ndisuio.sys downloading?

Triple6_wild · Post by **Triple6_wild** » Sat Nov 22, 2003 7:12 pm

well it seem like its a windows xp file lol someone should ask microsoft about it ... altho thay probly dont even know about it cuz ms sux ... anyways my sisters computer has it to but she has no firewall so i had to search for it

I HATE MICROSOFT HEHEHEHE

Archived topic from Iceteks, old topic ID:1290, old post ID:14350

Wren · Post by **Wren** » Sat Nov 22, 2003 7:52 pm

kenshin... go to Control Panel> Adm.Tools> Services. Scroll down to Wireless Zero Configuration, double click, which will bring up a window to disable.

Archived topic from Iceteks, old topic ID:1290, old post ID:14351

Red Squirrel · Post by **Red Squirrel** » Sat Nov 22, 2003 10:57 pm

This is really getting interesting. Given this is Windows XP and because of the whole DMCA thing, it could maybe be some kind of "big brother" or something. There's hardly anything on google about it, except for this thread .

Where is it trying to connect? That could get us somewhere.

By the way welcome to the forum Jax

Archived topic from Iceteks, old topic ID:1290, old post ID:14352

Anonymous · Post by **Anonymous** » Sat Nov 29, 2003 7:16 am

thank you so much meee for finally providing an answer to this problem! this had been bugging me for weeks. it all started after i temporarily used a wireless connection, but i never put the two incidents together. for anyone interested, this is what the problem looks like:

http://home.swfla.rr.com/pataphysician/ndis.png

pretty much all incoming data appears to be doubled, and sygate's packet log reports that half of it is going to ndisuio.sys.

you can tell that it's something local within the machine - not "hackers" or spyware or even microsoft spying on us - because the apparent incoming traffic will far exceed anything your connection is actually capable of (see the screenshot). in other words, this is all occuring locally within the computer, and is nothing to worry about.

Archived topic from Iceteks, old topic ID:1290, old post ID:14581

Anonymous · Post by **Anonymous** » Sat Nov 29, 2003 12:04 pm

tnx for the help, I had the same thing, with traffic doubled during transfers to that ****** file, well now it's gone

and I'm happy that I didn't have to reinstall XP.

But I havn't had any cordless things to my computer so I still wanna know the cause of this problem.

Archived topic from Iceteks, old topic ID:1290, old post ID:14588

Anonymous · Post by **Anonymous** » Sat Nov 29, 2003 4:35 pm

i don't think you need to have any wireless devices attached at any time. as long as the wireless config service is running, this will happen.

fwiw, this applies to both 2k and xp.

Archived topic from Iceteks, old topic ID:1290, old post ID:14605

Anonymous · Post by **Anonymous** » Sat Nov 29, 2003 10:18 pm

Well,
Let me tell you my experience with this problem.
I run windowsXP with Sygate. I have Linksys wireless drivers installed on my computer(Although the device is not used anymore). Program being in C:WINDOWSSystem32drivers
disuio.sys. I used my logs to check out who this program was contacting. I did some tracing and found that it connected to companies like Comcast, RoadRunner, Verizon, TimeWarner and so on. It also contacted this company called Brandenburg Telephone Company. I got their contact information. I called them up to ask what they knew(more for amusement) and ofcourse they gave me a blank answer, kinda funny. Anyway, on the other hand. I called up Microsoft and asked. After spending about 2 hours on the phone, they said they would email me(like all

up companies with bad tech support say). My conclusion for this problem is not that it is trying to hog all your bandwidth, but it is trying to download certain files from seperate sources. Like KaZaA grabs parts of files from different users. THIS IS A WIRELESS PROBLEM. It does not mean that you are using wireless, it means that one of your programs on your computer is calling for this driver.
I went to Administration Tools in Control Panel and then to Services. Down to Wireless Zero Configuration. I looked at the "Path to executable" and noticed that it was "C:WINDOWSSystem32svchost.exe -k netsvcs" I know from previous expererience that svchost.exe is a RPC(Remote Procedure Call) service which allow users to exploit your Windows system and run any code of the hacker's choice. As for a solution to this, you are able to patch this up: Here
Other RPC exploits can be searched for on the Microsoft website and patches can be downloaded.
Now that you have RPC patched and more secure(notice the *more* in there, Windows will never be secure, switch to `nix

), disableing the service is your best option(read above). Do not delete this file!
Also, this file often attatches to your network device so go to Control Panel, then Network Connections, then right click on your active network devices. Go to Proporties. Make sure that you do not have any unusuall(I only stick to unusual because it varies depending on what you have installed for Windows, generally, anything not signed by Mircosoft and your device's company).
Another thing that is highly recommended is enableing the firewalll on your device. While still in the Proporties for your network device, click on the "Advanced" tab and check the tab to enable your firewall.

