NDIS user mode I/O driver

I have Sygate firewall and this application (from Windows XP) is always downloading from the internet. From several IP addresses and from different ports. If I block it in the firewall, it still keeps downloading but the traffic shows under incoming blocked. Outgoing traffic is zero. I did a few searches on the web and I still don't understand exactly what this "NDIS user mode I/O" is for. It's under this path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys

The description of this thing: "Internal Windows driver; performs internal communications tasks within Windows". Well that doesn't help much. The thing is my ISP has a monthly download cap, and this thing is downloading slowly but surely a few megabytes every day. Please, give me some hints how to resolve this problem. TIA.

Tiago

I had the same problem as Tiago. Thanks Duane for the solution. Here is some further info on my attack:

I was running my BitTorrent client when I noticed some unknown URL wanting to use LSASS. I told Sygate "no" and then it was asking me whether the same URL could use NDIS. I said "no" again. This started to worry me, so I looked at the Sygate traffic window and saw that despite being denied, NDIS was still importing traffic.

I then looked at my BitTorrent leeches and found the same URL there. Shortly after another BT URL was trying the same thing.

Clearly what was happening here is that a worm on infected machines is using BitTorrent protocol to find open ports ON REMOTE MACHINES and then using those ports with NDIS to infect further machines.

NASTY!

WazzoTheMartian
