
Can anyone work my firewall log out (please)?


thunder9998

Jan 21, 2003
As soon as I connect to AOL I get hit by scans to port 4662 immediately. The scans always seem to come from the same people. I believe port 4662 has something to do with e-donkey? I have never had e-donkey installed on my comp.
Here are example logs taken over a 10 minute period -

2003/01/22 00:34:47 81.56.132.22:4422 (lns-p19-7-81-56-132-22.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:34:47 80.14.142.88:3302 (AVelizy-110-1-1-88.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:34:47 81.56.179.163:4516 (lns-p19-16-81-56-179-163.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:34:48 81.56.24.190:2110 (lns-p19-5-81-56-24-190.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:35:02 80.14.79.38:4763 (AToulon-103-1-2-38.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:35:14 81.49.178.51:2643 (ANancy-103-1-5-51.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:35:24 81.56.132.22:4571 (lns-p19-7-81-56-132-22.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:35:25 80.14.142.88:3471 (AVelizy-110-1-1-88.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:35:26 81.56.179.163:4723 (lns-p19-16-81-56-179-163.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:35:54 81.49.178.51:2811 (ANancy-103-1-5-51.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:36:06 80.14.142.88:3640 (AVelizy-110-1-1-88.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:36:08 81.56.132.22:4721 (lns-p19-7-81-56-132-22.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:36:08 81.56.179.163:3042 (lns-p19-16-81-56-179-163.adsl.proxad.net) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:37:18 193.49.120.41:4593 (pc-lewandowski.ipst.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:37:59 193.49.120.41:4755 (pc-lewandowski.ipst.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:38:03 80.11.160.83:3290 (AStrasbourg-206-1-8-83.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:38:41 193.49.120.41:4923 (pc-lewandowski.ipst.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:38:45 80.11.160.83:3443 (AStrasbourg-206-1-8-83.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:39:03 81.48.165.175:1718 (AClermont-Ferrand-203-1-1-175.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:39:28 80.11.160.83:3617 (AStrasbourg-206-1-8-83.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:39:44 81.48.165.175:1882 (AClermont-Ferrand-203-1-1-175.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:40:12 80.11.160.83:3784 (AStrasbourg-206-1-8-83.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:40:23 81.48.165.175:2035 (AClermont-Ferrand-203-1-1-175.abo.wanadoo.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:44:22 81.66.197.192:3881 (m192.net81-66-197.noos.fr) 172.182.69.11:4662 Port 4662 (TCP)
2003/01/22 00:45:09 81.66.197.192:4442 (m192.net81-66-197.noos.fr) 172.182.69.11:4662 Port 4662 (TCP)


As you can see the scans appear to come from France (faked?) The scans I receive are always like this.
I believe e-donkey has something to do with file sharing, but isn't it a bit of a coincidence that I get scanned from what appears the same people as soon as I connect to AOL all the time?
Any help would be much appreciated, I just cannot work it out. Thanks
 
Run a virus/trojan scan on your machine. Make sure you're clean. Then research e-donkey a bit, and make sure it isn't installed on your computer.

Well, your computer is probably contacting these machines to let them know you're online. That's the only way they know your machine is up and running. Or they're constantly scanning your computer (doubt it).

 
Do you have a static IP?
If not, then someone with your IP address might have been running edonkey in the past, so that might explain why you are getting the hits...
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
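
Added example, not part of any poster's message: a small Python parser for the log layout shown in the question that groups entries by source address and reports how many destination ports each source touched and the gaps between its attempts, which separates a sweep across many ports from repeated retries against one port. The sample lines are constructed (documentation addresses and example.net names), and the function name and report fields are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same layout as the log in the question
# (documentation addresses and example.net names, not real hosts).
SAMPLE_LOG = """\
2003/01/22 00:34:47 192.0.2.22:4422 (host-a.example.net) 198.51.100.11:4662 Port 4662 (TCP)
2003/01/22 00:34:48 192.0.2.88:3302 (host-b.example.net) 198.51.100.11:4662 Port 4662 (TCP)
2003/01/22 00:35:24 192.0.2.22:4571 (host-a.example.net) 198.51.100.11:4662 Port 4662 (TCP)
2003/01/22 00:35:25 192.0.2.88:3471 (host-b.example.net) 198.51.100.11:4662 Port 4662 (TCP)
2003/01/22 00:36:08 192.0.2.22:4721 (host-a.example.net) 198.51.100.11:4662 Port 4662 (TCP)
2003/01/22 00:44:22 203.0.113.192:3881 (host-c.example.net) 198.51.100.11:4662 Port 4662 (TCP)
this line is not a log entry
"""

# timestamp, source ip:port, (reverse DNS name), destination ip:port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"\([^)]*\) "
    r"\d+\.\d+\.\d+\.\d+:(?P<dport>\d+) "
)

def summarize(log_text):
    """Per source IP: attempt count, destination ports hit, seconds between attempts."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        seen[m["src"]].append((ts, int(m["dport"])))
    report = {}
    for src, hits in seen.items():
        times = sorted(t for t, _ in hits)
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[src] = {
            "attempts": len(hits),
            "dst_ports": sorted({p for _, p in hits}),  # one port = not a sweep
            "gaps_s": gaps,                             # regular gaps = retries
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```
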
 
First thing to do, using your firewall, block all communications to your port 4662.

Assuming that you are using some version of Windoze (using aol), go to and download TDI Monitor (TDIMon). Put the file in a permanent folder and double click it. The .exe file itself does a mini install (this is the actual app and not an install file) in that it extracts a .vxd file out of itself into Windows\System and references itself in system.ini (tdimsys.vxd). You will need to re-boot.

Then before running aol, start TDI Monitor. You might even want to put it in your startup folder. This should expose the offending "scumware?". Simply note the application attempting to use :4662.

You might also consider a new firewall that will log which application is involved in the communications.

I would say that you probably have something on your machine that you do not want considering that aol probably does not issue static IPs, which would be the only way that these servers could be "looking" for you.

Then again, aol is spyware in itself......................

Good Luck.
 
Hi everyone...I need some serious help. I was cleaning out my computer so I could do a Defrag and when I restarted I got an error referring to a file called tdimsys.vxd. I have no idea what that is but I saw it posted here so maybe someone can help me.

The error basically said the file could not be found and I should reinstall the program associated with that file. I have no idea what program used that file so how can I fix it?

 
Just for grins I downloaded the program and installed it.
It looks like it (tdimon.exe) has an uninstall option on its file menu.

Try a search for *tdimon*.* and see if that shows you any files.
 
There are only 2 files as far as I can remember, tdimon.exe, which is wherever you or someone else put it, and the tdimsys.vxd, which it puts in C:\Windows or C:\Windows\System.

I think there is also a registry entry, something like HKCU\Software\SysInternals\tdimon that you can delete.

It sounds suspicious that you get a File Not Found for the .vxd because if the .vxd was missing, the app would just create it and tell you to reboot.
 
When I uninstalled from the file menu, the files did not go away.
JV16 power tools showed it still installed.
Based on what I just saw, you might try the following:
Download JV16 power tools (it's a registry editor).
Let it look for installed programs - if tdimon shows up you can then ask JV16 to remove it.
Then under the file section look for *tdi*. This would let you see if any files are left over.

AND remember messing with the registry is a potential for problems - it's your risk when you do. Back it up first - there are some other threads about JV16 and about backing up the registry.
 
Well I know how to edit and backup/restore my reg. I was just wondering why I can't run my computer without that stupid tdimsys.vxd file. I went and installed tdimon and now my computer runs like it used to.
 
~HollisGraves

I am stymied on this one. The program that I mentioned does not behave this way, at least it didn't the last time that I played with it.

Have you tried to uninstall through the app from its own menu or is there an entry in your Control Panel's Add/Remove Programs list?
 