Google is stalking me

skibbli

So, I wanted to know what ports were being used by a particular program (netstat) when I noticed so many connections to Google (at least what looks like Google). I've checked out my hosts file and there are no entries with the same address in it.

(host name is acer)

The three programs that seem to be connecting to Google are Java, Sony Acid Pro, and XLink Kai.

This is very odd. Check that command out on your PC to see if the same thing is happening, and if you know why this may be then please let me know; it's concerning me.

Below is the netstat command:

Code:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
 
C:\Users\Administrator>netstat -ab
 
Active Connections
 
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 ACER:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 ACER:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:34522 ACER:0 LISTENING
[kaiEngine.exe]
TCP 0.0.0.0:49152 ACER:0 LISTENING
[wininit.exe]
TCP 0.0.0.0:49153 ACER:0 LISTENING
eventlog
[svchost.exe]
TCP 0.0.0.0:49154 ACER:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:49155 ACER:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:49157 ACER:0 LISTENING
[services.exe]
TCP 127.0.0.1:31000 ACER:32000 ESTABLISHED
[java.exe]
TCP 127.0.0.1:32000 ACER:0 LISTENING
[wrapper.exe]
TCP 127.0.0.1:32000 ACER:31000 ESTABLISHED
[wrapper.exe]
TCP 127.0.0.1:49158 ACER:49159 ESTABLISHED
[java.exe]
TCP 127.0.0.1:49159 ACER:49158 ESTABLISHED
[java.exe]
TCP 127.0.0.1:63879 ACER:63880 ESTABLISHED
[kaiEngine.exe]
TCP 127.0.0.1:63880 ACER:63879 ESTABLISHED
[kaiEngine.exe]
TCP 192.168.0.200:139 ACER:0 LISTENING
Can not obtain ownership information
TCP 192.168.0.200:5001 ACER:0 LISTENING
[java.exe]
TCP 192.168.0.200:49156 173.194.44.82:http CLOSE_WAIT
[java.exe]
TCP 192.168.0.200:53943 apps:http CLOSE_WAIT
[acid70.exe]
TCP 192.168.0.200:63829 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63830 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63831 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63839 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63849 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63857 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63868 173.194.43.96:http TIME_WAIT
TCP 192.168.0.200:63885 ks309624:34525 ESTABLISHED
[kaiEngine.exe]
TCP 192.168.0.200:63888 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63889 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63890 173.194.43.100:http TIME_WAIT
TCP 192.168.0.200:63891 173.194.44.100:http TIME_WAIT
TCP [::]:135 ACER:0 LISTENING
RpcSs
[svchost.exe]
TCP [::]:445 ACER:0 LISTENING
Can not obtain ownership information
TCP [::]:49152 ACER:0 LISTENING
[wininit.exe]
TCP [::]:49153 ACER:0 LISTENING
eventlog
[svchost.exe]
TCP [::]:49154 ACER:0 LISTENING
Schedule
[svchost.exe]
TCP [::]:49155 ACER:0 LISTENING
[lsass.exe]
TCP [::]:49157 ACER:0 LISTENING
[services.exe]
UDP 0.0.0.0:500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:1900 *:*
[java.exe]
UDP 0.0.0.0:3544 *:*
iphlpsvc
[svchost.exe]
UDP 0.0.0.0:4500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:*
Dnscache
[svchost.exe]
UDP 0.0.0.0:30000 *:*
[kaiEngine.exe]
UDP 0.0.0.0:34522 *:*
[kaiEngine.exe]
UDP 0.0.0.0:63492 *:*
[kaiUI.exe]
UDP 192.168.0.200:137 *:*
Can not obtain ownership information
UDP 192.168.0.200:138 *:*
Can not obtain ownership information
UDP 192.168.0.200:63869 *:*
iphlpsvc
[svchost.exe]
UDP [::]:500 *:*
IKEEXT
[svchost.exe]
UDP [::]:4500 *:*
IKEEXT
[svchost.exe]
UDP [::]:5355 *:*
Dnscache
[svchost.exe]
UDP [fe80::f0b0:283a:c8bc:95f5%11]:546 *:*
Dhcp
[svchost.exe]
 

Could you paste a netstat -o -b?
Just remove the a and replace it with o.
Hoping to get a second view of the connections, and this way it will show you what process IDs are connecting to Google.

You can then compare that to Task Manager, and find out exactly what is connecting to Google.
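
An added example, not written by any poster in this thread: a small Python parser for pasted `netstat -ab` output that attributes each connection to the `[executable]` line printed beneath it and reports connections that have no owner line at all. The sample lines are copied from the paste in the first post; the function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the `netstat -ab` paste in the first post (not new data).
SAMPLE = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 ACER:0 LISTENING
RpcSs
[svchost.exe]
TCP 192.168.0.200:49156 173.194.44.82:http CLOSE_WAIT
[java.exe]
TCP 192.168.0.200:53943 apps:http CLOSE_WAIT
[acid70.exe]
TCP 192.168.0.200:63829 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63830 173.194.43.104:http TIME_WAIT
TCP 192.168.0.200:63885 ks309624:34525 ESTABLISHED
[kaiEngine.exe]
TCP 192.168.0.200:63888 173.194.43.104:http TIME_WAIT
UDP 0.0.0.0:1900 *:*
[java.exe]
"""

CONN = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
OWNER = re.compile(r"^\[(.+)\]$")

def parse(text):
    """One dict per socket; owner stays None when no [exe] line follows it."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN.match(line)
        if m:
            current = dict(proto=m[1], local=m[2], remote=m[3], state=m[4], owner=None)
            conns.append(current)
        elif current is not None and OWNER.match(line):
            current["owner"] = OWNER.match(line)[1]
            current = None      # the owner line closes this entry
        # any other line (e.g. "RpcSs") is a component name or banner; skip it
    return conns

def remote_by_owner(conns):
    """Group non-listening, non-loopback TCP peers by owning executable."""
    groups = defaultdict(list)
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        if c["local"].startswith(("127.", "[::1]")):
            continue
        groups[c["owner"] or "(no owner shown)"].append((c["remote"], c["state"]))
    return dict(groups)

if __name__ == "__main__":
    for owner, peers in remote_by_owner(parse(SAMPLE)).items():
        print(owner, peers)
```

On these lines the TIME_WAIT connections fall under "(no owner shown)" because no `[executable]` line follows them in the paste.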
 

Uncheck all msconfig>startup listings except AV and gadgets. Everything else is a freeloader on your RAM, CPU, Startup and can spy on you. Start programs only when you need them.

80% of computers I work on have Google Toolbar which is spyware - as is any 3rd party toolbar, which sneak in on Java/Adobe/etc. updates - each of which destabilizes the OS by about 10%. Use only the stable Search bar built into your browser.

Uninstall any Google programs using Revo Uninstaller. Google Chrome is an inferior browser, not worth being spied upon by having it even without an Updater. IE8 is perfected in Win7, rock solid stable with features that make the others seem amateur, and security that protects rather than spies.

Finally, make sure you're not signed in to Google while searching with it, by checking the top right of the search page. It logs all of your searches this way.
 
gregrocker,
No program I don't need starts up by default (I remove all unwanted Run values from the registry).
No service that I don't need starts either.
I checked the MD5s of the executables and they are all unmodified.
Also checked the PIDs; they all match properly.
This is very weird, haven't installed any Google applications.

The only thing I can imagine is what you said about spyware in Java. I use Java all the time as I have PS3 Media Server, but why would it hook into another running process? Unless Sony Acid Pro and XLink Kai are partnered with Google? I don't know about that. Could be, but I strongly doubt it.
 

Check this and then this for more info on those ports, see if it helps.

The ports are listed with no IP address, hence they are only used internally, and considering many applications (especially Java-based) have some kind of internal communication, this is not very surprising.

I differ on considering Google Desktop spyware any more than Microsoft Search or Windows Gadgets, but there are of course other reasons not to use it.
 

Are you using Autoruns to take out these entries?
Autoruns for Windows

Also, TCPView is an awesome program for viewing your open connections and gives you many context menu options.
TCPView for Windows
 

Do you have the Google Toolbar installed by any chance?

-DG
 

Forgot about Autoruns in MS Sysinternals, but "Autoruns for Windows" that you linked to...

Option 2: download for system internals, and renamed autorun_2 is that the same as MS SysInt autorun?

ADDED:

I have something from Google too, but never installed anything of theirs. It set up as a search provider (auto-fill maybe), could it be used for that?

Also, in services was one I have no clue as to what it is:


View attachment 122206


I also had 2 items in Task Scheduler of Google's and deleted them. Once or twice they came back, but lately they've not been in there for a while.
 
Select Google for the built-in Search Bar in the top right corner of IE8 or Firefox, using the tiny drop-down arrow to the right to Find More Providers. This precludes any Google add-on to your browser, and doesn't even give Google a chance to install software.

However, when you get the search results page, always check the top right to make sure you're not currently signed into Google, as this is another way (besides installed programs) that they log your activity to monitor and sell your marketing information, or tailor Google ads to insert in webpages.
 


If that's what I listed as unknown, I remember what that is now... I have a 512 MB thumb drive from Lexar called "Jump drive Secure" (LxrJD31...Lxr= Lexar/JD= Jump Drive/31 model #?). It can be set up where you can divide the 512 MB of space into a public folder with no need for a p.w. and set a "secure" partition that would require a p.w. to enter. Partition space between the 2 can be sized to anything up to the 512 MB thumb limit.

Works great on XP, but did away with all of that and reformatted as a plain old drive to be used as a password reset thumb drive since it's only 512 MB. ;)

However, Se7en didn't play well with it so that can be removed. :)


_________


To the OP,

Sorry if I went OT, but while researching this google thing, I came across those items.

Not sure what that google is in autorun\services and like I said, check your task scheduler library for anything google, ...I would Delete 'em. I did, but then again I have nothing of google other than it set to home page.

Also found this in KIS_2011 Firewall:

View attachment 122400

It was in the trusted folder with full permissions to do whatever it wanted to do, but moved it to restricted and locked it down even further. They're installers, so nothing is installed, but just in case they get an itch to install, they can't now.

Thanks for this thread, just like you said, Google is reaching a little too deep imho, especially when it's just my home page, no toolbars/Chrome/etc!

Google :devil:
 

That's exactly how I have it, and have no account with Google/YouTube/etc. ...no Google accounts created.

Yet there is that entry in autorun/services, had 2 items in Task Scheduler, and 2 entries of google installers in "trusted" firewall folder with full permissions, ...have been moved to "high restricted" and locked down even more.

Makes ya wonder...

View attachment 122405
 
That entry in Kaspersky does not add itself; that would be against all basic firewall setup. Hence I would assume you at some time approved the access. Or that Google owns stock in Kaspersky Labs. Or that KIS sucks Google's *lls. Excuse my French. :zip:
 

LMAO!!!

...I don't know how they got there, but are locked down now.

Might be when you install or update Java, Adobe Reader/FP/SW, or other, where they're always offering to install a toolbar like google, ...but I take my time and Always Un-tick 'em and don't allow them to install, ...never have I had a 3rd party toolbar install or have just showed up in IE.
 
