From: David H. Lipman on 4 Feb 2007 07:42

From: "Irwin Greenwald" <oiwin(a)adelphia.net>

Replies are inline...

>> AVG often reports changes to files after you install a MS HotFix. It does so by taking a
>> CRC value and recording it. If the value changes, the file has changed.
>>
>> It is always good practice to snip extraneous data from a reply.
>>
| Is it likely that MS Hotfixes would change the Partition Table?

Nothing indicated by Sophos and McAfee indicates NO problem.

|
| I ran the following tests:
|
| 1. Normal mode
| SOPHOS - Full Scan: detected three program install files (2 in
| Downloads; 1 in recycle) - all had been used to install programs from
| known vendors. I suspect that they were false positives.

I'll be the judge of that. Please post a log file extract.

|
| Trend Micro and Kaspersky - Scan C:\Windows, no problems detected.
| Kaspersky log is available.
|
| 2. Safe Mode - all runs were Full Scan; all logs are available
| Trend Micro - nothing detected
| McAfee - deleted two programs from GRC: Dcombob.exe and Leaktest.exe.
| Sophos - no problems detected

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

From: Irwin Greenwald on 4 Feb 2007 14:21

On 2/4/2007 4:42 AM, David H. Lipman wrote:
> From: "Irwin Greenwald" <oiwin(a)adelphia.net>
>
> Replies are inline...
>
>>> AVG often reports changes to files after you install a MS HotFix. It does so by taking a
>>> CRC value and recording it. If the value changes, the file has changed.
>>>
>>> It is always good practice to snip extraneous data from a reply.
>>>
> | Is it likely that MS Hotfixes would change the Partition Table?
>
> Nothing indicated by Sophos and McAfee indicates NO problem.
>
> |
> | I ran the following tests:
> |
> | 1. Normal mode
> | SOPHOS - Full Scan: detected three program install files (2 in
> | Downloads; 1 in recycle) - all had been used to install programs from
> | known vendors. I suspect that they were false positives.
>
> I'll be the judge of that. Please post a log file extract.

The log file was overwritten by the Safe Mode tests.

From: Raffaello LOMARTIRE on 5 Feb 2007 12:33

"Irwin Greenwald" <oiwin(a)adelphia.net> wrote in message news:%23LJwMHxRHHA.4384(a)TK2MSFTNGP04.phx.gbl...
> About once or twice a month my Sygate firewall asks if it is OK for kernel
> service ntoskml.exe to access the internet via port 80 to connect to an IP
> address that resolves to somewhere in the Czech republic. I suspect that
> I have some kind of virus or Trojan sitting around in my machine but checks
> using AdAware, Spybot, AVG virus scanner and Spyware Doctor have found
> nothing of consequence.
>
> Anyone have any ideas?

I got the same problems, here are more signs of possible infection not yet detected by any antivirus/spyware available.
When computer is left idle for hours sometimes connection drops (connected through an ISDN router).
Sometimes there is the icon of updates but no downloads at all from some days.
IP number of connections vary from different countries.
If I'm fast enough to type netstat -b it returns no name for application connected.
Once I tried to reboot computer and restart router but again a fast connection to some strange IP that I traced with neotrace.
Neotrace returns no name for those connections, just an IP number.
Sorry for my English.
Now trying to scan with multiav as suggested by David H. Lipman but I guess that this kind of malware is too new to be recognized.

--
Lello

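Added example, not part of the original posts: the post above describes connections that are gone before netstat -b can be typed. One way to record them is to diff successive `netstat -ano` snapshots, which carry the owning PID on every row. The snapshots, addresses and PIDs below are constructed, and the function names are hypothetical.

```python
import re
import subprocess
import time

# Constructed `netstat -ano` snapshots taken a moment apart (not from the thread).
SNAPSHOT_1 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1041      192.0.2.15:443         ESTABLISHED     1820
  UDP    0.0.0.0:500            *:*                                    716
"""
SNAPSHOT_2 = SNAPSHOT_1 + """\
  TCP    192.168.1.10:1055      203.0.113.77:80        SYN_SENT        1476
  TCP    [fe80::1%4]:1056       [2001:db8::5]:80       ESTABLISHED     2388
"""

# proto, local, remote, optional state (UDP rows have none), owning PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse(netstat_text):
    """Return {(proto, remote_host, remote_port, state, pid)} for rows with a remote peer."""
    rows = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        proto, _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")  # last colon, so IPv6 hosts survive
        if not port.isdigit() or port == "0":
            continue  # listeners and unconnected UDP sockets
        rows.add((proto, host.strip("[]"), int(port), state or "", int(pid)))
    return rows

def new_connections(before, after):
    """Rows present in `after` but not in `before`; a state change counts as new."""
    return sorted(parse(after) - parse(before))

def watch(interval=1.0):
    """Poll the live netstat and log every new row; the first pass prints the baseline."""
    previous = ""
    while True:
        current = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        for row in new_connections(previous, current):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), *row)
        previous = current
        time.sleep(interval)

if __name__ == "__main__":
    for row in new_connections(SNAPSHOT_1, SNAPSHOT_2):
        print(*row)
```

Each logged PID can be looked up with tasklist while the process is still running.
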
From: Irwin Greenwald on 5 Feb 2007 13:25

On 2/5/2007 9:33 AM, Raffaello LOMARTIRE wrote:
> "Irwin Greenwald" <oiwin(a)adelphia.net> wrote in message
> news:%23LJwMHxRHHA.4384(a)TK2MSFTNGP04.phx.gbl...
>> About once or twice a month my Sygate firewall asks if it is OK for kernel
>> service ntoskml.exe to access the internet via port 80 to connect to an IP
>> address that resolves to somewhere in the Czech republic. I suspect that
>> I have some kind of virus or Trojan sitting around in my machine but checks
>> using AdAware, Spybot, AVG virus scanner and Spyware Doctor have found
>> nothing of consequence.
>>
>> Anyone have any ideas?
>
> I got the same problems, here are more signs of possible infection not yet
> detected by any antivirus/spyware available.
> When computer is left idle for hours sometimes connection drops (connected
> through an ISDN router).
> Sometimes there is the icon of updates but no downloads at all from some
> days.
> IP number of connections vary from different countries.
> If I'm fast enough to type netstat -b it returns no name for application
> connected.
> Once I tried to reboot computer and restart router but again a fast
> connection to some strange IP that I traced with neotrace.
> Neotrace returns no name for those connections, just an IP number.
> Sorry for my English.
> Now trying to scan with multiav as suggested by David H. Lipman but I guess
> that this kind of malware is too new to be recognized.
>

Thanks for the information! It's nice to know I'm not the only one with this problem.

Irwin