Ntoskrnl.exe

Discussion in 'other firewalls' started by controler, May 18, 2003.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    I woke this morning to the warning screen from Sygate, telling me
    an outgoing attempt had been made by Ntoskrnl.exe. I do not have Windows XP set to autoupdate.
    What other program would be trying to connect to change my Kernel?




    Application has changed since the last time you opened it, process id: 4
    Filename: C:\WINDOWS\System32\ntoskrnl.exe
    The change was denied by user.

    ---- Modules changed: 1 ----
    C:\WINDOWS\System32\ntoskrnl.exe
    ---- New modules: 0 ----
     

    Attached Files:

  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi controler,

    When you trace this address, you receive the following information:

    Resolve IP: 216.136.226.209
    Full name: cs30.msg.sc5.yahoo.com

    Any clues why it wants to connect to Yahoo? Ntoskrnl.exe is the most important file in Windows, it's the core. Normally only an update changes this file...

    Regards,

    Patrice
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi controler

    Do you have any more log details on the type of outbound ICMP? The destination IP comes back to Yahoo.

    Do you have existing rules for this .exe? Does Sygate provide you with details the last time that particular .exe was authenticated? Have you done any major system updates since then that could account for this prompt?

    Regards,

    CrazyM
     
  4. controler

    controler Guest

    Walwatcher didn't log it, and here is the info from the Sygate
    Packet viewer.
    I also posted all my system info on the NOD32 Beta thread yesterday, since it was requested. I am having that same problem updating NOD.
    I did leave Yahoo IM on all night also.

    05/18/2003 09:53:36   scs.msg.yahoo.com [216.136.233.137]   80   192.168.1.100   2807   Outgoing   Allowed   C:\Program Files\Yahoo!\Messenger\YPager.exe
       
    05/18/2003 09:53:36   scs.msg.yahoo.com [216.136.233.137]   80   192.168.1.100   2807   Incoming   Allowed   C:\Program Files\Yahoo!\Messenger\YPager.exe

    05/18/2003 09:53:36   scs.msg.yahoo.com [216.136.233.137]   80   192.168.1.100   2807   Incoming   Allowed   C:\WINDOWS\System32\DRIVERS\ndisuio.sys

    All these allows of the ndisuio driver even though I had Sygate set to block. Now I see it has been changed to none of the three (allow, block or ask). I didn't change it either :(
       
     
  5. controler

    controler Guest

    Now after resetting the driver to ask, I get the Sygate pop up telling me that that same IP wants to use the driver.
    05/18/2003 09:53:36 scs.msg.yahoo.com [216.136.233.137] 80 192.168.1.100 C:\WINDOWS\System32\DRIVERS\ndisuio.sys
    I had Yahoo pager set to not autoupdate before also.
    Something fishy going on here today.
     
  6. controler

    controler Guest

    These are the only entries I can find in my Walwatcher Log
     

    Attached Files:

  7. controler

    controler Guest

    Not sure how this came about, but I now see Sygate is set to ALLOW
    Ypager.exe and yupdater.exe.
    I will change back to ask and see what happens. I see the Sygate
    popup for the driver stopped now also after resetting that to ask.
     
  8. controler

    controler Guest

    Now I get this popup, but the whole thing that bothers me is the
    warning I got this morning with trying to use the NT Kernel.
    I don't think that is a normal part of Yahoo's updating system anyway, is it?

    File Version :      5, 5, 0, 1244
    File Description :   Yahoo! Messenger
    File Path :      C:\Program Files\Yahoo!\Messenger\YPager.exe
    Process ID :      BC0 (Heximal) 3008 (Decimal)

    Connection origin :   local initiated
    Protocol :      TCP
    Local Address :    192.168.1.100
    Local Port :      3466
    Remote Name :      shttp.msg.yahoo.com
    Remote Address :   216.136.173.183
    Remote Port :       80 (HTTP - World Wide Web)

    Ethernet packet details:
    Ethernet II (Packet Length: 62)
       Destination:    00-20-78-db-f7-49
       Source:    00-02-3f-35-f0-b3
    Type: IP (0x0800)
    Internet Protocol
       Version: 4
       Header Length: 20 bytes
       Flags:
          .1.. = Don't fragment: Set
          ..0. = More fragments: Not set
       Fragment offset:0
       Time to live: 128
       Protocol: 0x6 (TCP - Transmission Control Protocol)
       Header checksum: 0xdb41 (Correct)
       Source: 192.168.1.100
       Destination: 216.136.173.183
    Transmission Control Protocol (TCP)
       Source port: 3466
       Destination port: 80
       Sequence number: 2039725813
       Acknowledgment number: 0
       Header length: 28
       Flags:
          0... .... = Congestion Window Reduce (CWR): Not set
          .0.. .... = ECN-Echo: Not set
          ..0. .... = Urgent: Not set
          ...0 .... = Acknowledgment: Not set
          .... 0... = Push: Not set
          .... .0.. = Reset: Not set
          .... ..1. = Syn: Set
          .... ...0 = Fin: Not set
       Checksum: 0x9fdd (Correct)
       Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 20 78 DB F7 49 00 02 : 3F 35 F0 B3 08 00 45 00 | . x..I..?5....E.
    0010: 00 30 70 A0 40 00 80 06 : 41 DB C0 A8 01 64 D8 88 | .0p.@...A....d..
    0020: AD B7 0D 8A 00 50 79 93 : BE F5 00 00 00 00 70 02 | .....Py.......p.
    0030: 16 D0 DD 9F 00 00 02 04 : 05 B4 01 01 04 02 | ..............
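Added example, not from the thread and not Sygate's code: a small Python 3 script (standard library only) that reads the binary dump above back into bytes, decodes the Ethernet II, IPv4 and TCP headers the way the packet viewer lists them, and recomputes both checksums. The point for anyone reviewing a firewall alert is to check the viewer's decode against the actual bytes: here it confirms a 0-byte SYN from 192.168.1.100:3466 to 216.136.173.183:80 with MSS 1460 and SACK permitted, and that the checksum bytes in the dump (41 DB and DD 9F) are valid. The viewer prints those two fields with the bytes reversed (0xdb41 and 0x9fdd); the script shows them in wire order. The dump text, field names and option table are constructed for this example.

```python
import struct

# Constructed input: the 62-byte Ethernet frame exactly as the firewall printed it
# in the post above (offset, 16 hex bytes split by ':', then an ASCII column).
DUMP = """\
0000: 00 20 78 DB F7 49 00 02 : 3F 35 F0 B3 08 00 45 00 | . x..I..?5....E.
0010: 00 30 70 A0 40 00 80 06 : 41 DB C0 A8 01 64 D8 88 | .0p.@...A....d..
0020: AD B7 0D 8A 00 50 79 93 : BE F5 00 00 00 00 70 02 | .....Py.......p.
0030: 16 D0 DD 9F 00 00 02 04 : 05 B4 01 01 04 02 | ..............
"""

TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080)]
OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}


def parse_dump(text):
    """Turn 'offset: hex : hex | ascii' lines back into the raw frame bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        hexpart = line.split("|", 1)[0]        # drop the ASCII column
        hexpart = hexpart.split(":", 1)[1]     # drop the offset
        raw.extend(int(tok, 16) for tok in hexpart.replace(":", " ").split())
    return bytes(raw)


def internet_checksum(data):
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_tcp_options(opts):
    """Decode TCP option bytes into (name, value) pairs; unknown kinds become OPTn."""
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # NOP padding, single byte
            result.append(("NOP", None))
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        name = OPTION_NAMES.get(kind, "OPT%d" % kind)
        result.append((name, int.from_bytes(value, "big") if value else None))
        i += length
    return result


def parse_frame(raw):
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", raw[:14])
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: 0x%04x" % eth_type)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
    ttl, proto = ip[8], ip[9]
    ip_cksum = struct.unpack("!H", ip[10:12])[0]
    # Recompute over the IP header with the checksum field zeroed.
    ip_calc = internet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])

    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4         # TCP header length in bytes
    tcp_cksum = struct.unpack("!H", tcp[16:18])[0]
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_calc = internet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

    mac = lambda b: "-".join("%02x" % x for x in b)
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "dont_fragment": bool(frag & 0x4000),
        "ip_cksum": ip_cksum, "ip_cksum_ok": ip_cksum == ip_calc,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [n for n, bit in TCP_FLAGS if off_flags & bit],
        "tcp_cksum": tcp_cksum, "tcp_cksum_ok": tcp_cksum == tcp_calc,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
    }


if __name__ == "__main__":
    for key, val in parse_frame(parse_dump(DUMP)).items():
        if key.endswith("cksum"):
            val = "0x%04x" % val             # wire order, e.g. 0x41db not 0xdb41
        print("%-14s %s" % (key, val))
```

Run it with python3 and compare the printed fields against the viewer's decode; a checksum that fails to verify, or a payload length that is not zero on what the viewer calls a bare SYN, is the kind of mismatch worth following up.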
     
  9. controler

    controler Guest

    Google search of yahoo ntoskrnl

    http://www.winehq.com/hypermail/wine-devel/2002/09/0365.html

    http://www.softnews.ro/public/cat/13/9/13-9-1.shtml

    http://www.derkeiler.com/Newsgroups/microsoft.public.security/2002-10/6055.html

    ALTERNATIVE SMILEYS FOR YAHOO! MESSENGER I downloaded last week

    http://www.cyberproservices.com/yahoo/alternativesm.htm
     
  10. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi controler,

    Now I begin to understand. Actually I do believe that the Yahoo Messenger is responsible for this whole process. If you have done an update of it, it's quite possible that the ntoskrnl.exe has changed. So, then it's nothing to worry about.

    But actually I wouldn't leave the Messenger on all night long. What a nice platform to attack your system! :eek:

    Best regards,

    Patrice
     