
Thread: NDIS User mode I/O Driver

  1. #11
    sponge Guest

    Re: NDIS User mode I/O Driver

    On Mon, 20 Oct 2003 19:29:29 GMT, "BxP9" <NOMAIL> wrote:

    >No software installed when the new ISP service started. Just plugged in
    >modem, added my personal account info and connected fine.
    >I'm using Sygate firewall and looked through the logs to find this item. IP
    >10.0.0.138 did back trace and reported this:


    That IP is part of your local, private connection to the modem and/or
    ISP.

    As far as removal goes, try just finding the file that keeps trying to
    connect and rename it or move it to another folder. Most of the ISP
    parasites aren't smart enough to try to reinstall themselves. If they
    do, try running HiJackThis and post the results here.

    I take it the UDP is FROM your ISP's IP address TO those ports (local)
    on YOUR machine? If so, your ISP is likely scanning you to see if
    you're running a website, DNS server, etc. If that's not the case,
    (or, actually, whether or not it's the case), have you disabled
    NetBIOS over TCP/IP? If you are running a home network, use NetBEUI
    instead; if not, you should not be running anything except TCP/IP.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 et yahoo dot com

  2. #12
    BxP9 Guest

    Re: NDIS User mode I/O Driver


    NDIS User Mode I/O Driver has received an ICMP Type 0 (echo Reply) packet
    from [10.0.0.138]. Do you want to allow this program to access the network?
    Details:
    File Version : 5.1.2600.0 (xpclient.010817-1148)
    File Description : NDIS User mode I/O Driver
    File Path : C:\WINDOWS\system32\drivers\ndisuio.sys
    Connection origin : remote initiated
    Protocol : ICMP
    Local Address : 10.0.0.1
    ICMP Type : 0 (Echo Reply)
    ICMP Code : 0
    Remote Name :
    Remote Address : 10.0.0.138

    Ethernet packet details:
    Ethernet II (Packet Length: 102)
    Destination: 00-a0-24-37-5f-c2
    Source: 00-90-d0-05-93-3e
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    ..0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 255
    Protocol: 0x1 (ICMP - Internet Control Message Protocol)
    Header checksum: 0x6931 (Correct)
    Source: 10.0.0.138
    Destination: 10.0.0.1
    Internet Control Message Protocol
    Type: 0 (Echo Reply)
    Code: 0
    Data (64 bytes)
    Binary dump of the packet:
    0000: 00 A0 24 37 5F C2 00 90 : D0 05 93 3E 08 00 45 00 | ..$7_......>..E.
    0010: 00 58 75 B1 00 00 FF 01 : 31 69 0A 00 00 8A 0A 00 | .Xu.....1i......
    0020: 00 01 00 00 02 A1 00 04 : 08 D0 0C 8F 07 00 20 21 | .............. !
    0030: 22 23 24 25 26 27 28 29 : 2A 2B 2C 2D 2E 2F 30 32 | "#$%&'()*+,-./02
    0040: 33 34 35 36 37 38 39 3A : 3B 3C 3D 3E 3F 40 41 42 | 3456789:;<=>?@AB
    0050: 43 44 45 46 47 48 49 4A : 4B 4C 4D 4E 4F 50 51 52 | CDEFGHIJKLMNOPQR
    0060: 53 54 00 00 00 00 : | ST....






  3. #13
    BxP9 Guest

    Re: NDIS User mode I/O Driver

    Another one:
    NDIS User mode I/O Driver is being connected by the remote machine
    rs2.arin.net [192.149.252.22] using local port 1042. Do you want to
    allow......
    Details:

    File Version : 5.1.2600.0 (xpclient.010817-1148)
    File Description : NDIS User mode I/O Driver
    File Path : C:\WINDOWS\system32\drivers\ndisuio.sys
    Connection origin : remote initiated
    Protocol : TCP
    Local Address : 10.0.0.1
    Local Port : 1042
    Remote Name : rs2.arin.net
    Remote Address : 192.149.252.22
    Remote Port : 43

    Ethernet packet details:
    Ethernet II (Packet Length: 60)
    Destination: 00-a0-24-37-5f-c2
    Source: 00-90-d0-05-93-3e
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 238
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0xc55c (Correct)
    Source: 192.149.252.22
    Destination: 10.0.0.1
    Transmission Control Protocol (TCP)
    Source port: 43
    Destination port: 1042
    Sequence number: 3994717303
    Acknowledgment number: 1430784813
    Header length: 24
    Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Checksum: 0xeccf (Correct)
    Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 A0 24 37 5F C2 00 90 : D0 05 93 3E 08 00 45 00 | ..$7_......>..E.
    0010: 00 2C 69 59 40 00 EE 06 : 5C C5 C0 95 FC 16 0A 00 | .,iY@...\.......
    0020: 00 01 00 2B 04 12 EE 1A : 8C 77 55 48 0B 2D 60 12 | ...+.....wUH.-`.
    0030: 22 38 CF EC 00 00 02 04 : 05 B4 00 00 | "8..........

    "BxP9" <NOMAIL> wrote in message
    news:4a4f86e801fa7cb8d1cfb6f226cf4642@news.teranews.com...
    > NDIS User mode I/O Driver is being connected by the remote machine [ip
    > address] using local port xxxxx. Do you want to allow this program...
    > Trying to connect ever since I started using a new ISP.
    >
    > Safe? What is it?
    >


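    The two Sygate dumps in posts #12 and #13 carry enough to settle the question without guessing. What follows is an added example, not code from the thread, from Sygate or from Microsoft: it parses the two "Binary dump of the packet" blocks copied verbatim from the posts, verifies the IPv4 header checksum, and applies the one check that matters here. An ICMP type 0 is only ever sent in answer to an echo request, and a TCP SYN/ACK is only ever sent to the side that sent the SYN, so both packets are replies to traffic this host originated (a ping to the modem at 10.0.0.138, and a TCP/43 whois exchange with rs2.arin.net, which is consistent with the poster's own "back trace" lookup). Sygate's "Connection origin: remote initiated" label is therefore misleading for these two entries. The function names, the service-name table and the verdict wording are my own assumptions.

```python
"""Decode Sygate 'Binary dump of the packet' blocks and judge who initiated the traffic.

Added example, not code from the thread, from Sygate or from Microsoft. The two
dumps below are copied from posts #12 and #13; function names, the SERVICES table
and the verdict strings are my own.
"""
import ipaddress
import struct

# Constructed input: the two hex dumps quoted in the thread, verbatim.
ICMP_DUMP = """\
0000: 00 A0 24 37 5F C2 00 90 : D0 05 93 3E 08 00 45 00 | ..$7_......>..E.
0010: 00 58 75 B1 00 00 FF 01 : 31 69 0A 00 00 8A 0A 00 | .Xu.....1i......
0020: 00 01 00 00 02 A1 00 04 : 08 D0 0C 8F 07 00 20 21 | .............. !
0030: 22 23 24 25 26 27 28 29 : 2A 2B 2C 2D 2E 2F 30 32 | "#$%&'()*+,-./02
0040: 33 34 35 36 37 38 39 3A : 3B 3C 3D 3E 3F 40 41 42 | 3456789:;<=>?@AB
0050: 43 44 45 46 47 48 49 4A : 4B 4C 4D 4E 4F 50 51 52 | CDEFGHIJKLMNOPQR
0060: 53 54 00 00 00 00 : | ST....
"""

TCP_DUMP = """\
0000: 00 A0 24 37 5F C2 00 90 : D0 05 93 3E 08 00 45 00 | ..$7_......>..E.
0010: 00 2C 69 59 40 00 EE 06 : 5C C5 C0 95 FC 16 0A 00 | .,iY@...\\.......
0020: 00 01 00 2B 04 12 EE 1A : 8C 77 55 48 0B 2D 60 12 | ...+.....wUH.-`.
0030: 22 38 CF EC 00 00 02 04 : 05 B4 00 00 | "8..........
"""

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 .. bit 7
SERVICES = {43: "whois", 53: "dns", 80: "http"}  # assumed display table, not exhaustive


def dump_to_bytes(dump: str) -> bytes:
    """Turn 'OFFSET: xx xx ... : xx xx | ascii' lines back into raw frame bytes."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("|", 1)[0]          # discard the ASCII column
        _, _, body = hex_part.partition(":")      # discard the offset prefix
        out.extend(int(tok, 16) for tok in body.replace(":", " ").split())
    return bytes(out)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def analyze(dump: str) -> dict:
    """Parse Ethernet II / IPv4 / {ICMP,TCP} and say whether this host started the exchange."""
    frame = dump_to_bytes(dump)
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _hcs = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    payload = ip[ihl:total_len]                   # drop Ethernet padding past total_len
    info = {
        "frame_len": len(frame), "ip_total_len": total_len, "ttl": ttl,
        "dont_fragment": bool(frag & 0x4000),
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src": str(src), "dst": str(dst),
        "src_is_private": src.is_private,         # RFC 1918 space, as post #14 points out
    }
    if proto == 1:
        itype, icode = payload[0], payload[1]
        info.update(proto="ICMP", icmp_type=itype, icmp_code=icode)
        # Type 0 only ever answers an echo request, so this host sent the ping.
        info["locally_initiated"] = itype == 0
        info["verdict"] = ("echo reply to a ping this host sent" if itype == 0
                           else "unsolicited ICMP type %d" % itype)
    elif proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
        info.update(proto="TCP", sport=sport, dport=dport, seq=seq, ack=ack,
                    tcp_header_len=(off_flags >> 12) * 4, flags=flags,
                    remote_service=SERVICES.get(sport, "port %d" % sport))
        # SYN/ACK is step two of the handshake: only the side that sent the SYN gets one.
        # A bare SYN is the only segment a remote host can use to open a connection.
        syn, ack_set = "SYN" in flags, "ACK" in flags
        info["locally_initiated"] = syn and ack_set
        if syn and ack_set:
            info["verdict"] = "SYN/ACK from %s: reply to a connection this host opened" % info["remote_service"]
        elif syn:
            info["verdict"] = "bare SYN: remote host is opening a connection"
        else:
            info["verdict"] = "mid-connection segment"
    else:
        info.update(proto="IP proto %d" % proto, locally_initiated=None, verdict="not decoded")
    return info


if __name__ == "__main__":
    for label, dump in (("post #12", ICMP_DUMP), ("post #13", TCP_DUMP)):
        print(label, analyze(dump))
```

    Running it reproduces the field values Sygate printed (TTL 255 and 238, sequence 3994717303, acknowledgment 1430784813, a 24-byte TCP header, both IP checksums valid) and adds the two facts the firewall prompt leaves out: the ICMP source is RFC 1918 space and the TCP segment is a SYN/ACK, so neither packet is an inbound connection attempt. The same check applies to any "remote initiated" alert from a personal firewall: look at the flags before looking at the hostname.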




  4. #14
    Jay T. Blocksom Guest

    Re: NDIS User mode I/O Driver

    On Mon, 20 Oct 2003 19:29:29 GMT, in <alt.privacy.spyware>, "BxP9" <NOMAIL>
    wrote:
    >
    > No software installed when the new ISP service started. Just plugged in
    > modem, added my personal account info and connected fine.
    > I'm using Sygate firewall and looked through the logs to find this item.
    > IP 10.0.0.138 did back trace and reported this:
    >

    [snip]

    <http://www.ietf.org/rfc/rfc1918.txt>

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net


    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this E-Mail address is expressly prohibited
    under USC Title 47, Section 227. Violators are subject to charge of up to
    $1,500 per incident or treble actual costs, whichever is greater.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  5. #15
    Jay T. Blocksom Guest

    Re: NDIS User mode I/O Driver

    On Wed, 22 Oct 2003 19:19:51 GMT, in <alt.privacy.spyware>, "BxP9" <NOMAIL>
    wrote:
    >
    > Another one:
    > NDIS User mode I/O Driver is being connected by the remote machine
    > rs2.arin.net [192.149.252.22]

    [snip]

    Somehow, I *really* doubt that ARIN is spying on you.

    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet01[at]appropriate-tech.net

