Win32:Kuang2 virus

[nekonomeno]

Please Help! I cannot get rid of this virus. Here is what my antivirus software says:

Wednesday, March 20, 2002 2:59:09 AM

File "C:\System Volume Information\_restore{957C0F68-3CE5-4475-886D-C7F4756C4224}\RP29\A0003390.dll" is infected by "Win32:Kuang2" virus.

I search for that driver and find nothing. Searched the web for info on this virus and find little to nothing. I think it's a trojan but I cannot find it to delete it. Help is appreciated.

[Conf1rm3d_K1ll]

What anti virus software are you using? What OS are you running?



It appears that Kuang2 is just a simple trojan so therefore it comes in two parts. The client comes with the "anti virus".....Get your hands on the client part of the program and your done!


Here's a little cut and paste from ISS X-Force Database-

To clean the local system, leave the IP address field in the program blank. The antivirus cleaning process copies the infected version of EXPLORER.EXE to EXPLORER.WK2, and removes the virus. The program places the cleaned version of the file back to EXPLORER.EXE, when you shut down and restart your computer. The antivirus process also scans the hard drive, looking for any other infected files. The readme file included in the distribution of the backdoor recommends running the antivirus scan twice to ensure that the backdoor is removed.


Hope that helps.............

[nekonomeno]

Originally posted here by Conf1rm3d_K1ll
What anti virus software are you using? What OS are you running?

Running Avast antivirus on Windows XP pro. I use Sygate personal firewall pro as well.

[Conf1rm3d_K1ll]

I've had a very quick look around for somewhere to download the program with no success. Perhaps someone else can be of more help?


Give The Cleaner a try......You can download it here...

[Euclid]

You could go the above routes to fix this problem but what i would do (maybe alittle easier)
would be to go to www.tweakxp.com and find out how to delete your restore points.

"C:\System Volume Information\_restore{957C0F68-3CE5-4475-886D-C7F4756C4224}\RP29\A0003390.dll

Sounds like a system restore point to me.

[nekonomeno]

I did find the client side of this virus and will run the scan command. That should do it. Thanks a lot for all of the help!

[Euclid]

here is the exact link to the solution http://www.tweakxp.com/tweakxp/display.asp?id=330

Another thing may be to make a restore point for today and then go threw your other restore points and then for each one that you restore to then run the virus protection again. When you get to the correct restore point it should find the virus is a different directory and then you can delete the virus using your anti-virus and then go back to the restore point that you made for today and run your scan again...should come up viri free

again this is the long and painfull way.. I would just delete all the restore points...Also just to be safe as soon as i deleted them i would make another one quick

[Conf1rm3d_K1ll]

Me thinks someone has been playing with trojans and got them self all infected.......

[cwk9]

Did a little searching and came up with this from the Symantec web site. Note this is about Kuang not kuang2 so i'm not sure if this helps.

Kuang
Aliases: None Area of Infection: .COM Files No additional information. This threat is detected by the latest Virus Definitions. All computer users should employ safe computing...
http://securityresponse.symantec.com...dyn/16953.html <-- link to virus info

[nekonomeno]

Originally posted here by Conf1rm3d_K1ll
Me thinks someone has been playing with trojans and got them self all infected.......

Again I do appreciate all the help. But I have yet to realize the purpose of playing with trojans and sending people virii. I never thought something like that was fun or cool and can't figure out why some do.