Something weird going on....

[rothen]

Somehow there is something going on inside my pc

I would really appreciate your help on this....

I use W2000 with Symantec AV + Sygate Firewall. At start-up Sygate reports "NT Kernel System has changed" with file identifier ntoskrnl.exe. Sygate asks whether that can access the internet and I say no. All seems fine but after five minutes or so IE denies I am connected. Mozilla the same. Outlook still runs as if nothing is the matter. Restart and the same happens again.

I ran spybot-search and for good measure installed Spyware blaster. No use. I uninstalled about everything not essential. No use. There still is something weird going on...

Any hint will help.

Hi rothen,

Welcome to Wilders'

ntoskrnl.exe is a critical process in the boot-up cycle of your computer

Note: ntoskrnl.exe can be altered by the w32.bolzano and variants.

Info on : w32.bolzano -> http://securityresponse.symantec.com...2.bolzano.html

Quote:

W32.Bolzano has the chance to patch ntoskrnl.exe, the Windows NT kernel, located in the WINNT\SYSTEM32 directory. The virus modifies only 2 bytes in a security API called SeAccessCheck that is part of ntoskrnl.exe. This way Bolzano is able to give full access to all users to each file regardless of its protection, whenever the machine is booted with the modified kernel.

Norton will detect it ... try running an AV scan in "Safe" mode ... Tap F8 while booting ... Select option 1 "Safe Mode" ... When Norton finds it select "Repair"

Steve

[Blackspear]

Hi Rothen, welcome to Wilders. If what Dog suggested doesn't work, I would suggest following the comprehensive steps found in General Cleaning.

If these steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

The steps mentioned in General Cleaning use software that ought to be part of your security, as an absolute minimum. Once your system is clean, please don’t hesitate to ask further about using these and other security software to protect your computer.

Hope this helps...

Let us know how you go.

Cheers

[rothen]

The treatment suggested, running Symantec AV in safe mode, worked wonders. I am eternally in debt.

What I do not know is how that little bugger got into my PC. I have a router making me invisible to the world (I hope), I have Sygate, Symantec AV and Spywareblaster running, I do a regular check with Spybot and yet I appear to be as vulnerable as the next guy.

Make me long for the good old EARN days...

Keep up the good work, you have been a real help.

Regards from the Dutch outback.

[Blackspear]

Good to see Rothen, and thanks for keeping us up-to-date with your progress, You may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

This is what works really well for me, very simple to use and maintain.

Let us know how you go…

Cheers

[rothen]

Blackspear,

That seems a fairly comprehensive list of which I have at least half a dozen running. I will try the rest. Meanwhile Spybot found more W32.Bolzano's (That town has been a difficult place to live even in the best of times). Time to start making a donation to these guys !

And another little problem I have is that someone out there seems to be sending emails riddled with viruses under my email address (at least that's what I think is going on: unknown postmasters are sending me refusal notifications).

This really is a new world for me.

[Blackspear]

Quote:

Originally Posted by rothen

That seems a fairly comprehensive list of which I have at least half a dozen running.

It is there as a guide, my system is set up like a fortress

Quote:

Originally Posted by rothen

Meanwhile Spybot found more W32.Bolzano's

I would suggest another run through General Cleaning until your system is clean, and if it keeps returning then download and run “Hijack This” found here and post your log at one of the forums found at A-SAP.

Quote:

Originally Posted by rothen

I have is that someone out there seems to be sending emails riddled with viruses under my email address (at least that's what I think is going on: unknown postmasters are sending me refusal notifications).

Once your system is clean you can safely ignore these sort of messages, but until then let’s work on confirming your system is actually clean

Cheers