TechArena Community > Technical Support > Computer Help > Windows Security
ntoskml.exe Problem

#1  03-02-2007  Irwin Greenwald

About once or twice a month my Sygate firewall asks if it is OK for
kernel service ntoskml.exe to access the internet via port 80 to connect
to an IP address that resolves to somewhere in the Czech republic. I
suspect that I have some kind of virus or Trojan sitting around in my
machine but checks using AdAware, Spybot, AVG virus scanner and Spyware
Doctor have found nothing of consequence.

Anyone have any ideas?
#2  03-02-2007  David H. Lipman

From: "Irwin Greenwald" <oiwin@adelphia.net>

| About once or twice a month my Sygate firewall asks if it is OK for
| kernel service ntoskml.exe to access the internet via port 80 to connect
| to an IP address that resolves to somewhere in the Czech republic. I
| suspect that I have some kind of virus or Trojan sitting around in my
| machine but checks using AdAware, Spybot, AVG virus scanner and Spyware
| Doctor have found nothing of consequence.
|
| Anyone have any ideas?


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#3  03-02-2007  Irwin Greenwald

On 2/2/2007 2:20 PM, David H. Lipman wrote:
> From: "Irwin Greenwald" <oiwin@adelphia.net>
>
> | About once or twice a month my Sygate firewall asks if it is OK for
> | kernel service ntoskml.exe to access the internet via port 80 to connect
> | to an IP address that resolves to somewhere in the Czech republic. I
> | suspect that I have some kind of virus or Trojan sitting around in my
> | machine but checks using AdAware, Spybot, AVG virus scanner and Spyware
> | Doctor have found nothing of consequence.
> |
> | Anyone have any ideas?
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>

Thanks for your reply. I am running the Sophos test now. I failed to
mention that AVG reported that the following had been changed:

Partition Table (MBR)
In C:\Windows\System32:
kernel32.dll
shell32.dll
ntoskrnl.exe

I don't know how AVG detects changes, so I don't know how to interpret
these messages; however, I find the one about the Partition Table
particularly disturbing. I will report back on test results when I
complete the tests.

BTW is snipping approved or disapproved in this newsgroup?

Irwin
#4  03-02-2007  David H. Lipman

From: "Irwin Greenwald" <oiwin@adelphia.net>


| Thanks for your reply. I am running the Sophos test now. I failed to
| mention that AVG reported that the following had been changed:
|
| Partition Table (MBR)
| In C:\Windows\System32:
| kernel32.dll
| shell32.dll
| ntoskrnl.exe
|
| I don't know how AVG detects changes, so I don't know how to interpret
| these messages; however, I find the one about the Partition Table
| particularly disturbing. I will report back on test results when I
| complete the tests.
|
| BTW is snipping approved or disapproved in this newsgroup?
|
| Irwin

AVG often reports changes to files after you install a MS HotFix. It does so by taking a CRC
value and recording it. If the value changes, the file has changed.

It is always good practice to snip extraneous data from a reply.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


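The baseline-and-compare check Dave describes (record a CRC per file, flag the file when the value moves) is easy to reproduce, and doing so shows why a hotfix trips it and why a "changed" verdict alone is not evidence of tampering. This is an added example, not AVG's code or anything from this thread; the three file names are the ones Irwin's AVG flagged, but the files and the "hotfix" below are constructed in a temporary directory.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

# Names AVG flagged on Irwin's machine; here they are stand-ins written to a
# temp directory, not the real files under C:\Windows\System32.
WATCHED = ["kernel32.dll", "shell32.dll", "ntoskrnl.exe"]

def file_digests(path: Path) -> dict:
    """CRC32 (the cheap check described in the post) plus SHA-256 of one file."""
    crc, sha = 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "sha256": sha.hexdigest()}

def build_baseline(root: Path, names=WATCHED) -> dict:
    """Record digests for each watched file; taken on a known-good machine."""
    return {n: file_digests(root / n) for n in names}

def compare(root: Path, baseline: dict) -> dict:
    """Classify each watched file as unchanged, changed or missing.

    'changed' only means the bytes differ from the baseline. It cannot tell a
    vendor update from tampering, so a changed system file still needs its
    publisher signature checked before it is trusted or distrusted."""
    report = {}
    for name, recorded in baseline.items():
        path = root / name
        if not path.exists():
            report[name] = "missing"
            continue
        report[name] = "changed" if file_digests(path) != recorded else "unchanged"
    return report

def demo() -> dict:
    """Constructed scenario: baseline three files, then a 'hotfix' rewrites one
    and a second file disappears, to exercise every verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in WATCHED:
            (root / name).write_bytes(b"original bytes of " + name.encode())
        baseline = build_baseline(root)
        (root / "kernel32.dll").write_bytes(b"patched bytes of kernel32.dll")
        (root / "shell32.dll").unlink()
        return compare(root, baseline)

if __name__ == "__main__":
    print(demo())
    # {'kernel32.dll': 'changed', 'shell32.dll': 'missing', 'ntoskrnl.exe': 'unchanged'}
```

The same comparison run after a genuine Windows update reports the patched binaries as changed, which is exactly what AVG told Irwin; the baseline must be refreshed after updates or the alerts become noise.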
#5  04-02-2007  Irwin Greenwald

On 2/2/2007 6:34 PM, David H. Lipman wrote:

<snip>

>
> AVG often reports changes to files after you install a MS HotFix. It does so by taking a CRC
> value and recording it. If the value changes, the file has changed.
>
> It is always good practice to snip extraneous data from a reply.
>


Is it likely that MS Hotfixes would change the Partition Table?

I ran the following tests:

1. Normal mode
SOPHOS - Full Scan: detected three program install files (2 in
Downloads; 1 in recycle) - all had been used to install programs from
known vendors. I suspect that they were false positives.

Trend Micro and Kaspersky - Scan C:\Windows, no problems detected.
Kaspersky log is available.

2. Safe Mode - all runs were Full Scan; all logs are available
Trend Micro - nothing detected
McAfee - deleted two programs from GRC: Dcombob.exe and Leaktest.exe.
Sophos - no problems detected
#6  04-02-2007  David H. Lipman

From: "Irwin Greenwald" <oiwin@adelphia.net>


Replies are inline...


>> AVG often reports changes to files after you install a MS HotFix. It does so by taking a
>> CRC value and recording it. If the value changes, the file has changed.
>>
>> It is always good practice to snip extraneous data from a reply.
>>

| Is it likely that MS Hotfixes would change the Partition Table?

Nothing indicated by Sophos and McAfee indicates NO problem.


|
| I ran the following tests:
|
| 1. Normal mode
| SOPHOS - Full Scan: detected three program install files (2 in
| Downloads; 1 in recycle) - all had been used to install programs from
| known vendors. I suspect that they were false positives.


I'll be the judge of that. Please post a log file extract.


|
| Trend Micro and Kaspersky - Scan C:\Windows, no problems detected.
| Kaspersky log is available.
|
| 2. Safe Mode - all runs were Full Scan; all logs are available
| Trend Micro - nothing detected
| McAfee - deleted two programs from GRC: Dcombob.exe and Leaktest.exe.
| Sophos - no problems detected


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#7  05-02-2007  Irwin Greenwald

On 2/4/2007 4:42 AM, David H. Lipman wrote:
> From: "Irwin Greenwald" <oiwin@adelphia.net>
>
>
> Replies are inline...
>
>
>>> AVG often reports changes to files after you install a MS HotFix. It does so by taking a
>>> CRC value and recording it. If the value changes, the file has changed.
>>>
>>> It is always good practice to snip extraneous data from a reply.
>>>

> | Is it likely that MS Hotfixes would change the Partition Table?
>
> Nothing indicated by Sophos and McAfee indicates NO problem.
>
>
> |
> | I ran the following tests:
> |
> | 1. Normal mode
> | SOPHOS - Full Scan: detected three program install files (2 in
> | Downloads; 1 in recycle) - all had been used to install programs from
> | known vendors. I suspect that they were false positives.
>
>
> I'll be the judge of that. Please post a log file extract.


The log file was overwritten by the Safe Mode tests.

#8  05-02-2007  Raffaello LOMARTIRE


"Irwin Greenwald" <oiwin@adelphia.net> wrote in message
news:%23LJwMHxRHHA.4384@TK2MSFTNGP04.phx.gbl...
> About once or twice a month my Sygate firewall asks if it is OK for kernel
> service ntoskml.exe to access the internet via port 80 to connect to an IP
> address that resolves to somewhere in the Czech republic. I suspect that
> I have some kind of virus or Trojan sitting around in my machine but checks
> using AdAware, Spybot, AVG virus scanner and Spyware Doctor have found
> nothing of consequence.
>
> Anyone have any ideas?


I got the same problems; here are more signs of possible infection not yet
detected by any antivirus/spyware available.
When the computer is left idle for hours, sometimes the connection drops (connected
through an ISDN router).
Sometimes there is the icon of updates but no downloads at all for some
days.
IP numbers of connections vary from different countries.
If I'm fast enough to type netstat -b, it returns no name for the application
connected.
Once I tried to reboot the computer and restart the router, but again a fast
connection to some strange IP that I traced with NeoTrace.
NeoTrace returns no name for those connections, just an IP number.
Sorry for my English.
Now trying to scan with multiav as suggested by David H. Lipman, but I guess
that this kind of malware is too new to be recognized.

--
Lello


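Lello's observation (an established connection to an unfamiliar public IP that `netstat -b` cannot attribute to any program) is a pattern worth checking for automatically rather than by racing to type the command. The parser below is an added example, not from this thread; the sample text is constructed to resemble Windows XP `netstat -b` output, where each TCP/UDP line is followed by the owning program in brackets, and the connection without a bracket line stands in for the "no name" case Lello and Irwin describe.

```python
import ipaddress

# Constructed sample in the shape of XP-era `netstat -b` output. The third
# connection has no "[program]" line, modelling netstat returning no owner.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       192.168.1.9:445        ESTABLISHED     4
  [System]
  TCP    192.168.1.5:1041       198.51.100.23:80       ESTABLISHED     1788
  [iexplore.exe]
  TCP    192.168.1.5:1052       203.0.113.77:80        ESTABLISHED     1204
  TCP    192.168.1.5:1060       192.168.1.1:80         TIME_WAIT       0
"""

# Address ranges treated as "inside" the home network; everything else counts
# as external for this check (so the documentation-range IPs in SAMPLE do).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def parse_netstat(text: str) -> list:
    """One dict per connection line; a following [name] line becomes its owner."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""   # UDP has no State column
            conns.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                          "state": state, "pid": int(parts[-1]), "owner": None})
        elif parts and parts[0].startswith("[") and parts[-1].endswith("]") and conns:
            conns[-1]["owner"] = " ".join(parts)[1:-1]
    return conns

def is_external(foreign: str) -> bool:
    """True for a routable address outside LOCAL_NETS; False for '*:*' or names."""
    host = foreign.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)

def suspicious(conns: list) -> list:
    """Established TCP sessions to an external address with no owning program."""
    return [c for c in conns if c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
            and c["owner"] is None and is_external(c["foreign"])]

if __name__ == "__main__":
    for c in suspicious(parse_netstat(SAMPLE)):
        print(f"unattributed: {c['local']} -> {c['foreign']} pid {c['pid']}")
```

A hit here is a lead, not a verdict: the PID can still be matched against the process list, and a connection the OS cannot attribute at all is itself a reason to scan from Safe Mode as Dave suggests.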
#9  05-02-2007  Irwin Greenwald

On 2/5/2007 9:33 AM, Raffaello LOMARTIRE wrote:
> "Irwin Greenwald" <oiwin@adelphia.net> wrote in message
> news:%23LJwMHxRHHA.4384@TK2MSFTNGP04.phx.gbl...
>> About once or twice a month my Sygate firewall asks if it is OK for kernel
>> service ntoskml.exe to access the internet via port 80 to connect to an IP
>> address that resolves to somewhere in the Czech republic. I suspect that
>> I have some kind of virus or Trojan sitting around in my machine but checks
>> using AdAware, Spybot, AVG virus scanner and Spyware Doctor have found
>> nothing of consequence.
>>
>> Anyone have any ideas?

>
> I got the same problems; here are more signs of possible infection not yet
> detected by any antivirus/spyware available.
> When the computer is left idle for hours, sometimes the connection drops (connected
> through an ISDN router).
> Sometimes there is the icon of updates but no downloads at all for some
> days.
> IP numbers of connections vary from different countries.
> If I'm fast enough to type netstat -b, it returns no name for the application
> connected.
> Once I tried to reboot the computer and restart the router, but again a fast
> connection to some strange IP that I traced with NeoTrace.
> NeoTrace returns no name for those connections, just an IP number.
> Sorry for my English.
> Now trying to scan with multiav as suggested by David H. Lipman, but I guess
> that this kind of malware is too new to be recognized.
>


Thanks for the information! It's nice to know I'm not the only one with
this problem.

Irwin