Port 17300 and Kuang2 Virus

  1. #1

    Port 17300 and Kuang2 Virus

    Hi and congrats about this great service. I have used it recently re- 'Windows XP help' and you are really helpful.

    My other problem is:

    I have a new PC with Windows XP Pro and for security I have installed McAfee SecurityCenter with McAfee Virus scan:
    Version 9.1
    Engine 4.4.00
    DAT version 4.0.4682

    and McAfee Firewall:
    Build: 6.1.6144

    As my PC is new and I am a simple humble user, today I decided to play around with my Firewall settings. So, I went to 'Test my Firewall' option of the McAfee center. I went online and looked at the results...and froze when at the port 17300 instead of a technical description of some kind I got the message:
    'Kuang2 The Virus XXX'.



    I had a search on this site about this but nothing.
    I had a search with google, and I got plenty of general results, but nothing right down to the point and conclusive as how to get rid of it.

    Basically it seems to be an old virus (1999) that my McAfee should have detected I suppose. McAfee's web site advises, though, that before any virus scan one must turn off the 'System restore' option in Windows XP because viruses may hide in 'backups' and the antivirus will not get them. I did not know it, so I did as told. I scanned my PC (subfolders and all). Nothing found. No infection.

    McAfee's site also has a pack of DATs for downloading but I wonder: shouldn't I have them already since I update my Virus Scan all the time? And which package of DATs should I use? For "Windows and Netwares" or "Windows and Intel"? McAfee is usually very helpful, but the pages about Kuang virus are not user friendly.

    Searching the net I found no other solution towards removal of Kuang2 and variants, but it is interesting that many users complain that although they see the message about Kuang2 via their Firewall, when they scan their computers with McAfee, Norton and a whole list of antivirus, they simply get no results of any infection.

    I have also tested my internet security with an independent site ('Shields UP') and it seems my ports are completely stealth and secure. So, I don't understand what's going on.

    Somebody suggested that maybe our PCs are not really infected with it but that the Firewall for some reason detects the activity on the Net. ????

    I have spent 5 hours searching about this and I am still almost at point 0.

  2. #2
    Vop, Senior Member (Canada)
    This is likely a false positive report. If that port is indeed active, it should show up in the following listing:

    Go to a command prompt (Start > Run > cmd, or command for older operating systems).
    Enter the following line of text: NETSTAT -an
    Press the ENTER key.


    [Active ports are shown in bold, below]
    C:\WINDOWS\Profiles\_vop\Desktop>NETSTAT -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1036 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:5900 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1190 127.0.0.1:1027 TIME_WAIT
    TCP 127.0.0.1:1192 127.0.0.1:1027 TIME_WAIT
    TCP 192.168.0.101:137 0.0.0.0:0 LISTENING
    TCP 192.168.0.101:138 0.0.0.0:0 LISTENING
    TCP 192.168.0.101:139 0.0.0.0:0 LISTENING
    TCP 192.168.0.101:1191 206.47.199.40:110 TIME_WAIT
    TCP 192.168.0.101:1193 206.47.199.40:110 TIME_WAIT
    UDP 127.0.0.1:1036 *:*
    UDP 192.168.0.101:137 *:*
    UDP 192.168.0.101:138 *:*
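
The check from reply #2, automated as an added example (not part of the original posts): it parses `NETSTAT -an` text and says whether a port such as 17300 is bound locally, merely appears as the remote end of an outbound connection, or is absent. The function names and the `CONSTRUCTED_HIT` line are assumptions made for illustration; the listing is the one quoted above.

```python
# Added example: classify how a port appears in `NETSTAT -an` output.
# Assumes the 3/4-column layout shown in the thread (no -o PID column).
THREAD_OUTPUT = """\
Proto Local Address Foreign Address State
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1036 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5900 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1190 127.0.0.1:1027 TIME_WAIT
TCP 127.0.0.1:1192 127.0.0.1:1027 TIME_WAIT
TCP 192.168.0.101:137 0.0.0.0:0 LISTENING
TCP 192.168.0.101:138 0.0.0.0:0 LISTENING
TCP 192.168.0.101:139 0.0.0.0:0 LISTENING
TCP 192.168.0.101:1191 206.47.199.40:110 TIME_WAIT
TCP 192.168.0.101:1193 206.47.199.40:110 TIME_WAIT
UDP 127.0.0.1:1036 *:*
UDP 192.168.0.101:137 *:*
UDP 192.168.0.101:138 *:*
"""
# Constructed line (not from the thread): what a local listener would look like.
CONSTRUCTED_HIT = "TCP 0.0.0.0:17300 0.0.0.0:0 LISTENING\n"

def split_endpoint(ep):
    """Split 'addr:port' (also '[::]:port' and '*:*') into (addr, port or None)."""
    addr, _, port = ep.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0].upper() not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        (laddr, lport), (faddr, fport) = split_endpoint(tok[1]), split_endpoint(tok[2])
        rows.append(dict(proto=tok[0].upper(), laddr=laddr, lport=lport, faddr=faddr,
                         fport=fport, state=tok[3].upper() if len(tok) > 3 else ""))
    return rows

def check_port(text, port):
    """Return (verdict, matching rows) for one port number."""
    rows = parse_netstat(text)
    local = [r for r in rows if r["lport"] == port]
    bound = [r for r in local if r["state"] == "LISTENING" or r["proto"] == "UDP"]
    if bound:
        return "open-locally", bound      # something on this PC accepts traffic here
    if local:
        return "local-port-in-use", local  # ephemeral/closing socket, not a listener
    remote = [r for r in rows if r["fport"] == port]
    return ("remote-only", remote) if remote else ("not-present", [])

if __name__ == "__main__":
    print(check_port(THREAD_OUTPUT, 17300)[0])
```

Only the "open-locally" verdict means a process on the machine is bound to the port; on the listing from the thread, port 17300 comes back "not-present".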

  3. #3
    Thanks for the prompt and down-to-the-point reply.
    I did the check and no, the port does not appear anywhere. I feel much better now.

    Just for info to all members and users out there, it seems that the Kuang2 virus (actually it seems to be half-virus half-trojan) is on the rise again and it is 'probing' our computer ports. I found the link http://www.virused101.com/trojanhorse.html where, if you scroll down the page quite a bit, you will find a useful 'list of ports trojans will "sniff" out'. So, get yourselves protected!!

  4. #4
    Vop, Senior Member (Canada)
    Addendum to VirusEd101:


    In addition to a software (SW) firewall it is very advantageous to use a hardware (HW) firewall (router) if you are using a high-speed connection.


    Accordingly, when you test your firewalls, a lot fewer ports will/should be visible to the outside world when a HW firewall is in place - and lower port visibility should be actively managed as a risk factor. That also means a lot fewer INCOMING log items hitting your SW firewall. Furthermore, a HW firewall is a lot more consistent and reliable for INCOMING traffic than a SW firewall since a SW firewall can be more easily disabled either intentionally or unintentionally. You still want and need a SW firewall for controlling OUTGOING traffic attempts.

  5. #5
    I am using a simple dial-up connection, but as I am planning to upgrade to a broadband connection, THANKS for your advice.

    Shop employees rarely take the little time needed to explain such things, plus, at least in my country, they look at me with a snorty snobbish attitude - obviously because I am female and 'girls know nothing about computers'. This is where I lose my patience and politeness.
