Skip to main content

Why do I see googletalkplugin.exe connected to a malware site?

So just a couple days ago, I notice that my Internet speed might be a little laggy. I had recently installed Lord of the Rings Online which uses a P2P network for serving files. They claim it doesn't affect your performance but it really does so I immediately killed it after install (killing PMB.exe seemed to do it). So when I noticed slow speeds again, I thought I better check my netstat to see if some LOTRO program is running again.

I run netstat -a -b -f. Option -a for all (includes listening ports), -b to get the process name the port is bound to, and -f to resolve IP's to hostnames. Browsing around I see that a program named googletalkplugin.exe is connected to I'm immediately suspicious as I've never been to this site. I kill the GTP exe only for it to pop right back up again. I get a bit more anxious. I always keep MS Security Essentials running in the background and use Chrome for everything so I consider myself decently secure, but not impervious.

Time for some Google searching. This is where things get frustrating. Any searching for spyware, tends to provide little more than a bunch of worthless "What is this EXE" sites, or, discussions on computer tech boards filled with people doing 100 page dumps of various registry, process listings, whatever. From what I can gather, googletalkplugin.exe "can" be legit, but is definitely a spyware site.

I decided to try to sniff the network data with Wireshark but I didn't manage to find anything. Eventually, I end up closing my web browser (with GMail open in a tab) and notice the GTP process die. This makes me feel a bit better. I read somewhere that the exe is used for video chat within GMail. Opening GMail again results in the exe firing back up. Still, why connect to a spyware site?

Doing some more digging, I realize that Spybot has added a block to my hosts file for Part of the immunization ability that Spybot provides. I also notice two connections for GTP in my netstat listing, one with a local port of 1984 and a foreign port of 1986. The other is backwards, local 1986, foreign 1984 (note these port numbers will usually change every time the process is started again). Since hosts now redirects to loopback (, this looks more like some connection to my local machine for data transport. Still, why the spyware site? I decide to add my own loopback hosts entry for some made up domain and place it at the top of the file. Sure enough, my made up domain is now the hostname that netstat claims GTP is connected to. Apparently for resolving IP to hostname, Windows uses the first entry in hosts as the official name for a given IP. To confirm this, I ping loopback with -a (option for hostname resolution in ping) and sure enough, it lists the top hosts hostname entry for the IP.

So there you have it, Spyware scare to nothing serious. Hoping this will help someone out who notices the same "issue" on their system.


Popular posts from this blog

IE Caches a Lot

Cross post from my employer's development blog:

In developing a page, I decided to do things a bit differently on the server. By doing an explicit check on the HTTP request headers, I can detect server-side if a request to the server is coming via XHR (Ajax) or a standard page load. I can then serve different content based on the request type. So, I can use the same URL for retrieving the initial HTML page and the raw JSON data associated with that page. Express makes this pretty easy:
if (req.xhr){      return res.json(await this.usersData());    }    else {      return res.view('users', await this.usersData());    }
I’m not sure if it’s technically more RESTful than having separate URL routes for data and HTML, but it felt like it made sense. The URL is referring to the same data, and based on a header, I want to determine how it is represented, but the data doesn’t change so why should the URL? This also makes it possible to d…

Atari E3 2004 PAL digital press kit

Making note of some old swag. The Atari E3 2004 PAL digital press kit. See video for details.

Changing Password Requirements with SailsJS and Passport

Cross post from my employer's development blog:

If you perform an installation of [Passport][passport] with [SailsJS][sails] using the [Sails Passport Auth Generator][sails-generate-auth] you get several files in your app already configured for you. If you then use passport-local, you will already have a complexity requirement on the password. It defaults to requiring 8 characters minimum, letters, numbers, and symbols.

What if you want to change this requirement? In the generated model file `Passport.js`, you should see a line that says `provider   : { type: 'alphanumericdashed' },` and `password    : { type: 'string', minLength: 6 }`. The minLength is an easy and obvious change. What about the complexity requirement though? This stumped me for a bit. There doesn’t seem to be any mention of these keywords or providers on the Passport official site, nor anything in the [Passport-local repository][passport…