Fotos 27/07 Email Virus (hotmail)

This morning I received odd emails from two of my team with the heading Fotos 27/07. This was because they had both got a virus which has spread very quickly. That is because instead of having failed photos it links to an odd website.

I, therefore, went into the office to clean up the computers. There is some information around on the net about this, but it was not clear exactly what is going on so I have written this note.

To clean the computer:

1. Look for a directory c:\winnt_

2. In this directory you should find a number of files, including id and various exe files, e.g. winnt1.exe, winnt2.exe, etc.

3. Start task manager. Look at the processes. Cancel all of the processes whose names exist in the winnt_ directory. (there won't be one for id)

4. Delete all the files in winnt_

5. Remove the directory.

At that point as far as I can tell the virus has been removed. There will, however, be some registry entries that need cleaning up.
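The manual steps above, written as a PowerShell script; this is an added example, not part of the original post. It assumes an elevated (administrator) prompt, takes the Run key location from a reader comment further down the page, and the `-Remove` switch and variable names are this example's own.

```powershell
# Added example: reports what it finds by default; pass -Remove to clean up.
param(
    [string]$Dir = 'C:\winnt_',   # directory named in the post
    [switch]$Remove
)

if (-not (Test-Path -LiteralPath $Dir)) {
    Write-Output "$Dir not found; nothing to do."
    return
}

# Step 2: the executables dropped in the directory (winnt1.exe, winnt2.exe, ...).
$names = @(Get-ChildItem -LiteralPath $Dir -Filter *.exe -Force |
    ForEach-Object { $_.BaseName })

# Step 3: running processes started from that directory. Path can be empty
# when access is denied, so fall back to matching on the executable name.
$procs = @(Get-Process | Where-Object {
    ($_.Path -and $_.Path.StartsWith($Dir + '\', 'OrdinalIgnoreCase')) -or
    (-not $_.Path -and $names -contains $_.ProcessName)
})
$procs | Select-Object Id, ProcessName, Path

# Registry: Run values whose command line points into the directory.
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$key     = Get-Item -Path $runKey
$entries = @($key.GetValueNames() |
    Where-Object { "$($key.GetValue($_))" -like "*$Dir\*" })
$entries | ForEach-Object { "{0} = {1}" -f $_, $key.GetValue($_) }

if ($Remove) {
    foreach ($p in $procs) {
        Stop-Process -Id $p.Id -Force                  # step 3
    }
    Remove-Item -LiteralPath $Dir -Recurse -Force      # steps 4 and 5
    foreach ($name in $entries) {
        Remove-ItemProperty -Path $runKey -Name $name  # start-up entries
    }
}
```

Run it once without `-Remove` and check the listed processes and Run values before deleting anything.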

On the web there is a recommendation to download and run ccleaner version v2.21.940 or later. I have done this on one machine, but not the other. Both seem OK. I would be careful about ccleaner as it may install the Yahoo toolbar by default. Nothing wrong with Yahoo, but you may not want that.


Jerry said…
Hi John, Got one of these from E W-G this morning, as it wasn't in Emily's usual format I knew something dodgy was going on with it.

ah well fun and games as always.
Mark said…
Got the same email this morning. Purported to come from a friend in my email list. Called my friend and he said he didn't send me anything but that he also received the same email. CC showed the same email was sent to others from his contact list so apparently this virus is able to scan your contact list and send to others in the contact list.
Michelle said…
HI John,
Thanks for your blog, it's very helpful! when trying to delete the winnt files I get a box saying Destination Folder access denied - you need permission to perform this action and it has a try again or cancel button, any advice on how I can actually delete these files?
If you could help that would be great!!
john said…
It is possible that some of the processes are still running. Probably, however, you need to sign on as an administrator.
Michelle said…
great - now I just have to work out how to log on as! I'm not IT savvy!
TiTi said…
just wanted to say thank you- i couldn't figure out what the processes were that were running in task manager until i saw your note. Last night i went to send an email through hotmail and it said i had reached the max number of emails for the day (240) which was impossible, then started getting tons of post master failures, and went into my sent folder and there were hundreds of emails to my contact list- saying fotos 27, like i had sent it- the brilliant part is it was only sending the email to 5 contacts at a time so it didn't look like a mass email. I ran all of my spyware programs and cc cleaner and it didn't pick up on anything. I came across your site and found all the files you said and deleted the directory, does that mean I am clean now? any idea how i would get something like this? i never open mail from people i don't know.. ever, i'm a bit confused where it came from and how they hijacked my account. thanks again!
Mohamedsadiq said…
Thanks John, I got the same email and have tried your solution. Let's hope the solution works.
Noblese said…
Thanks for this message. I received a couple from colleagues in my address book! Your message really helped.
Deepak said…
I cannot locate C:\winnt on my directory. I am using Windows Vista. Please help...
john said…
This, of course, could change. But you are missing an underscore from what you have posted.
d-bo said…
have tried with underscore also, but still cannot find.
john said…
Sorry, but I cannot really do that much Tech Support. I am a Member of Parliament in the UK and have a weekly advice bureau at 1772 Coventry Road, Birmingham B26 1PB. I suppose you could try to bring your computer there and if you are not a constituent I will see you after I have dealt with all my constituents.
TiTi said…
Hi, Thank you John but I live in Ontario, Canada LOL so that wouldn't be possible! to anyone trying this you have to make sure all of the processes under task manager are ended wnnt and i think there were 6 of them running, then you go to C drive, the winnt folder was 4 folders below the Program Files folder- erased it and done, Thanks again!
Nikki-pon said…
oh, i want to ask something. does this virus only send e-mails from hotmail domains when the e-mail is opened?

btw, forgot to thank you for the guide.
Sheila said…
I also had difficulty locating the directory but then I searched for it using c:\winnt_ and the date I received the email. That worked. Good luck!
Skimon said…
Thanks mate,
That fixed it
century 21 said…
this virus has deleted files from my computer! thank goodness for back ups.
emma said…
hey there so i'm totally computer illiterate but what i did was searched for C:\winnt_ and it came up under c files with a thing called id but that was it there wasn't anything else attached to it so i just deleted the whole winnt file was that right :s
Gabrielle said…
Hello John,
Thanks so much for this - I was getting absolutely desperate and losing email buddies!
Only bit I didn't understand how to do from your instructions was 'cleaning up registry' stuff. I know I'm showing my total IT ignorance, but what is it, and how do I do it, please!!
Thanks again, Gabrielle
Gabrielle said…
Oh, sorry, one other question about this. Although I seem to have cleaned it up so it has stopped sending out the emails all the time, each time I'm logged into that email account, I get a little MSN pop up telling me that I am now signed on in two places and that my messages will be visible in both places....I only have one computer and am only signed on into that one account at the this also part of the virus problem, and if you have any idea how I get rid of it? I'm worried that someone else somewhere is getting to read all my emails!! Thanks again, Gabrielle
john said…
You may need to change your password.

I think you can live without fixing the registry.
Gabrielle said…
Thanks again, John - all seems to be well again now. What a relief! Oh and you can congratulate yourself as having worked out a 'fix' when it seems the techies at hotmail are struggling! Cheers.
Jay Valambhia said…
Sorry bunch of losers. Get a Mac.
Mayhul said…
thanks a mill john!!!!

Jay Valambhia's comment:

Sorry bunch of losers. Get a Mac.

How does having a PC make us losers?

it's lame comments like yours that taint helpful threads.

Thanks again John
dhaliwal_rav said…
thank you...i had the same problem...i hope the virus is removed now..
e yeti said…
thanks a lot for this fella - much help!!
Rona said…
Thank you so much for your note!! It helped!!!!
Such an annoying virus!
Again thank you!
Jesspo said…
Thanks so much for the fix... was driving me crazy!!
Chad said…
Had a similar problem to this today. Someone downloaded a "" file on their computer and ran it... In the winnt_ folder it contained "winnt.exe" and "winntR1.exe".

I also had to remove these from starting up by going into the registry:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run ... and removed all instances of the virus there.
