W32:Kuang2 Help needed please

My computer started playing up - freezing, blue screen, error messages. I ran Avast and it has found the above virus in several locations and was not successful in removing it. What should I do? The computer is almost unusable at present, (I am on my wife’s machine at the moment.) I have an IBM Netvista with Windows ME. My browser is Avant and virus protection is Avast 4.6 Home Edition.
Please help me! :cry:

Hi and welcome bill,
can you schedule a boot time scan? This will give you the best chance of moving/deleting.
good luck

Thanks for the prompt reply. Sorry, but I don’t understand. What do you mean by ‘schedule a boot time scan’?

What is the exact location where the virus is reported?
I believe this may be relevant here: http://avast.com/eng/virus_detection_and.html#idt_1554

I suggest a forum search for W32:Kuang2 as there is a high possibility this could be a false positive detection, due to Panda’s on-line virus scanner (if you have used it?) not encrypting its virus signature files.

You can’t schedule a boot-time scan with WinME, only NT based OSes: NT, w2k, WinXP. Within avast’s menu it is possible to schedule a scan before windows starts, so files that are either in use or protected by windows can be dealt with easier. However, it isn’t available to all OSes.

  • What was the filename, where was it found
    example (C:\windows\system32\infected-filename.xxx)?
  • What actions have you taken to try and resolve the problem?

I don’t have Panda or any other AV, just Avast.

The original virus report said it was in C:\_Restore\Archives|fs2074.cab|A0302010.cpy
Malware name win32:Kuang2
VPS version 0547-4,24/11/2005

I am now back on my own computer and it has run for four hours without a problem. Go figure! During that period I ran a full online spyware/trojan/virus scan and it didn’t find the one Avast found but did find another - Eicar test file, in the Temp Internet Files folder. I have deleted that one. (Caused I assume by the McAfee test virus check that deliberately puts a bogus ‘virus’ on the computer to see if your AV protection is working which I ran just prior. Avast had kittens! Good to see it is effective! ;D )

I didn’t say you had panda installed, just that this can happen simply by using the panda on-line scanner, one to avoid for the future. However, this doesn’t appear to be the case here.

This is in a part of the windows protected storage for system restore and the infection is in a _Restore point (so if you did a system restore to that point you would be reinfected). What usually happens when a file is deleted from one of the windows system folders, windows in its wisdom saves the file in a restore point, no matter if that happens to be a virus.

avast can’t do anything within this storage area, so the only thing is to disable system restore, reboot, that should clear the restore points. You can now run another avast scan to confirm it has gone and if so enable system restore again.

Win XP-ME - How to disable System Restore

Thanks David. What you have said explains a couple of things I was puzzling over.
I am reluctant to disable System Restore if it can be avoided as I would lose earlier restore points and have nowhere to go if I need them. Since my last post the system continues to work faultlessly, so I may just leave disabling System Restore as an option to use if the problem is still lurking. What do you think?
(I haven’t mentioned this, but I did a system restore after I experienced the initial crashes and had run Avast in quick scan mode and it had found the reported virus in _Restore\Archive\ . The system still malfunctioned when I rebooted and Avast, in thorough mode this time, found it again. I then ran an online scan from TrendMicro and that found nothing except the McAfee bogus virus file I had run in the meantime to see if Avast was working OK. It didn’t find anything amiss in _Restore\Archive.)

You could disable your system restore feature when you know you’re clean and the system is stable.
You’ll lose the restore points but could make others, new ones.

Using System Restore to a point where you were infected could bring the infected files and viruses back to your computer.

It is a common problem and one that is well documented that to get rid of viruses in windows system folders you have to disable system restore otherwise they end up in the _Restore points. So your system is compromised when you use system restore to a point where the virus was in your system, the whole concept/idea of system restore is to go to a point where your system was stable and with a virus in a _Restore point that can’t be guaranteed.

The fact that you used an on-line scanner and it didn’t find anything in the system volume information could mean that either avast got it wrong or the on-line scan didn’t scan the windows protected storage, or didn’t scan to the same levels, or because if it finds anything it can’t effectively deal with it. In any case there is still doubt as to the contents of a restore point and I would have a second’s hesitation in disabling it and clearing it out. Once clear after another scan you can enable system restore and do a manual creation of a restore point then when you know things are clean.

System Restore is permanently disabled on my system, I take regular hard disk images and use that as my fall back position along with daily data file back-ups.

SYSTEM RESTORE - Info - Troubleshooting
There are many, many reasons why a System Restore may fail. For example, see “Why are previous restore points not working?” in the “Troubleshooting” section of this official Microsoft page:

There’s lots more on that page that’s worth reading too. Note especially the sections on “Does System Restore protect personal data files?” (the short answer: no); “What should I do if System Restore does not work?”; “Why are my restore points missing or deleted?”; “Why does the System Restore Wizard lockup?”; and so on. Just a few minutes on that page ought to convince just about anyone that System Restore is not intended for heavy-duty system protection!

More info:

Thanks Tech and David.
Some good insights into System Restore there!
I will run another scan and if Avast doesn’t find the virus now I will disable System Restore and start it afresh, so there is no likelihood of reintroducing it.
From earlier posts I found in this forum, (dated 2003) I suspect that Avast has ‘found’ a virus that isn’t present. Norton’s virus listings don’t mention a W32 Kuang2 either.
Still I would rather it found the odd one that isn’t there than misses ones that are!

Unfortunately, a well-known problem of Panda not encrypting its signatures and not an avast fault on detection :stuck_out_tongue:

Every virus can be identified, because it contains some unique signatures. Antiviral programs have their own database of those signatures. We call this database the "virus definition file". When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).
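To illustrate the quoted explanation, here is an added toy scanner (not avast’s or Panda’s code; the signature bytes and file names are constructed) showing why a signature database stored in the clear is itself flagged by any other signature scanner, while the same database stored XOR-obfuscated is not.

```python
import os
import tempfile

# Constructed, harmless byte patterns standing in for real virus signatures.
# A real definition file holds far more, and the patterns are code fragments.
SIGNATURES = {
    "Toy:Kuang2-like": b"\x9d\x4f\xda\x91Kuang2-marker\x00",
    "Toy:EICAR-like": b"TOY-TEST-FILE-NOT-A-VIRUS!",
}
XOR_KEY = 0x5A  # trivial obfuscation; a real product would use real crypto


def scan_bytes(data: bytes) -> list[str]:
    """Signature matching: report every signature whose bytes occur in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_file(path: str) -> list[str]:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def write_plain_db(path: str) -> None:
    """Store the database the way the quoted post says Panda did: in the clear."""
    with open(path, "wb") as f:
        for name, sig in SIGNATURES.items():
            f.write(name.encode() + b"=" + sig + b"\n")


def write_obfuscated_db(path: str) -> None:
    """Same database, XORed so the raw signature bytes never appear on disk."""
    with open(path, "wb") as f:
        for name, sig in SIGNATURES.items():
            f.write(bytes(b ^ XOR_KEY for b in name.encode() + b"=" + sig) + b"\n")


def demo() -> dict[str, list[str]]:
    """Scan four constructed files and return {filename: [detections]}."""
    with tempfile.TemporaryDirectory() as d:
        clean, infected = os.path.join(d, "clean.txt"), os.path.join(d, "infected.bin")
        plain_db, obf_db = os.path.join(d, "plain_db.dat"), os.path.join(d, "obf_db.dat")
        with open(clean, "wb") as f:
            f.write(b"just an ordinary document\n")
        with open(infected, "wb") as f:  # constructed "infected" sample
            f.write(b"MZ" + b"\x00" * 16 + SIGNATURES["Toy:Kuang2-like"] + b"\xff" * 8)
        write_plain_db(plain_db)
        write_obfuscated_db(obf_db)
        return {os.path.basename(p): scan_file(p) for p in (clean, infected, plain_db, obf_db)}


if __name__ == "__main__":
    for fname, hits in demo().items():
        print(f"{fname:14} -> {hits or 'clean'}")
```

The plain database file triggers every signature it contains, exactly the false positive described above, while the obfuscated copy scans clean.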

OK… I ran Avast and it found the same virus, in Restore\Temp\A0304090.CPY this time. As before Avast wasn’t able to delete, fix or move the infected file.
So I disabled System Restore, then rebooted. I immediately ran Avast and it didn’t find anything, so I re-enabled System Restore, rebooted and created a restore point. (The system had beaten me to it I later found. It had created a restore point 2 minutes before I did it manually.) I then ran Avast yet again. It still didn’t find anything, so I hope the problem is over. Thanks David and Tech in particular, but also others who contributed; I appreciate it.

Files in System Restore are blocked by Windows: they can’t be accessed or deleted at that time except by Windows.
When you disabled System Restore, it was deleted along with all the other contents of the System Restore folder.

Glad we could help and better that you have learned something in the process.

Thanks guys! (Yes David, a bit more knowledge added to my meagre supply.) ;D