Archived topic from Iceteks, old topic ID:1290, old post ID:14615

Red Squirrel · Post by **Red Squirrel** » Sat Nov 29, 2003 11:16 pm

hmm interesting... Sounds like a big brother thing to me. But what makes this strange is that pataphysician mentioned that it's local traffic, but maybe it's only partially local. I don't have this problem so I can't investigate it, but it sounds like quite a suspicious file that is up to no good, but yet not a virus.

Archived topic from Iceteks, old topic ID:1290, old post ID:14620

Anonymous · Post by **Anonymous** » Sun Nov 30, 2003 12:26 am

nro wrote: Well,
Let me tell you my experience with this problem.
I run windowsXP with Sygate. I have Linksys wireless drivers installed on my computer(Although the device is not used anymore). Program being in C:WINDOWSSystem32drivers
disuio.sys. I used my logs to check out who this program was contacting. I did some tracing and found that it connected to companies like Comcast, RoadRunner, Verizon, TimeWarner and so on. It also contacted this company called Brandenburg Telephone Company. I got their contact information. I called them up to ask what they knew(more for amusement) and ofcourse they gave me a blank answer, kinda funny. Anyway, on the other hand. I called up Microsoft and asked. After spending about 2 hours on the phone, they said they would email me(like all up companies with bad tech support say). My conclusion for this problem is not that it is trying to hog all your bandwidth, but it is trying to download certain files from seperate sources. Like KaZaA grabs parts of files from different users. THIS IS A WIRELESS PROBLEM. It does not mean that you are using wireless, it means that one of your programs on your computer is calling for this driver.
I went to Administration Tools in Control Panel and then to Services. Down to Wireless Zero Configuration. I looked at the "Path to executable" and noticed that it was "C:WINDOWSSystem32svchost.exe -k netsvcs" I know from previous expererience that svchost.exe is a RPC(Remote Procedure Call) service which allow users to exploit your Windows system and run any code of the hacker's choice. As for a solution to this, you are able to patch this up: Here
Other RPC exploits can be searched for on the Microsoft website and patches can be downloaded.
Now that you have RPC patched and more secure(notice the *more* in there, Windows will never be secure, switch to `nix ), disableing the service is your best option(read above). Do not delete this file!
Also, this file often attatches to your network device so go to Control Panel, then Network Connections, then right click on your active network devices. Go to Proporties. Make sure that you do not have any unusuall(I only stick to unusual because it varies depending on what you have installed for Windows, generally, anything not signed by Mircosoft and your device's company).
Another thing that is highly recommended is enableing the firewalll on your device. While still in the Proporties for your network device, click on the "Advanced" tab and check the tab to enable your firewall.

no offense, but i think this is a little paranoid. when you're seeing this stuff going to ndisuio.sys, what i suspect is happening is that all of the data coming in to your computer is duplicated, internally, and then sent to the process. you'll see it connected to all of these companies probably because you've connected to them yourself, on kazaa or irc or whatever.

again, at least in my experience, it's obvious that nothing is coming from outside of the machine itself because the apparent incoming data rate is so ridiculously high that it would be impossible. if you run a packet sniffer you can analyze the data "coming in" to ndisuio and compare it to all of your other incoming data. you'll see that it's the exact same thing, not some clandestine program. it's just a duplicate of all of your other network activity. furthermore, if it was downloading some massive program (this was happening to me for weeks), where is it being stored? a final test: unplug your modem from the router. grab a large file from another machine on your LAN. you'll see that ndisuio is still receiving massive amounts of data. all of the incoming data is still being duplicated, and obviously none of it is coming from the internet.

svchost.exe is not just for RPC services. it's a host-process for all services that launch from .dll files. that's why you have 3,4,5... svchosts running at once. 75% of 2k's/xp's services use svchost as a, well, host.

Archived topic from Iceteks, old topic ID:1290, old post ID:14623

Red Squirrel · Post by **Red Squirrel** » Sun Nov 30, 2003 4:48 pm

svchost always crashes at our school (our network is filled with viruses) and it usually stops us from copying and pasting.. very ennoying. It takes about 5 minutes to reboot those computers.

Archived topic from Iceteks, old topic ID:1290, old post ID:14631

Triple6_wild · Post by **Triple6_wild** » Mon Jan 05, 2004 2:51 am

ok peeps stop sending email and read the post by pataphysician cuz hes right lol

Archived topic from Iceteks, old topic ID:1290, old post ID:15452

Anonymous · Post by **Anonymous** » Mon Feb 02, 2004 10:20 pm

What the hell is WZCSVC.ndi

Been reading this thread.

Somehow came across the above in my system.

Looking for Wireless Zero Configuration...

setupapi whatever a notepad file extension is...forget...drunk...paranoid??:

Wireless Zero Configuration: %SystemRoot%System32svchost.exe -k netsvcs (autostart)

...in startuplist."I am drunk"...found...:
#I022 Found "MS_WZCSVC" in C:WINDOWSinf
etwzc.inf; Device: "Wireless Zero Configuration"; Driver: "Wireless Zero Configuration"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "WZCSVC.ndi".

...so that's why i have asked you peeps?!!?!??!?!??!

