Midtown Computer Systems Enterprise



Virus microsoft.public.security.virus

 
 
  #1  
Old 12-20-04, 01:14 AM
wgong
mfcid32.exe spawns with 100% cpu occupancy
I am experiencing an apparent virus attack on my Windows 2K. A program
called `mfcid32.exe` is eating up my CPU cycles constantly. Once it is
killed, it will spawn another copy of itself automatically. The whole
system is brought down because of this. The only temporary remedy is to
SUSPEND it.

Has anyone seen this as well? Help will be greatly appreciated.
  #2  
Old 12-20-04, 01:14 AM
Max M.Wachtel III
Re: mfcid32.exe spawns with 100% cpu occupancy
wgong wrote:
> I am experiencing an apparent virus attack on my Windows 2K. A program
> called `mfcid32.exe` is eating up my CPU cycles constantly. Once it is
> killed, it will spawn another copy of itself automatically. The whole
> system is brought down because of this. The only temporary remedy is to
> SUSPEND it.
>
> Has anyone seen this as well? Help will be greatly appreciated.

Beginning of standard canned reply.

Update Windows. Use a firewall.
Use an Anti-Virus of your choice and keep it updated.
In Windows Explorer, set Folder Options to “show all files”.
Clean out all temp, cache, etc. files.
Download BeClean here:
http://boozet.xepher.net/beclean/

Download Sysclean from here:
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
Read this (it tells you how to use it!):
http://www.trendmicro.com/ftp/products/tsc/readme.txt
Reboot into safe mode and run Sysclean, write down results, then reboot
normally.
If offending file is in “restore” read this:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

Download AdAware from here:
http://www.majorgeeks.com/download506.html
Read the help files, download the winsock fix, and then Update and run
AdAware.
If you lose your Internet connection after running AdAware run the fix.
Winsock Fix here:
http://www.tacktech.com/display.cfm?ttid=257

Download Spybot Search+Destroy here:
http://www.safer-networking.org/en/download/index.html
Read this:
http://www.safer-networking.org/en/tutorial/index.html
Update and run Spybot (enable all protection).

Download Spyware Blaster here: (enable all protection)
http://www.javacoolsoftware.com/spywareblaster.html

Run a couple of online scanners (pick a different one than your main AV):

BitDefender:
http://www.bitdefender.com/scan/licence.php

Norton:
http://security.symantec.com/sscv6/h...YYTZXPE&bhcp=1

Panda:
http://www.pandasoftware.com/actives..._principal.htm

eTrust:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

House Call:
http://housecall.trendmicro.com/hous...start_corp.asp

If the previous do not solve your problems:
Download Bazooka here:
http://www.kephyr.com/spywarescanner/

Download SwatIt here:
http://swatit.org/

Download KL-Detector here:
http://dewasoft.com/privacy/kldetector.htm

Download CWShredder here:
http://www.intermute.com/spysubtract..._download.html

Download HijackThis here:
http://www.majorgeeks.com/download3155.html
Install, run and save the log that is created. Don’t let it fix anything
yet!
You can find forums to post the log to have it analyzed here:
http://tomcoyote.org/hjt/

Download Stinger here:
http://vil.nai.com/vil/stinger/

Download eScan here:
http://www.mwti.net/antivirus/free_utilities.asp
Rename the downloaded file escan.zip and extract (with a zip program) to
C:\Downloads, which you will have to create. Run the updater
(kavupd.exe) and then run eScan (mwavscan.exe).

End of standard canned reply.

--
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
  #3  
Old 01-04-05, 01:21 AM
it_exprt
Re: mfcid32.exe spawns with 100% cpu occupancy
DISABLE ACTIVE X CONTROLS IMMEDIATELY!!!
  #4  
Old 01-04-05, 06:20 PM
Malke
Re: mfcid32.exe spawns with 100% cpu occupancy
it_exprt wrote:

>
> DISABLE ACTIVE X CONTROLS IMMEDIATELY!!!
>

I really hope you do not think this is expert advice. Also, please quote
something of the original post for clarity.

Original Post:

"I am experiencing an apparent virus attack on my Windows 2K. A program
called `mfcid32.exe` is eating up my CPU cycles constantly. Once it is
killed, it will spawn another copy of itself automatically. The whole
system is brought down because of this. The only temporary remedy is to
SUSPEND it."

To the OP: Since you haven't said what antivirus/anti-malware
troubleshooting you have done, start with running TrendMicro's Sysclean
and then continue cleaning your machine with the general removal steps
that follow. Do everything with updated tools in Safe Mode.

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".

2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.

4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

Now continue cleaning your computer:

1) Scan in Safe Mode with a full-featured current version (not earlier
than 2003) antivirus using updated definitions.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

HijackThis is an excellent tool to discover and disable hijackers, but
it requires expert skill. See below for HijackThis links. A combination
of HijackThis and about:Buster works well in removing the about:Blank
homepage hijacker. Again, this is an expert tool and novices should get
help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract..._download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim Eshelman
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

General:
http://forum.aumha.org/ - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
All times are GMT -5.