Google is stalking me

skibbli · 08 Dec 2010

so, i wanted to know what ports were being used by a particular program (netstat) when i noticed so many connections to google (at least what looks like google). ive checked out my hosts file and there are no entries with the same address in it.

(host name is acer)

The three programs that seem to be connecting to google are java, sony acid pro, and xlink kai

this is very odd. check that command out on your pc to see if the same thing is happening and if you know why this may be then please let me know, its concerning me.

below is the netstat command

Code:

 
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
 
C:\Users\Administrator>netstat -ab
 
Active Connections
 
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 ACER:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 ACER:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:34522 ACER:0 LISTENING
[kaiEngine.exe]
TCP 0.0.0.0:49152 ACER:0 LISTENING
[wininit.exe]
TCP 0.0.0.0:49153 ACER:0 LISTENING
eventlog
[svchost.exe]
TCP 0.0.0.0:49154 ACER:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:49155 ACER:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:49157 ACER:0 LISTENING
[services.exe]
TCP 127.0.0.1:31000 ACER:32000 ESTABLISHED
[java.exe]
TCP 127.0.0.1:32000 ACER:0 LISTENING
[wrapper.exe]
TCP 127.0.0.1:32000 ACER:31000 ESTABLISHED
[wrapper.exe]
TCP 127.0.0.1:49158 ACER:49159 ESTABLISHED
[java.exe]
TCP 127.0.0.1:49159 ACER:49158 ESTABLISHED
[java.exe]
TCP 127.0.0.1:63879 ACER:63880 ESTABLISHED
[kaiEngine.exe]
TCP 127.0.0.1:63880 ACER:63879 ESTABLISHED
[kaiEngine.exe]
TCP 192.168.0.200:139 ACER:0 LISTENING
Can not obtain ownership information
TCP 192.168.0.200:5001 ACER:0 LISTENING
[java.exe]
TCP 192.168.0.200:49156 173.194.44.82:http CLOSE_WAIT
[java.exe]
TCP 192.168.0.200:53943 apps:http CLOSE_WAIT
[acid70.exe]
TCP 192.168.0.200:63829 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63830 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63831 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63839 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63849 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63857 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63868 173.194.43.96:http TIME_WAIT
TCP 192.168.0.200:63885 ks309624:34525 ESTABLISHED
[kaiEngine.exe]
TCP 192.168.0.200:63888 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63889 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63890 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63891 173.194.44.100:http TIME_WAIT
TCP [::]:135 ACER:0 LISTENING
RpcSs
[svchost.exe]
TCP [::]:445 ACER:0 LISTENING
Can not obtain ownership information
TCP [::]:49152 ACER:0 LISTENING
[wininit.exe]
TCP [::]:49153 ACER:0 LISTENING
eventlog
[svchost.exe]
TCP [::]:49154 ACER:0 LISTENING
Schedule
[svchost.exe]
TCP [::]:49155 ACER:0 LISTENING
[lsass.exe]
TCP [::]:49157 ACER:0 LISTENING
[services.exe]
UDP 0.0.0.0:500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:1900 *:*
[java.exe]
UDP 0.0.0.0:3544 *:*
iphlpsvc
[svchost.exe]
UDP 0.0.0.0:4500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:*
Dnscache
[svchost.exe]
UDP 0.0.0.0:30000 *:*
[kaiEngine.exe]
UDP 0.0.0.0:34522 *:*
[kaiEngine.exe]
UDP 0.0.0.0:63492 *:*
[kaiUI.exe]
UDP 192.168.0.200:137 *:*
Can not obtain ownership information
UDP 192.168.0.200:138 *:*
Can not obtain ownership information
UDP 192.168.0.200:63869 *:*
iphlpsvc
[svchost.exe]
UDP [::]:500 *:*
IKEEXT
[svchost.exe]
UDP [::]:4500 *:*
IKEEXT
[svchost.exe]
UDP [::]:5355 *:*
Dnscache
[svchost.exe]
UDP [fe80::f0b0:283a:c8bc:95f5%11]:546 *:*
Dhcp
[svchost.exe]

Valwynd · 08 Dec 2010

Could you paste a netstat -o -b
just remove the a, replace with o
Hoping to get a second view of the connections, and this way it will show you what process ID's are connecting to google.

