I am a NOD32 user and this is my first post on the forum and I am looking for some advice regarding a firewall issue with Sygate. Since around 3 days ago, each time I boot my PC and then connect to the net, Sygate tells me ntoskrnl.exe has changed since the last time I have used it and is trying to gain access to the internet. The exact log is as follows:

    The executable has changed since the last time you used: D:\WINDOWS\system32\ntoskrnl.exe
    File Version : 5.1.2600.2622
    File Description : NT Kernel & System
    File Path : D:\WINDOWS\system32\ntoskrnl.exe
    Process ID : 0x4 (Heximal) 4 (Decimal)
    Connection origin : remote initiated
    Protocol : TCP
    Local Address : 80.44.112.121
    Local Port : 445 (CIFS - Common Internet File System)
    Remote Name :
    Remote Address : 80.44.183.72
    Remote Port : 4335

    Ethernet packet details:
    Ethernet II (Packet Length: 62)
        Destination: 00-00-01-00-00-00
        Source: 01-00-20-00-01-00
        Type: IP (0x0800)
    Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 126
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0xf898 (Correct)
        Source: 80.44.183.72
        Destination: 80.44.112.121
    Transmission Control Protocol (TCP)
        Source port: 4335
        Destination port: 445
        Sequence number: 3632350111
        Acknowledgment number: 0
        Header length: 28
        Flags:
            0... .... = Congestion Window Reduce (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...0 .... = Acknowledgment: Not set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..1. = Syn: Set
            .... ...0 = Fin: Not set
        Checksum: 0x608c (Correct)
        Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 00 01 00 00 00 01 00 : 20 00 01 00 08 00 45 00 | ........ .....E.
    0010: 00 30 9B B5 40 00 7E 06 : 98 F8 50 2C B7 48 50 2C | .0..@.~...P,.HP,
    0020: 70 79 10 EF 01 BD D8 81 : 43 9F 00 00 00 00 70 02 | py......C.....p.
    0030: FF FF 8C 60 00 00 02 04 : 05 8C 01 01 04 02 | ...`..........
I have back-traced the IP and it is an IP associated with my ISP and I am desperate to know why ntoskrnl.exe changes each time I boot up and also why is it being contacted remotely? Does anyone have any suggestions on what is going on?

Thanks - John
John, your hijack log was removed. Unfortunately, Wilders no longer provides support for HijackThis logs, and as such you will need to post your HijackThis log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.
I am not concerned about my HijackThis log as I only posted it to assist with my original question. If anyone has any suggestions in response to my question then that would be appreciated.
Have you given ntoskrnl act as server rights under Sygate? If so, please uncheck to see if this happens again.
Thanks for the reply but I have solved the problem. I created an advanced rule to block ntoskrnl.exe but said yes to allow ntoskrnl.exe when Sygate asked me upon boot up. As the advanced rule overrides my choice, this meant ntoskrnl.exe was not granted access and Sygate stopped asking me if I wanted to allow it access.