Archived topic from Iceteks, old topic ID:1290, old post ID:16444

Red Squirrel · Post by **Red Squirrel** » Mon Feb 02, 2004 10:22 pm

Probably part of the whole ndisuio.sys thing. Some kind of wireless file that does something odd. I assume it's that since it is a .ndi file and that's the first 3 letters of the file this thread is about. I have not experienced anything with this file though, since I think it's only in winxp.

Archived topic from Iceteks, old topic ID:1290, old post ID:16445

Anonymous · Post by **Anonymous** » Fri Mar 12, 2004 11:04 am

i know this is a very old thread now, but i just wanted to thank all you guys. I have just had to reinstall XP and my firewall (sygate). And found NDIS doing things that it shouldn't of been. I didn't understand what was happening coz i never had it before. But thanks to however said to disable the wireless services, which reminded me that i went through all the services and turned of none essential stuff last time. which ment i never saw this NDIS before. so anyhow THANKS AGAIN LADS AND LASSES

Archived topic from Iceteks, old topic ID:1290, old post ID:18210

Red Squirrel · Post by **Red Squirrel** » Fri Mar 12, 2004 1:53 pm

No problem. It seems to be a common issue because this thread has a crazy ammount of hits.

Archived topic from Iceteks, old topic ID:1290, old post ID:18212

Anonymous · Post by **Anonymous** » Sat Mar 13, 2004 5:37 am

hahaha this crazy post hit 21k views ..... hey red you should have a google ad or somthing in here lmao make a lil cash

Archived topic from Iceteks, old topic ID:1290, old post ID:18219

Red Squirrel · Post by **Red Squirrel** » Sat Mar 13, 2004 11:10 am

I do, on top. I think most of my ad money does come from this thread

Archived topic from Iceteks, old topic ID:1290, old post ID:18220

Anonymous · Post by **Anonymous** » Thu Jun 03, 2004 10:45 am

Hi, I've been having the same problem lately (NDisuio.sys kept trying to connect, perhaps over 50 times already) and I think it started right after I downloaded Sygate Firewall. I never had this problem before.

Archived topic from Iceteks, old topic ID:1290, old post ID:20126

Anonymous · Post by **Anonymous** » Fri Jun 04, 2004 11:04 am

Sorry, I'm a newbie. How do you disable wireless service?

Archived topic from Iceteks, old topic ID:1290, old post ID:20135

Wren · Post by **Wren** » Sun Jun 06, 2004 7:30 pm

If you are using XP, go to Control Panel> Adm.Tools> Services. Scroll down to Wireless Zero Configuration, double click, which will bring up a window to disable.

Here is a good site for explaining what services you may want to disable.

http://www.blackviper.com/WinXP/servicecfg.htm

Archived topic from Iceteks, old topic ID:1290, old post ID:20227

Red Squirrel · Post by **Red Squirrel** » Sun Jun 06, 2004 8:43 pm

Welcome aboard!

I should rename this site to DisableNdisuio because of so many new members because of this file.

Must be a big issue with winxp that's not well documented. It's always nice to know that this site helped.

Archived topic from Iceteks, old topic ID:1290, old post ID:20229

Red Squirrel · Post by **Red Squirrel** » Mon Jun 21, 2004 11:48 pm

When I get the chance I want to find myself a copy of XP so I can dual boot and analyse exactly what this file does, since I want to write an article on it to help others know more about what it's for and how to disable it and such.

Archived topic from Iceteks, old topic ID:1290, old post ID:20585

Anonymous · Post by **Anonymous** » Tue Jun 22, 2004 10:23 pm

Hi, I just signed up, new to anything more than defrag. info: when Sygate shows an "attack" or something blocked, the only thing usually is ndisuido.sys that hryd blocked(did because i accidently clicked the wrong one in the past. I think. IF you havn't, check out the site given before

http://www.blackviper.com/WinXP/service411...ransfer_Service

then go to COM+ Event SYSTEM, found in green lettered texts. Iwith that info and quickly lettin u know hardware profiles prefers you choose always connect. IT almost got me. Ok been up WAY to long. nice to meet ya folks, laterz. and b/c i will prolly be asked considering my state of mind, i am 19. lates

Archived topic from Iceteks, old topic ID:1290, old post ID:20599

Red Squirrel · Post by **Red Squirrel** » Tue Jun 22, 2004 11:19 pm

Welcome aboard,hope yo see you around.

Once I find my copy of XP I'll be doing some testing on this file to bring more data to everyone. I have lot of hacking tools and such that I'll be able to play with. Perhaps I can even exploit it.

Archived topic from Iceteks, old topic ID:1290, old post ID:20601

Triple6_wild · Post by **Triple6_wild** » Sun Jul 04, 2004 8:46 pm

update on this for you all that didnt find the article our very own red squirrel wrote if you havnt fixed problem yet this should help ya

has info on the file and ways to fix the problem

http://www.iceteks.com/articles.php?act=vi...le=ndisuio&p=1&

Archived topic from Iceteks, old topic ID:1290, old post ID:20785