I woke this morning to the warning screen from Sygate, telling me an outgoing attempt had been made by Ntoskrnl.exe. I do not have Windows XP set to autoupdate. What other program would be trying to connect to change my kernel?

Application has changed since the last time you opened it
process id: 4
Filename: C:\WINDOWS\System32\ntoskrnl.exe
The change was denied by user.
---- Modules changed: 1 ----
C:\WINDOWS\System32\ntoskrnl.exe
---- New modules: 0 ----
Hi controler, when you trace this address you receive the following information:

Resolve IP: 216.136.226.209
Full name: cs30.msg.sc5.yahoo.com

Any clues why it wants to connect to Yahoo? Ntoskrnl.exe is the most important file in Windows; it's the core. Normally only an update changes this file...

Regards, Patrice
Hi controler Do you have any more log details on the type of outbound ICMP? The destination IP comes back to Yahoo. Do you have existing rules for this .exe? Does Sygate provide you with details the last time that particular .exe was authenticated? Have you done any major system updates since then that could account for this prompt? Regards, CrazyM
Walwatcher didn't log it, and here is the info from the Sygate packet viewer. I also posted all my system info on the NOD32 beta thread yesterday, since it was requested. I am having that same problem updating NOD. I did leave Yahoo IM on all night also.

05/18/2003 09:53:36 scs.msg.yahoo.com [216.136.233.137] 80 192.168.1.100 2807 Outgoing Allowed C:\Program Files\Yahoo!\Messenger\YPager.exe
05/18/2003 09:53:36 scs.msg.yahoo.com [216.136.233.137] 80 192.168.1.100 2807 Incoming Allowed C:\Program Files\Yahoo!\Messenger\YPager.exe
05/18/2003 09:53:36 scs.msg.yahoo.com [216.136.233.137] 80 192.168.1.100 2807 Incoming Allowed C:\WINDOWS\System32\DRIVERS\ndisuio.sys

All these allows of the ndisuio driver, even though I had Sygate set to block; now I see it has been changed to none of the three (allow, block or ask). I didn't change it either.
Now, after resetting the driver to ask, I get the Sygate pop-up telling me that that same IP wants to use the driver.

05/18/2003 09:53:36 scs.msg.yahoo.com [216.136.233.137] 80 192.168.1.100 C:\WINDOWS\System32\DRIVERS\ndisuio.sys

I had Yahoo pager set to not autoupdate before also. Something fishy going on here today.
Not sure how this came about, but I now see Sygate is set to ALLOW YPager.exe and yupdater.exe; I will change them back to ask and see what happens. I see the Sygate pop-up for the driver has stopped now also, after resetting that to ask.
Now I get this pop-up, but the whole thing that bothers me is the warning I got this morning about trying to use the NT kernel. I don't think that is a normal part of Yahoo's updating system anyway, is it?

File Version : 5, 5, 0, 1244
File Description : Yahoo! Messenger
File Path : C:\Program Files\Yahoo!\Messenger\YPager.exe
Process ID : BC0 (Heximal) 3008 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.1.100
Local Port : 3466
Remote Name : shttp.msg.yahoo.com
Remote Address : 216.136.173.183
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: 00-20-78-db-f7-49
Source: 00-02-3f-35-f0-b3
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xdb41 (Correct)
Source: 192.168.1.100
Destination: 216.136.173.183
Transmission Control Protocol (TCP)
Source port: 3466
Destination port: 80
Sequence number: 2039725813
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x9fdd (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 20 78 DB F7 49 00 02 : 3F 35 F0 B3 08 00 45 00 | . x..I..?5....E.
0010: 00 30 70 A0 40 00 80 06 : 41 DB C0 A8 01 64 D8 88 | .0p.@...A....d..
0020: AD B7 0D 8A 00 50 79 93 : BE F5 00 00 00 00 70 02 | .....Py.......p.
0030: 16 D0 DD 9F 00 00 02 04 : 05 B4 01 01 04 02 | ..............
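Added worked example (editor's code, not part of the thread or of Sygate): a small decoder that takes the "Binary dump of the packet" exactly as Sygate printed it above, rebuilds the 62-byte frame, and walks the Ethernet II / IPv4 / TCP headers so every field in the pop-up can be checked against the raw bytes rather than trusted from the firewall's summary. It also recomputes both checksums with the RFC 1071 one's-complement sum, which is how you confirm the "(Correct)" annotation independently. One thing it makes visible: the wire bytes are `41 DB` for the IP header checksum and `DD 9F` for TCP, so the values Sygate displays (0xdb41, 0x9fdd) are those same bytes read in swapped order; the decoder reports the wire order. The dump text is copied from the post; no other input is assumed.

```python
import struct
from typing import Dict, List

# Constructed input: the "Binary dump of the packet" from the post above, copied
# verbatim in Sygate's layout (offset, hex bytes with a ':' mid-row separator,
# then a '|' ASCII column).
SYGATE_DUMP = """\
0000: 00 20 78 DB F7 49 00 02 : 3F 35 F0 B3 08 00 45 00 | . x..I..?5....E.
0010: 00 30 70 A0 40 00 80 06 : 41 DB C0 A8 01 64 D8 88 | .0p.@...A....d..
0020: AD B7 0D 8A 00 50 79 93 : BE F5 00 00 00 00 70 02 | .....Py.......p.
0030: 16 D0 DD 9F 00 00 02 04 : 05 B4 01 01 04 02 | ..............
"""

TCP_FLAG_NAMES = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                  (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_sygate_dump(text: str) -> bytes:
    """Turn Sygate's hex dump lines back into the raw Ethernet frame."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        body = line.split("|", 1)[0]            # drop the ASCII column
        _offset, hexpart = body.split(":", 1)   # drop the "0000:" offset
        hexpart = hexpart.replace(":", " ")     # drop the mid-row separator
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words.
    Run over a header that already carries a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_options(raw: bytes) -> List[str]:
    """Decode the TCP options area (kind 0 = end, kind 1 = NOP, others are TLV)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append("NOP")
            i += 1
            continue
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        if kind == 2:
            opts.append("MSS %d" % struct.unpack("!H", data)[0])
        elif kind == 4:
            opts.append("SACK-permitted")
        else:
            opts.append("kind %d len %d" % (kind, length))
        i += length
    return opts


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, ip_csum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP, IP protocol %d" % proto)
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, tcp_csum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    # The TCP checksum covers an IPv4 pseudo-header (src, dst, zero byte,
    # protocol, TCP length) followed by the whole segment.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "dst_mac": "-".join("%02x" % b for b in dst_mac),
        "src_mac": "-".join("%02x" % b for b in src_mac),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum": ip_csum,                 # value as it sits on the wire
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "tcp_checksum": tcp_csum,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "tcp_options": tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
    }


if __name__ == "__main__":
    for key, val in decode_frame(parse_sygate_dump(SYGATE_DUMP)).items():
        print("%-16s %s" % (key, hex(val) if key.endswith("checksum") else val))
```

Running it prints the same addresses, ports, TTL and sequence number the pop-up shows, a flag list of just SYN, both checksums verified, and the options Sygate did not decode (MSS 1460, two NOPs, SACK-permitted), which is the ordinary opening SYN of an outbound HTTP connection from YPager.exe.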
Google search of "yahoo ntoskrnl":
http://www.winehq.com/hypermail/wine-devel/2002/09/0365.html
http://www.softnews.ro/public/cat/13/9/13-9-1.shtml
http://www.derkeiler.com/Newsgroups/microsoft.public.security/2002-10/6055.html

ALTERNATIVE SMILEYS FOR YAHOO! MESSENGER, which I downloaded last week:
http://www.cyberproservices.com/yahoo/alternativesm.htm
Hi controler, Now I begin to understand. Actually I do believe that the Yahoo Messenger is responsible for this whole process. If you have done an update of it, it's quite possible that the ntoskrnl.exe has changed. So, then it's nothing to worry about. But actually I wouldn't leave the Messenger on all night long. What a nice platform to attack your system! Best regards, Patrice