Crocodile
- 16 Dec 2002 03:59
Mr Wonderful
- 14 May 2003 00:01
- 472 of 11003
I have just purchased Sygate Firewall Pro and am being prompted whether I would like to allow something in through the firewall (details posted below).
I use Windows 2000 and yesterday downloaded a load of updates.
Do I let it in?
Details pasted below:
The executable has changed since the last time you used: C:\WINNT\System32\ntoskrnl.exe
File Version : 5.00.2195.6159
File Description : NT Kernel & System
File Path : C:\WINNT\System32\ntoskrnl.exe
Process ID : 8 (Heximal) 8 (Decimal)
Connection origin : local initiated
Protocol : UDP
Local Address : 81.96.80.139
Local Port : 138
Remote Name :
Remote Address : 81.96.80.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)
Ethernet packet details:
Ethernet II (Packet Length: 216)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-50-22-b1-78-1e
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x6e0 (Correct)
Source: 81.96.80.139
Destination: 81.96.80.255
User Datagram Protocol
Source port: 138
Destination port: 138
Length: 8
Checksum: 0x8302 (Correct)
Data (182 Bytes)
Binary dump of the packet:
Seymour Clearly
- 14 May 2003 06:51
- 473 of 11003
Neil / robber, it's
http://www.matrox.com/mga/news/demos_downloads/parhelia_wallpapers.cfm
enjoy!
leo1
- 14 May 2003 08:37
- 474 of 11003
Mr W
I think it's 'normal' netbios/tcp/ip behaviour and local to your own machine (or network segment).
Connection origin : local initiated
Protocol : UDP
Local Address : 81.96.80.139
Local Port : 138
Remote Name :
Remote Address : 81.96.80.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)
If you're not on a network I doubt whether it matters if it's blocked but it's certainly nothing to worry about (IMO).
If you're running a standalone PC then I'd try disabling netbios over tcp/ip.
You do this by right-clicking on My Network Places and selecting Properties. Then right-click on the appropriate Local Area Connection icon, and select Properties. Next, click on Internet Protocol (TCP/IP) and Properties.
Now click Advanced, and select the WINS tab.
There you can enable or disable NetBIOS over TCP/IP.
DocProc
- 14 May 2003 09:19
- 475 of 11003
Mr W
When you get another file like this and want to check out what it is, just look up the file name on Google using all of the file name itself as the search word:
If you do that for
C:\WINNT\System32\ntoskrnl.exe
you'll come across a web site called "littlewhitedog.com" which is quite educational and has a good section on this particular file.
Kayak
- 14 May 2003 09:50
- 476 of 11003
Mr W
The reference to ntoskrnl is no doubt because of the updates you downloaded: they replaced the file with a newer version which your firewall spotted. In any case Windows 2000 has protection against system files changing, it reloads them from a backup copy, so it's very unlikely to be suspect.
As for the UDP packet, it looks as though NETBIOS is enabled over the link with your ISP. This, if true, is a security risk as it potentially exposes your files to the world and you should disable it.
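Added example (not part of the original thread): a short Python parser for the UDP port 138 NetBIOS datagram discussed above, showing that the sender's machine name and the workgroup travel in a trivially reversible encoding. The sample bytes, host name, workgroup and address are constructed for illustration and follow the RFC 1001/1002 datagram layout; the SMB body is simplified.

```python
import struct

MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}

def encode_name(name, suffix):
    """First-level encode a NetBIOS name: 15 padded chars + 1 suffix byte."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    half = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + half + b"\x00"

def decode_name(field):
    """Reverse the encoding; returns (name, suffix)."""
    if len(field) != 34 or field[0] != 0x20 or field[33] != 0x00:
        raise ValueError("not a 34-byte encoded NetBIOS name")
    half = field[1:33]
    if not all(0x41 <= c <= 0x50 for c in half):
        raise ValueError("encoded name has a character outside A-P")
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_datagram(payload):
    """Parse the UDP payload of a port-138 NetBIOS datagram."""
    if len(payload) < 82:
        raise ValueError("too short: need 14-byte header and two names")
    msg_type, _flags, _dgm_id, ip, _port, _length, _offset = struct.unpack(
        "!BBH4sHHH", payload[:14])
    if msg_type not in MSG_TYPES:
        raise ValueError("not a direct or broadcast datagram")
    src_name, _src_suffix = decode_name(payload[14:48])
    dst_name, dst_suffix = decode_name(payload[48:82])
    return {
        "type": MSG_TYPES[msg_type],
        "source_ip": ".".join(str(b) for b in ip),
        "source_name": src_name,
        "dest_name": dst_name,
        "dest_suffix": dst_suffix,
        "browse_mailslot": b"\\MAILSLOT\\BROWSE" in payload[82:].upper(),
    }

# Constructed sample (not the packet from the thread): made-up host and
# workgroup names, a documentation-range address, simplified SMB body.
_names = encode_name("EXAMPLE-PC", 0x00) + encode_name("WORKGROUP", 0x1D)
_body = b"\xffSMB\x25" + bytes(27) + b"\\MAILSLOT\\BROWSE\x00"
SAMPLE = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x1234, bytes([192, 0, 2, 10]),
                     138, len(_names) + len(_body), 0) + _names + _body

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
```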
Mr Wonderful
- 14 May 2003 11:21
- 477 of 11003
Thanks everyone.
How do I disable the NetBIOS, is it complicated for a dimwit?
cheers
glenn
Mr Wonderful
- 14 May 2003 14:02
- 478 of 11003
leo1
Just noticed you gave me the instruction to disable the NetBIOS.
Thank you
DocProc
- 14 May 2003 23:14
- 479 of 11003
I found this on my computer. Can someone tell me what it means?
// Set cookie lifetime to 57600 Minutes
function zedo_lifetime() {
    var zedo_expire = new Date();
    zedo_expire.setTime(zedo_expire.getTime() + (57600*60*1000));
    return zedo_expire.toUTCString();
}
function zedo_getCookie() {
    var zedo_cookieval = document.cookie.match(/ZEDOPOP=(\d+)/);
    if ( zedo_cookieval != null && zedo_cookieval.length > 0 ) {
        return parseInt(zedo_cookieval[1]);
    } else {
        return 0;
    }
}
var zflag_nid=140; var zflag_cid="9002"; var zflag_sz=15; var zflag_width=1; var zflag_height=1;
var zedo_cap = 2;
var zedo_pub_cookie = zedo_getCookie(); // ZEDOPOP cookie
var zedo_cookies_supported = true;
// Detect for cookies on IE4+ and NS6
if ( (document.getElementById || document.all) && !navigator.cookieEnabled ) {
    zedo_cookies_supported = false;
}
if ( zedo_cookies_supported && ( zedo_pub_cookie ');
    zedo_pub_cookie++;
    document.cookie="ZEDOPOP=" +zedo_pub_cookie +";expires="+zedo_lifetime()+ ";domain=.advfn.com;path=/";
}
robber
- 14 May 2003 23:26
- 480 of 11003
Bob, that's the cookie that sends copies of everything you post here to Clem ;-)
But seriously have you been banned by ADVFN?
Neil
DocProc
- 14 May 2003 23:34
- 481 of 11003
No. Whatever makes you think that? ;-)
I reckon the above looks a bit like a zedo pub cookie, don't you think?
I must have had a dirty glass - or some cookieval beer with a drop of zedopop in it.
Kayak
- 14 May 2003 23:35
- 482 of 11003
DocProc, there was a problem at ADVFN a few months ago which sent users copies of their php software rather than running it and giving them the results. I have a copy of the whole thread.php3 file :-) Is the file dated 14th December 2002? Zedo are the people they use for ad delivery (http://www.zedo.com), although apparently the cookie is also used to stop banned users from using a different username to log in with.
DocProc
- 14 May 2003 23:45
- 483 of 11003
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=zedo_pub_cookie&btnG=Google+Search
also gives a few clues on Google
Kayak
Thank you
I remember it now. I pasted the above into a Word document to save it on my machine and yes, it is dated 14.12.02. I found the Word document looking for something else and wondered what on earth it was.
By the way, thank you also for your support on ADVFN's 'Downgrade' thread.
Harassment indeed!
Kayak
- 14 May 2003 23:54
- 484 of 11003
lol Doc, I know, butter wouldn't melt in your mouth! :-)
mbbcat
- 15 May 2003 04:57
- 485 of 11003
Does anyone know where & how XP stores its routing table??
TIA
axdpc
- 15 May 2003 16:48
- 486 of 11003
Just for your info, in case someone else has received the same email...
Received unsolicited email from 03hillaj@reeds.surrey.sch.uk at 4:33pm.
The attached file colby598.com has virus W32.HLLW.Fizzer@mm.
Email removed.
Does anyone know how to track down the user?
axdpc
- 15 May 2003 17:29
- 487 of 11003
mbbcat,
not in my basic book on XP
try
www.winguides.com
communities.msn.com/windowsxpforrealpeople
www.windows-help.net/windowsxp
Kayak
- 15 May 2003 20:55
- 489 of 11003
axdpc, the user probably does not know he's infected...
Mr Wonderful
- 15 May 2003 22:34
- 490 of 11003
My PC freezes on average twice a day (mouse freezes normally), sometimes more, especially when I run a certain programme called hotcomlite, but another 40-odd people who use the same programme do not have a problem.
This freezing problem still happens even when I am not running this programme; my computer expert has given up on it.
What can you do? I have had this problem for months but it has got better since I changed from XP to 2000. (I have a dual processor.)
I am considering taking it in to PC World, where I understand they keep it for a good few days, which is a complete pain, but I have got to do something.
Do you think there is any point in taking it in there? Would one PC boffin do anything different from my usual guy, who seems to be an expert?
Very frustrating.
Any advice?
Robb
- 19 May 2003 15:30
- 491 of 11003
Mayday Mayday Mayday
My second m/c has just said "unable to write to drive c:". When I rebooted it gets to a message saying "unable to locate operating system" and goes no further. The c drive obviously didn't boot up so I'm guessing I'm fooked!! Would a computer repair shop be able to copy the disk onto a new one or is it totally irretrievable? Would it do this if it overheated? Anyone got any pointers as to my next move, pleeeeeease.
Looks like I am about to get taught the lesson about keeping back ups up to date :-(