From: Irwin Greenwald on 2 Feb 2007 16:33

About once or twice a month my Sygate firewall asks if it is OK for kernel service ntoskml.exe to access the internet via port 80 to connect to an IP address that resolves to somewhere in the Czech Republic. I suspect that I have some kind of virus or Trojan sitting around in my machine, but checks using AdAware, Spybot, AVG virus scanner and Spyware Doctor have found nothing of consequence.

Anyone have any ideas?
From: David H. Lipman on 2 Feb 2007 17:20

From: "Irwin Greenwald" <oiwin(a)adelphia.net>

| About once or twice a month my Sygate firewall asks if it is OK for
| kernel service ntoskml.exe to access the internet via port 80 to connect
| to an IP address that resolves to somewhere in the Czech Republic. I
| suspect that I have some kind of virus or Trojan sitting around in my
| machine but checks using AdAware, Spybot, AVG virus scanner and Spyware
| Doctor have found nothing of consequence.
|
| Anyone have any ideas?

Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

Additional Instructions: http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: Irwin Greenwald on 2 Feb 2007 21:15

On 2/2/2007 2:20 PM, David H. Lipman wrote:
> From: "Irwin Greenwald" <oiwin(a)adelphia.net>
>
> | About once or twice a month my Sygate firewall asks if it is OK for
> | kernel service ntoskml.exe to access the internet via port 80 to connect
> | to an IP address that resolves to somewhere in the Czech Republic. I
> | suspect that I have some kind of virus or Trojan sitting around in my
> | machine but checks using AdAware, Spybot, AVG virus scanner and Spyware
> | Doctor have found nothing of consequence.
> |
> | Anyone have any ideas?
>
> Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
> http://www.ik-cs.com/multi-av.htm
>
> Additional Instructions: http://pcdid.com/Multi_AV.htm
>
> * * * Please report back your results * * *

Thanks for your reply. I am running the Sophos test now. I failed to mention that AVG reported that the following had been changed:

Partition Table (MBR)
In C:\Windows\System32:
  kernel32.dll
  shell32.dll
  ntoskrnl.exe

I don't know how AVG detects changes, so I don't know how to interpret these messages; however, I find the one about the Partition Table particularly disturbing. I will report back on test results when I complete the tests.

BTW, is snipping approved or disapproved in this newsgroup?

Irwin
From: David H. Lipman on 2 Feb 2007 21:34

From: "Irwin Greenwald" <oiwin(a)adelphia.net>

| Thanks for your reply. I am running the Sophos test now. I failed to
| mention that AVG reported that the following had been changed:
|
| Partition Table (MBR)
| In C:\Windows\System32:
| kernel32.dll
| shell32.dll
| ntoskrnl.exe
|
| I don't know how AVG detects changes, so I don't know how to interpret
| these messages; however, I find the one about the Partition Table
| particularly disturbing. I will report back on test results when I
| complete the tests.
|
| BTW, is snipping approved or disapproved in this newsgroup?
|
| Irwin

AVG often reports changes to files after you install a MS HotFix. It does so by taking a CRC value and recording it. If the value changes, the file has changed.

It is always good practice to snip extraneous data from a reply.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
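The change detection Dave describes, a recorded CRC that is compared on each scan, is easy to reproduce so the reader can see what such a report does and does not tell you. The script below is an added example, not AVG's code and not from anyone in this thread. It records a CRC32 (the kind of checksum Dave mentions) together with a SHA-256 for a set of files, because a CRC32 alone can be kept unchanged by an attacker who patches and pads a file, and it splits a 512-byte MBR into its boot-code and partition-table regions and fingerprints each one separately, so a changed partition layout can be told apart from modified boot code, which is what a bootkit alters. All file contents, the sample MBR bytes and the partition entry are constructed for the demo; the file names only echo the ones in the thread.

```python
"""Added example: CRC32 + SHA-256 change detection for files and the MBR.

Constructed, stand-alone illustration; not AVG's code and not from the thread.
"""
import hashlib
import os
import struct
import tempfile
import zlib

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_LEN = 64        # four 16-byte partition entries at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"


def fingerprint_bytes(data):
    """CRC32 (what a simple change detector records) plus SHA-256.

    CRC32 is a checksum, not a cryptographic hash: a file can be patched and
    padded so that its CRC32 is unchanged, so record SHA-256 alongside it.
    """
    return {
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def baseline_files(paths):
    """Map each path to its fingerprint; this is the stored baseline."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            result[path] = fingerprint_bytes(fh.read())
    return result


def changed_keys(old, new):
    """Names whose fingerprint differs, or that appeared or disappeared."""
    return [k for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]


def parse_mbr(mbr):
    """Split a 512-byte MBR into regions and fingerprint each separately,
    so a partition-table edit can be told apart from a boot-code change."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = mbr[:BOOT_CODE_LEN]
    table = mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + PART_TABLE_LEN]
    entries = []
    for i in range(4):
        # status byte, 3 bytes CHS start, type byte, 3 bytes CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", table, i * 16)
        if ptype != 0:                     # type 0 marks an unused slot
            entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": fingerprint_bytes(boot_code),
            "partition_table": fingerprint_bytes(table),
            "entries": entries}


def mbr_changes(old, new):
    """Which MBR regions differ between two parse_mbr() results."""
    return [r for r in ("boot_code", "partition_table") if old[r] != new[r]]


def build_sample_mbr(boot_code, entries):
    """Construct a synthetic MBR for the demo (not a real disk sector)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = bytearray(PART_TABLE_LEN)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3xB3xII", table, i * 16,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    return code + bytes(table) + BOOT_SIGNATURE


SAMPLE_ENTRIES = [(True, 0x07, 63, 204800)]   # constructed: one bootable NTFS-type entry


def demo_files():
    """Baseline two constructed files, modify one, report which changed."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, n) for n in ("kernel32.dll", "shell32.dll")]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"MZ" + os.path.basename(p).encode())
        before = baseline_files(paths)
        with open(paths[0], "ab") as fh:   # simulate a hotfix (or a patch) rewriting one file
            fh.write(b"\x90")
        after = baseline_files(paths)
        return [os.path.basename(p) for p in changed_keys(before, after)]


def demo_mbr():
    """Same partition table, different boot code: only 'boot_code' is flagged."""
    clean = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", SAMPLE_ENTRIES))
    patched = parse_mbr(build_sample_mbr(b"\xeb\xfe", SAMPLE_ENTRIES))
    return mbr_changes(clean, patched), clean["entries"]


if __name__ == "__main__":
    print("changed files:", demo_files())
    print("changed MBR regions, partition entries:", demo_mbr())
```

On a real Windows box the baseline would be taken over the System32 files in question and the first 512 bytes of `\\.\PhysicalDrive0` (opened read-only as an administrator); the point of keeping the two MBR regions apart is that a report saying only "Partition Table (MBR) changed" cannot tell you whether the bootstrap code was rewritten, and the SHA-256 is what you compare against a known-good copy of the file, since two files sharing a CRC32 proves nothing.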
From: Irwin Greenwald on 3 Feb 2007 22:50

On 2/2/2007 6:34 PM, David H. Lipman wrote:
<snip>
> AVG often reports changes to files after you install a MS HotFix. It does so by taking a CRC
> value and recording it. If the value changes, the file has changed.
>
> It is always good practice to snip extraneous data from a reply.

Is it likely that MS Hotfixes would change the Partition Table?

I ran the following tests:

1. Normal mode
   SOPHOS - Full Scan: detected three program install files (2 in Downloads; 1 in recycle) - all had been used to install programs from known vendors. I suspect that they were false positives.
   Trend Micro and Kaspersky - Scan C:\Windows, no problems detected. Kaspersky log is available.

2. Safe Mode - all runs were Full Scan; all logs are available
   Trend Micro - nothing detected
   McAfee - deleted two programs from GRC: Dcombob.exe and Leaktest.exe.
   Sophos - no problems detected