Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Networking gurus - question/problem
A bit of assistance would be much appreciated.
I am configuring a Thinkpad T-43 with XP Pro - needed for a remote desktop client. I have built it up in my normal fashion by immediately cloning the original hd to a new, larger hd using Acronis then built my partitions and installed SP3 and .NET 3.5 which was required by the rdp client. I installed my standard security/spyware programs - WebWasher, Spybot, SpywareBlaster, HijackThis, ZoneAlarm (Ugh, but I want outbound connect info) and AVG anti-virus (on a recommendation), and Firefox 3.0.5, locking it down as much as possible, and added a printer via dedicated IP address. Up to this point, the computer has not seen the internet, just the local network. Added in the remote desktop and configured to connect to the client site - all seemed to be well with the world. It isn't. Netstat is indicating four ports connected to doubleclick.net; now I'm pissed. I removed the modem from the network for troubleshooting. What I have learned is that bringing up a browser initiates an aggressive attempt for *something* to find a port for connecting to doubleclick.net with what appears to be as many as 20 ports tried until four are established. Tracing back, the origin is always the browser - I installed Opera to see if the behavior is the same and it is. HijackThis shows AVG installed a BHO which I removed. I have uninstalled Firefox and reinstalled with a different version. I uninstalled AVG. I uninstalled ZoneAlarm. No improvement. To verify that it isn't the Thinkpad, I replaced the current hd with the original and brought up IE. Netstat shows no doubleclick, so I'm thinking it had to have arrived with software. I have four other computers here (two of them Thinkpads) configured with the same software except they are W2KPro, use Avast anti-virus, and an older version of ZoneAlarm. None of them have doubleclick connections. Whatever is trying to connect to doubleclick.net is well below the radar and I'm about out of ideas.
The only thing left seems to be to reformat the drive and start the process over; something I'm not relishing. I'm hoping the brain trust here has some suggestions as the offending Thinkpad is banished from the net until this goddamn doubleclick connection is killed permanently. Thoughts??
__________________
~~~~~ Politicians should be compelled to wear uniforms like NASCAR drivers, so we could identify their owners. ~~~~~
Registered
I use Firefox, Spybot, AVG and ZoneAlarm on XP Pro and have no issues with doubleclick.
If you cloned the drive before you did anything, clone it back, install 1 app at a time and see what pops up. Any toolbars get installed with any of the other apps you installed?
__________________
Rick 93 968 (My summer car), 05 Cayenne S (My winter car), 79 924 (Wife's summer car), 02 C230k (Wife's winter car),
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Rick -
I'm really hoping to avoid the reinstall everything approach, but if it's necessary I will. No toolbars that I know of. I always install using "custom" or whatever the option gets called so I can select components. Looks like AVG adds a BHO even when you say no, however. Up to now I've always been able to avoid problems by careful setup; don't like this. With your browser you can enter "netstat" from a command line and don't see doubleclick, correct? What versions of ZA and AVG are you using?
Last edited by Jim727; 05-26-2009 at 04:45 PM.
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Any other ideas? I really don't want to have to wipe the drive and start over!
The good news is that the VPN works perfectly so I have until the weekend to find a solution. Jim
Registered
Join Date: Feb 2008
Location: Marietta GA
Posts: 2,561
Use this to see graphical real time port data and what is initiating it.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
Willtel-
Many thanks. I downloaded and ran it on two Thinkpads; one with w2kpro and one with xppro (the problem box). The w2kpro box shows clean - as expected. The xppro box using command line netstat shows local ports 1049, 1050, 1051 and 1052 established to foreign address doubleclick.net from a pid belonging to firefox; the TCPView listing, however, shows the same information except the foreign address shows as localhost (which I would expect if the proxy is doing its job). Is TCPView more accurate than command line netstat? If so, then I have no problem other than wanting to know which &%$^@& package tried to drop doubleclick into my system. Interestingly, I used TCPView to kill a connection and it does not get recreated when firefox is refreshed, but does when firefox is closed and re-invoked and then the ports being used for doubleclick are different. I owe you a beer! Jim
Registered
Join Date: Feb 2008
Location: Marietta GA
Posts: 2,561
It is the same info, just easier to read with more detail. If you need more information about running processes use this.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Tree-Hugging Member
Join Date: Oct 2006
Location: Northern California
Posts: 1,676
That's what I would have expected, but netstat shows the foreign add as doubleclick, whereas TCPView shows the foreign add as localhost. That's the piece I don't understand. My proxy blocks doubleclick (in its many incarnations) and redirects to 127.0.0.1, as does my hosts file. One seems to be reading the foreign add before the redirect and the other perhaps after?
Jim
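A way to check the netstat/TCPView discrepancy raised in the post above, as an added example that is not part of the original thread: it reads numeric `netstat -ano` output (so no name lookup is involved) together with the hosts file, and reports for each established connection whether the remote address is loopback and which hosts-file names point at that address. The netstat rows, PIDs, addresses and hosts entries below are constructed sample data.

```python
import ipaddress

# Constructed sample in the style of `netstat -ano` (numeric, no name resolution).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1049         127.0.0.1:1050         ESTABLISHED     2384
  TCP    127.0.0.1:1050         127.0.0.1:1049         ESTABLISHED     2384
  TCP    192.168.1.20:1061      192.168.1.1:8080       ESTABLISHED     2384
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
"""

# Constructed sample hosts file with blocklist entries pointed at loopback.
HOSTS = """\
# ad blocking
127.0.0.1   doubleclick.net
127.0.0.1   ad.doubleclick.net   # inline comment
127.0.0.1   localhost
"""

def hosts_names_by_ip(hosts_text):
    """Map each IP in a hosts file to the names listed for it, in file order."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            names.setdefault(fields[0], []).extend(fields[1:])
    return names

def classify_connections(netstat_text, hosts_text):
    """Return (pid, remote_ip, is_loopback, hosts_names) per ESTABLISHED TCP row."""
    names = hosts_names_by_ip(hosts_text)
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have exactly 5 fields; the header and non-established rows are skipped.
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        remote_ip = f[2].rsplit(":", 1)[0].strip("[]")
        loopback = ipaddress.ip_address(remote_ip).is_loopback
        rows.append((int(f[4]), remote_ip, loopback, names.get(remote_ip, [])))
    return rows

if __name__ == "__main__":
    for pid, ip, loopback, labels in classify_connections(NETSTAT_ANO, HOSTS):
        where = "stays on this machine" if loopback else "leaves this machine"
        print(f"pid {pid}: {ip} {where}; hosts names for this IP: {labels or '-'}")
```

A row flagged as loopback never leaves the machine, whatever name a resolving listing attaches to 127.0.0.1; only rows with a non-loopback remote address represent traffic to another host.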
Registered
Join Date: Oct 2007
Location: North Carolina
Posts: 1,025
Despite the silly name I've had good luck with this one: http://www.superantispyware.com/
__________________
1980 911SC