
Why do I see googletalkplugin.exe connected to a malware site?

So just a couple of days ago, I noticed that my Internet speed might be a little laggy. I had recently installed Lord of the Rings Online, which uses a P2P network for serving files. They claim it doesn't affect your performance, but it really does, so I immediately killed it after install (killing PMB.exe seemed to do it). So when I noticed slow speeds again, I thought I had better check my netstat to see if some LOTRO program was running again.

I run netstat -a -b -f: option -a for all (includes listening ports), -b to get the process name the port is bound to, and -f to resolve IPs to hostnames. Browsing around, I see that a program named googletalkplugin.exe is connected to 007guard.com. I'm immediately suspicious, as I've never been to this site. I kill the GTP exe, only for it to pop right back up again. I get a bit more anxious. I always keep MS Security Essentials running in the background and use Chrome for everything, so I consider myself decently secure, but not impervious.

Time for some Google searching. This is where things get frustrating. Any searching for spyware tends to provide little more than a bunch of worthless "What is this EXE" sites, or discussions on computer tech boards filled with people doing 100-page dumps of various registry and process listings, whatever. From what I can gather, googletalkplugin.exe "can" be legit, but 007guard.com is definitely a spyware site.

I decided to try to sniff the network data with Wireshark, but I didn't manage to find anything. Eventually, I end up closing my web browser (with GMail open in a tab) and notice the GTP process die. This makes me feel a bit better. I read somewhere that the exe is used for video chat within GMail. Opening GMail again results in the exe firing back up. Still, why connect to a spyware site?

Doing some more digging, I realize that Spybot has added a block to my hosts file for 007guard.com, part of the immunization feature that Spybot provides. I also notice two connections for GTP in my netstat listing, one with a local port of 1984 and a foreign port of 1986. The other is backwards: local 1986, foreign 1984 (note these port numbers will usually change every time the process is started again). Since hosts now redirects 007guard.com to loopback (127.0.0.1), this looks more like some connection to my local machine for data transport. Still, why the spyware site? I decide to add my own loopback hosts entry for some made-up domain and place it at the top of the file. Sure enough, my made-up domain is now the hostname that netstat claims GTP is connected to. Apparently, for resolving an IP to a hostname, Windows uses the first entry in hosts as the official name for a given IP. To confirm this, I ping loopback with -a (the option for hostname resolution in ping) and, sure enough, it lists the top hosts entry's hostname for the IP.
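The triage described above (map the hostname netstat -f shows back through the hosts file, check whether it is really loopback, and spot a process whose two connections mirror each other's ports) can be automated. The following Python script is an added example and is not part of the original post; the hosts file, the netstat -a -b -f output, the hostnames and the process names in it are constructed samples, and made-up-test.invalid stands in for the made-up domain the post put at the top of hosts.

```python
import ipaddress
import re

# Constructed sample hosts file (not a real one): a made-up domain at the top,
# followed by Spybot-style immunization entries pointing at loopback.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   made-up-test.invalid
127.0.0.1   localhost
127.0.0.1   007guard.com
127.0.0.1   www.007guard.com
"""

# Constructed sample of `netstat -a -b -f` output; Windows prints the owning
# process in brackets on the line after each connection. Names are invented.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address            State
  TCP    mypc:1984              made-up-test.invalid:1986  ESTABLISHED
 [googletalkplugin.exe]
  TCP    mypc:1986              made-up-test.invalid:1984  ESTABLISHED
 [googletalkplugin.exe]
  TCP    mypc:49201             example.net:https          ESTABLISHED
 [chrome.exe]
"""


def parse_hosts(text):
    """Return (ip, name) pairs in file order; comments and blank lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def reverse_name(pairs, ip):
    """First hosts entry for an IP wins reverse lookup (what the post observed)."""
    for entry_ip, name in pairs:
        if entry_ip == ip:
            return name
    return None


def forward_ip(pairs, name):
    """Forward lookup of a hostname through the hosts file, or None if absent."""
    for entry_ip, entry_name in pairs:
        if entry_name == name.lower():
            return entry_ip
    return None


CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Parse `netstat -a -b -f` style output into connection dicts."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, lhost, lport, fhost, fport, state = m.groups()
            conns.append({"proto": proto, "local_host": lhost, "local_port": lport,
                          "foreign_host": fhost, "foreign_port": fport,
                          "state": state, "process": None})
            continue
        m = PROC_RE.match(line)
        if m and conns and conns[-1]["process"] is None:
            conns[-1]["process"] = m.group(1)
    return conns


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def triage(hosts_text, netstat_text):
    """Classify each connection's foreign host and flag self-connections."""
    pairs = parse_hosts(hosts_text)
    conns = parse_netstat(netstat_text)
    results = []
    for c in conns:
        ip = forward_ip(pairs, c["foreign_host"])
        if ip is not None and is_loopback(ip):
            verdict = "loopback"        # hosts-file alias of 127.0.0.1, not a remote peer
        elif ip is not None:
            verdict = "hosts-override"  # hosts sends this name to a non-loopback IP
        else:
            verdict = "remote"          # not in hosts; resolved by DNS, worth a closer look
        # local:A -> foreign:B and local:B -> foreign:A for the same process means
        # that process is talking to itself over loopback (the 1984/1986 pair).
        mirrored = any(o is not c and o["process"] == c["process"]
                       and o["local_port"] == c["foreign_port"]
                       and o["foreign_port"] == c["local_port"] for o in conns)
        results.append({**c, "verdict": verdict, "self_connection": mirrored})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_HOSTS, SAMPLE_NETSTAT):
        print(f'{r["process"]:22} {r["foreign_host"]:22} {r["verdict"]:14} '
              f'self={r["self_connection"]}')
```

On a real machine you would feed it the contents of C:\Windows\System32\drivers\etc\hosts and the saved output of netstat -a -b -f; a "loopback" verdict with self_connection set is exactly the benign case in this post, while a "remote" verdict for a process you do not recognise is the one that still deserves attention.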

So there you have it: a spyware scare that turned out to be nothing serious. Hoping this will help someone out who notices the same "issue" on their system.
