Posts: 25
Registered: 30-07-2007

Pop up request

The following pop up keeps appearing when I am online. Can you tell me please if I should allow it to access the Internet? I have recently gone on Broadband and it is since then that the message has appeared:-
TIA, Eileen

The executable has changed since the last time you used: C:\WINDOWS\system32\ntoskrnl.exe
File Version : 5.1.2600.2622
File Description : NT Kernel & System
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : remote initiated
Protocol : TCP
Local Address :
Local Port : 445 (CIFS - Common Internet File System)
Remote Name :
Remote Address :
Remote Port : 3791

Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: 00-00-01-00-00-00
Source: 01-00-20-00-01-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 127
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x8ccd (Correct)
Transmission Control Protocol (TCP)
Source port: 3791
Destination port: 445
Sequence number: 282380629
Acknowledgment number: 0
Header length: 28
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x995e (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 00 01 00 00 00 01 00 : 20 00 01 00 08 00 45 00 | ........ .....E.
0010: 00 30 34 6B 40 00 7F 06 : CD 8C 54 5C 6A E0 54 5C | .04k@.....T\j.T\
0020: E6 37 0E CF 01 BD 10 D4 : C9 55 00 00 00 00 70 02 | .7.......U....p.
0030: 40 00 5E 99 00 00 02 04 : 05 B4 01 01 04 02 | @.^...........
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Pop up request

IP resolves to a Plusnet dynamically allocated IP address (possibly a dialup one) so I don't know why ntoskrnl.exe should want to try and contact that address. Does this process exist in your task manager (right click on the bottom task bar and select task manager)? If so, there is something wrong, as it is only used for booting up your system and should terminate itself when the startup is completed.

This does look suspicious.

ntoskrnl.exe can be affected by the w32.bolzano and variants virus, so I would make sure you have a virus scanner with updated virus definitions and do a full disk virus scan to make sure. Alternatively, do an on-line virus scan using Trend Micro Housecall.

Moderator's note by John (johnessex): BBcode for link fixed

Pop up request

Reading a little more into that output shows this is a remote initiated connection. In English, somebody attempting to connect to you.

I suggest blocking port 135 & 445 inbound.

If you have a LAN, you should place an exception for your LAN.

There is no need for anybody to be connecting to you, and certainly not on this port. However, this could be common internet noise, or a virus infection attempting to infect you.
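
The reading in the reply above (a remote initiated connection to port 445) can be checked against the packet dump in the first post. The following is an added example, not part of the thread: it decodes the frame's headers and classifies it, assuming the frame was captured arriving at the local machine; the function names and service labels are this example's own.

```python
import struct

# Frame bytes copied from the "Binary dump of the packet" in the first post.
DUMP = """
00 00 01 00 00 00 01 00 20 00 01 00 08 00 45 00
00 30 34 6B 40 00 7F 06 CD 8C 54 5C 6A E0 54 5C
E6 37 0E CF 01 BD 10 D4 C9 55 00 00 00 00 70 02
40 00 5E 99 00 00 02 04 05 B4 01 01 04 02
"""
FRAME = bytes.fromhex(DUMP)

# Ports the reply suggests blocking inbound; the service labels are added here.
WATCHED = {135: "MS RPC endpoint mapper", 445: "SMB/CIFS"}

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II, IPv4 and TCP headers of one captured frame."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    total_len, = struct.unpack_from("!H", frame, 16)
    if frame[23] != 6:
        raise ValueError("not TCP")
    tcp = 14 + ihl
    if ihl < 20 or len(frame) < tcp + 20:
        raise ValueError("bad IPv4 header length")
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, tcp)
    tcp_hlen = (off_flags >> 12) * 4           # TCP data offset in bytes
    return {
        "ttl": frame[22], "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "tcp_header_len": tcp_hlen,
        "syn": bool(off_flags & 0x02), "ack_flag": bool(off_flags & 0x10),
        "payload_len": total_len - ihl - tcp_hlen,
    }

def assess(frame: bytes) -> str:
    """Classify a frame that arrived at the local machine."""
    p = parse_frame(frame)
    # SYN without ACK is the first packet of a handshake: the sender is opening
    # the connection, which is what the firewall reports as "remote initiated".
    if p["syn"] and not p["ack_flag"]:
        service = WATCHED.get(p["dst_port"])
        if service:
            return f"inbound connection attempt to {p['dst_port']} ({service})"
        return f"inbound connection attempt to port {p['dst_port']}"
    return "not a connection-opening packet"

if __name__ == "__main__":
    print(assess(FRAME))
```

The decoded ports, sequence number, TTL and header length match the fields the firewall printed above the dump, and the frame carries no data, as expected for the opening packet of a handshake.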

Pop up request

Many thanks for your replies. I ran the Trend Micro Housecall as you suggested and the computer was given a clean bill of health. I also ran AVG which is set to run every day and that showed there was no infection too. I updated the virus database on AVG yesterday.

Please can you tell me in which program I can do as you suggest and block port 135 & 445 inbound. I have searched the Windows Help files and was not able to find anything about this. Please be aware that I do not understand computer terms except common ones but am able to follow instructions with the greatest care. TIA Eileen