NDIS User mode I/O Driver

[sponge]

"BxP9" <NOMAIL> wrote in message news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
> NDIS User mode I/O Driver is being connected by the remote machine [ip
> address] using local port xxxxx. Do you want to allow this program...
> Trying to connect every since I started using a new ISP.
>
> Safe? What is it?

It would help to know the IPs and ports, if you'd be willing to post
or email them, as well as the location of the application. However,
off the bat it looks very suspect. First because you may be using
ISP-provided software -- that's a big, big no-no. Second, NDIS
driver's shouldn't be user mode. the NDIS driver is what takes data
from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
uses to commumnication) and sends it out the hardware. It shouldn't be
user mode: it's a driver, and part of the system.

IOW, if you can connect to the Internet without it, then it is more
likely to be malicious or suspicious than anything useful.

Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 et yahoo dot com

[BxP9]

Will post them when the item pops-up again. Could it be the new DSL modem
for this ISP?

"sponge" <yosponge@yahoo.com> wrote in message
news:8d76ec03.0310191025.6cd66006@posting.google.c om...
> "BxP9" <NOMAIL> wrote in message
news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
> > NDIS User mode I/O Driver is being connected by the remote machine [ip
> > address] using local port xxxxx. Do you want to allow this program...
> > Trying to connect every since I started using a new ISP.
> >
> > Safe? What is it?
>
> It would help to know the IPs and ports, if you'd be willing to post
> or email them, as well as the location of the application. However,
> off the bat it looks very suspect. First because you may be using
> ISP-provided software -- that's a big, big no-no. Second, NDIS
> driver's shouldn't be user mode. the NDIS driver is what takes data
> from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
> uses to commumnication) and sends it out the hardware. It shouldn't be
> user mode: it's a driver, and part of the system.
>
> IOW, if you can connect to the Internet without it, then it is more
> likely to be malicious or suspicious than anything useful.
>
> Sponge
> Sponge's Secure Solutions
> www.geocities.com/yosponge
> My new email: yosponge2 et yahoo dot com

[-=ô;ö=-]

Possible that it is the "Help Desk" software bundled in, both BellSouth and Verizon have
the same thing and I just deinstalled them with no ill effects..


"BxP9" <NOMAIL> wrote in message
news:0d5f7b9ffad498b146078eafae90b1f3@news.teranew s.com...
| Will post them when the item pops-up again. Could it be the new DSL modem
| for this ISP?
|
| "sponge" <yosponge@yahoo.com> wrote in message
| news:8d76ec03.0310191025.6cd66006@posting.google.c om...
| > "BxP9" <NOMAIL> wrote in message
| news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
| > > NDIS User mode I/O Driver is being connected by the remote machine [ip
| > > address] using local port xxxxx. Do you want to allow this program...
| > > Trying to connect every since I started using a new ISP.
| > >
| > > Safe? What is it?
| >
| > It would help to know the IPs and ports, if you'd be willing to post
| > or email them, as well as the location of the application. However,
| > off the bat it looks very suspect. First because you may be using
| > ISP-provided software -- that's a big, big no-no. Second, NDIS
| > driver's shouldn't be user mode. the NDIS driver is what takes data
| > from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
| > uses to commumnication) and sends it out the hardware. It shouldn't be
| > user mode: it's a driver, and part of the system.
| >
| > IOW, if you can connect to the Internet without it, then it is more
| > likely to be malicious or suspicious than anything useful.
| >
| > Sponge
| > Sponge's Secure Solutions
| > www.geocities.com/yosponge
| > My new email: yosponge2 et yahoo dot com
|
|

[BxP9]

No software installed when the new ISP service started. Just plugged in
modem, added my personal account info and connected fine.
I'm using Sygate firewall and looked through the logs to find this item. IP
10.0.0.138 did back trace and reported this:

IANA (RESERVED-6)
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6695
US

Netname: RESERVED-10
Netblock: 10.0.0.0 - 10.255.255.255

Coordinator:
Internet Corporation for Assigned Names and Numbers (IANA-ARIN)
res-ip@iana.org
(310) 823-9358

Domain System inverse mapping provided by:

BLACKHOLE-1.IANA.ORG 192.0.32.18
BLACKHOLE-2.IANA.ORG 192.0.32.19

These blocks are reserved for special purposes.
Please see RFC 1918 for additional information.

Record last updated on 12-Oct-2001.
Database last updated on 23-Aug-2002 16:56:03 EDT.
The information in this WHOIS database is current as of August 23, 2002,
and has been retained for historical purposes only. For the most current
information, query whois.arin.net or visit http://whois.arin.net.

