"Ntoskrnl.exe" has changed since the last time you opened it' - ?

Status
Not open for further replies.

ms13381

I keep on getting the following message from my firewall (Sygate 5.6) at startup:

"Ntoskrnl.exe" has changed since the last time you opened it. This could be
because you have updated it recently. Do you want to allow it access to the
network?


Detailed information from the firewall:

The executable has changed since the last time you used: C:\WINDOWS\System32\ntoskrnl.exe
File Version : 5.1.2600.1634
File Description : NT Kernel & System
File Path : C:\WINDOWS\System32\ntoskrnl.exe
Process ID : 0x4 (Hexadecimal) 4 (Decimal)

Connection origin : local initiated
Protocol : UDP
Local Address : 10.0.0.26
Local Port : 138
Remote Name :
Remote Address : 10.0.0.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)

Ethernet packet details:
Ethernet II (Packet Length: 244)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-15-f2-9e-42-0a
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0xd723 (Correct)
Source: 10.0.0.26
Destination: 10.0.0.255
User Datagram Protocol
Source port: 138
Destination port: 138
Length: 8
Checksum: 0xaf57 (Correct)
Data (196 Bytes)
Binary dump of the packet:
0000: FF FF FF FF FF FF 00 15 : F2 9E 42 0A 08 00 45 00 | ..........B...E.
0010: 00 D8 01 26 00 00 80 11 : 23 D7 0A 00 00 1A 0A 00 | ...&....#.......
0020: 00 FF 00 8A 00 8A 00 C4 : 57 AF 11 02 80 0D 0A 00 | ........W.......
0030: 00 1A 00 8A 00 AE 00 00 : 20 45 4E 45 42 46 43 46 | ........ ENEBFCF
0040: 45 45 42 43 41 43 41 43 : 41 43 41 43 41 43 41 43 | EEBCACACACACACAC
0050: 41 43 41 43 41 43 41 41 : 41 00 20 45 4E 46 44 45 | ACACACAAA. ENFDE
0060: 49 45 50 45 4E 45 46 43 : 41 43 41 43 41 43 41 43 | IEPENEFCACACACAC
0070: 41 43 41 43 41 43 41 43 : 41 42 4F 00 FF 53 4D 42 | ACACACACABO..SMB
0080: 25 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | %...............
0090: 00 00 00 00 00 00 00 00 : 00 00 00 00 11 00 00 14 | ................
00A0: 00 00 00 00 00 00 00 00 : 00 E8 03 00 00 00 00 00 | ................
00B0: 00 00 00 14 00 56 00 03 : 00 01 00 01 00 02 00 25 | .....V.........%
00C0: 00 5C 4D 41 49 4C 53 4C : 4F 54 5C 42 52 4F 57 53 | .\MAILSLOT\BROWS
00D0: 45 00 08 01 20 0F 01 10 : 1A 5C 00 00 00 00 00 00 | E... ....\......
00E0: 4D 41 52 54 41 00 20 4D : 6F 7A 69 6C 6C 61 2F 34 | MARTA. Mozilla/4
00F0: 2E 30 20 28 : | .0 (

I also used to have random BSODs and restarts, and the minidump files refer to ntoskrnl.exe as well. I've just done a full reinstallation of Win XP; I have had one restart so far and keep getting this message from the firewall at startup.

Could anyone explain what it means?
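What the alert's packet actually is can be read straight off the dump. The following is an added example, not part of the thread or of Sygate: it parses Sygate's "offset: xx xx : xx xx | ascii" dump format, walks Ethernet II / IPv4 / UDP, decodes the two first-level-encoded NetBIOS names (RFC 1001/1002) and then the SMB_COM_TRANSACTION that carries a mailslot write. The dump text is copied from the post; the browser opcode table is the CIFS Browser protocol's; names are assumed to carry no NetBIOS scope ID, which holds for this capture.

```python
"""Decode the Sygate alert's packet dump down to the SMB mailslot it carries.
Added example, not from the thread; only the dump text is copied from the post."""
import struct

# Constructed from the "Binary dump of the packet" lines in the alert.
SYGATE_DUMP = r"""
0000: FF FF FF FF FF FF 00 15 : F2 9E 42 0A 08 00 45 00 | ..........B...E.
0010: 00 D8 01 26 00 00 80 11 : 23 D7 0A 00 00 1A 0A 00 | ...&....#.......
0020: 00 FF 00 8A 00 8A 00 C4 : 57 AF 11 02 80 0D 0A 00 | ........W.......
0030: 00 1A 00 8A 00 AE 00 00 : 20 45 4E 45 42 46 43 46 | ........ ENEBFCF
0040: 45 45 42 43 41 43 41 43 : 41 43 41 43 41 43 41 43 | EEBCACACACACACAC
0050: 41 43 41 43 41 43 41 41 : 41 00 20 45 4E 46 44 45 | ACACACAAA. ENFDE
0060: 49 45 50 45 4E 45 46 43 : 41 43 41 43 41 43 41 43 | IEPENEFCACACACAC
0070: 41 43 41 43 41 43 41 43 : 41 42 4F 00 FF 53 4D 42 | ACACACACABO..SMB
0080: 25 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | %...............
0090: 00 00 00 00 00 00 00 00 : 00 00 00 00 11 00 00 14 | ................
00A0: 00 00 00 00 00 00 00 00 : 00 E8 03 00 00 00 00 00 | ................
00B0: 00 00 00 14 00 56 00 03 : 00 01 00 01 00 02 00 25 | .....V.........%
00C0: 00 5C 4D 41 49 4C 53 4C : 4F 54 5C 42 52 4F 57 53 | .\MAILSLOT\BROWS
00D0: 45 00 08 01 20 0F 01 10 : 1A 5C 00 00 00 00 00 00 | E... ....\......
00E0: 4D 41 52 54 41 00 20 4D : 6F 7A 69 6C 6C 61 2F 34 | MARTA. Mozilla/4
00F0: 2E 30 20 28 : | .0 (
"""

BROWSER_OPCODES = {0x01: "HostAnnouncement", 0x02: "AnnouncementRequest", 0x08: "RequestElection",
                   0x09: "GetBackupListRequest", 0x0A: "GetBackupListResponse", 0x0B: "BecomeBackup",
                   0x0C: "DomainAnnouncement", 0x0D: "MasterAnnouncement", 0x0F: "LocalMasterAnnouncement"}
SMB_COM_TRANSACTION = 0x25


def parse_sygate_dump(text: str) -> bytes:
    """Turn 'offset: xx xx : xx xx | ascii' lines back into raw bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _offset, _, rest = line.partition(":")
        out.extend(int(tok, 16) for tok in rest.split("|", 1)[0].replace(":", " ").split())
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Undo RFC 1001 first-level encoding: two chars 'A'..'P' per byte giving a
    15-char space-padded name plus a one-byte service suffix."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def parse_mailslot_transaction(smb: bytes) -> dict:
    """SMB_COM_TRANSACTION used as a mailslot write: the mailslot name follows the
    word block, the payload is located via DataCount/DataOffset (words 11 and 12)."""
    word_count = smb[32]
    data_count, data_offset = struct.unpack("<HH", smb[55:59])
    name_start = 33 + 2 * word_count + 2          # skip WordCount, words, ByteCount
    mailslot = smb[name_start:smb.index(b"\x00", name_start)].decode("ascii")
    data = smb[data_offset:data_offset + data_count]
    info = {"smb_command": smb[4], "mailslot": mailslot,
            "browser_opcode": BROWSER_OPCODES.get(data[0], f"unknown({data[0]:#04x})")}
    if data[0] == 0x08:  # RequestElection: version, criteria, uptime (ms), reserved, server name
        version, criteria, uptime_ms, _reserved = struct.unpack("<BIII", data[1:14])
        info.update(election_version=version, election_criteria=criteria, uptime_ms=uptime_ms,
                    server_name=data[14:data.index(b"\x00", 14)].decode("ascii"))
    return info


def parse_netbios_datagram(dg: bytes) -> dict:
    """RFC 1002 datagram header, two encoded names (scope IDs not handled), user data."""
    dgm_len = struct.unpack("!H", dg[10:12])[0]
    pos, names = 14, []
    for _ in range(2):
        length = dg[pos]
        names.append(decode_netbios_name(dg[pos + 1:pos + 1 + length]))
        pos += 1 + length + 1                     # length byte, label, root terminator
    user_data = dg[pos:14 + dgm_len]
    info = {"nb_msg_type": dg[0], "nb_flags": dg[1], "nb_src": names[0], "nb_dst": names[1]}
    if user_data[:4] == b"\xffSMB" and user_data[4] == SMB_COM_TRANSACTION:
        info.update(parse_mailslot_transaction(user_data))
    return info


def parse_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> UDP; a port-138 payload goes to the NetBIOS decoder."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    info = {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "ip_src": ".".join(map(str, ip[12:16])), "ip_dst": ".".join(map(str, ip[16:20])),
            "udp_ports": (sport, dport),
            "trailer": frame[14 + total_len:]}    # bytes past the IP length are not datagram data
    if dport == 138:
        info.update(parse_netbios_datagram(udp[8:ulen]))
    return info


def analyze(dump_text: str = SYGATE_DUMP) -> dict:
    return parse_frame(parse_sygate_dump(dump_text))
```

Running analyze() on the dump gives nb_src ("MARTA", 0x00), nb_dst ("MSHOME", 0x1E), mailslot \MAILSLOT\BROWSE and a RequestElection from server MARTA with an uptime of 23578 ms: a Computer Browser election broadcast, sent about 24 seconds after boot to the election group name of the workgroup MSHOME. That is ordinary workgroup browsing, and it is generated by the kernel-mode NetBIOS/SMB components, so the firewall attributes it to the System process (PID 4) and shows the kernel image as the "executable". The 14 bytes after the IP total length are frame trailer, not part of the datagram.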
 
Have you been doing any updates? Especial a service pack? If you just reloaded, and are doing updates, you might just allow it.
As far as I know, that file isn't supposed to change. If you suspect virus activity already, try running an online scan from www.bitdefender.com.
 
Hello,
I've just installed my XP yesterday and done some critical updates (no SP2 yet), but it appears each time I turn on my computer. I also checked and found 6 (!) files called "ntoskrnl.exe" in my computer - could there be a virus that pretends to be ntoskrnl.exe?

[Attached screenshot: ntoskrnlod8.jpg]


I keep on having BSODs or restarts connected somehow with ntoskrnl.exe (even after formatting my HD and reinstalling WinXP) so I have no idea what it is..
 
That picture is too small to read.

Please attach a ZIP of your 5 or so recent minidumps. It is normal to have a few copies of any particular system file, for backups and restore data etc...

Also a crash might blame ntoskrnl even though it's really something else. Such as bad RAM or hard drive.

Scan your RAM with memtest86, and run the hard drive test from your hard drive manufacturer's web site.
 
The copies of ntoskrnl look legit. The system32 version is the real one. The Driver Cache one is for Windows File Protection backup. The other 4 look like they're indeed from patches. Unless I'm missing something, I think you're fine there.

Next, I only had time to check one minidump, for now. But make sure your CPU is running at a good temperature and not getting hot. Then look for a newer BIOS upgrade from your motherboard manufacturer. Specifically if a new BIOS has a "microcode" update.
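The check behind the previous reply, as an added example that is not from the thread: hash every ntoskrnl.exe under the Windows directory, compare each copy with the live System32\ntoskrnl.exe and with the Windows File Protection reference in System32\dllcache, treat copies in hotfix or service pack uninstall folders, ServicePackFiles and Driver Cache as expected, and flag anything elsewhere. The folder layout is the XP one and is an assumption; build_sample_tree() creates a constructed stand-in tree so the script runs anywhere.

```python
"""Compare every ntoskrnl.exe under a Windows directory with the live kernel.
Added example, not from the thread; the folder layout is the XP one (assumed)."""
import hashlib
import os
import tempfile

KERNEL = "ntoskrnl.exe"
# Lower-cased folder name fragments where extra copies are expected: the WFP
# cache, hotfix/SP uninstall folders, the SP file store and the driver cache.
EXPECTED_BACKUP_DIRS = ("dllcache", "$ntuninstall", "servicepackfiles", "driver cache")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(windir: str, name: str = KERNEL) -> list[str]:
    """Every file called `name` under windir, matched case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(windir):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == name)
    return sorted(hits)


def audit_kernel_copies(windir: str) -> dict:
    """Group copies by whether they hash like System32\\ntoskrnl.exe and flag
    any copy sitting outside the folders where backups normally live."""
    live = os.path.join(windir, "System32", KERNEL)
    wfp = os.path.join(windir, "System32", "dllcache", KERNEL)
    live_hash = sha256_file(live)
    report = {"live_sha256": live_hash, "matches_wfp_cache": None,
              "same_as_live": [], "differ_from_live": [], "unexpected_location": []}
    for path in find_copies(windir):
        if path == live:
            continue
        rel = os.path.relpath(path, windir).replace(os.sep, "/")
        same = sha256_file(path) == live_hash
        report["same_as_live" if same else "differ_from_live"].append(rel)
        if path == wfp:
            report["matches_wfp_cache"] = same     # the WFP reference should equal the live file
        elif not any(tag in rel.lower() for tag in EXPECTED_BACKUP_DIRS):
            report["unexpected_location"].append(rel)
    return report


def build_sample_tree() -> str:
    """Constructed stand-in for C:\\WINDOWS: live kernel and WFP copy agree, an
    uninstall folder holds the pre-hotfix build, and a stray copy sits in Temp."""
    root = tempfile.mkdtemp(prefix="windir-")
    sample = {"System32/ntoskrnl.exe": b"kernel build 2",
              "System32/dllcache/ntoskrnl.exe": b"kernel build 2",
              "$NtUninstallExample$/ntoskrnl.exe": b"kernel build 1",
              "Temp/ntoskrnl.exe": b"not the kernel at all"}
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for key, value in audit_kernel_copies(build_sample_tree()).items():
        print(f"{key:20} {value}")
```

A copy that differs from the live kernel inside a $NtUninstall folder is the previous build kept for rollback; a copy outside every expected folder, or a dllcache copy that does not match System32, is the one to look at. Hashes alone cannot tell a hotfixed kernel from a replaced one, so on a real box pair this with a signature check of the live file.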
 
Hi,
I updated my bios to the newest version 2 days ago. The temperature of my CPU is 40-45 degrees (C), I don't know if it's ok?

Another strange thing is that I'm getting a new message with the one about ntoskrnl.exe that another file (ndis.sys or ndisio.sys) also changed. I think that file was also mentioned in my BSOD error messages and in the minidumps.. So could it mean something or is it just a coincidence?
 
45 °C is alright; 10 more and it would be getting hot.

Coincidence or not, well, you should not be getting BSODs in the first place!

I have rarely ever seen these core Windows system files become compromised, very rare indeed. It is more likely a fault somewhere else, that filters into these files because they are the last in the chain.
In other words, a lot of crashes with these system files either means you have a really messed up copy of Windows, or some kind of hardware problem. It is quite likely not the fault of these files specifically.

Hopefully Howard or CPC can check these minidumps, I won't be able to until tonight. Continue to scan all your hardware for errors as much as you can, try to see if the BSODs are predictable, can you MAKE one happen by doing certain things? What things?
 