ntoskrnl.exe keeps trying to access the internet

Discussion in 'other security issues & news' started by jhr76, Nov 1, 2008.

Thread Status:
Not open for further replies.
  1. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Hi. I don't know if this is the right place to post this, so if it's not please move it.
    Over the last couple of weeks or so my firewall (Sygate Personal Firewall Pro) keeps telling me that ntoskrnl.exe has changed since the last time I used it and is trying to access the internet. I always tell it not to and to remember that setting, but it keeps doing it, sometimes 2 or 3 times a day (but not every day).
    I have scanned my computer for viruses (NOD32 v3) and spyware (Spy Sweeper and Malwarebytes Anti-Malware) and they all come up clean. I did a little googling and some people said it was the FunLove virus, so I downloaded some specific removal tools (from Symantec) but they said the virus was not present. They also mentioned that if they allowed it access, problems started (so far I haven't noticed anything other than slower than normal torrent speeds).
    I have Windows XP Home SP3, fully updated. I know that ntoskrnl.exe can change after running Windows Update but in that case Sygate would only ask me once, not every single time, and it is rather annoying and I'm not sure whether it is a security risk or not.
    I really don't feel like re-formatting my computer again, I did it about a month ago...
    Any help would be greatly appreciated. Thanks a lot in advance.

    PS: here are the details from the Sygate alert:

    The executable has changed since the last time you used: C:\WINDOWS\system32\ntoskrnl.exe
    File Version : 5.1.2600.5657
    File Description : Sistema y núcleo de Windows NT
    File Path : C:\WINDOWS\system32\ntoskrnl.exe
    Process ID : 0x4 (Heximal) 4 (Decimal)

    Connection origin : local initiated
    Protocol : Raw Ethernet
    Local Address : 0.0.0.0
    Local Port : 0
    Remote Name :
    Remote Address : 0.0.0.0
    Remote Port : 0

    Ethernet packet details:
    Ethernet II (Packet Length: 56)
    Destination: ff-ff-ff-ff-ff-ff
    Source: 00-18-f3-65-44-fa
    Type: ARP (0x0806)
    Address Resolution Protocol (ARP)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: Request
    Sender hardware address: 00-18-f3-65-44-fa
    Sender IP address: 201.213.222.24
    Target hardware address: 00-00-00-00-00-00
    Target IP address: 201.213.222.1

    Binary dump of the packet:
    0000: FF FF FF FF FF FF 00 18 : F3 65 44 FA 08 06 00 01 | .........eD.....
    0010: 08 00 06 04 00 01 00 18 : F3 65 44 FA C9 D5 DE 18 | .........eD.....
    0020: 00 00 00 00 00 00 C9 D5 : DE 01 68 87 02 59 50 10 | ..........h..YP.
    0030: EE 38 E2 E5 00 00 01 01 : | .8......

    http://img353.imageshack.us/img353/531/sygatexn0.jpg
     
    Last edited: Nov 1, 2008
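The alert above quotes a raw frame that Sygate attributes to ntoskrnl.exe. The following decoder, added here as an example and not part of the original thread or of Sygate, parses that exact "offset: hex : hex | ascii" dump back into bytes and decodes the Ethernet II and ARP headers, so a reader can check the firewall's own field listing (opcode Request, sender 201.213.222.24, target 201.213.222.1, broadcast destination) against the raw bytes. The `classify` verdict text is the example's own wording.

```python
import struct
from dataclasses import dataclass

# Sygate's binary dump of the frame, copied from the alert quoted in post #1.
SYGATE_DUMP = """\
0000: FF FF FF FF FF FF 00 18 : F3 65 44 FA 08 06 00 01 | .........eD.....
0010: 08 00 06 04 00 01 00 18 : F3 65 44 FA C9 D5 DE 18 | .........eD.....
0020: 00 00 00 00 00 00 C9 D5 : DE 01 68 87 02 59 50 10 | ..........h..YP.
0030: EE 38 E2 E5 00 00 01 01 : | .8......
"""

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "Request", 2: "Reply"}
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"
ZERO_MAC = "00-00-00-00-00-00"


def parse_sygate_dump(dump: str) -> bytes:
    """Turn Sygate's 'offset: hex : hex | ascii' lines back into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _offset, rest = line.split(":", 1)        # drop the "0000" offset column
        hex_part = rest.split("|", 1)[0]          # drop the ASCII rendering
        raw.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(raw)


def mac(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def decode_arp_frame(frame: bytes) -> ArpFrame:
    """Decode Ethernet II (14 bytes) + ARP (28 bytes); trailing bytes are ignored."""
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet II + ARP (42 bytes)")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP over Ethernet/IPv4")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac(dst), mac(src), ARP_OPCODES.get(oper, f"unknown({oper})"),
                    mac(sha), ipv4(spa), mac(tha), ipv4(tpa))


def classify(arp: ArpFrame) -> str:
    """Plain-language verdict on what kind of ARP traffic the dump shows."""
    if arp.opcode == "Request" and arp.dst_mac == BROADCAST_MAC and arp.target_mac == ZERO_MAC:
        return (f"broadcast ARP request: {arp.sender_ip} asking who has {arp.target_ip}; "
                "link-local address resolution, no IP payload involved")
    return "not a plain broadcast ARP request; inspect further"


if __name__ == "__main__":
    arp = decode_arp_frame(parse_sygate_dump(SYGATE_DUMP))
    print(arp)
    print(classify(arp))
```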
  2. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Probably nothing to worry about; like you say, mostly Windows updates and/or security patches cause that behavior. And because your system is clean, antimalware programs have nothing unusual to report. :)

    To avoid this specific FW alert please make a custom rule in your firewall.

    Regards,

    Smokey
     
  3. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    I created a special rule to block it on all protocols today, so I guess I'll just have to wait and see if it stops asking me all the time after this, though even if it does I find it very unusual that it only started recently even though I always run Windows Update... o_O
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    jhr76, perhaps you should find that ntoskrnl.exe, right click it to open its Properties and see when it was last modified. Then, go to Windows Update history and see if any Microsoft updates match that modification date. That could tell you if the recent change was due to MS. You could also upload it to VirusTotal or Jotti's Malware Scan for a second opinion.

    I found this thread: C:\Windows\System32\ntoskrnl.exe is missing or corrupt, error message in windows Xp which says "ntoskrnl.exe is a system file that contains the boot screen image, that is, the image that is displayed while booting in windows Xp." Did you try to replace the boot screen image lately?
     
  5. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Hi. No, I did not modify that image, and the warning just came up again even though I created a special rule to block all access to it.
    I really doubt that this is because of a Windows update, because if it were then the firewall would only notify me that it changed ONCE not over and over again... :(
    I'll probably try the online scans later. Thanks for the input.
    If anyone else can think of something I'd appreciate it.
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    jhr76, you're welcome. At the very least, the 2 online scans will let you know if that .exe might be a false positive or not.

    What's funny (not to you, of course) is that most of what I read on the Internet about this .exe is happening with the Sygate firewall, so perhaps someone else, who has this firewall, will reply to you soon. Take care.
     
  7. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Sygate has been giving me that pop up forever. Don't worry about it. There's probably no virus. You might make a special rule to block ports udp 135-139 Net Bios.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Actually, I think this belongs more to "other firewalls", but it doesn't matter...

    Since you're speaking in singular here, I assume you don't have a LAN. But can you please confirm this first?
     
  9. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    To answer your questions:
    I do not have a LAN
    I created a special rule to block ntoskrnl.exe on all protocols. Should I make a new rule blocking udp 135-139 Net Bios?
    Sygate never used to give me this pop up, but even if it is safe, it is really annoying to have it ask 2 or 3 times a day since I am telling it to block it and to remember the setting
    And from what I could find while googling for this, most (if not all) of the people who reported problems with ntoskrnl.exe had Panda AV/firewall...
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    No, disable NetBios as explained, for example, here.

    EDIT: jhr76, I have to go now, but I will return to help. This is very interesting to me.

    Cheers,
     
  11. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    jhr76, no special firewall rules are needed to stop these comms if you don't have a LAN, they can be stopped natively.
    If you disabled NetBios through your NIC properties, you would now also need to close the port 445 to stop SMB and completely disable NetBios over TCP/IP. Here's how you do this.
    Now no comms are made by the System (ntoskrnl.exe) and you can safely delete the blocking rule you previously created for ntoskrnl.

    Please note that no LAN is available after you do this, and if you ever need it, you would have to undo all these changes.

    Cheers,
     
  12. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Hi Seer. Thank you for all of that info. Excuse my ignorance but by LAN I assume you mean having more than one computer set up in a network, correct? I do not have that, I only have the one computer connected thru cablemodem (3 megs), so all of these changes should not affect my ability to browse, use P2P programs or play online games, right? (I do not currently play any online games but I am eagerly waiting for the release of Battlefield Heroes :D )
    Thanks again to everyone.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    For what it's worth, I think I recall seeing this also, years ago when I used Sygate. I had a clean system at the time, fresh reformat, so I assumed it was ok and just something Sygate felt it needed to report, no other firewall ever mentioned it. So I told it to Allow it, and remember, and that was the end of it. I believe it is harmless and there is nothing wrong...

    Google "sygate ntoskrnl" and you'll get literally tons of others seeing the same thing, so it's not anything wrong on your system:

    http://www.google.com/search?hl=en&...um=0&ct=result&cd=1&q=sygate ntoskrnl&spell=1

    Edit: To add link.
     
    Last edited: Nov 2, 2008
  14. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    Yes. 2 or more PCs that "see" each other.

    No, these settings will in no way affect your internet usage. I have just explained how to disable file-sharing and LAN so no more comms are made by ntoskrnl.exe. On Vista, there are multicast comms made by ntoskrnl (System) needed for utorrent, but not on XP. I have never used Sygate, but I assume that you won't be asked by Sygate about anything regarding ntoskrnl after these changes, as this is the same with every firewall/system. It is just a matter of how Sygate interprets this. If you have any doubts, make an image of your system beforehand (you do have an imaging strategy, don't you?)... You can restore it if anything goes wrong.

    I have also searched for a few keywords, but none of these links provide a satisfying answer. They either suggest malware (lol) or creating some unnecessary rules to block or bypass these comms. Anything that can be stopped natively (properly) should never be blocked by a firewall as this is not what firewalls are meant for.

    I would also like to see more opinions on this one, especially from Sygate users.

    Cheers,
     
    Last edited: Nov 2, 2008
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, I know it's not malware or any problem. I think it is some normal part of the system doing something, and somehow Sygate hooks into it and picks it up. As mentioned, I allowed it and made a rule, and never had any problems, and this on a fresh install, so I am sure it's just part of the OS doing its thing so to speak. Could also just be Sygate doing some sort of loopback checking, although that was a problem for Sygate in general.

    Anyway, I'd not worry, but as you say, let's hear more from Sygate users..

    It's a shame the old Sygate Forums are not around anymore, I'm sure this has been discussed there plenty in the past....
     
  16. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Thank you all for your input. I should have waited until I got a reply from Seer but I didn't, and I have turned a minor annoyance into a major issue.
    When Seer mentioned disabling NET Bios I remembered I had recently downloaded a small program called Windows Worm Door Cleaner (I had seen it mentioned somewhere in these forums I believe) which, among other things, disables NET Bios, so I decided to use that instead. It also had the option to disable DCOM, RPC Locator, UPnP and the Messenger service (these last 2 were already disabled), so I disabled NET Bios, RPC Locator and DCOM and restarted.
    Once the computer came back up I no longer had internet access and Network Connections would not open (I have a Scientific Atlanta cablemodem connected thru ethernet).
    I went back to the program and tried to enable them again, but the only one that did (or at least it said it did) was DCOM and that didn't fix the issue. It keeps saying that RPC Locator will be re-enabled on the next reboot but it never does, and every time I click to re-enable NET Bios and restart, the system hangs while shutting down and after manually restarting it, it is still the same way.
    I tried all I could think of to no avail, so I will end up re-formatting after all. Once everything is back to normal and Windows is fully updated I will disable NET Bios as Seer instructed and only then I will install Sygate and see what's what.
    However, like several of you mentioned, I would like to hear any input from other Sygate users. Once again thank you all.

    http://img230.imageshack.us/img230/7329/wwdczf9.jpg
     
  17. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    jhr76,

    tread very carefully and disable only one thing at a time. Disabling DCOM will stop the Remote Procedure Call service from listening on port 135. This service acts as a service controller and is crucial for the proper functioning of other services. Practically everything depends on it. There are registry fixes that will return the RPC service to its default state but I have never used them so I cannot tell if they do the job.
    You would first need to disable NetBios by closing ports 137-139 and see if this solves your issue.
     
  18. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Hi Seer. Thanks for the quick reply.
    Yeah, I found that out the hard way and I am determined to re-format now and do a clean start and will disable NET Bios following the instructions in the links you provided.
    Since I will be starting anew I wanted to know for sure, does svchost need access to the internet? I know it is a generic service that controls a ton of stuff (and I have no way of knowing exactly which of the many services that use it is actually attempting the communication) but once Sygate warned me that it was trying to access the web and since I could find no reason for it to do so I blocked it, apparently with no ill results. Also, does explorer need to be allowed access (it also prompted me to once and I blocked it). Thanks again.
     
  19. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Two important services will connect to the net through svchost - DHCP and DNS. DHCP will connect locally through ports 67 and 68 and DNS will connect to your ISP DNS servers on port 53. It is possible to disable the DNS client (svchost) connecting to your ISP. Whether it's possible or not to disable DHCP and use a fixed IP address will depend on your connection. There are also other services like UPnP and SSDP (ports 1900 and 5000 if I am not mistaken), NTP (port 123) and possibly some others which I can't remember at the moment, I would need to refresh my memory. But let us not be hasty here. First things first, let's sort out this issue with LAN for now.

    EDIT:

    explorer.exe - does NOT need to connect to the net in any way. As far as I am aware, there is one case where explorer asks to connect to microsoft - when you perform a search (for files/folders). This cannot be stopped natively and is an example of a connection that should be stopped with a firewall. This is valid for XP only, on Vista that has been changed.

    Cheers,
     
    Last edited: Nov 3, 2008
  20. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Hi Seer. I re-formatted yesterday and did most of the updates but didn't get a chance to finish them all last night, but I should be able to finish them today when I get back from work. Like I mentioned before I will then create a system restore point, disable Net Bios following the instructions you provided and only then I will install Sygate and see if it continues to bug me with ntoskrnl.exe...
    I wanted to ask you something. I always tweak my system by disabling as many unnecessary services as possible in order to improve performance/boot times as well as security (who needs to allow remote access to their registry?) and I came across a program called Safe XP that was mentioned in another topic in this same sub forum ( https://www.wilderssecurity.com/showthread.php?t=224340 ) that allows you to "harden" Windows security by disabling some services, options and making other tweaks. I was wondering if you are familiar with it and if so which settings would you recommend (it has the option to disable RPC Locator but I won't be doing THAT again any time soon...) Here is a screenshot of the program's main (and only) window:
    http://www.theorica.net/download/safeXPscr.gif
     
  21. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello jhr76.

    It is OK, just take your time, I will be around.

    I am familiar with SafeXP, I have used it in the past. I can recommend some options from this app, but you may also wish to take a look at the ongoing thread that also deals with hardening.

    Cheers,
     
  22. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Well, so far so good. It's been several days now and ntoskrnl.exe has not yet asked me for internet access (or at least Sygate hasn't prompted me to allow or deny it, but it does show up in the firewall's list of processes http://img58.imageshack.us/img58/75/sygate1qy9.jpg -my Windows is in Spanish in case you're wondering-)
    As far as svchost.exe goes, I am allowing or denying it on a case by case basis. If it's trying to connect to some Microsoft address while running updates or the like I allow it; when it tries to connect to something else (address or IP) or says that it is being contacted by something or other I deny it.
    I did disable Net Bios following the instructions on the 2 links you provided me with.
     
  23. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    I am glad to hear this jhr76. I was beginning to think that you'd never show up and that we seriously messed something up, but it appears that my assumptions were correct. BTW, I wouldn't post the things I posted out of thin air, I actually recreated your issue and tried my suggestions out in a VM beforehand.
    The remaining ntoskrnl process will belong to RPC's port 135 if I am not mistaken.

    As for the svchost connections, yes, I forgot to mention that Windows Updates will also use this host. Basically, with this, you would need to allow svchost browser access as it will connect to many different IPs on ports 80 and 443, so creating a restrictive/tight rule is almost impossible. Regarding Windows Updates, I would suggest that you completely disable the automation. Windows Updates are now packed as Patch Tuesdays and will occur (almost exclusively) only every second Tuesday of the month. And there are few updates now for XP since it's a very mature OS. You can always fire up your Update process on this date and do your updating manually. It is not such a hassle as it is only once a month and it will provide better security with fewer unneeded connections.

    Do remember what I said on explorer.exe in post #19. This, while I personally find it a no-issue, should nevertheless be blocked - for good if possible, until officially clarified.

    On any further questions you may have regarding svchost network connections, feel free to start a new thread with appropriate name and I will gladly assist.

    Cheers,
     
  24. jhr76

    jhr76 Registered Member

    Joined:
    May 15, 2008
    Posts:
    40
    Location:
    Argentina
    Hi Seer. Once again thanks for all the help.
    BTW, I only run Windows Update manually once a week, just to be on the safe side (I always update my security software -antivirus, antispyware- manually once a week)
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    You're most welcome, jhr76.

    Excellent approach. I pretty much do the same.
    See you around.

    Cheers,
     