Thoughts Media.com
#1
Old 01-28-2003, 08:06 PM
Ponderer
Join Date: Nov 2002
Posts: 54
WINDOWS XP!!! I have issues

OK.. this is the strangest problem I've ever encountered.. mind you, I'm a very experienced PC user and know my fair share.. but check this out.. my windows\system32\config folder DELETES itself like every day.. I have to replace the files almost every day by copying them from the windows\repair\ folder in the Windows repair console.. I scanned for viruses and it turned up a w.95\kuang.gen virus, which is some dumb macro virus.. but that was 3 or 4 instances ago.. what could be causing this madness? please help :cry: :cry:
__________________
-GQ19-
 
#2
Old 01-28-2003, 09:13 PM
Moderator
Join Date: Aug 2006
Posts: 5,999

Quote:
Originally Posted by McAfee
W95/Kuang.gen is a virus that drops a backdoor program. The backdoor has several components: a server (Kuang.svr), a client program (Kuang.cli), a password-stealing plugin (Kuang.pws) and one more plugin (Kuang.plugin). There is also a small tool (W95/Kuang.dr) which can be used to infect any Win32 file with a virus. When an infected file is run, the backdoor server is copied to the WINDOWS (or WINNT) directory under a random name. This file is hidden.
The virus copies the EXPLORER.EXE file under the name EXPLORER.A. This copy is infected and will replace the original after the next restart.

The backdoor server program hides its own presence (it is neither visible as a task, nor visible in the registry, nor loaded via WIN.INI), but it runs permanently in the background awaiting commands from the client (on the remote attacker's computer) and infecting the Win32 EXE files on all fixed disks one by one. The virus doesn't change the time or date of infected files, which grow in size by approximately 11 KBytes.

After the backdoor server is installed on a computer, the person controlling it has remote control over the infected machine. This requires both machines to be connected to the INTERNET. This control includes uploading, downloading or deleting a remote file. It is also possible to run plugin add-ons (Kuang.pws is a password-stealing plugin, and Kuang.plugin can display messages, play with the taskbar, buttons, desktop and CD-ROM tray, run WAV files and shut down Windows).

The server program also includes a cleaner which seems to be able to clean an infected station (you leave the IP address field blank and click on "Anti-Virus"). During this process a copy of EXPLORER.EXE (infected) is made and named EXPLORER.WK2. This file is cleaned and the user must reboot the machine. During the reboot (through WININIT.INI) a cleaned EXPLORER.EXE is restituted.

After the reboot, this same procedure will scan the whole hard disk and clean the EXE files.

W95/Kuang.GR is able to infect files on NT/Windows 2000 machines too. The Kuang family carries the message "Coded by Weird" in its code.

Not just some "dumb macro" virus...

I would rescan again, chances are you did not remove it completely from your system...

Steve
__________________
"My eyes are rolling back in my head so far I can see my grey matter bubbling and frothing from reading this thread....bleh." JD
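The quoted write-up contains a detection hook worth turning into code: the infector grows each EXE by about 11 KB but leaves its time/date alone, so a "what changed since yesterday" check based on timestamps finds nothing, while a size-and-hash baseline does. The Python below is an added example, not code from this thread, from McAfee or from any product. It snapshots a directory tree, compares it against an earlier baseline, flags files that grew roughly 11 KB with an unchanged mtime, flags the EXPLORER.A / EXPLORER.WK2 names given in the write-up, and parses a WININIT.INI [rename] section for a pending overwrite of EXPLORER.EXE. The manifest layout, helper names, the 10 to 12 KB growth window, and the sample file tree and WININIT.INI contents are this example's own assumptions (constructed, not captured from a real machine).

```python
"""Baseline-and-compare integrity check for a timestamp-preserving infector.
Added example, not code from the thread, McAfee or any product. Behaviour
modelled is from the quoted write-up: infected EXEs grow ~11 KB with time/date
untouched, EXPLORER.EXE is copied to EXPLORER.A (EXPLORER.WK2 by the cleaner),
and a reboot-time rename runs through WININIT.INI. Names, layout and sample
data here are this example's own assumptions."""
import hashlib
import os
import tempfile

ARTIFACT_NAMES = {"explorer.a", "explorer.wk2"}   # names given in the write-up
GROWTH_LOW, GROWTH_HIGH = 10 * 1024, 12 * 1024    # "approximately 11 KBytes"

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map 'relative/path' -> (size, mtime_ns, sha256) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (st.st_size, st.st_mtime_ns, sha256_of(full))
    return manifest

def compare(baseline, current):
    """Return {path: verdict} for everything that is not byte-identical."""
    findings = {}
    for rel, (size0, mtime0, hash0) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
            continue
        size1, mtime1, hash1 = current[rel]
        if hash1 == hash0:
            continue                              # unchanged
        if mtime1 == mtime0 and GROWTH_LOW <= size1 - size0 <= GROWTH_HIGH:
            findings[rel] = "infector-pattern"    # grew ~11 KB, timestamp kept
        elif mtime1 == mtime0:
            findings[rel] = "stealth-modified"    # content changed, timestamp kept
        else:
            findings[rel] = "modified"            # ordinary edit, mtime moved
    for rel in current.keys() - baseline.keys():
        name = rel.rsplit("/", 1)[-1].lower()
        findings[rel] = "artifact-name" if name in ARTIFACT_NAMES else "new"
    return findings

def wininit_renames(text):
    """Parse a WININIT.INI [rename] section: 'dest=src' lines applied at next
    boot (dest NUL means delete src)."""
    pending, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
        elif in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            pending.append((dest, src))
    return pending

def explorer_replacement_pending(text):
    """True if a pending rename would overwrite EXPLORER.EXE at next boot."""
    return any(dest.replace("\\", "/").rsplit("/", 1)[-1].lower() == "explorer.exe"
               for dest, _src in wininit_renames(text))

# Constructed sample WININIT.INI, not captured from a real machine.
SAMPLE_WININIT = "[rename]\r\nC:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\EXPLORER.WK2\r\n"

def demo():
    """Build a throwaway tree, baseline it, replay the write-up's changes,
    and return compare()'s verdicts."""
    with tempfile.TemporaryDirectory() as root:
        win = os.path.join(root, "WINDOWS")
        os.makedirs(win)
        files = {"EXPLORER.EXE": b"MZ" + b"\x00" * 4096,   # constructed stand-ins,
                 "NOTEPAD.EXE": b"MZ" + b"\x01" * 2048,    # not real PE images
                 "README.TXT": b"hello\r\n"}
        for name, data in files.items():
            with open(os.path.join(win, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        # 1. Infector: append ~11 KB, then put the original timestamps back.
        victim = os.path.join(win, "NOTEPAD.EXE")
        st = os.stat(victim)
        with open(victim, "ab") as f:
            f.write(b"\x90" * (11 * 1024))
        os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. Ordinary edit: content and mtime both move (mtime set explicitly for determinism).
        readme = os.path.join(win, "README.TXT")
        st = os.stat(readme)
        with open(readme, "ab") as f:
            f.write(b"more\r\n")
        os.utime(readme, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        # 3. Dropper copy of EXPLORER.EXE under the name the write-up gives.
        with open(os.path.join(win, "EXPLORER.A"), "wb") as f:
            f.write(files["EXPLORER.EXE"])
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo(), explorer_replacement_pending(SAMPLE_WININIT))
```

Run it as a script to see the verdicts for the constructed tree: NOTEPAD.EXE comes back as the infector pattern, README.TXT as an ordinary edit, EXPLORER.A as an artifact name, and the unchanged EXPLORER.EXE is not reported at all. One caveat the write-up itself implies: the backdoor hides from the task list and the registry on the running system, so a snapshot taken from inside the infected Windows can be lied to. Take both the baseline and the later snapshot from clean boot media, and keep the baseline manifest off the machine.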


Copyright Thoughts Media Inc. 2007