gogregor6
join:2002-09-26 Bethlehem, PA
persistent connection to qw-in-f113.1e100.net on boot
I've recently noticed a TCP (port 1030-1033) connection (netstat -a) to the addr qw-in-f113.1e100.net (74.125.93.113) right after boot and before starting any applications. ARIN reports this is a google addr, and google reports this is a mail server. I've run SpyBot and AVG anti-vir apps and found nothing. I see a google update service when checking installed services, but it is not started? Any ideas?
thanx! greg
 dsilvers
join:2009-05-17 Canyon Lake, TX
Run TCP view to see what process (PID) has that connection open. If it is svchost.exe, use Process Explorer, right click on the PID > Properties > TCP/IP will tell you where it's connecting and the service tab will tell you everything that svchost is running. It's probably harmless but does seem odd.
»technet.microsoft.com/en-us/sysi···027.aspx
Looks like it might pertain to google-anatalitic.com
»www.robtex.com/dns/www.google-an···com.html
 nonymous
join:2003-09-08 Glendale, AZ
reply to gogregor6
Yes it is Google something.
 redwolfe_98
join:2001-06-11
·RoadRunner Cable
1 edit
reply to gogregor6
i think that there might be something fishy going on..
when i look up the ip address for "www.gmer.net", at "samspade", samspade shows the ip address as being "74.125.53.121", which is "google", and, further, "samspade" shows ip address 74.125.53.121 as being "pw-in-f121.1e100.net"..
if i look up the ip address for "www.gmer.net" at "hpHosts", here is what it shows:
Host: www.gmer.net ( H ) Current IP*: 74.125.77.121 ( 24 H ) IP PTR: ew-in-f121.1e100.net ASN: 15169 74.125.76.0/23 GOOGLE - Google Inc.
when i actually go to "www.gmer.net", using my computer, the ip address that i get is "85.128.230.45".. so why do "samspade" and "hpHosts" show a different ip address for "www.gmer.net", both relating to "1e100.net", which gogregor6 mentioned in the original post?
gogregor6, how did you manage to notice that your computer was "phoning home" to "qw-in-f113.1e100.net"?
 gogregor6
join:2002-09-26 Bethlehem, PA
Redwolf, I have an older desktop that was running very slow. Did the usual check for spyware, etc. and found nothing. Just a guess - did a netstat -a to check connections right after boot and the google addr showed up. I'm mostly just a blind chicken who finds some corn once in a while! Thanks!
 dsilvers
join:2009-05-17 Canyon Lake, TX
reply to gogregor6
Google Analytics is everywhere. Even dslr uses it. You can safely add these to your hosts file and your connection will appear as localhost.
127.0.0.1     google-analytics.com
127.0.0.1     ssl.google-analytics.com
127.0.0.1     googlesyndication.com
127.0.0.1     sb.google.com
127.0.0.1     pagead2.googlesyndication.com
127.0.0.1     pagead.googlesyndication.com
127.0.0.1     www.google-analytics.com/urchin.js
127.0.0.1     eh-in-f191.google.com
127.0.0.1     www.google-analytics.com
127.0.0.1     sb.google.com
Add five spaces between 127.0.0.1 and the URL. I could not get it to display correctly. There are probably others that can be added. If you are running any Google applications (Google Toolbar, Gmail, etc.) they may be taking you there at start up. Google Analytics is largely harmless but the crap that tracks you today is unbelievable.
Another solution is Firefox with NoScript and Adblock Plus. Highly recommended. Google Analytics is a privacy issue and not a malware issue.
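A small hosts-file linter, added here as an example (my code, not the poster's or any project's): it takes the block posted above, rejects the one entry that is a URL with a path (`www.google-analytics.com/urchin.js`; a hosts file maps host names to addresses and cannot block a path), drops the duplicated `sb.google.com`, checks that the first field is an IP address, and prints clean lines. The "five spaces" advice is only about how the post displayed; the resolver accepts any run of spaces or tabs between address and name. The entries are the ones from the post, re-laid one per line; nothing else is assumed.

```python
"""Lint a hosts-file block before installing it: hosts files map names to addresses,
so URLs with paths cannot be blocked there, and duplicate names are just noise."""
import ipaddress
import re

# The entries from the post above, one per line, reconstructed from the run-together text.
POSTED_ENTRIES = """\
127.0.0.1     google-analytics.com
127.0.0.1     ssl.google-analytics.com
127.0.0.1     googlesyndication.com
127.0.0.1     sb.google.com
127.0.0.1     pagead2.googlesyndication.com
127.0.0.1     pagead.googlesyndication.com
127.0.0.1     www.google-analytics.com/urchin.js
127.0.0.1     eh-in-f191.google.com
127.0.0.1     www.google-analytics.com
127.0.0.1     sb.google.com
"""

# One DNS label: letters, digits and interior hyphens, at most 63 characters (RFC 1123 shape).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    """True when `name` is a bare host name: no scheme, path, port or query, every label well-formed."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def lint_hosts(text):
    """Return (accepted, problems).

    accepted: list of (ip, host) pairs in order, duplicates (case-insensitive) dropped.
    problems: list of (line_number, reason, raw_line) for anything a hosts file cannot express.
    """
    accepted, seen, problems = [], set(), []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append((number, "needs an address and at least one host name", raw))
            continue
        ip, hosts = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((number, "first field is not an IP address", raw))
            continue
        for host in hosts:
            key = host.lower()
            if not valid_hostname(host):
                problems.append((number, "not a host name (a URL path cannot be blocked in hosts)", raw))
            elif key in seen:
                problems.append((number, "duplicate host name", raw))
            else:
                seen.add(key)
                accepted.append((ip, host))
    return accepted, problems


def render(accepted):
    """Emit clean hosts lines; a single tab separates address and name."""
    return "\n".join("%s\t%s" % (ip, host) for ip, host in accepted)


if __name__ == "__main__":
    ok, bad = lint_hosts(POSTED_ENTRIES)
    print(render(ok))
    for number, reason, raw in bad:
        print("line %d: %s: %s" % (number, reason, raw.strip()))
```

Many published blocklists use 0.0.0.0 rather than 127.0.0.1 so that a blocked name never reaches a service listening on the loopback interface; the linter accepts either address. Note that a hosts entry only affects name resolution on that machine, so a process that connects to a bare IP address, or one that uses its own resolver, is not stopped by it.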
 gogregor6
join:2002-09-26 Bethlehem, PA
I cannot query this process (PID 0) using tcpview; tcpvcon returns the following:
C:\Documents and Settings\Owner\My Documents\Install>tcpvcon
TCPView v2.54 - TCP/UDP endpoint viewer Copyright (C) 1998-2009 Mark Russinovich Sysinternals - www.sysinternals.com
[TCP] [System Process] PID: 0 State: TIME_WAIT Local: faith.cable.rcn.com:1032 Remote: qw-in-f139.1e100.net:http
 dsilvers
join:2009-05-17 Canyon Lake, TX
reply to gogregor6
Tcpvcon.exe is the command line version of the utility. It looks like you are running it from My Documents. Tcpview does connect to the internet and is not a problem. Try running the GUI version, which is TCPview.exe. Consider running it from somewhere on your root drive, perhaps C:\program files\sysinternals. You can run it from anywhere, so if you are comfortable running an executable from My Documents by all means do so.
Anything that appears as time wait has been closed, but because it takes time to properly close the connection, Tcpview indicates it is handed off to system 0. That is not exactly correct, but as long as you understand the connection is closed and waiting to finish, you should still be able to right click the connection > properties > and get the path to the executable if you do it before it completely closes out. Sometimes there will be more than one time wait and it will be a WAG to determine the correct one. Click on view > update speed > 5 seconds. This gives you five seconds to find the correct closed wait. The default is one second.
If your connection happens really early in the boot sequence it may not be possible to capture the path because it may already be completely closed out. If that is happening you might try putting Tcpview in your start up folder so it comes up with your boot.
You appear to be using a third party firewall. Are there any logs that might help explain what is using this connection? Some firewalls allow you to establish different levels of logging. Is that an option for you? What is the exact name of the google service you have installed? Have you tried setting the service to disable, not manual but disable? Are there any other google applications installed?
There is no boot logging associated with Tcpview so that is not an option. Process monitor does do boot logging but you really need to set a filter or you will be faced with pages and pages of logs that do not apply to this connection.
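The TIME_WAIT point above is the whole difficulty in this thread: once a socket is closed, Windows reports it under PID 0 and the owning image is gone, so the only way to attribute it is to look while it is still ESTABLISHED. The following added example (my code, not the poster's or Sysinternals') shows the same idea in script form: parse `netstat -ano` output, map PIDs to image names, flag endpoints that can no longer be attributed, and keep the first non-zero PID seen for each local endpoint across successive snapshots. The netstat text and the PID-to-image table are constructed samples (the remote address 74.125.93.113 is the one from the original post; `ExampleUpdater.exe` and the PIDs are placeholders), shaped like real `netstat -ano` and `tasklist /fo csv` output.

```python
"""Correlate `netstat -ano` rows with process names and keep the owner of a socket
before it drops into TIME_WAIT, where Windows reports it under PID 0."""
import re

# Two constructed snapshots in the shape of `netstat -ano`, taken a moment apart.
NETSTAT_SAMPLES = [
    """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1032      74.125.93.113:80       ESTABLISHED     1844
  TCP    192.168.1.10:1033      74.125.93.113:80       SYN_SENT        1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
""",
    """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1032      74.125.93.113:80       TIME_WAIT       0
  TCP    192.168.1.10:1033      74.125.93.113:80       ESTABLISHED     1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
""",
]

# Constructed PID -> image map, as one would build from `tasklist /fo csv`; all placeholders.
PROCESS_TABLE = {0: "System Idle Process", 4: "System", 988: "svchost.exe", 1844: "ExampleUpdater.exe"}

# TCP rows only: local, remote, state, pid. UDP rows have no state column and are skipped.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return the TCP rows of one `netstat -ano` snapshot as dicts; the header is ignored."""
    rows = []
    for line in text.splitlines():
        match = TCP_LINE.match(line)
        if match:
            local, remote, state, pid = match.groups()
            rows.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return rows


def attribute(row, table=PROCESS_TABLE):
    """Image name owning the socket, or None when it is already orphaned (PID 0, e.g. TIME_WAIT)."""
    if row["pid"] == 0:
        return None
    return table.get(row["pid"], "<unknown pid %d>" % row["pid"])


def unattributed(rows):
    """Local endpoints in this snapshot whose owner can no longer be determined."""
    return [row["local"] for row in rows if row["pid"] == 0]


def first_owner(snapshots, remote):
    """Across successive snapshots, remember the first non-zero PID seen per local endpoint
    talking to `remote`. Sampling quickly matters: after the socket reaches TIME_WAIT the
    PID column reads 0 and the owner is lost for good."""
    owners = {}
    for rows in snapshots:
        for row in rows:
            if row["remote"] == remote and row["pid"] != 0 and row["local"] not in owners:
                owners[row["local"]] = row["pid"]
    return owners


def report(snapshots, remote, table=PROCESS_TABLE):
    """Map each local endpoint that ever talked to `remote` to the image that owned it."""
    return {local: table.get(pid, "<unknown>") for local, pid in first_owner(snapshots, remote).items()}


if __name__ == "__main__":
    snaps = [parse_netstat(text) for text in NETSTAT_SAMPLES]
    print(report(snaps, "74.125.93.113:80"))
    print("orphaned in last snapshot:", unattributed(snaps[-1]))
```

On a live box the snapshots would come from running `netstat -ano` in a tight loop from a startup script and the table from `tasklist /fo csv`; the point of keeping the first non-zero PID is that the ESTABLISHED sample is the only one that carries the owner, exactly as the 5-second update speed trick in the post tries to exploit.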
 gogregor6
join:2002-09-26 Bethlehem, PA
First of all - thank you for a very complete reply! And all the help. I've run both the GUI and command line of tcpview, and from several locations. I've watched the connection go from WAIT to ESTABLISHED, then disappear, then return later. When I right click on the connection in tcpview I always get an error that states it cannot query PROC ID 0. The only Google app I have installed (that I'm aware of) is Google Earth, and that was installed about 3 years ago - this is a relatively new issue. I have some technical background - and this one has me stumped right now. Also - no third party firewall??? What is the indication for that??
thanks again! greg
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
1 edit
If Google Earth is truly the only Google app that is running on your PC, then Google Earth is a likely source of the connection to qw-in-f113.1e100.net.
That connection is certainly to a Google server as verified by nslookup, whois and by simply putting http://qw-in-f113.1e100.net into a browser address bar.

Since you have already used TCPView, you might also want to try Process Explorer to be absolutely sure that there are no other Google processes running on your PC.
-- History does not long entrust the care of freedom to the weak or the timid. -- Dwight D. Eisenhower The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. -- Thomas Jefferson
 dsilvers
join:2009-05-17 Canyon Lake, TX
reply to gogregor6
Netfixer is correct.
OK, I just started the latest version 2.54, right clicked on a closed wait and it gave me the path and command line. I am unsure what is happening but your experience is not the usual behavior.
I am living in the dark ages, still running XP. If it's Vista it may need administrator rights. I don't have access to a Vista box right now. I do know that on the Vista box process explorer needs administrative rights to reveal any meaningful information. Try run as administrator, not from a shortcut, right click the actual file > run as. UAC drives me up the wall.
Currports at: »www.nirsoft.net/utils/cports.html is often recommended but I have never used it.
You stated, "Also - no third party firewall??? What is the indication for that??" Normally when something calls home the first indication is a firewall alert. Rereading your post I see you stumbled into it with a netstat. My bad. Installing a third party firewall would catch it but they frequently don't clean uninstall.
If it's Vista try run as administrator and see if that works. I don't think this is malicious but it is a good mystery.
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
1 edit
said by dsilvers: OK, I just started the latest version 2.54, right clicked on a closed wait and it gave me the path and command line. I am unsure what is happening but your experience is not the usual behavior.
That depends on from what process you are attempting to obtain the properties.
A normal application will show its properties, but TCPView will not show the properties for a System process:
 dsilvers
join:2009-05-17 Canyon Lake, TX
@netfixer
You are right. I had not noticed that before. Any ideas on how to catch it short of a firewall? I am out of aces.
  moo0000
@verizon.net
reply to gogregor6
it's google notifier most likely
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
reply to dsilvers
said by dsilvers: @netfixer You are right. I had not noticed that before. Any ideas on how to catch it short of a firewall. I am out of aces.
I already suggested Process Explorer. It sees all and tells all.

If you walk the process trees, you can find out about all active processes including any network sessions.
  jashsu
@comcast.net
reply to gogregor6
1E100 is exponent notation for one googol. Hope that helps explain the url.
 jester121
join:2003-08-09 Lake Zurich, IL
·surpasshosting
·ViaTalk
reply to gogregor6
Ran into this today, and traced the PID to GoogleToolbarNotifyer.exe.
For some unknown reason, it was using a full T1's worth of bandwidth for the entire day, connecting to ".1e100.net".
It's back to normal so far, I'll do some more monitoring in MRTG and see what happens tomorrow.