ndisuio.sys downloading?, why and what is this windows file doing?
Red Squirrel
Posted: Nov 4 2003, 05:07 PM
Interesting... I wonder why it was downloading so much data in kenshin's situation though.


--------------------
http://www.redsquirrel.me my blog
http://www.uovalor.com AoS/ML Ultima Online Shard
Wren
Posted: Nov 4 2003, 05:38 PM
If kenshin removed 130 spyware files, no telling what's still there. Some of that junk gets so embedded in the system it may have to be removed manually. Plus, he said he didn't want to get rid of Wild Tangent.
rovingcowboy
Posted: Nov 5 2003, 02:08 PM
there is an added benefit to using more than one spyware detecting program.

kevin on the screensavers at techtv the other week did a review of different programs, free and purchase versions of all the ones he could find.

he found that if you buy the ad watch from the ad aware people it did not work and he said to use the free adaware as that did work.

he did say to get spybot search and destroy free version or the purchase one. both worked.

he said he found that ad aware's free version found some things that spybot s&d could not find and that spybot s&d found some things that ad aware could not find.

so running both would be more beneficial than using one.


I also have and use the free version of "Swatit" trojan and bot remover from the millennium lockdown company; it is good as it only looks for trojans and bots.



--------------------
roving cowboy/ keith
Red Squirrel
Posted: Nov 6 2003, 10:40 AM
Hmm, my grandma always plays on pogo.com, that's probably why her computer is always full of junk!


Wren
Posted: Nov 6 2003, 12:42 PM
This is a good, free program to keep spyware from being loaded on your pc.

http://www.javacoolsoftware.com/spywareblaster.html
Red Squirrel
Posted: Nov 17 2003, 09:02 PM
I'm just curious to know what alice has to say about this.


Red Squirrel
Posted: Nov 17 2003, 09:02 PM
ok, let's try that again.

I wonder what alice has to say about this.


L33T B0T
Posted: Nov 17 2003, 09:02 PM
QUOTE
ok, let's try that again.

I wonder what alice has to say about this.

Once more? How do you usually introduce yourself?

Take it easy. You are curious about what alice has to say about this.


--------------------
L33T B0T
Serving the community since Undefined
meee
Posted: Nov 21 2003, 04:11 PM
the file you speak of [ndis] blah blah blah user i/o driver blah blah blah is the wireless zero config service in your local services. it's for wireless routers n mice and such. disable that service, the driver goes away, and the packets you see that are being downloaded and goin nowhere are rf packets such as 811-b so forth etc blah blah blah. the file really known as ndisuio.sys or ndis user i/o driver, it's a basic part of the nt kernel and cannot be deleted or removed and has nothing to do with downloading sp2. it's just a mini port that is used for wireless products and bluetooth
have fun you are not being HACKED THAT IS UNLESS YA HAVE A COLD

This post has been edited by meee on Nov 21 2003, 04:12 PM
jax
Posted: Nov 22 2003, 08:07 PM
I don't have wireless ANYTHING, and I still have that file trying to do stuff.
I also JUST did a fresh install of XP less than 3 hours ago and haven't used any web sites other than Soyo, HP, and Epson. (And of course Google, to find this site)

And I'm constantly seeing this ndisuio.sys trying to get by my firewall.
Triple6_wild
Posted: Nov 22 2003, 08:12 PM
well it seems like it's a windows xp file lol someone should ask microsoft about it ... although they probably don't even know about it cuz ms sux ... anyways my sister's computer has it too but she has no firewall so i had to search for it

I HATE MICROSOFT HEHEHEHE


--------------------
GT5 IS COMING. Roll on November 2nd
Wren
Posted: Nov 22 2003, 08:52 PM
kenshin... go to Control Panel> Adm.Tools> Services. Scroll down to Wireless Zero Configuration, double click, which will bring up a window to disable.
Red Squirrel
Posted: Nov 22 2003, 11:57 PM
This is really getting interesting. Given this is Windows XP and because of the whole DMCA thing, it could maybe be some kind of "big brother" or something. There's hardly anything on Google about it, except for this thread. Where is it trying to connect? That could get us somewhere.

By the way, welcome to the forum Jax


pataphysician
Posted: Nov 29 2003, 08:16 AM
thank you so much meee for finally providing an answer to this problem! this had been bugging me for weeks. it all started after i temporarily used a wireless connection, but i never put the two incidents together. for anyone interested, this is what the problem looks like:

http://home.swfla.rr.com/pataphysician/ndis.png

pretty much all incoming data appears to be doubled, and sygate's packet log reports that half of it is going to ndisuio.sys.

you can tell that it's something local within the machine - not "hackers" or spyware or even microsoft spying on us - because the apparent incoming traffic will far exceed anything your connection is actually capable of (see the screenshot). in other words, this is all occurring locally within the computer, and is nothing to worry about.

This post has been edited by pataphysician on Nov 29 2003, 08:18 AM
fearless
Posted: Nov 29 2003, 01:04 PM
tnx for the help, I had the same thing, with traffic doubled during transfers to that ****** file, well now it's gone and I'm happy that I didn't have to reinstall XP.

But I haven't had any cordless things on my computer so I still wanna know the cause of this problem.
pataphysician
Posted: Nov 29 2003, 05:35 PM
i don't think you need to have any wireless devices attached at any time. as long as the wireless config service is running, this will happen.

fwiw, this applies to both 2k and xp.
nro
Posted: Nov 29 2003, 11:18 PM
Well,
Let me tell you my experience with this problem.
I run Windows XP with Sygate. I have Linksys wireless drivers installed on my computer (although the device is not used anymore). Program being in C:\WINDOWS\System32\drivers\ndisuio.sys. I used my logs to check out who this program was contacting. I did some tracing and found that it connected to companies like Comcast, RoadRunner, Verizon, TimeWarner and so on. It also contacted this company called Brandenburg Telephone Company. I got their contact information. I called them up to ask what they knew (more for amusement) and of course they gave me a blank answer, kinda funny. Anyway, on the other hand, I called up Microsoft and asked. After spending about 2 hours on the phone, they said they would email me (like all [censored] up companies with bad tech support say). My conclusion for this problem is not that it is trying to hog all your bandwidth, but it is trying to download certain files from separate sources. Like KaZaA grabs parts of files from different users. THIS IS A WIRELESS PROBLEM. It does not mean that you are using wireless, it means that one of your programs on your computer is calling for this driver.
I went to Administration Tools in Control Panel and then to Services. Down to Wireless Zero Configuration. I looked at the "Path to executable" and noticed that it was "C:\WINDOWS\System32\svchost.exe -k netsvcs". I know from previous experience that svchost.exe is an RPC (Remote Procedure Call) service which allows users to exploit your Windows system and run any code of the hacker's choice. As for a solution to this, you are able to patch this up: Here
Other RPC exploits can be searched for on the Microsoft website and patches can be downloaded.
Now that you have RPC patched and more secure (notice the *more* in there, Windows will never be secure, switch to `nix), disabling the service is your best option (read above). Do not delete this file!
Also, this file often attaches to your network device so go to Control Panel, then Network Connections, then right click on your active network devices. Go to Properties. Make sure that you do not have any unusual(I only stick to unusual because it varies depending on what you have installed for Windows, generally, anything not signed by Microsoft and your device's company).
Another thing that is highly recommended is enabling the firewall on your device. While still in the Properties for your network device, click on the "Advanced" tab and check the tab to enable your firewall.
Red Squirrel
Posted: Nov 30 2003, 12:16 AM
hmm interesting... Sounds like a big brother thing to me. But what makes this strange is that pataphysician mentioned that it's local traffic, but maybe it's only partially local. I don't have this problem so I can't investigate it, but it sounds like quite a suspicious file that is up to no good, but yet not a virus.


pataphysician
Posted: Nov 30 2003, 01:26 AM
QUOTE (nro @ Nov 29 2003, 11:18 PM)
Well,
Let me tell you my experience with this problem.
I run Windows XP with Sygate. I have Linksys wireless drivers installed on my computer (although the device is not used anymore). Program being in C:\WINDOWS\System32\drivers\ndisuio.sys. I used my logs to check out who this program was contacting. I did some tracing and found that it connected to companies like Comcast, RoadRunner, Verizon, TimeWarner and so on. It also contacted this company called Brandenburg Telephone Company. I got their contact information. I called them up to ask what they knew (more for amusement) and of course they gave me a blank answer, kinda funny. Anyway, on the other hand, I called up Microsoft and asked. After spending about 2 hours on the phone, they said they would email me (like all [censored] up companies with bad tech support say). My conclusion for this problem is not that it is trying to hog all your bandwidth, but it is trying to download certain files from separate sources. Like KaZaA grabs parts of files from different users. THIS IS A WIRELESS PROBLEM. It does not mean that you are using wireless, it means that one of your programs on your computer is calling for this driver.
I went to Administration Tools in Control Panel and then to Services. Down to Wireless Zero Configuration. I looked at the "Path to executable" and noticed that it was "C:\WINDOWS\System32\svchost.exe -k netsvcs". I know from previous experience that svchost.exe is an RPC (Remote Procedure Call) service which allows users to exploit your Windows system and run any code of the hacker's choice. As for a solution to this, you are able to patch this up: Here
Other RPC exploits can be searched for on the Microsoft website and patches can be downloaded.
Now that you have RPC patched and more secure (notice the *more* in there, Windows will never be secure, switch to `nix), disabling the service is your best option (read above). Do not delete this file!
Also, this file often attaches to your network device so go to Control Panel, then Network Connections, then right click on your active network devices. Go to Properties. Make sure that you do not have any unusual(I only stick to unusual because it varies depending on what you have installed for Windows, generally, anything not signed by Microsoft and your device's company).
Another thing that is highly recommended is enabling the firewall on your device. While still in the Properties for your network device, click on the "Advanced" tab and check the tab to enable your firewall.

no offense, but i think this is a little paranoid. when you're seeing this stuff going to ndisuio.sys, what i suspect is happening is that all of the data coming in to your computer is duplicated, internally, and then sent to the process. you'll see it connected to all of these companies probably because you've connected to them yourself, on kazaa or irc or whatever.

again, at least in my experience, it's obvious that nothing is coming from outside of the machine itself because the apparent incoming data rate is so ridiculously high that it would be impossible. if you run a packet sniffer you can analyze the data "coming in" to ndisuio and compare it to all of your other incoming data. you'll see that it's the exact same thing, not some clandestine program. it's just a duplicate of all of your other network activity. furthermore, if it was downloading some massive program (this was happening to me for weeks), where is it being stored? a final test: unplug your modem from the router. grab a large file from another machine on your LAN. you'll see that ndisuio is still receiving massive amounts of data. all of the incoming data is still being duplicated, and obviously none of it is coming from the internet.

svchost.exe is not just for RPC services. it's a host-process for all services that launch from .dll files. that's why you have 3,4,5... svchosts running at once. 75% of 2k's/xp's services use svchost as a, well, host.
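
The duplicate-traffic check pataphysician describes above, as an added example that is not part of the original thread: it tests whether every inbound log entry attributed to ndisuio.sys mirrors an entry for another process, and whether the apparent inbound rate exceeds what the link can carry. The CSV layout, sample rows, addresses, process names and the 200 kbit/s link speed are constructed for illustration and are not Sygate's real log format.

```python
import csv
import io
from collections import Counter

# Constructed sample log (not Sygate's real format): time in seconds,
# direction, remote address, payload bytes, owning process or driver.
SAMPLE_LOG = """time,direction,remote,bytes,process
0.00,in,192.0.2.10,1460,iexplore.exe
0.00,in,192.0.2.10,1460,ndisuio.sys
0.10,in,192.0.2.10,1460,iexplore.exe
0.10,in,192.0.2.10,1460,ndisuio.sys
0.20,in,198.51.100.7,512,kazaa.exe
0.20,in,198.51.100.7,512,ndisuio.sys
0.30,out,192.0.2.10,64,iexplore.exe
"""
DRIVER = "ndisuio.sys"


def analyze(log_text, link_bits_per_sec, driver=DRIVER):
    """Compare inbound entries attributed to `driver` with all other inbound entries."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["direction"] == "in"]
    if not rows:
        raise ValueError("no inbound entries in log")

    def key(r):
        return (r["time"], r["remote"], int(r["bytes"]))

    mirrored = Counter(key(r) for r in rows if r["process"] == driver)
    real = Counter(key(r) for r in rows if r["process"] != driver)
    unmatched = mirrored - real  # driver entries with no twin elsewhere

    driver_bytes = sum(k[2] * n for k, n in mirrored.items())
    real_bytes = sum(k[2] * n for k, n in real.items())
    times = [float(r["time"]) for r in rows]
    span = max(times) - min(times)
    if span <= 0:
        raise ValueError("log covers no time span; cannot compute a rate")
    apparent_bps = (driver_bytes + real_bytes) * 8 / span
    real_bps = real_bytes * 8 / span
    return {
        "driver_bytes": driver_bytes,
        "other_bytes": real_bytes,
        "unmatched_driver_entries": sum(unmatched.values()),
        "apparent_exceeds_link": apparent_bps > link_bits_per_sec,
        "deduplicated_fits_link": real_bps <= link_bits_per_sec,
    }


if __name__ == "__main__":
    # 200 kbit/s is a constructed link speed for the sample above.
    for name, value in analyze(SAMPLE_LOG, 200_000).items():
        print(f"{name}: {value}")
```

A nonzero `unmatched_driver_entries` means the driver was credited with traffic that no other process received, which is the case worth following up with a packet capture.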
Red Squirrel
Posted: Nov 30 2003, 05:48 PM
svchost always crashes at our school (our network is filled with viruses) and it usually stops us from copying and pasting.. very annoying. It takes about 5 minutes to reboot those computers.

