Discussion in 'other firewalls' started by blackcatz, Apr 15, 2005.

Thread Status:
Not open for further replies.
  1. blackcatz

    blackcatz Registered Member

    Apr 15, 2005
    I am a nod32 user and this is my First post on the forum and I am looking for some advice regarding a firewall issue with Sygate.

    Since around 3 days ago, each time I boot my pc and then connect to the net, sygate tells me ntoskrnl.exe has changed since the last time I have used it and is trying to gain accesss to the internet.

    The exact log is as follows:

    The executable has changed since the last time you used: D:\WINDOWS\system32\ntoskrnl.exe
    File Version : 5.1.2600.2622
    File Description : NT Kernel & System
    File Path : D:\WINDOWS\system32\ntoskrnl.exe
    Process ID : 0x4 (Heximal) 4 (Decimal)

    Connection origin : remote initiated
    Protocol : TCP
    Local Address :
    Local Port : 445 (CIFS - Common Internet File System)
    Remote Name :
    Remote Address :
    Remote Port : 4335

    Ethernet packet details:
    Ethernet II (Packet Length: 62)
    Destination: 00-00-01-00-00-00
    Source: 01-00-20-00-01-00
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 126
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0xf898 (Correct)
    Transmission Control Protocol (TCP)
    Source port: 4335
    Destination port: 445
    Sequence number: 3632350111
    Acknowledgment number: 0
    Header length: 28
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Checksum: 0x608c (Correct)
    Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 00 01 00 00 00 01 00 : 20 00 01 00 08 00 45 00 | ........ .....E.
    0010: 00 30 9B B5 40 00 7E 06 : 98 F8 50 2C B7 48 50 2C | .0..@.~...P,.HP,
    0020: 70 79 10 EF 01 BD D8 81 : 43 9F 00 00 00 00 70 02 | py......C.....p.
    0030: FF FF 8C 60 00 00 02 04 : 05 8C 01 01 04 02 | ...`..........

    I have back traced the ip and it is an ip associated with my isp and I am desperate to know why ntoskrnl.exe changes each time I boot up and also why is it being contacted remotely?

    Does anyone have any suggestions on what is going on?

    Thanks - John
  2. ronjor

    ronjor Global Moderator

    Jul 21, 2003

    You hijack log was removed.

    Unfortunately, Wilders no longer provides support for Hijack This logs, and as such you will need to post your HijackThis Log at one of the forums found at A-SAP.

    The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.
  3. blackcatz

    blackcatz Registered Member

    Apr 15, 2005
    I am not concerned about my hijackthis log as I only posted it to assist with my original question.

    If anyone has any suggestions in response to my question then that would be appreciated.
  4. Arup

    Arup Guest

    Have you given ntoskrnl act as server rights under Sygate? If so, please uncheck to see if this happens again.
  5. blackcatz

    blackcatz Registered Member

    Apr 15, 2005
    Thanks for the reply but I have solved the problem.

    I created an advanced rule to block ntoskrnl.exe but said yes to allow ntoskrnl.exe when sygate asked me upon boot up.

    As the advanced rule overrides my choice, this meant ntoskrnl.exe was not granted access and sygate stopped asking me if I wanted to allow it access.
  6. Arup

    Arup Guest

    Funny, I too am running Sygate on Win2K SP4 but never get this request at all.
  7. Kerodo

    Kerodo Registered Member

    Oct 5, 2004
    Haven't seen that problem either...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.