"-=ô;ö=-" <Not.Telling@nowhere.com> wrote in message
news:AyWkb.16137$Ee6.8787@nwrddc01.gnilink.net...
> Possible that it is the "Help Desk" software bundled in, both BellSouth
and Verizon have
> the same thing and I just deinstalled them with no ill effects..
>
>
> "BxP9" <NOMAIL> wrote in message
> news:0d5f7b9ffad498b146078eafae90b1f3@news.teranew s.com...
> | Will post them when the item pops-up again. Could it be the new DSL
modem
> | for this ISP?
> |
> | "sponge" <yosponge@yahoo.com> wrote in message
> | news:8d76ec03.0310191025.6cd66006@posting.google.c om...
> | > "BxP9" <NOMAIL> wrote in message
> | news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
> | > > NDIS User mode I/O Driver is being connected by the remote machine
[ip
> | > > address] using local port xxxxx. Do you want to allow this
program...
> | > > Trying to connect every since I started using a new ISP.
> | > >
> | > > Safe? What is it?
> | >
> | > It would help to know the IPs and ports, if you'd be willing to post
> | > or email them, as well as the location of the application. However,
> | > off the bat it looks very suspect. First because you may be using
> | > ISP-provided software -- that's a big, big no-no. Second, NDIS
> | > driver's shouldn't be user mode. the NDIS driver is what takes data
> | > from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
> | > uses to commumnication) and sends it out the hardware. It shouldn't be
> | > user mode: it's a driver, and part of the system.
> | >
> | > IOW, if you can connect to the Internet without it, then it is more
> | > likely to be malicious or suspicious than anything useful.
> | >
> | > Sponge
> | > Sponge's Secure Solutions
> | > www.geocities.com/yosponge
> | > My new email: yosponge2 et yahoo dot com
> |
> |
>
>

[Moon]

On Mon, 20 Oct 2003 19:29:29 GMT, "BxP9" <NOMAIL> wrote:

>No software installed when the new ISP service started. Just plugged in
>modem, added my personal account info and connected fine.
>I'm using Sygate firewall and looked through the logs to find this item. IP
>10.0.0.138 did back trace and reported this:
>
>IANA (RESERVED-6)
> Internet Assigned Numbers Authority
> 4676 Admiralty Way, Suite 330
> Marina del Rey, CA 90292-6695
> US
>
> Netname: RESERVED-10
> Netblock: 10.0.0.0 - 10.255.255.255
>
> Coordinator:
> Internet Corporation for Assigned Names and Numbers (IANA-ARIN)
>res-ip@iana.org
> (310) 823-9358
>
> Domain System inverse mapping provided by:
>
> BLACKHOLE-1.IANA.ORG 192.0.32.18
> BLACKHOLE-2.IANA.ORG 192.0.32.19
>
> These blocks are reserved for special purposes.
> Please see RFC 1918 for additional information.
>
> Record last updated on 12-Oct-2001.
> Database last updated on 23-Aug-2002 16:56:03 EDT.
>The information in this WHOIS database is current as of August 23, 2002,
>and has been retained for historical purposes only. For the most current
>information, query whois.arin.net or visit http://whois.arin.net.
>
>"-=ô;ö=-" <Not.Telling@nowhere.com> wrote in message
>news:AyWkb.16137$Ee6.8787@nwrddc01.gnilink.net. ..
>> Possible that it is the "Help Desk" software bundled in, both BellSouth
>and Verizon have
>> the same thing and I just deinstalled them with no ill effects..
>>
>>
>> "BxP9" <NOMAIL> wrote in message
>> news:0d5f7b9ffad498b146078eafae90b1f3@news.teranew s.com...
>> | Will post them when the item pops-up again. Could it be the new DSL
>modem
>> | for this ISP?
>> |
>> | "sponge" <yosponge@yahoo.com> wrote in message
>> | news:8d76ec03.0310191025.6cd66006@posting.google.c om...
>> | > "BxP9" <NOMAIL> wrote in message
>> | news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
>> | > > NDIS User mode I/O Driver is being connected by the remote machine
>[ip
>> | > > address] using local port xxxxx. Do you want to allow this
>program...
>> | > > Trying to connect every since I started using a new ISP.
>> | > >
>> | > > Safe? What is it?
>> | >
>> | > It would help to know the IPs and ports, if you'd be willing to post
>> | > or email them, as well as the location of the application. However,
>> | > off the bat it looks very suspect. First because you may be using
>> | > ISP-provided software -- that's a big, big no-no. Second, NDIS
>> | > driver's shouldn't be user mode. the NDIS driver is what takes data
>> | > from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
>> | > uses to commumnication) and sends it out the hardware. It shouldn't be
>> | > user mode: it's a driver, and part of the system.
>> | >
>> | > IOW, if you can connect to the Internet without it, then it is more
>> | > likely to be malicious or suspicious than anything useful.
>> | >
>> | > Sponge
>> | > Sponge's Secure Solutions
>> | > www.geocities.com/yosponge
>> | > My new email: yosponge2 et yahoo dot com
>> |
>> |
>>
>>
>
My system has been doing this same thing for awhile now, I have never
let it access the net, it pops up every 2 minutes, how do you
uninstall it??? Thanks, Moon

