Kuang2

 
 
MoRdred
      11-11-2004
Protowall always warns me of packets being blocked from my machine to

"IANA - Multicast, proxy, Kuang2TheVirus, Bogon" ( 239.255.255.250 )
blocked. [protocol: IGMP - src: -- / dst: --]

But I can't remove the virus with NAV.. Is there a way to clean the
infection?

MoR


 
David H. Lipman
 
      11-11-2004
1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt244.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
3) Reboot your PC into Safe Mode
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *

Dave




"MoRdred" <(E-Mail Removed)> wrote in message
news:L2Gkd.27856$(E-Mail Removed)...
| Protowall always warns me of packets being blocked from my machine to
|
| "IANA - Multicast, proxy, Kuang2TheVirus, Bogon" ( 239.255.255.250 )
| blocked. [protocol: IGMP - src: -- / dst: --]
|
| But I can't remove the virus with NAV.. Is there a way to clean the
| infection?
|
| MoR
|
|


 
MoRdred
 
      11-12-2004

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:KZJkd.56$nc.19@trnddc03...

> * * * Please report back your results * * *


It scanned my HD but found nothing.. And I'm still getting these outgoing
packets blocked..


> "MoRdred" <(E-Mail Removed)> wrote in message
> news:L2Gkd.27856$(E-Mail Removed)...
> | Protowall always warns me of packets being blocked from my machine to
> |
> | "IANA - Multicast, proxy, Kuang2TheVirus, Bogon" ( 239.255.255.250 )
> | blocked. [protocol: IGMP - src: -- / dst: --]
> |
> | But I can't remove the virus with NAV.. Is there a way to clean the
> | infection?
> |
> | MoR



 
 
David H. Lipman
 
      11-12-2004
That is still just a multicast IP address. There may be something using that other than a
virus such as the Kuang.

Get TDIMON.EXE from http://www.sysinternals.com/ and see what is being loaded that uses the
IP multicast address of -239.255.255.250

Dave





"MoRdred" <(E-Mail Removed)> wrote in message
news:ms7ld.30051$(E-Mail Removed)...
|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:KZJkd.56$nc.19@trnddc03...
|
| > * * * Please report back your results * * *
|
| It scanned my HD but found nothing.. And I'm still getting these outgoing
| packets blocked..
|
|
| > "MoRdred" <(E-Mail Removed)> wrote in message
| > news:L2Gkd.27856$(E-Mail Removed)...
| > | Protowall always warns me of packets being blocked from my machine to
| > |
| > | "IANA - Multicast, proxy, Kuang2TheVirus, Bogon" ( 239.255.255.250 )
| > | blocked. [protocol: IGMP - src: -- / dst: --]
| > |
| > | But I can't remove the virus with NAV.. Is there a way to clean the
| > | infection?
| > |
| > | MoR
|
|


 
 
MoRdred
 
      11-13-2004

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Cb8ld.510$GV5.112@trnddc04...

> Get TDIMON.EXE from http://www.sysinternals.com/ and see what is being
> loaded that uses the
> IP multicast address of -239.255.255.250


Seq  Time      ProcessID        Action  Protocol  Local Address        Remote Address        Status   Bytes
4    12.48.06  SVCHOST.EXE:964  SEND    UDP       151.37.214.24:3052   239.255.255.250:1900  SUCCESS  133
6    12.48.06  SVCHOST.EXE:964  SEND    UDP       127.0.0.1:3053       239.255.255.250:1900  SUCCESS  133
9    12.48.10  SVCHOST.EXE:964  SEND    UDP       151.37.214.24:3052   239.255.255.250:1900  SUCCESS  133
11   12.48.10  SVCHOST.EXE:964  SEND    UDP       127.0.0.1:3053       239.255.255.250:1900  SUCCESS  133
15   12.48.13  SVCHOST.EXE:964  SEND    UDP       151.37.214.24:3052   239.255.255.250:1900  SUCCESS  133
17   12.48.13  SVCHOST.EXE:964  SEND    UDP       127.0.0.1:3053       239.255.255.250:1900  SUCCESS  133

This is what I get by filtering the list with the remote IP protowall
provides me..


 
 
Moe Trin
 
      11-13-2004
In article <Cb8ld.510$GV5.112@trnddc04>, David H. Lipman wrote:

>That is still just a multicast IP address. There may be something using
>that other than a virus such as the Kuang.
>
>Get TDIMON.EXE from http://www.sysinternals.com/ and see what is being
>loaded that uses the IP multicast address of -239.255.255.250


Sigh... Dave, please make a note to read RFC2365 sometime. That
particular address has only been in use for several years now. The
particular virus is Microsoft Windows - and that is Universal PnP

Old guy
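
Added example, not part of any poster's message: a small triage script that takes the TDIMON rows posted earlier in the thread and labels each destination by what it actually is, so a block-list category name is checked against process, protocol and port. The function names and label strings are assumptions made for this illustration.

```python
import ipaddress
import re

# Rows copied from the TDIMON capture posted in the thread (wrapped lines rejoined).
TDIMON_ROWS = """\
4 12.48.06 SVCHOST.EXE:964 SEND UDP 151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
6 12.48.06 SVCHOST.EXE:964 SEND UDP 127.0.0.1:3053 239.255.255.250:1900 SUCCESS 133
9 12.48.10 SVCHOST.EXE:964 SEND UDP 151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
11 12.48.10 SVCHOST.EXE:964 SEND UDP 127.0.0.1:3053 239.255.255.250:1900 SUCCESS 133
15 12.48.13 SVCHOST.EXE:964 SEND UDP 151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
17 12.48.13 SVCHOST.EXE:964 SEND UDP 127.0.0.1:3053 239.255.255.250:1900 SUCCESS 133
"""

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")        # RFC 2365 range
SSDP = (ipaddress.ip_address("239.255.255.250"), 1900)    # UPnP discovery group/port

ROW = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\S+)\s+(?P<proc>[^:\s]+):(?P<pid>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)$"
)

def classify(remote_ip, remote_port, proto):
    """Label a destination by address range and port, most specific first."""
    ip = ipaddress.ip_address(remote_ip)
    if proto == "UDP" and (ip, remote_port) == SSDP:
        return "ssdp-upnp-discovery"
    if ip in ADMIN_SCOPED:
        return "admin-scoped-multicast"
    if ip.is_multicast:
        return "multicast"
    return "unicast"

def summarize(text):
    """Return {(process, pid, label): packet_count} for every parsable row."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or malformed row
        label = classify(m["raddr"], int(m["rport"]), m["proto"])
        key = (m["proc"], int(m["pid"]), label)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (proc, pid, label), n in summarize(TDIMON_ROWS).items():
        print(f"{proc} (pid {pid}): {n} packets -> {label}")
```
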
 
 
MoRdred
 
      11-13-2004

"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .
> In article <Cb8ld.510$GV5.112@trnddc04>, David H. Lipman wrote:


> Sigh... Dave, please make a note to read RFC2365 sometime. That
> particular address has only been in use for several years now. The
> particular virus is Microsoft Windows - and that is Universal PnP


So.. Nothing to worry about in particular? And could you explain to me why
it sends those packets (it does as soon as I connect to the internet) or show me
somewhere to find this information?

MoR


 
 
David H. Lipman
 
      11-13-2004
Thanks -- I will

Dave




"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed).. .

| Sigh... Dave, please make a note to read RFC2365 sometime. That
| particular address has only been in use for several years now. The
| particular virus is Microsoft Windows - and that is Universal PnP
|
| Old guy


 