
Thanks for your blog, it's very helpful! When trying to delete the winnt files I get a box saying "Destination Folder access denied - you need permission to perform this action" and it has a try again or cancel button. Any advice on how I can actually delete these files?
If you could help that would be great!!
Thanks
 
It is possible that some of the processes are still running. Probably, however, you need to sign on as an administrator.
 
Great - now I just have to work out how to log on as administrator... lol! I'm not IT savvy!
 
Just wanted to say thank you - I couldn't figure out what the processes were that were running in Task Manager until I saw your note. Last night I went to send an email through Hotmail and it said I had reached the max number of emails for the day (240), which was impossible, then started getting tons of postmaster failures, and went into my sent folder and there were hundreds of emails to my contact list saying Fotos 27, like I had sent it. The brilliant part is it was only sending the email to 5 contacts at a time so it didn't look like a mass email. I ran all of my spyware programs and CCleaner and it didn't pick up on anything. I came across your site and found all the files you said and deleted the directory. Does that mean I am clean now? Any idea how I would get something like this? I never open mail from people I don't know... ever. I'm a bit confused where it came from and how they hijacked my account. Thanks again!
 
Thanks John, I got the same email and have tried your solution. Let's hope the solution works.
 
Thanks for this message. I received a couple from colleagues in my address book! Your message really helped.
 
I cannot locate C:\winnt on my directory. I am using Windows Vista. Please help...
 
This, of course, could change. But you are missing an underscore from what you have posted.
 
Have tried with underscore also, but still cannot find.
 
Sorry, but I cannot really do that much Tech Support. I am a Member of Parliament in the UK and have a weekly advice bureau at 1772 Coventry Road, Birmingham B26 1PB. I suppose you could try to bring your computer there and if you are not a constituent I will see you after I have dealt with all my constituents.
 
Hi, thank you John, but I live in Ontario, Canada, LOL, so that wouldn't be possible! To anyone trying this: you have to make sure all of the processes under Task Manager named winnt are ended (I think there were 6 of them running), then you go to the C drive; the winnt folder was 4 folders below the Program Files folder. Erased it and done. Thanks again!
 
Oh, I want to ask something. Does this virus only send e-mails from Hotmail domains when the e-mail is opened?

BTW, forgot to thank you for the guide.
 
I also had difficulty locating the directory but then I searched for it using c:\winnt_ and the date I received the email. That worked. Good luck!
 
Thanks mate,
That fixed it
Cheers
 
This virus has deleted files from my computer! Thank goodness for backups.
 
Hey there, so I'm totally computer illiterate, but what I did was search for C:\winnt_ and it came up under C files with a thing called id, but that was it, there wasn't anything else attached to it, so I just deleted the whole winnt file. Was that right :s
Thanx
 
Hello John,
Thanks so much for this - I was getting absolutely desperate and losing email buddies!
The only bit I didn't understand how to do from your instructions was the 'cleaning up registry' stuff. I know I'm showing my total IT ignorance, but what is it, and how do I do it, please!!
Thanks again, Gabrielle
 
Oh, sorry, one other question about this. Although I seem to have cleaned it up so it has stopped sending out the emails all the time, each time I'm logged into that email account I get a little MSN pop-up telling me that I am now signed on in two places and that my messages will be visible in both places... I only have one computer and am only signed on into that one account at the time. Is this also part of the virus problem, and if so, do you have any idea how I get rid of it? I'm worried that someone else somewhere is getting to read all my emails!! Thanks again, Gabrielle
 
You may need to change your password.

I think you can live without fixing the registry.
 
Thanks again, John - all seems to be well again now. What a relief! Oh and you can congratulate yourself as having worked out a 'fix' when it seems the techies at hotmail are struggling! Cheers.
 
Sorry bunch of losers. Get a Mac.
 
Thanks a mill John!!!!

Jay Valambhia's comment:

Sorry bunch of losers. Get a Mac.

How does having a PC make us losers?

It's lame comments like yours that taint helpful threads.

Thanks again John
 
Thank you... I had the same problem... I hope the virus is removed now.
 
Thanks a lot for this, fella - much help!!
 
Thank you so much for your note!! It helped!!!!
Such an annoying virus!
Again thank you!
 
Thanks so much for the fix... was driving me crazy!!
 
Had a similar problem to this today. Someone downloaded a "foto.com" file on their computer and ran it... In the winnt_ folder it contained "winnt.exe" and "winntR1.exe".

I also had to remove these from starting up by going into the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run ... and removed all instances of the virus there.
 

Published, promoted, and printed (well not really printed I suppose, more like typed) by John Hemming, 1772 Coventry Road, Birmingham B26 1PB. Hosted by blogspot.com part of Google.com 1600 Amphitheatre Parkway Mountain View, CA 94043, United States of America. This blog is posted by John Hemming in his personal capacity as an individual.