
Help On Windowsxp Startup



#1 lucas


Posted 26 March 2006 - 05:04 PM

I get the message that follows. I don't understand if it is normal getting this Windows NT message since I use Windows XP. I wonder if this can be a virus... etc.

The executable has changed since the last time you used: C:\WINDOWS\system32\ntoskrnl.exe
File Version : 5.1.2600.2622
File Description : Sistema y núcleo de Windows NT
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : UDP
Local Address : 200.126.243.179
Local Port : 138
Remote Name :
Remote Address : 200.126.243.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)

Ethernet packet details:
Ethernet II (Packet Length: 229)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-a0-d1-d0-98-9d
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x47c1 (Correct)
Source: 200.126.243.179
Destination: 200.126.243.255
User Datagram Protocol
Source port: 138
Destination port: 138
Length: 8
Checksum: 0x3558 (Correct)
Data (181 Bytes)

Binary dump of the packet:


 


#2 Scarlett


Posted 04 April 2006 - 11:08 PM

Mod Bump

#3 Enthusiast


Posted 05 April 2006 - 12:00 AM

Update and then run your anti-virus app using safe mode.

Use Internet Explorer to run the following web based anti-virus and anti-malware scans:

Web based online Antivirus and anti-malware scans: (these can be run regardless of whatever else you are using. You must use Internet Explorer to run these as they require ActiveX to function.)
Kaspersky Anti-Virus Web Scanner
http://www.kaspersky.com/service?chapter=161739400#betatest
and
File scanner and virus scanner
http://www.kaspersky.com/scanforvirus


Panda Activescan
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://www.pandasoftware.com/products/activescan.htm

Trend Micro antivirus and malware scan:
http://housecall-beta.trendmicro.com/en/st...orp.asp?id=scan

Etrust Anti-virus web scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx.

Avast Online scan
http://onlinescan.avast.com/

F Secure online scan
http://support.f-secure.com/ols/start.html


Trojan scans –
Sygate Trojanscan
http://scan.sygatetech.com/pretrojanscan.html


Windows Security Trojanscan
http://windowsecurity.com/trojanscan
See instructions for it here:
http://www.windowsecurity.com/trojanscan/trojanscan.asp

ntoskrnl.exe is a critical process in the boot-up cycle of your computer although it can be altered by the w32.bolzano and variants of it.

#4 tg1911


Posted 05 April 2006 - 12:29 AM

Have you tried a System Restore?
Are you, by any chance, using Sygate's firewall?
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#5 usasma


Posted 05 April 2006 - 12:00 PM

NT messages are OK on XP - it is based on NT.

It appears that this is a firewall message saying that something has changed this file: C:\WINDOWS\system32\ntoskrnl.exe since the last time that you used it. It is a core file for Windows and it's important that you be sure that nothing bad has corrupted it.

Notice that the source and destination belong to the same network:
Source: 200.126.243.179
Destination: 200.126.243.255

A reverse DNS search shows this to be located here: Argentina [City: Buenos Aires, Buenos Aires] and that the addresses are owned by: http://www.lacnic.net/

UDP Port 138 is used for NetBIOS name resolution.

If these IP addresses are a part of your local network, I'd suspect that you have a NetBIOS problem. Removing and reinstalling the NetBIOS protocol might help.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
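The same-network observation in the reply above can be checked mechanically. This is an added example, not part of the original thread: it parses an excerpt of the alert from post #1 and, because the alert gives no netmask, lists every prefix length for which the remote address is the subnet broadcast of a network containing the local address. The function names (parse_alert, broadcast_prefixes, assess) are hypothetical.

```python
import ipaddress

# Fields copied from the firewall alert in post #1 (excerpt, not the full alert).
ALERT = """\
Protocol : UDP
Local Address : 200.126.243.179
Local Port : 138
Remote Address : 200.126.243.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)
Destination: ff-ff-ff-ff-ff-ff
"""

def parse_alert(text):
    """Turn 'Key : value' lines into a dict (first occurrence of a key wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields

def broadcast_prefixes(src, dst):
    """Prefix lengths for which dst is the subnet broadcast of a network
    that also contains src as an ordinary host address."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hits = []
    for plen in range(1, 31):  # /31 and /32 have no broadcast address
        net = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
        if (net.broadcast_address == dst and src in net
                and src not in (net.network_address, dst)):
            hits.append(plen)
    return hits

def assess(fields):
    """Summarise whether the alert looks like local-subnet NetBIOS datagram traffic."""
    prefixes = broadcast_prefixes(fields["Local Address"], fields["Remote Address"])
    ports = {int(fields[k].split()[0]) for k in ("Local Port", "Remote Port")}
    return {
        "prefixes": prefixes,  # netmasks consistent with a subnet broadcast
        "l2_broadcast": fields.get("Destination", "").lower() == "ff-ff-ff-ff-ff-ff",
        "netbios_dgm": fields["Protocol"] == "UDP" and ports == {138},
        "local_broadcast": bool(prefixes),
    }

if __name__ == "__main__":
    print(assess(parse_alert(ALERT)))
```

An empty prefix list means the remote address cannot be a broadcast address of the sender's own subnet under any netmask, so the datagram is leaving the local segment and deserves a closer look.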