[-=ô;ö=-]

Is that IP below also the same as your ISP???


"BxP9" <NOMAIL> wrote in message
news:8536bb3ed7e0ca9d90fdfaf65ba08530@news.teranew s.com...
| No software installed when the new ISP service started. Just plugged in
| modem, added my personal account info and connected fine.
| I'm using Sygate firewall and looked through the logs to find this item. IP
| 10.0.0.138 did back trace and reported this:
|
| IANA (RESERVED-6)
| Internet Assigned Numbers Authority
| 4676 Admiralty Way, Suite 330
| Marina del Rey, CA 90292-6695
| US
|
| Netname: RESERVED-10
| Netblock: 10.0.0.0 - 10.255.255.255
|
| Coordinator:
| Internet Corporation for Assigned Names and Numbers (IANA-ARIN)
| res-ip@iana.org
| (310) 823-9358
|
| Domain System inverse mapping provided by:
|
| BLACKHOLE-1.IANA.ORG 192.0.32.18
| BLACKHOLE-2.IANA.ORG 192.0.32.19
|
| These blocks are reserved for special purposes.
| Please see RFC 1918 for additional information.
|
| Record last updated on 12-Oct-2001.
| Database last updated on 23-Aug-2002 16:56:03 EDT.
| The information in this WHOIS database is current as of August 23, 2002,
| and has been retained for historical purposes only. For the most current
| information, query whois.arin.net or visit http://whois.arin.net.
|
| "-=ô;ö=-" <Not.Telling@nowhere.com> wrote in message
| news:AyWkb.16137$Ee6.8787@nwrddc01.gnilink.net...
| > Possible that it is the "Help Desk" software bundled in, both BellSouth
| and Verizon have
| > the same thing and I just deinstalled them with no ill effects..
| >
| >
| > "BxP9" <NOMAIL> wrote in message
| > news:0d5f7b9ffad498b146078eafae90b1f3@news.teranew s.com...
| > | Will post them when the item pops-up again. Could it be the new DSL
| modem
| > | for this ISP?
| > |
| > | "sponge" <yosponge@yahoo.com> wrote in message
| > | news:8d76ec03.0310191025.6cd66006@posting.google.c om...
| > | > "BxP9" <NOMAIL> wrote in message
| > | news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
| > | > > NDIS User mode I/O Driver is being connected by the remote machine
| [ip
| > | > > address] using local port xxxxx. Do you want to allow this
| program...
| > | > > Trying to connect every since I started using a new ISP.
| > | > >
| > | > > Safe? What is it?
| > | >
| > | > It would help to know the IPs and ports, if you'd be willing to post
| > | > or email them, as well as the location of the application. However,
| > | > off the bat it looks very suspect. First because you may be using
| > | > ISP-provided software -- that's a big, big no-no. Second, NDIS
| > | > driver's shouldn't be user mode. the NDIS driver is what takes data
| > | > from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
| > | > uses to commumnication) and sends it out the hardware. It shouldn't be
| > | > user mode: it's a driver, and part of the system.
| > | >
| > | > IOW, if you can connect to the Internet without it, then it is more
| > | > likely to be malicious or suspicious than anything useful.
| > | >
| > | > Sponge
| > | > Sponge's Secure Solutions
| > | > www.geocities.com/yosponge
| > | > My new email: yosponge2 et yahoo dot com
| > |
| > |
| >
| >
|
|

[BxP9]

Yes, I went to that IP to setup my account.

