potential spyware/trojan

Discussion in 'NZ Computing' started by -[Myth]-, Jan 21, 2004.

  1. -[Myth]-

    -[Myth]- Guest

    When I execute netstat I get this:
    Active Connections

    Proto Local Address Foreign Address State
    TCP david:1078 ad.de.doubleclick.net:1079 ESTABLISHED
    TCP david:1079 ad.de.doubleclick.net:1078 ESTABLISHED

    At first glance it appears to be an HTTP connection downloading an ad;
    however, I cannot connect to ad.de.doubleclick.net ports 1078 or 1079 using
    Mozilla or telnet. I will do a scan with Spybot and Ad-Aware.
    Does anyone have any idea what is causing this? My guess is spyware.
    -[Myth]-, Jan 21, 2004
  2. -[Myth]-

    -[Myth]- Guest

    After rebooting I get:

    TCP david:1035 ad.de.doubleclick.net:1036 ESTABLISHED
    TCP david:1036 ad.de.doubleclick.net:1035 ESTABLISHED

    Then after a few seconds:

    TCP david:1036 ad.de.doubleclick.net:1035 TIME_WAIT

    There was also an HTTP connection to
    -[Myth]-, Jan 21, 2004
  3. Well? Are you going to run a spyware-removing tool such as the excellent
    free Spybot Search &amp; Destroy? :). One of your programs must be adware:
    it shows ad banners so that you can use it for free.

    Nicholas Sherlock
    Nicholas Sherlock, Jan 21, 2004
  4. -[Myth]-

    Enkidu Guest

    If you can't connect to it, that sort of implies that the other end
    connected first. If that is true, there may be a trojan on your


    Enkidu, Jan 21, 2004
  5. -[Myth]-

    -[Myth]- Guest

    There is no way that the connection could have got through my router,
    unless it has a security hole of some sort, which I very much doubt.
    -[Myth]-, Jan 21, 2004
  6. -[Myth]-

    -[Myth]- Guest

    As far as I know I have no adware software, and I have scanned with both
    Ad-Aware and Spybot recently.
    -[Myth]-, Jan 21, 2004
  7. My guess is that it is simply a connection from one port on your
    computer to another. Either you have an entry in your hosts that sets
    ad.de.doubleclick.net to or you have some sort of ad
    blocking software that is doing that. Netstat is then trying to do a
    reverse lookup on and is coming up with
    ad.de.doubleclick.net instead of the name of your computer.

    You don't say what OS you are running, but at a guess I would say Windows
    2000 or XP. If so, then download fport from
    http://www.foundstone.com/knowledge/proddesc/fport.html, run it, and it
    will tell you what is running on your computer on that port.
    Richard Gallagher, Jan 21, 2004
  8. Can you try it with -n as well? Just to confirm that the addresses being
    connected to are not local to your net.
    Lawrence D'Oliveiro, Jan 21, 2004
  9. -[Myth]-

    -[Myth]- Guest

    Yes, that seems to be the case:
    C:\>netstat -n

    Active Connections

    Proto Local Address Foreign Address State

    I have downloaded it but the connections have vanished now. I will wait
    till they come back, then use fport.

    Thanks for the help.
    -[Myth]-, Jan 25, 2004
  10. -[Myth]-

    I came across a similar issue with my system; I had this listing from netstat:

    Active Connections

    Proto Local Address Foreign Address State
    TCP doubleclick:59818 ESTABLISHED
    TCP doubleclick:59922 ESTABLISHED
    TCP doubleclick:60618 ESTABLISHED
    TCP doubleclick:49203 ESTABLISHED
    TCP doubleclick:nfsd-status TIME_WAIT
    TCP doubleclick:nfsd-status ESTABLISHED

    and so on...

    After freaking out and searching for the symptoms with DuckDuckGo, I came to this site. After a quick check, the answer was apparent. Being a Sr. Unix Engineer (no blue and white striped hat, and they do not let me drive trains!) has taught me a thing or two; it is very easy to forget all that in the face of a potential security leak.

    I do not like doubleclick, or any tracking of my wanderings about on the Net. Having been unsuccessful in blocking doubleclick with other means, I did to doubleclick what I do to my kids. All the mind-numbing online gaming and other activities which I do not approve of are easily blocked by my internal system. It is the DNS server, among other things.

    On the DNS, I set up a domain mind.numbing.game.com and the IP address for all access to the site is Works well, although I had to block outbound DNS from any system other than my server; they found Google's DNS at, GRRR!

    Along the same lines, I modified my hosts file to include:

    ## fix those pesky bastards
    doubleclick.net
    googlesyndication.com
    adnxs.com
    serving-sys.com
    realmedia.com
    adsafeproteced.com

    Works like a charm! So good that I forgot about it. If I were in your situation, I would capture the information from your netstat, reboot with no internet connected, edit the hosts file on your system and point all the spies at as I did. Then get out the big guns and scan, clean, and delouse your system. Run netstat /b (under Windows) to find any offending binaries, and seriously, consider using the BFWG method of mapping them to

    Live Long And Grow Fat!

    Last edited: Mar 23, 2014
    BigFatWhiteGuy, Mar 23, 2014
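Richard's explanation in post 7 (a hosts entry that pins ad.de.doubleclick.net to the local machine turns a local-to-local socket pair into something that netstat labels with the ad server's name) and the hosts-file sinkholing BigFatWhiteGuy describes can both be checked mechanically rather than by eye. The script below is an added example written for this thread, not code posted by anyone in it or shipped with any tool named here. It assumes Python 3 with only the standard library, Windows-style netstat output, and a constructed hosts file and netstat listing embedded inline; the page never shows the address the hosts entries point at, so 127.0.0.1 and 0.0.0.0 are assumptions, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample hosts file in the style the thread describes: ad
# domains sinkholed to the local machine. The page does not show the
# address used; 127.0.0.1 (loopback) and 0.0.0.0 are assumed here.
SAMPLE_HOSTS = """\
# ad sinkhole (constructed sample)
127.0.0.1   localhost
127.0.0.1   ad.de.doubleclick.net doubleclick.net googlesyndication.com
0.0.0.0     adnxs.com
"""

# Constructed sample netstat output. The first two lines reproduce the
# mirrored port pair from the original post; the TIME_WAIT line has lost
# its partner (as in the second post); the last line is an ordinary
# outbound web connection for contrast.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    david:1078             ad.de.doubleclick.net:1079   ESTABLISHED
  TCP    david:1079             ad.de.doubleclick.net:1078   ESTABLISHED
  TCP    david:1036             ad.de.doubleclick.net:1035   TIME_WAIT
  TCP    david:2345             example.net:80               ESTABLISHED
"""


def parse_hosts(text):
    """Map every hostname in a hosts-file text to the address it resolves to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def sinkholed_names(hosts):
    """Hostnames pinned to loopback or the unspecified address (0.0.0.0)."""
    names = set()
    for name, ip in hosts.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip it rather than fail
        if addr.is_loopback or addr.is_unspecified:
            names.add(name)
    return names


# One netstat connection row: proto, local host:port, foreign host:port and an
# optional state (UDP rows have none). The greedy \S+ backtracks to the last
# colon, so bracketed IPv6 addresses such as [::1]:80 split correctly.
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return (proto, lhost, lport, fhost, fport, state) tuples."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, lhost, lport, fhost, fport, state = m.groups()
            conns.append((proto, lhost, lport, fhost, fport, state or ""))
    return conns


def mirrored_connections(conns):
    """Connections whose mirror image (local and foreign ports swapped) is
    also listed: that only happens when both sockets live on this host."""
    seen = {(proto, lport, fport) for proto, _, lport, _, fport, _ in conns}
    return [c for c in conns if (c[0], c[4], c[2]) in seen]


def classify(conns, hosts):
    """Attach to each connection the reasons it is local-to-local despite the
    foreign name shown; an empty list means no such evidence was found."""
    pinned = sinkholed_names(hosts)
    mirrored = set(mirrored_connections(conns))
    report = []
    for c in conns:
        reasons = []
        if c in mirrored:
            reasons.append("mirrored port pair: both ends are on this host")
        fhost = c[3].lower()
        if fhost in pinned:
            reasons.append(f"hosts file maps {c[3]} to {hosts[fhost]}")
        report.append((c, reasons))
    return report


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for conn, reasons in classify(parse_netstat(SAMPLE_NETSTAT), hosts):
        proto, lhost, lport, fhost, fport, state = conn
        tag = "; ".join(reasons) if reasons else "no local evidence"
        print(f"{proto} {lhost}:{lport} -> {fhost}:{fport} {state:<12} {tag}")
```

The mirrored-pair check is the one that needs no outside information: a row for local port 1078 to foreign port 1079 next to a row for 1079 to 1078 can only be two ends of one socket pair on the same machine, whatever name netstat attaches to it. A lone TIME_WAIT row has no partner to match, so it can only be explained by consulting the hosts file, which is why the thread's advice to confirm with netstat -n (numeric addresses, so the hosts-file name never appears) and then fport or netstat -b (to see which binary owns the port) is still the right follow-up.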
