Another one:
NDIS User mode I/O Driver is being connected by the remote machine
rs2.arin.net [192.149.252.22] using local port 1042. Do you want to
allow......
Details:
File Version : 5.1.2600.0 (xpclient.010817-1148)
File Description : NDIS User mode I/O Driver
File Path : C:\WINDOWS\system32\drivers\ndisuio.sys
Connection origin : remote initiated
Protocol : TCP
Local Address : 10.0.0.1
Local Port : 1042
Remote Name : rs2.arin.net
Remote Address : 192.149.252.22
Remote Port : 43
Ethernet packet details:
Ethernet II (Packet Length: 60)
Destination: 00-a0-24-37-5f-c2
Source: 00-90-d0-05-93-3e
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 238
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xc55c (Correct)
Source: 192.149.252.22
Destination: 10.0.0.1
Transmission Control Protocol (TCP)
Source port: 43
Destination port: 1042
Sequence number: 3994717303
Acknowledgment number: 1430784813
Header length: 24
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xeccf (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 00 A0 24 37 5F C2 00 90 : D0 05 93 3E 08 00 45 00 | ..$7_......>..E.
0010: 00 2C 69 59 40 00 EE 06 : 5C C5 C0 95 FC 16 0A 00 | .,iY@...\.......
0020: 00 01 00 2B 04 12 EE 1A : 8C 77 55 48 0B 2D 60 12 | ...+.....wUH.-`.
0030: 22 38 CF EC 00 00 02 04 : 05 B4 00 00 | "8..........
"BxP9" <NOMAIL> wrote in message
news:4a4f86e801fa7cb8d1cfb6f226cf4642@news.teranews.com...
> NDIS User mode I/O Driver is being connected by the remote machine [ip
> address] using local port xxxxx. Do you want to allow this program...
> Trying to connect ever since I started using a new ISP.
>
> Safe? What is it?
>
"sponge" <yosponge@yahoo.com> wrote in message
news:8d76ec03.0310202010.5c1d4862@posting.google.com...
> On Mon, 20 Oct 2003 19:29:29 GMT, "BxP9" <NOMAIL> wrote:
>
> >No software installed when the new ISP service started. Just plugged in
> >modem, added my personal account info and connected fine.
> >I'm using Sygate firewall and looked through the logs to find this item. IP
> >10.0.0.138 did back trace and reported this:
>
> That IP is part of your local, private connection to the modem and/or
> ISP.
>
> As far as removal goes, try just finding the file that keeps trying to
> connect and rename it or move it to another folder. Most of the ISP
> parasites aren't smart enough to try to reinstall themselves. If they
> do, try running HiJackThis and post the results here.
>
> I take it the UDP is FROM your ISP's IP address TO those ports (local)
> on YOUR machine? If so, your ISP is likely scanning you to see if
> you're running a website, DNS server, etc. If that's not the case,
> (or, actually, whether or not it's the case), have you disabled
> NetBIOS over TCP/IP? If you are running a home network, use NetBEUI
> instead; if not, you should not be running anything except TCP/IP.
>
> Sponge
> Sponge's Secure Solutions
> www.geocities.com/yosponge
> My new email: yosponge2 et yahoo dot com


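Added example, not part of the original posts: Python code that decodes the binary dump from the firewall alert above and names the TCP handshake step from the flag bits, the check that separates a reply to an outbound connection from a new inbound request. The function names are assumptions made for this example.

```python
import socket
import struct

# Hex columns copied from the post's "Binary dump of the packet" (ASCII column dropped).
DUMP = """
0000: 00 A0 24 37 5F C2 00 90 : D0 05 93 3E 08 00 45 00
0010: 00 2C 69 59 40 00 EE 06 : 5C C5 C0 95 FC 16 0A 00
0020: 00 01 00 2B 04 12 EE 1A : 8C 77 55 48 0B 2D 60 12
0030: 22 38 CF EC 00 00 02 04 : 05 B4 00 00
"""

def dump_to_bytes(dump):
    """Strip each line's offset column and the mid-line ':' separator."""
    rows = [ln.split(":", 1)[1].replace(":", " ") for ln in dump.strip().splitlines()]
    return bytes.fromhex(" ".join(rows))

def parse_frame(frame):
    """Decode the Ethernet II / IPv4 / TCP headers of a single frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # excludes Ethernet padding
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(off_flags & 0x02), "rst": bool(off_flags & 0x04),
        "ack_flag": bool(off_flags & 0x10),
        "payload_len": total_len - ihl - (off_flags >> 12) * 4,
    }

def classify(seg):
    """Name the handshake step from the flag bits alone."""
    if seg["rst"]:
        return "RST: connection refused or aborted"
    if seg["syn"] and seg["ack_flag"]:
        return "SYN-ACK: step 2 of the handshake, sent in reply to a SYN"
    if seg["syn"]:
        return "SYN: step 1 of the handshake, a new connection request"
    return "segment of an established connection"

if __name__ == "__main__":
    seg = parse_frame(dump_to_bytes(DUMP))
    print(seg)
    print(classify(seg))
```

For this frame the result is a SYN-ACK from port 43 to local port 1042, matching the flag lines in the alert. Confirming that the local host sent the matching SYN needs the firewall's outbound log, which the flags alone cannot show.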