John Hemming's Web Log John's Reference Website
Wednesday, August 05, 2009
  Fotos 27/07 Email Virus (hotmail)
This morning I received odd emails from two of my team with the heading Fotos 27/07. This was because they had both got a virus which has spread very quickly. That is because instead of having failed photos it links to an odd website.

I, therefore, went into the office to clean up the computers. There is some information around on the net about this, but it was not clear exactly what is going on so I have written this note.

To clean the computer.

1. Look for a directory c:\winnt_

2. In this directory you should find a number of files including id and various exe files eg winnt1.exe winnt2.exe etc.

3. Start task manager. Look at the processes. Cancel all of the processes whose names exist in the winnt_ directory. (there won't be one for id)

4. Delete all the files in winnt_

5. Remove the directory.

At that point as far as I can tell the virus has been removed. There will, however, be some registry entries that need cleaning up.

On the web there is a recommendation to download and run ccleaner version v2.21.940 or later. I have done this on one machine, but not the other. Both seem OK. I would be careful about ccleaner as it may install the Yahoo toolbar by default. Nothing wrong with Yahoo, but you may not want that.
  posted by John Hemming ¶ 10:17 am
Comments:
Hi John, Got one of these from E W-G this morning, as it wasn't in Emily's usual format I knew something dodgy was going on with it.

ah well fund and games as always.
# posted by Blogger Jerry : 10:49 am
 
Got the same email this morning. Purported to come from a friend in my email list. Called my friend and he said he didn't send me anything but that he also received the same email. CC showed the same email was sent to others from his contact list so apparently this virus is able to scan your contact list and send to others in the contact list.
# posted by Blogger Mark : 4:00 pm
 
HI John,
Thanks for your blog, its very helpful! when trying to delete the winnt files I get a box saying Destination Folder access denied - you need permisson to perform this action and it has a try again or cancel button, and advise on how I can actually delete these file?
If you could help that would be great!!
Thanks
# posted by Blogger Michelle : 12:53 pm
 
It is possible that some of the processes are still running. Probably, however, you need to sign on as an administrator.
# posted by Blogger john : 2:36 pm
 
great - now I just have to work out how to log on as administrator...lol! I'm not IT savvy!
# posted by Blogger Michelle : 2:47 pm
 
just wanted to say thank you- i couldnt figure out what the process' were that were running in task manager until i saw your note. Last night i went to send an email through hotmail and it said i had reached the max number of emails for the day (240) which was impossible, then started getting tons of post master failures, and went into my sent folder and there were hundreds of emails to my contact list- saying fotos 27, like i had sent it- the brilliant part is it was only sending the email to 5 contacts at a time so it didnt look like a mass emial. I ran all of my spyware programs and cc cleaner and it didnt pick up on anything. I came across your site and found all the files you said and deleted the directory, does that mean I am clean now? any idea how i would get something like this? i never open mail from people i dont know.. ever, i'm a bit confused where it came from and how they hijacked my account. thanks again!
# posted by Blogger TiTi : 5:05 pm
 
Thanks John, I got the same email and have tried your solution. Lets hope the solution works.
# posted by Blogger Mohamedsadiq : 10:03 am
 
Thanks for this message. I received a couple from colleagues in my address book! Your message really helped.
# posted by Blogger Noblese : 3:42 pm
 
I cannot locate C:\winnt on my directory. I am using Windows Vista. Please help...
# posted by Blogger Deepak : 7:09 pm
 
This, of course, could change. But you are missing an underscore from what you have posted.
# posted by Blogger john : 7:20 pm
 
have tried with underscore also, but still cannot find.
# posted by Blogger d-bo : 7:39 pm
 
Sorry, but I cannot really do that much Tech Support. I am a Member of Parliament in the UK and have a weekly advice bureau at 1772 Coventry Road, Birmingham B26 1PB. I suppose you could try to bring your computer there and if you are not a constituent I will see you after I have dealt with all my constituents.
# posted by Blogger john : 7:42 pm
 
Hi, Thank you John but I live in Ontario, Canada LOL so that wouldnt be possible! to anyone trying this you have to make sure all of the processes under task manager are ended wnnt and i think there were 6 of them running, then you go to C drive, the winnt folder was 4 folders below the Program Files folder- erased it and done, Thanks again!
# posted by Blogger TiTi : 1:09 am
 
oh, i want to ask something. does this virus only send e-mails from hotmail domains when the e-mail is opened?