You can then compare that to task manager, and find out exactly what is connecting to google.

gregrocker · 08 Dec 2010

Uncheck all msconfig>startup listings except AV and gadgets. Everything else is a freeloader on your RAM, CPU, Startup and can spy on you. Start programs only when you need them.

80% of computers I work on have Google Toolbar which is spyware - as is any 3rd party toolbar, which sneak in on Java/Adobe/etc. Updates - each of which destablize the OS by about 10%. Use only the stable Search bar built into your browser.

Uninstall any Google programs using Revo Uninstaller. Google Chrome is an inferior browser, not worth being spied upon by having it even without an Updater. IE8 is perfected in Win7, rock solid stable with features that make the others seem amateur, and security that protects rather than spys.

Finally, make sure you're not signed in to Google while searching with it, by checking the top right of the search page. It logs all of your searches this way.

skibbli · 09 Dec 2010

gregrocker,
no program i dont need starts up by default (i remove all unwanted run values from the registry)
no service that i dont need starts either
i checked the md5's of the executables and they are all unmodified
also checked the PIDs they all match properly
this is very weird, havent installed any google applications.

the only thing i can imagine is what you said about spyware in java, i use java all the time as i have ps3 media server, but why would it hook into another running process? unless sony acid pro and xlink kai are partnered with google? i dont know about that. could be, but i strongly doubt it.

Coram Daes · 09 Dec 2010

Check this and then this for more info on those ports, see if it helps.

The ports are listed with no ip adress hence they are only used internally and considering many applications (especially java based) have some kind of internal communication, this is not very surprising.

I differ on considering Google Desktop a spyware anymore than Microsoft Search or Windows Gadgets, but there are of course other reasons not to use it.

Thorsen · 09 Dec 2010

skibbli said:

gregrocker,
no program i dont need starts up by default (i remove all unwanted run values from the registry)
no service that i dont need starts either
i checked the md5's of the executables and they are all unmodified
also checked the PIDs they all match properly
this is very weird, havent installed any google applications.

the only thing i can imagine is what you said about spyware in java, i use java all the time as i have ps3 media server, but why would it hook into another running process? unless sony acid pro and xlink kai are partnered with google? i dont know about that. could be, but i strongly doubt it.

Are you using Autoruns to take out these entries?
Autoruns for Windows

Also, TCPview is an awesome program for viewing your open connections and gives you many context menu options.
TCPView for Windows

SledgeDG · 09 Dec 2010

Do you have the Google Toolbar installed by any chance?

-DG

OEM · 09 Dec 2010

Thorsen said:

skibbli said:

gregrocker,
no program i dont need starts up by default (i remove all unwanted run values from the registry)
no service that i dont need starts either
i checked the md5's of the executables and they are all unmodified
also checked the PIDs they all match properly
this is very weird, havent installed any google applications.

the only thing i can imagine is what you said about spyware in java, i use java all the time as i have ps3 media server, but why would it hook into another running process? unless sony acid pro and xlink kai are partnered with google? i dont know about that. could be, but i strongly doubt it.

Are you using Autoruns to take out these entries?
Autoruns for Windows

Also, TCPview is an awesome program for viewing your open connections and gives you many context menu options.
TCPView for Windows

Forgot about autoruns in ms system internals, but "Autoruns for windows" that you linked too...

Option 2: download for system internals, and renamed autorun_2 is that the same as MS SysInt autorun?

ADDED:

I hae something from google too, but Never Installed anything of theirs, It set up as a search provider (auto-fill maybe), could it be used for that?

Also, in services was one I have no clue as to what it is:

Attachment 122206

I also had 2 items in Task Scheduler of Google's and Deleted them. Once or twice they came back, but lately the've not been in there for awhile.

Thorsen · 09 Dec 2010

I think the LxrJD31... is for you Lexar Printer?

the others:

Groove Audit Requirements

getPlus(R) Helper - getPlus_HelperSvc.exe - Program Information

gregrocker · 09 Dec 2010

Select Google for the built-in Search Bar in the top right corner of IE8 or Firefox, using the tiny drop-down arrow to the right to Find More Providers. This precludes any Google add-on to your browser, and doesn't even give Google a chance to install software.

However, when you get the search results page, always check the top right to make sure you're not currently signed into Google, as this is another way (besides installed programs) that they log your activity to monitor and sell your marketing information, or tailor Google ads to insert in webpages.