Thread: NDIS user mode I/O driver

  1. #1
    Join Date
    Sep 2004
    Posts
    81

    NDIS user mode I/O driver

    Since installing Sygate Personal Firewall I have found that it keeps on downloading something from the internet. It carries out its downloading process even when I block the IP address from where it tries to download. I see incoming traffic as blocked and outgoing traffic as zero. I am not able to make out what exactly the role of the NDIS user mode I/O driver is; it's there in C:\WINDOWS\System32\DRIVERS\ndisuio.sys. Its description says "It performs internal communications tasks within Windows". I would like to know what exactly it is and what the hell it keeps on downloading???

  2. #2
    Join Date
    Jan 2006
    Posts
    2,257

    Re: NDIS user mode I/O driver

    I guess the Wireless Zero Configuration service might be using ndisuio.sys. There is a possibility that spyware might be using it as well. In that case, go to Administrative Tools/Services, check for "Wireless Zero Configuration" and disable it from there. If you are having a wireless setup on the machine then there is no need of keeping Wireless Zero Configuration running. Other than these, you should also inspect the processes that might be running from Task Manager.

  3. #3
    Join Date
    Sep 2004
    Posts
    81

    Re: NDIS user mode I/O driver

    Disabling Wireless Zero Configuration was helpful. I wanted to share that some days back I came across "[181] DCE BIND to potentially vulnerable RPC DCOM security log of the firewall. It has blocked all incoming and outgoing traffic on ports 181 and 135. I wanted to know if NDIS might be related to it? Any idea?

  4. #4
    Join Date
    Jan 2006
    Posts
    2,257

    Re: NDIS user mode I/O driver

    If you are having a firewall protecting port 135 then you don't have to worry about anything. I wanted to share that RPC is used by Wireless Zero Configuration, but as you have shut it down, there shouldn't be any problem. RPC, which is RPCRT4.dll, is used by svchost.exe. In case you don't see svchost.exe running then your system might have got affected by a trojan. You will have to run a thorough scan to eliminate it as soon as possible. If that's not the case and you want to keep Wireless Zero Configuration running then you can use BlackIce. You can use it for shutting down ndisuio.sys from communicating but still allowing it to run.

  5. #5
    Join Date
    Sep 2004
    Posts
    81
    Thanks for sharing that extra information with me. I will check out BlackIce for shutting down ndisuio.sys from communicating but still allowing it to run. Hope running it won't create any further mess.

  6. #6
    Join Date
    Nov 2009
    Posts
    1

    Re: NDIS user mode I/O driver

    I was running into exactly the same issue, and while looking for a fix for this I came across this thread. I was able to fix it with the very first solution posted by Mr. Boo Bear. Your solution was a real time saver for me.
    Last edited by WazzoTheMartian; 02-11-2009 at 04:55 AM.
