tomhouck asked:

NDIS User Mode I/O Driver Question

I am new to firewalls. So, with my Sygate firewall running, I get a lot of information I am unfamiliar with regarding applications that are either trying to get out of my computer (onto the Internet) or get into my computer.

One application that tries (constantly) to get out is NDIS. I can see that it is coming from my system directory. I assume it is a WIN XP application trying to do some harmless activity. But because I am unfamiliar with it, I wanted to get an expert's opinion as to what it is trying to do.

The actual file name is "ndisuio.sys".

Thank you for any help.

Tom Houck
geoffryn

That driver is just an intermediate level between the user and kernel modes. Some other program must be using it.
ASKER CERTIFIED SOLUTION
TooKoolKris
tomhouck (ASKER)

TooKoolKris
Thanks for the response. So is it harmless? How can I determine what application is trying to use it?

Thank you,

Tom
You can download a copy of fport from the link below; it will tell you the .exe that is using each port. It's a free program as well. Have fun.

http://www.foundstone.com/knowledge/intrusion_detection.html

TooKoolKris
MCSE+I, CCNA, A+
I don't think Fport works on XP. Great tool though.
Yes, you will need to make sure that the psapi.dll file exists on the PC and that it is in the system folder. If not, you need to install fport in the same directory as the .dll file or change your environment settings by adding a path statement for the directory that the .dll is in.

TooKoolKris
MCSE+I, CCNA, A+
Are you saying that you have been able to get fport to produce results on XP? I can run the app but it does not enumerate ports and services. I have repro'd this on multiple systems.
No, I'm just stating that the program requires this .dll in order to function. I haven't tested it on XP. On W2K that .dll is in the system folder so you don't have to do anything. On NT4 it's in a different folder so it may be that way for XP as well. Does a file search for that .dll file turn up anything in XP? We don't run XP at work yet because most of our company software hasn't been upgraded to support it yet. We're mostly a W2K shop.

TooKoolKris
MCSE+I, CCNA, A+
I have the .dll, and it doesn't work. Neither does Vision.
Oh well then, at any rate it's a harmless system file communicating within the IP stack.

TooKoolKris
MCSE+I, CCNA, A+
Firstly, I just tried the fport program on XP in a random directory and it does work...

Secondly, since I have just gone through this same scenario with this file and warning, I have a concern about your answer. You did not ask if there was also communication from an external IP. This would be important, as it would signal that it obviously is not merely internal network communication.

The reason I am replying is because there very well could be more to it.

Use this site as a reference
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

This gives you a listing of some ports that are commonly used for trojan activity. The port listed on my attempted communication is 65432. You can see there is a trojan that is affiliated with that port. While it does not signify that I surely have a trojan which has infected my computer... nonetheless it is a possibility.

I still have not been able to find why someone is trying to communicate to that port and sys file, as I used a trojan cleaning program and it did not find anything. Perhaps another program installed it and it is affiliated with that program; I am not sure.

Hope this helps
Yes, I also have Sygate, which I like very much. Yeah, I have the same popup that says the same thing, BUT when I look up the traffic log it is connecting to my ISP's DNS server. Plus I just formatted and installed the firewall right after my hardware drivers (no viruses on the machine at this time) and it shows up on every format, so I really believe WE have nothing to worry about.
I think this is the answer to your original question...

The following applications may need to be set to allow within the running applications list: "mpsrv", "kernel32", "ntoskrnl", "svchost", "NetBeui", and possibly "tcpsvcs", "nwlnkipx.sys", "ndisuio.sys" and "ssdpsrv". These settings will need to be applied to all systems running SPF that require F&P sharing.


On all of the systems you have running Sygate, you will need to change your settings to allow this file.
Go to the Applications tab and allow

ndisuio.sys          <----- bingo!



You will all find http://www.whitehat-security.com/SPF.htm very helpful. =) hope that helps
Force Accepted

SpideyMod
Community Support Moderator @Experts Exchange
I know this is an old topic, but that might not be the problem either... My ndisuio.sys was constantly downloading 2-4k and after time it adds up to a lot. That's 56k speed downloading all day, every day! I also did a clean install, but that was after I was using the cable modem without a decent firewall like Sygate, so something must have gotten in and screwed up my IP status from "secure" to "come on all you hackers, let's have some fun". I had to go into safe mode and rename the file and now it doesn't download all day. I still get numerous ping attacks and minor things that the firewall blocks, which I assume is all related to my IP getting passed around because it was vulnerable. I still get pinging from all around the world, but now I guess the ndisuio.sys file isn't accessible to intruders anymore... not sure if I'll need it one day either.
Just in case anyone is still watching this:

http://www.iceteks.com/forums/index.php?s=0c61cc87365c1408753b008c8ca04d4c&showtopic=1290&view=findpost&p=14302

I've been looking for an answer for this for ages. Disabling the wireless configuration service stops all of this excess traffic. Doesn't really explain why it was happening in the first place, but at least we know how to kill it now.
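As an added example (not from the thread or from any poster), this PowerShell script does on a current Windows what the thread does by hand: it checks whether ndisuio.sys is the signed file in the system directory, lists every TCP/UDP endpoint with its owning process (the job fport did on 2000/XP, flagging the port 65432 mentioned above), and shows the state of the wireless configuration service. The service names `Ndisuio`, `WZCSVC` (XP) and `WlanSvc` (Vista and later) are assumptions; it needs Windows 8+ / PowerShell 5 for `Get-NetTCPConnection`.

```powershell
# Added example, not code from the thread. Assumed service names: Ndisuio, WZCSVC, WlanSvc.

function Get-DriverInfo {
    # Is the driver the file in the system directory, and does it carry a valid signature?
    param([string]$ServiceName = 'Ndisuio')
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
    if (-not $drv) { return $null }
    # PathName may look like '\??\C:\...', '\SystemRoot\system32\...' or 'system32\...'
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service     = $drv.Name
        State       = $drv.State
        StartMode   = $drv.StartMode
        Path        = $path
        InSystemDir = $path.StartsWith((Join-Path $env:SystemRoot 'System32'), 'OrdinalIgnoreCase')
        SigStatus   = $sig.Status            # expect 'Valid' for the Microsoft-shipped file
        Signer      = $sig.SignerCertificate.Subject
        Sha256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

function Get-EndpointOwner {
    # fport equivalent: every TCP/UDP endpoint with the process that owns it
    param([int[]]$WatchPorts = @(65432))   # 65432 is the port quoted in the thread
    $tcp = Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{ Proto='TCP'; Local="$($_.LocalAddress):$($_.LocalPort)"; Remote="$($_.RemoteAddress):$($_.RemotePort)"
                           State=$_.State; Pid=$_.OwningProcess; Port=$_.LocalPort; RPort=$_.RemotePort }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto='UDP'; Local="$($_.LocalAddress):$($_.LocalPort)"; Remote='*'
                           State='-'; Pid=$_.OwningProcess; Port=$_.LocalPort; RPort=0 }
    }
    foreach ($e in @($tcp) + @($udp)) {
        $p = Get-Process -Id $e.Pid -ErrorAction SilentlyContinue   # PID 0/4 have no image path
        $flag = if ($WatchPorts -contains $e.Port -or $WatchPorts -contains $e.RPort) { 'WATCH' } else { '' }
        $e | Add-Member -NotePropertyName Process -NotePropertyValue $(if ($p) { $p.ProcessName } else { '?' }) -PassThru |
             Add-Member -NotePropertyName Image   -NotePropertyValue $p.Path -PassThru |
             Add-Member -NotePropertyName Flag    -NotePropertyValue $flag -PassThru
    }
}

Get-DriverInfo | Format-List
Get-EndpointOwner | Sort-Object Flag -Descending | Format-Table Proto, Local, Remote, State, Pid, Process, Flag -AutoSize
# Wireless configuration service (the one the last post disables): XP name first, then the current one
'WZCSVC', 'WlanSvc' | ForEach-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue } | Select-Object Name, Status, StartType
```

Run it from an elevated prompt so `OwningProcess` resolves for every endpoint; an endpoint flagged WATCH whose `Image` is not a known binary is the thing to investigate further, not the driver itself.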