cancel
Showing results for 
Search instead for 
Did you mean: 

Suspected Virus/spyware Need help please

N/A

Suspected Virus/spyware Need help please

Hey all, A few days ago I started to notice a lot of packets trying to be sent on port 137 and port 520. I use protowall to block undesirable scans and have noticed this:

Packet to "IANA - Multicast, Kuang2thevirus, IANA Reserved" (255.255.255.255) [protocol: UDP / destport: 137]

and packet to "IANA - Multicast, Kuang2TheVirus, IANA Reserved (224.0.0.9) [protocol: UDP / destport: 520]

I keep having these scans/packets sent every few minutes and especially when I first connect to the internet. It does affect my speed of my computer and internet connection at times. My virus scan doesn't pick up anything (mcafee) and I have several anti spyware programs which haven't picked anything up either.

Anyone got any suggestions? I'm just about fed up enough to reformat.

Regards

Andy
9 REPLIES
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

Suspected Virus/spyware Need help please

Have you had a look under "msconfig" to see whats being started up when you first start the PC?
You may find something in there relating to the IANA - Multicast, Kuang2thevirus, IANA message you are seeing.
If so you should be able to stop it running.
N/A

Suspected Virus/spyware Need help please

Yes, I've tried that. All the other things that startup are ok. Nothing suspicious there.

I've also looked at process running on task manager. No joy there either.
N/A

Suspected Virus/spyware Need help please

They are as they suggest Multicast packets, which by themselves, should be perfectly harmless.

Have you tried checking the support sections for the firewall, to see if it has an issue with dealing with multi-cast traffic?
N/A

Suspected Virus/spyware Need help please

Are you using an ADSL router to connect to the internet? Do you have two or more PCs networked together?

The destport 137 is one of the ports used by NetBIOS to transmit information about computer names etc. to other PCs on a peer-to-peer network. If you or any of the PCs on your network have file sharing enabled you may well get data coming in on ports 137 and 138.

The address 224.0.0.9 is used by the Routing Information Protocol (RIP) version 2. RIP allows gateways to exchange routing information with other gateways, hence why I asked if you have an ADSL router. RIP periodically broadcasts routing information using multicast address 224.0.0.9 i.e. an IP address reserved for this very purpose. Read more about RIP 2 here if you are interested.

In both cases the most interesting piece of information you haven't given is remote IP address. With this information it's easier to determine if the incoming packets are from a local network or somewhere on the internet. If either of these incoming packets is from a local network it is likely they are harmless.

Regards,
Scott
N/A

Suspected Virus/spyware Need help please

I've had a look on Mcafee's site for multicast traffic and there's not much there. I've also done a search and it seems that people have had problems with kuang2 but on port 13700.
N/A

Suspected Virus/spyware Need help please

One other thing I forgot to mention is that my firewall keeps on popping up asking me to reconnect to the internet (Connection window)

At this time I get a lot of packets trying to be sent out.
N/A

Suspected Virus/spyware Need help please

Firstly do you have UPnP enabled on your machine? Since UPnP uses an IP mask which can cover 255.255.255.255.

I use Protowall, and blocklist manager. I got the same warnings as you did and I lost my lan connection if 255.255.255.255 was blocked. I found my PC wouldn't reconnect and would self assign a new IP address, rather than use the reserved IP address from the router, and thus I'd lose my internet connection as well.

To resolve the problem I changed it to be allowed within blocklist manager and I've had no further problems since.

It's worth also mentioning that a Plus Net address is actually within the blocklists and when running you'll find some people's avatar won't display as a result of this.
N/A

Suspected Virus/spyware Need help please

hmm interesting. I'll give that a go and let you know how I get on. Thanks for your help guys Cheesy
N/A

Suspected Virus/spyware Need help please

Works fine now. Thanks for your help guys Cheesy

Very friendly people on these forums Cheesy