btw, forgot to thank you for the guide.
# posted by Blogger Nikki-pon : 1:26 am
 
I also had difficulty locating the directory but then I searched for it using c:\winnt_ and the date I received the email. That worked. Good luck!
# posted by Blogger Sheila : 5:10 am
 
Thanks mate,
That fixed it
Cheers
# posted by Blogger Skimon : 9:09 am
 
this virus has deleted files from my computer! thank goodness for back ups.
# posted by Blogger century 21 : 12:12 pm
 
hey there so im totally computer illiterate but what i did was searched for C:\winnt_ and it came up under c files with a thing called id but that was it there wasnt anything else attached to it so i just deleted the whole winnt file was that right :s
thanx
# posted by Blogger emma : 8:44 am
 
Hello John,
Thanks so much for this - I was getting absolutely desperate and losing email buddies!
Only bit I didn't understand how to do from your instructions was 'cleaning up registry' stuff. I know I'm showing my total IT ignorance, but what is it, and how do I do it, please!!
Thanks again, Gabrielle
# posted by Blogger Gabrielle : 12:56 pm
 
Oh, sorry, one other question about this. Although I seem to have cleaned it up so it has stopped sending out the emails all the time, each time I'm logged into that email account, I get a little MSN pop up telling me that I am now signed on in two places and that my messages will be visible in both places....I only have one computer and am only signed on into that one account at the time...is this also part of the virus problem, and if so..do you have any idea how I get rid of it? I'm worried that someone else somewhere is getting to read all my emails!! Thanks again, Gabrielle
# posted by Blogger Gabrielle : 1:42 pm
 
You may need to change your password.

I think you can live without fixing the registry.
# posted by Blogger john : 2:26 pm
 
Thanks again, John - all seems to be well again now. What a relief! Oh and you can congratulate yourself as having worked out a 'fix' when it seems the techies at hotmail are struggling! Cheers.
# posted by Blogger Gabrielle : 10:25 am
 
Sorry bunch of losers. Get a Mac.
# posted by Blogger Jay Valambhia : 8:24 pm
 
thanks a mill john!!!!

Jay Valambhia's comment:

Sorry bunch of losers. Get a Mac.

How does having a PC make us losers?

its lame comment like yours that taint helpful threads.

Thanks again John
# posted by Blogger Mayhul : 7:49 pm
 
thank you...i had the same problem...i hope the virus is removd now..
# posted by Blogger dhaliwal_rav : 4:08 am
 
thanks a lot for this fella - much help!!
# posted by Blogger e yeti : 9:56 am
 
Thank you so much for your note!! It helped!!!!
Such an annoying virus!
Again thank you!
# posted by Blogger Rona : 8:26 am
 
Thanks so much for the fix... was driving me crazy!!
# posted by Blogger Jesspo : 2:22 am
 
Had a similar problem to this today. Someone downloaded a "foto.com" file on their computer and ran it... In the winnt_ folder it contained "winnt.exe" and "winntR1.exe".

I also had to remove these from starting up by going into the registry:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run ... and removed all instances of the virus there.
# posted by Blogger Chad : 6:24 am
 
Post a Comment

<< Home

Click Here for access to higher resolution versions of the photos The license for use allows use of the photos by media as long as they are attributed.

