
ntoskrnl.exe


blackcatz
April 15th, 2005, 09:12 AM
I am a NOD32 user and this is my first post on the forum. I am looking for some advice regarding a firewall issue with Sygate.

Since around 3 days ago, each time I boot my PC and then connect to the net, Sygate tells me ntoskrnl.exe has changed since the last time I used it and is trying to gain access to the internet.

The exact log is as follows:

The executable has changed since the last time you used: D:\WINDOWS\system32\ntoskrnl.exe
File Version : 5.1.2600.2622
File Description : NT Kernel & System
File Path : D:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : remote initiated
Protocol : TCP
Local Address : 80.44.112.121
Local Port : 445 (CIFS - Common Internet File System)
Remote Name :
Remote Address : 80.44.183.72
Remote Port : 4335

Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: 00-00-01-00-00-00
Source: 01-00-20-00-01-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 126
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xf898 (Correct)
Source: 80.44.183.72
Destination: 80.44.112.121
Transmission Control Protocol (TCP)
Source port: 4335
Destination port: 445
Sequence number: 3632350111
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x608c (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 00 01 00 00 00 01 00 : 20 00 01 00 08 00 45 00 | ........ .....E.
0010: 00 30 9B B5 40 00 7E 06 : 98 F8 50 2C B7 48 50 2C | .0..@.~...P,.HP,
0020: 70 79 10 EF 01 BD D8 81 : 43 9F 00 00 00 00 70 02 | py......C.....p.
0030: FF FF 8C 60 00 00 02 04 : 05 8C 01 01 04 02 | ...`..........


I have back-traced the IP and it is an IP associated with my ISP. I am desperate to know why ntoskrnl.exe changes each time I boot up, and also why it is being contacted remotely.

Does anyone have any suggestions on what is going on?

Thanks - John
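The binary dump in the post above carries enough to decode the whole event independently of Sygate's summary. The following is an added example (not from the original poster or from Sygate) that re-types that 62-byte dump as a constructed input, parses the Ethernet/IPv4/TCP headers, recomputes the RFC 1071 checksums, and reports what the firewall actually saw: a bare SYN from 80.44.183.72:4335 to 80.44.112.121:445 with no payload, i.e. an unsolicited inbound connection attempt to the SMB/CIFS port from an address in the same 80.44.0.0/16 block. Process ID 4 is the System process on NT-family Windows; the port 445 listener lives in the kernel, which is why Sygate attributes the connection to ntoskrnl.exe rather than to a user-mode program. The field names and the `assess()` helper are this example's own choices, not Sygate terminology.

```python
"""Decode the Sygate packet dump quoted in the post and recheck its claims."""
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed input: the "Binary dump of the packet" from the post, re-typed as hex.
FRAME_HEX = (
    "00 00 01 00 00 00 01 00 20 00 01 00 08 00 45 00 "
    "00 30 9B B5 40 00 7E 06 98 F8 50 2C B7 48 50 2C "
    "70 79 10 EF 01 BD D8 81 43 9F 00 00 00 00 70 02 "
    "FF FF 8C 60 00 00 02 04 05 8C 01 01 04 02"
)
FRAME = bytes.fromhex(FRAME_HEX)

TCP_FLAGS = (("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Over a header that already carries
    a correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total ^ 0xFFFF


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP option list (kind, length, body); NOP and EOL have no length."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            opts["SACK_PERMITTED"] = True
        else:
            opts["kind_%d" % kind] = body.hex()
        i += length
    return opts


def decode_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP, verifying both checksums on the way."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    segment = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     tcp_csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    # TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(segment))
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "df": bool(flags_frag & 0x4000), "ip_id": ident,
        # Note: Sygate prints these byte-swapped (0xf898 / 0x608c in the log).
        "ip_checksum": ip_csum,
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "window": window, "tcp_checksum": tcp_csum,
        "tcp_checksum_ok": internet_checksum(pseudo + segment) == 0,
        "options": parse_tcp_options(segment[20:data_off]),
        "payload_len": len(segment) - data_off,
    }


def assess(pkt: dict, local_ip: str) -> dict:
    """The questions a firewall reviewer asks of this one packet."""
    return {
        "inbound_syn": pkt["dst"] == local_ip and pkt["flags"] == ["SYN"],
        "to_smb_445": pkt["dport"] == 445,
        "remote_in_same_slash16": IPv4Address(pkt["src"]) in IPv4Network(local_ip + "/16", strict=False),
        "checksums_ok": pkt["ip_checksum_ok"] and pkt["tcp_checksum_ok"],
    }


if __name__ == "__main__":
    packet = decode_frame(FRAME)
    for key, value in packet.items():
        print("%-18s %s" % (key, value))
    print(assess(packet, "80.44.112.121"))
```

Both checksums verify, the sequence number matches the 3632350111 Sygate reported, and the options (MSS 1420, SACK permitted) are a normal SYN's. Nothing in the dump is "ntoskrnl.exe reaching out"; it is the other direction, and a blocking rule on port 445 for remote-initiated traffic is what stops the prompt.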

ronjor
April 15th, 2005, 09:56 AM
John,

Your HijackThis log was removed.

Unfortunately, Wilders no longer provides support for Hijack This logs, and as such you will need to post your HijackThis Log at one of the forums found at A-SAP (http://a-sap.org/).

The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com (http://www.spywareinfoforum.com/index.php) and CastleCops.com (http://castlecops.com/forums.html). Be sure to read their posting policy in the links at their log review forum sections prior to posting.

blackcatz
April 15th, 2005, 10:01 AM
I am not concerned about my HijackThis log, as I only posted it to assist with my original question.

If anyone has any suggestions in response to my question then that would be appreciated.

Arup
April 15th, 2005, 12:33 PM
Have you given ntoskrnl "act as server" rights under Sygate? If so, please uncheck it to see if this happens again.

blackcatz
April 15th, 2005, 01:06 PM
Quote: "Have you given ntoskrnl "act as server" rights under Sygate? If so, please uncheck it to see if this happens again."

Thanks for the reply but I have solved the problem.

I created an advanced rule to block ntoskrnl.exe but said yes to allow ntoskrnl.exe when Sygate asked me upon boot-up.

As the advanced rule overrides my choice, this meant ntoskrnl.exe was not granted access, and Sygate stopped asking me whether I wanted to allow it access.

Arup
April 15th, 2005, 01:11 PM
Funny, I too am running Sygate on Win2K SP4 but never get this request at all.

Kerodo
April 15th, 2005, 01:18 PM
Haven't seen that problem either...