Virus Destroyed files in System32 folder


w7zr (Technical User), Jul 15, 2001
Computer (1.3 GHz) started running very slowly. Found 12 virus-affected files in the Windows\system32\sysnugg folder. The affected files were:
Mon1423.bud w32.lxd.mirc virus
icmp.vbs hacktool.flooder virus
igmp.exe backdoor.subseven.virus
igmp.vbs hacktool.flooder.virus
info.vbs trojan generator virus
mirc2.ini irc.companion virus
mirc3.ini irc trojan virus
pepsi.exe backdoor sub seven virus
pepsi.vbs hacktool.flooder virus
startup.vbs trojan generator virus
temp.scr backdoor.irc.flood virus
whvlxd.exe backdoor.trojan virus

Norton isolated these but was unable to repair so they were quarantined.

The system is still running slowly; when a program is being accessed, CPU usage runs at 95-100% flat line.

I ran sfc /purgecache but it appeared that it never asked for or got any new copies of either missing or corrupted files from the CD.

Any ideas as to what I can do SHORT of a format?

Thanks
 
Further on this problem. In looking at the \system32 folder I see that the only file that remains from the above is a mirc.ini with some strange entries:

nick=ED
anick=GgOuDJ
host=nugg.wakamoles.comSERVER:nugg.wakamoles.com:4563

So why shouldn't I, and how can I, just extract an older version of mirc.ini from the Win2k CD?

Thanks
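The host= line quoted above is the interesting part of that mirc.ini: read as mIRC's own format, the value is a free-text label glued onto SERVER:hostname:port, so the client is pointed at nugg.wakamoles.com on port 4563. The script below is an added example, not code from the thread: it parses a mirc.ini built from the three quoted lines (constructed sample data) and reports two things worth checking, a port that no stock IRC client dials by default and a mirc.ini that sits under system32. The "[mirc]" section header and the label+SERVER layout of the host= value are assumptions about the mIRC file format, not something the post states.

```python
"""Pull the IRC server out of an mIRC-style mirc.ini and flag what looks off.

Added example, not code from the thread. SAMPLE_MIRC_INI is constructed from the
three lines the poster quoted; the "[mirc]" section header and the
"host=<label>SERVER:<hostname>:<port>" layout of the host= line are assumptions
about the mIRC file format, not something the post states.
"""
import configparser
import ntpath
import re

SAMPLE_MIRC_INI = """\
[mirc]
nick=ED
anick=GgOuDJ
host=nugg.wakamoles.comSERVER:nugg.wakamoles.com:4563
"""

# Ports a stock IRC client normally dials; anything else deserves a second look.
COMMON_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# host= carries a free-text label glued directly onto "SERVER:host:port".
HOST_RE = re.compile(r"^(?P<label>.*?)SERVER:(?P<server>[^:]+):(?P<port>\d+)$")


def parse_mirc_ini(text):
    """Return nick, anick, label, server and port from the [mirc] section."""
    # Only '=' may split key from value: the host value itself contains ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mirc"):
        raise ValueError("no [mirc] section")
    sect = cp["mirc"]
    host = sect.get("host", "")
    m = HOST_RE.match(host)
    if m is None:
        raise ValueError(f"unrecognised host= line: {host!r}")
    return {
        "nick": sect.get("nick", ""),
        "anick": sect.get("anick", ""),
        "label": m.group("label"),
        "server": m.group("server"),
        "port": int(m.group("port")),
    }


def in_system_dir(ini_path):
    """True if the file sits anywhere under a system32 directory (Windows path)."""
    parts = ntpath.normpath(ini_path).lower().split("\\")
    return "system32" in parts


def triage(cfg, ini_path):
    """Return human-readable findings for a parsed config found at ini_path."""
    findings = []
    if in_system_dir(ini_path):
        findings.append(f"{ini_path}: mirc.ini belongs in the mIRC folder, not under system32")
    if cfg["port"] not in COMMON_IRC_PORTS:
        findings.append(f"non-standard IRC port {cfg['port']} on {cfg['server']}")
    return findings


if __name__ == "__main__":
    cfg = parse_mirc_ini(SAMPLE_MIRC_INI)
    print(f"connects to {cfg['server']}:{cfg['port']} as {cfg['nick']} (alt {cfg['anick']})")
    for finding in triage(cfg, r"C:\WINNT\system32\mirc.ini"):
        print("  !", finding)
```

The server and port are what you would block at the firewall and search the other machines on the network for; the label in front of SERVER: is just display text and can say anything.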
 
I suggest you format your system; then you will know you have got rid of all the viruses. Another thing: mirc.ini is not generally located in system32 but in the mIRC root folder.
 
OK, I got the bullet out and am ready to bite. So I had an ERD that I created. Tried to boot with it and got an error like 'no NTLDR'. There are only 3 files on the ERD: Autoexec.nt, config.nt, and setup.log.

I tried making another copy and got the same results. I am creating the ERD from Backup. So luckily I had the CD that got me in. But if I want to format the HD and start fresh from my CD I am going to need more than the 3 files it puts on the ERD.

 
If you want to reinstall, all you need to do is put the Win2k CD in the CD-ROM drive and boot from it; it will give you the option to format. Make sure you back up the data that you need and have copies of the needed drivers for your devices too.
 
A note about the IRC backdoor virus...

I obtained this thing and had to deal with it myself. Here's what I did; not sure if it relates to this, but you can use it as a guideline, I guess.

It installs mIRC on your computer. Remove it. Here is a list of files that the virus installed for me, all contained in C:\WINNT\SYSTEM32:
close.dll
del.bat
EXPL32.EXE <IRC Program>
hideapp.exe
ipservers.txt
libparse.exe
moo.dll
nhtml.dll
nicks.txt
psexec.exe
reg.xpl
remote.ini
server.txt
syn.exe
empavms.exe (guess it tries to EMP anti-virus software?)
impvms.dll
mirc.ini
msccct~1.ocx
script1.dll
secure.bat
smurf.exe
spig.txt
wincmd34.bat
aliases.ini
bnc.dll
config.hfg

There may be some #.bat files in there too: 10.bat, 11.bat, 12.bat, 13.bat, etc. Look for .bat files!!! Delete those or quarantine the ones in question. I backed up my entire system32 folder before I started deleting any file in question.

I also did this:
had to end task MSMNGR32.EXE and delete it.
I think it's in the c:\winnt\system32\windowsupdate folder.


Went into the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and deleted the registry entry that ran msmngr32.

I also did a search in the registry for MIRC and WUPD (separate searches), and deleted what I found. I think I should also have done a search for all the bat and exe virus files it found in the registry and removed those.

When I wasn't able to remove it at first, I stopped it from running by going into safe mode, going to the directory of the virus, removing the exe virus file and creating a directory called whatever-the-virus-file-is.exe (e.g. a FOLDER, not a file, named msmngr32.exe) in order to stop the virus from creating those damn virus files. But after I did all of the above, I didn't need to do that.

Hope this information helps.

Mojo
 
On a closer look, I have never heard of
Windows\system32\sysnugg

I would do this, IF it is all virus files, and as a temporary fix:
boot into safe mode.
Delete that sysnugg folder.
Make a file, not a folder, called sysnugg (notice: no file extension).
The virus will not be able to create files in the folder sysnugg since it's a file and not a folder. It cannot create a folder called sysnugg since a name duplication would occur.

Also, like I said before, you may want a hard copy of all the exe/bat files in the folder and do a search in the registry for anything having to do with those files and the folder sysnugg... especially sysnugg.
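The clean-up described in the two posts above (sweep system32 for the dropped files and the numbered .bat files, delete the dropper's folder, then occupy its name with a plain file so it cannot be recreated) is shown below as an added example; it is not code from the thread or from either poster. It builds an infected-looking tree in a temporary directory as constructed sample data, using the file names both posters report as the IOC list, and then demonstrates that once a regular file called sysnugg exists, both creating a folder of that name and dropping a file inside it fail. The registry Run-key clean-up from the post is Windows-only and is left out.

```python
"""Sweep a directory tree for the file names reported in this thread, then occupy
the dropper's folder name with a plain file so it cannot be recreated.

Added example, not code from the thread. The infected-looking tree is built in a
temporary directory as constructed sample data; KNOWN_BAD is the union of the
file names both posters list, and the numbered .bat pattern is the one Mojo
describes. The registry clean-up from the post is Windows-only and is left out.
"""
import os
import re
import shutil
import tempfile

# File names reported in the thread, lower-cased for matching.
KNOWN_BAD = {
    "mon1423.bud", "icmp.vbs", "igmp.exe", "igmp.vbs", "info.vbs", "mirc2.ini",
    "mirc3.ini", "pepsi.exe", "pepsi.vbs", "startup.vbs", "temp.scr", "whvlxd.exe",
    "close.dll", "del.bat", "expl32.exe", "hideapp.exe", "ipservers.txt",
    "libparse.exe", "moo.dll", "nhtml.dll", "nicks.txt", "psexec.exe", "reg.xpl",
    "remote.ini", "server.txt", "syn.exe", "empavms.exe", "impvms.dll", "mirc.ini",
    "script1.dll", "secure.bat", "smurf.exe", "spig.txt", "wincmd34.bat",
    "aliases.ini", "bnc.dll", "config.hfg", "msmngr32.exe",
}
# "10.bat", "11.bat", ... as mentioned in the post.
NUMBERED_BAT = re.compile(r"^\d+\.bat$", re.IGNORECASE)


def find_iocs(root):
    """Walk root and return sorted relative paths whose names match an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname in KNOWN_BAD or NUMBERED_BAT.match(lname):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def plant_placeholder(parent, name):
    """Create an empty regular file at parent/name (the 'sysnugg' trick).

    Refuses to run while a real directory of that name is still present.
    """
    path = os.path.join(parent, name)
    if os.path.isdir(path):
        raise IsADirectoryError(f"{path} is still a directory; remove it first")
    with open(path, "x"):  # 'x' fails rather than clobbering anything present
        pass
    return path


def dir_creation_blocked(path):
    """True if os.makedirs(path) fails because a file already occupies the name."""
    try:
        os.makedirs(path, exist_ok=True)  # still raises when the name is a file
    except FileExistsError:
        return True
    return False


def file_drop_blocked(placeholder, child):
    """True if writing placeholder/child fails because placeholder is a file."""
    try:
        with open(os.path.join(placeholder, child), "w"):
            pass
    except OSError:  # NotADirectoryError on POSIX, a path error on Windows
        return True
    return False


def demo():
    """Build a constructed tree, sweep it, clean the folder and verify the block."""
    root = tempfile.mkdtemp()
    try:
        bad_dir = os.path.join(root, "sysnugg")
        os.makedirs(bad_dir)
        for name in ("pepsi.exe", "icmp.vbs", "11.bat", "readme.txt"):  # constructed
            open(os.path.join(bad_dir, name), "w").close()
        open(os.path.join(root, "kernel32.dll"), "w").close()  # benign, constructed
        hits = find_iocs(root)
        # The thread's clean-up: empty and remove the folder, then take its name.
        shutil.rmtree(bad_dir)
        placeholder = plant_placeholder(root, "sysnugg")
        return (hits,
                dir_creation_blocked(placeholder),
                file_drop_blocked(placeholder, "pepsi.exe"))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    hits, no_dir, no_drop = demo()
    print("IOC hits:", hits)
    print("folder recreation blocked:", no_dir, "| file drop blocked:", no_drop)
```

Two caveats when running this on a real box: names like mirc.ini, aliases.ini and psexec.exe are also what a legitimately installed mIRC or admin toolkit leaves behind, so treat hits as leads rather than verdicts; and the placeholder only stops a dropper that insists on that one path, which is why the posters treat it as a stopgap before the reinstall.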
 