better brent chart

ARCHIVES
12/01/2003 - 01/01/2004 / 07/01/2004 - 08/01/2004 / 12/01/2004 - 01/01/2005 / 01/01/2005 - 02/01/2005 / 02/01/2005 - 03/01/2005 / 03/01/2005 - 04/01/2005 / 04/01/2005 - 05/01/2005 / 05/01/2005 - 06/01/2005 / 06/01/2005 - 07/01/2005 / 07/01/2005 - 08/01/2005 / 08/01/2005 - 09/01/2005 / 09/01/2005 - 10/01/2005 / 10/01/2005 - 11/01/2005 / 11/01/2005 - 12/01/2005 / 12/01/2005 - 01/01/2006 / 01/01/2006 - 02/01/2006 / 02/01/2006 - 03/01/2006 / 03/01/2006 - 04/01/2006 / 04/01/2006 - 05/01/2006 / 05/01/2006 - 06/01/2006 / 06/01/2006 - 07/01/2006 / 07/01/2006 - 08/01/2006 / 08/01/2006 - 09/01/2006 / 09/01/2006 - 10/01/2006 / 10/01/2006 - 11/01/2006 / 11/01/2006 - 12/01/2006 / 12/01/2006 - 01/01/2007 / 01/01/2007 - 02/01/2007 / 02/01/2007 - 03/01/2007 / 03/01/2007 - 04/01/2007 / 04/01/2007 - 05/01/2007 / 05/01/2007 - 06/01/2007 / 06/01/2007 - 07/01/2007 / 07/01/2007 - 08/01/2007 / 08/01/2007 - 09/01/2007 / 09/01/2007 - 10/01/2007 / 10/01/2007 - 11/01/2007 / 11/01/2007 - 12/01/2007 / 12/01/2007 - 01/01/2008 / 01/01/2008 - 02/01/2008 / 02/01/2008 - 03/01/2008 / 03/01/2008 - 04/01/2008 / 04/01/2008 - 05/01/2008 / 05/01/2008 - 06/01/2008 / 06/01/2008 - 07/01/2008 / 07/01/2008 - 08/01/2008 / 08/01/2008 - 09/01/2008 / 09/01/2008 - 10/01/2008 / 10/01/2008 - 11/01/2008 / 11/01/2008 - 12/01/2008 / 12/01/2008 - 01/01/2009 / 01/01/2009 - 02/01/2009 / 02/01/2009 - 03/01/2009 / 03/01/2009 - 04/01/2009 / 04/01/2009 - 05/01/2009 / 05/01/2009 - 06/01/2009 / 06/01/2009 - 07/01/2009 / 07/01/2009 - 08/01/2009 / 08/01/2009 - 09/01/2009 / 09/01/2009 - 10/01/2009 / 10/01/2009 - 11/01/2009 / 11/01/2009 - 12/01/2009 / 12/01/2009 - 01/01/2010 / 01/01/2010 - 02/01/2010 / 02/01/2010 - 03/01/2010 / 03/01/2010 - 04/01/2010 / 04/01/2010 - 05/01/2010 / 05/01/2010 - 06/01/2010 / 06/01/2010 - 07/01/2010 / 07/01/2010 - 08/01/2010 / 08/01/2010 - 09/01/2010 / 09/01/2010 - 10/01/2010 / 10/01/2010 - 11/01/2010 / 11/01/2010 - 12/01/2010 / 12/01/2010 - 01/01/2011 / 01/01/2011 - 02/01/2011 / 02/01/2011 - 03/01/2011 / 03/01/2011 - 04/01/2011 / 04/01/2011 - 05/01/2011 / 05/01/2011 - 06/01/2011 / 06/01/2011 - 07/01/2011 / 07/01/2011 - 08/01/2011 / 08/01/2011 - 09/01/2011 / 09/01/2011 - 10/01/2011 / 10/01/2011 - 11/01/2011 / 11/01/2011 - 12/01/2011 / 12/01/2011 - 01/01/2012 / 01/01/2012 - 02/01/2012 / 02/01/2012 - 03/01/2012 / 03/01/2012 - 04/01/2012 / 04/01/2012 - 05/01/2012 / 05/01/2012 - 06/01/2012 / 06/01/2012 - 07/01/2012 / 07/01/2012 - 08/01/2012 / 08/01/2012 - 09/01/2012 / 09/01/2012 - 10/01/2012 / 10/01/2012 - 11/01/2012 / 11/01/2012 - 12/01/2012 / 12/01/2012 - 01/01/2013 / 01/01/2013 - 02/01/2013 / 02/01/2013 - 03/01/2013 / 03/01/2013 - 04/01/2013 / 04/01/2013 - 05/01/2013 / 05/01/2013 - 06/01/2013 /


Powered by Blogger

Published, promoted, and printed (well not really printed I suppose, more like typed) by John Hemming, 1772 Coventry Road, Birmingham B26 1PB. Hosted by blogspot.com part of Google.com 1600 Amphitheatre Parkway Mountain View, CA 94043, United States of America. This blog is posted by John Hemming in his personal capacity as an individual.

Site Feed

If you want me to respond to any comment please either comment only on the past few entries or put something in your comment to make it clear what you are commenting on (the URL would help). Otherwise I will not be able to find the comment quickly and will not respond.

Links
Links (c) Peter Black (mainly Lib Dem)
Site Meter eXTReMe Tracker