"-=ô;ö=-" <Not.Telling@nowhere.com> wrote in message
news:OZZkb.19661$Ee6.15110@nwrddc01.gnilink.net...
> Is that IP below also the same as your ISP???
>
>
> "BxP9" <NOMAIL> wrote in message
> news:8536bb3ed7e0ca9d90fdfaf65ba08530@news.teranew s.com...
> | No software installed when the new ISP service started. Just plugged in
> | modem, added my personal account info and connected fine.
> | I'm using Sygate firewall and looked through the logs to find this item.
IP
> | 10.0.0.138 did back trace and reported this:
> |
> | IANA (RESERVED-6)
> | Internet Assigned Numbers Authority
> | 4676 Admiralty Way, Suite 330
> | Marina del Rey, CA 90292-6695
> | US
> |
> | Netname: RESERVED-10
> | Netblock: 10.0.0.0 - 10.255.255.255
> |
> | Coordinator:
> | Internet Corporation for Assigned Names and Numbers (IANA-ARIN)
> | res-ip@iana.org
> | (310) 823-9358
> |
> | Domain System inverse mapping provided by:
> |
> | BLACKHOLE-1.IANA.ORG 192.0.32.18
> | BLACKHOLE-2.IANA.ORG 192.0.32.19
> |
> | These blocks are reserved for special purposes.
> | Please see RFC 1918 for additional information.
> |
> | Record last updated on 12-Oct-2001.
> | Database last updated on 23-Aug-2002 16:56:03 EDT.
> | The information in this WHOIS database is current as of August 23, 2002,
> | and has been retained for historical purposes only. For the most current
> | information, query whois.arin.net or visit http://whois.arin.net.
> |
> | "-=ô;ö=-" <Not.Telling@nowhere.com> wrote in message
> | news:AyWkb.16137$Ee6.8787@nwrddc01.gnilink.net...
> | > Possible that it is the "Help Desk" software bundled in, both
BellSouth
> | and Verizon have
> | > the same thing and I just deinstalled them with no ill effects..
> | >
> | >
> | > "BxP9" <NOMAIL> wrote in message
> | > news:0d5f7b9ffad498b146078eafae90b1f3@news.teranew s.com...
> | > | Will post them when the item pops-up again. Could it be the new DSL
> | modem
> | > | for this ISP?
> | > |
> | > | "sponge" <yosponge@yahoo.com> wrote in message
> | > | news:8d76ec03.0310191025.6cd66006@posting.google.c om...
> | > | > "BxP9" <NOMAIL> wrote in message
> | > | news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
> | > | > > NDIS User mode I/O Driver is being connected by the remote
machine
> | [ip
> | > | > > address] using local port xxxxx. Do you want to allow this
> | program...
> | > | > > Trying to connect every since I started using a new ISP.
> | > | > >
> | > | > > Safe? What is it?
> | > | >
> | > | > It would help to know the IPs and ports, if you'd be willing to
post
> | > | > or email them, as well as the location of the application.
However,
> | > | > off the bat it looks very suspect. First because you may be using
> | > | > ISP-provided software -- that's a big, big no-no. Second, NDIS
> | > | > driver's shouldn't be user mode. the NDIS driver is what takes
data
> | > | > from an upper-layer protocol (I.E. TCP/IP, which is what the
Internet
> | > | > uses to commumnication) and sends it out the hardware. It
shouldn't be
> | > | > user mode: it's a driver, and part of the system.
> | > | >
> | > | > IOW, if you can connect to the Internet without it, then it is
more
> | > | > likely to be malicious or suspicious than anything useful.
> | > | >
> | > | > Sponge
> | > | > Sponge's Secure Solutions
> | > | > www.geocities.com/yosponge
> | > | > My new email: yosponge2 et yahoo dot com
> | > |
> | > |
> | >
> | >
> |
> |
>
>

[Moon]

On Mon, 20 Oct 2003 23:12:46 GMT, "-=ô;ö=-" <Not.Telling@nowhere.com>
wrote:

>Is that IP below also the same as your ISP???
>
>
>"BxP9" <NOMAIL> wrote in message
>news:8536bb3ed7e0ca9d90fdfaf65ba08530@news.terane ws.com...
>| No software installed when the new ISP service started. Just plugged in
>| modem, added my personal account info and connected fine.
>| I'm using Sygate firewall and looked through the logs to find this item. IP
>| 10.0.0.138 did back trace and reported this:
>|
>| IANA (RESERVED-6)
>| Internet Assigned Numbers Authority
>| 4676 Admiralty Way, Suite 330
>| Marina del Rey, CA 90292-6695
>| US
>|
>| Netname: RESERVED-10
>| Netblock: 10.0.0.0 - 10.255.255.255
>|
>| Coordinator:
>| Internet Corporation for Assigned Names and Numbers (IANA-ARIN)
>| res-ip@iana.org
>| (310) 823-9358
>|
>| Domain System inverse mapping provided by:
>|
>| BLACKHOLE-1.IANA.ORG 192.0.32.18
>| BLACKHOLE-2.IANA.ORG 192.0.32.19
>|
>| These blocks are reserved for special purposes.
>| Please see RFC 1918 for additional information.
>|
>| Record last updated on 12-Oct-2001.
>| Database last updated on 23-Aug-2002 16:56:03 EDT.
>| The information in this WHOIS database is current as of August 23, 2002,
>| and has been retained for historical purposes only. For the most current
>| information, query whois.arin.net or visit http://whois.arin.net.
>|
>| "-=ô;ö=-" <Not.Telling@nowhere.com> wrote in message
>| news:AyWkb.16137$Ee6.8787@nwrddc01.gnilink.net...
>| > Possible that it is the "Help Desk" software bundled in, both BellSouth
>| and Verizon have
>| > the same thing and I just deinstalled them with no ill effects..
>| >
>| >
>| > "BxP9" <NOMAIL> wrote in message
>| > news:0d5f7b9ffad498b146078eafae90b1f3@news.teranew s.com...
>| > | Will post them when the item pops-up again. Could it be the new DSL
>| modem
>| > | for this ISP?
>| > |
>| > | "sponge" <yosponge@yahoo.com> wrote in message
>| > | news:8d76ec03.0310191025.6cd66006@posting.google.c om...
>| > | > "BxP9" <NOMAIL> wrote in message
>| > | news:<4a4f86e801fa7cb8d1cfb6f226cf4642@news.terane ws.com>...
>| > | > > NDIS User mode I/O Driver is being connected by the remote machine
>| [ip
>| > | > > address] using local port xxxxx. Do you want to allow this
>| program...
>| > | > > Trying to connect every since I started using a new ISP.
>| > | > >
>| > | > > Safe? What is it?
>| > | >
>| > | > It would help to know the IPs and ports, if you'd be willing to post
>| > | > or email them, as well as the location of the application. However,
>| > | > off the bat it looks very suspect. First because you may be using
>| > | > ISP-provided software -- that's a big, big no-no. Second, NDIS
>| > | > driver's shouldn't be user mode. the NDIS driver is what takes data
>| > | > from an upper-layer protocol (I.E. TCP/IP, which is what the Internet
>| > | > uses to commumnication) and sends it out the hardware. It shouldn't be
>| > | > user mode: it's a driver, and part of the system.
>| > | >
>| > | > IOW, if you can connect to the Internet without it, then it is more
>| > | > likely to be malicious or suspicious than anything useful.
>| > | >
>| > | > Sponge
>| > | > Sponge's Secure Solutions
>| > | > www.geocities.com/yosponge
>| > | > My new email: yosponge2 et yahoo dot com
>| > |
>| > |
>| >
>| >
>|
>|
>
Mine are all UDP ports 53, 137, 138, from my ISP adresss, hitting my
Nat/Firewall.. Note, I did not have this problem until I got MS
Service Pack 1, am running Win XP currently....Moon

[Moon]

P.S. I almost forgot, I CAN connect to the internet w/o any
interference in connecting to the net...the packet hits me every 2
minutes also...... Moon
>>| > |
>>| > |
>>| >
>>| >
>>|
>>|
>>
>Mine are all UDP ports 53, 137, 138, from my ISP adresss, hitting my
>Nat/Firewall.. Note, I did not have this problem until I got MS
>Service Pack 1, am running Win XP currently....Moon

[sponge]

On Mon, 20 Oct 2003 19:29:29 GMT, "BxP9" <NOMAIL> wrote:

>No software installed when the new ISP service started. Just plugged
in
>modem, added my personal account info and connected fine.
>I'm using Sygate firewall and looked through the logs to find this
item. IP
>10.0.0.138 did back trace and reported this:

That IP is part of your local, private connection to the modem and/or
ISP.

As far as removal goes, try just finding the file that keeps trying to
connect and rename it or move it to another folder. Most of the ISP
parasites aren't smart enough to try to reinstall themselves. If they
do, try running HiJackThis and post the results here.

I take it the UDP is FROM your ISP's IP address TO those ports (local)
on YOUR machine? If so, your ISP is likely scanning you to see if
you're running a website, DNS server, etc. If that's not the case,
(or, actually, whether or not it's the case), have you disabled
NetBIOS over TCP/IP? If you are running a home network, use NetBEUI
instead; if not, you should not be running anything except TCP/IP.

Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 et yahoo dot com