Google Earth self install - Google Updater

Discussion in 'Computer Information' started by James D Andrews, Nov 19, 2011.

  1. So Google Earth installed itself out of the blue again last night. The
    last time it did, I uninstalled all Google products using Revo.

    So, a search showed I missed a file in my Temp directory with Google
    Updater in it, and a couple empty folders, and it has a prefetch from
    when it loaded last night.

    I found nothing as far as running applications/running
    processes/Startup items related to it, but apparently there are related
    registry items from previous installs that I'm unsure of.

    Questions:

    1. Can I (and should I even bother) to delete the Prefetch item?
    2. Are there specific registry items I can target to delete?

    I know there are several related to GoogleUpdate &
    GoogleUpdateProcessLauncher listed in the registry, but I'm not
    comfortable editing the registry without some handholding (wisely).

    3. Can the built-in Google searchbar in Firefox 8 be involved in this
    Google conspiracy?

    4. Is there a freeware Firewall program that would allow me to block
    this from recurring in the future?

    Personally, I consider any program that installs itself without my
    control to be malware, although that's really a loosely defined term.

    --
    -There are some who call me...
    Jim


    "You got to be careful if you don't know where you're going, because
    you might not get there."
    - Yogi Berra
    James D Andrews, Nov 19, 2011
    #1
    1. Advertising

  2. James D Andrews

    Paul Guest

    James D Andrews wrote:
    > So Google Earth installed itself out of the blue again last night. The
    > last time it did, I uninstalled all Google products using Revo.
    >
    > So, a search showed I missed a file in my Temp directory with Google
    > Updater in it, and a couple empty folders, and it has a prefetch from
    > when it loaded last night.
    >
    > I found nothing as far as running applications/running processes/Startup
    > items related to it, but apparently there are related registry items
    > from previous installs that I'm unsure of.
    >
    > Questions:
    >
    > 1. Can I (and should I even bother) to delete the Prefetch item?
    > 2. Are there specific registry items I can target to delete?
    >
    > I know there are several related to GoogleUpdate &
    > GoogleUpdateProcessLauncher listed in the registry, but I'm not
    > comfortable editing the registry without some handholding (wisely).
    >
    > 3. Can the built-in Google searchbar in Firefox 8 be involved in this
    > Google conspiracy?
    >
    > 4. Is there a freeware Firewall program that would allow me to block
    > this from recurring in the future?
    >
    > Personally, I consider any program that installs itself without my
    > control to be malware, although that's really a loosely defined term.
    >


    If you download Sysinternals Autoruns program, that provides a
    convenient way to turn off activities like that.

    http://technet.microsoft.com/en-us/sysinternals/bb963902

    It's not guaranteed to stop everything, or, display every possible
    mechanism for code to run on a computer. For example, if you had a
    rootkit running on the computer, it's not going to "present an item
    to turn off TDSS". It only handles the simple-minded stuff, and gives
    you boxes to tick, to stop things (so no registry to edit). If the same
    item shows up tomorrow (two identical items, one ticked, one not ticked),
    then you'd have some idea that a new one was installed, after Autoruns
    took care of the original one. And then, you'd have to figure out how
    you got "reinfected".

    Paul
    Paul, Nov 19, 2011
    #2
    1. Advertising

  3. Paul was thinking very hard and all he could come up with was:
    > James D Andrews wrote:
    >> So Google Earth installed itself out of the blue again last night. The
    >> last time it did, I uninstalled all Google products using Revo.
    >>
    >> So, a search showed I missed a file in my Temp directory with Google
    >> Updater in it, and a couple empty folders, and it has a prefetch from when
    >> it loaded last night.
    >>
    >> I found nothing as far as running applications/running processes/Startup
    >> items related to it, but apparently there are related registry items from
    >> previous installs that I'm unsure of.
    >>
    >> Questions:
    >>
    >> 1. Can I (and should I even bother) to delete the Prefetch item?
    >> 2. Are there specific registry items I can target to delete?
    >>
    >> I know there are several related to GoogleUpdate &
    >> GoogleUpdateProcessLauncher listed in the registry, but I'm not comfortable
    >> editing the registry without some handholding (wisely).
    >>
    >> 3. Can the built-in Google searchbar in Firefox 8 be involved in this
    >> Google conspiracy?
    >>
    >> 4. Is there a freeware Firewall program that would allow me to block this
    >> from recurring in the future?
    >>
    >> Personally, I consider any program that installs itself without my control
    >> to be malware, although that's really a loosely defined term.
    >>

    >
    > If you download Sysinternals Autoruns program, that provides a
    > convenient way to turn off activities like that.
    >
    > http://technet.microsoft.com/en-us/sysinternals/bb963902
    >
    > It's not guaranteed to stop everything, or, display every possible
    > mechanism for code to run on a computer. For example, if you had a
    > rootkit running on the computer, it's not going to "present an item
    > to turn off TDSS". It only handles the simple-minded stuff, and gives
    > you boxes to tick, to stop things (so no registry to edit). If the same
    > item shows up tomorrow (two identical items, one ticked, one not ticked),
    > then you'd have some idea that a new one was installed, after Autoruns
    > took care of the original one. And then, you'd have to figure out how
    > you got "reinfected".
    >
    > Paul


    Definitely a good idea, Paul. I should have tried it when I had
    Windows System Control Center open for Process Explorer before.

    I made sure to check for it to show all. Unfortunately, I couldn't
    find anything related to the Google Updater. I'll have to remember to
    look here next time it happens.

    Thanks for the guidance.

    --
    -There are some who call me...
    Jim


    It's a dangerous business, going out your door. You step onto the road,
    and if you don't keep your feet, there's no knowing where you might be
    swept off to.
    -Samwise Gamgee quoting Bilbo Baggins, edited
    James D Andrews, Nov 20, 2011
    #3
  4. James D Andrews

    Paul Guest

    James D Andrews wrote:

    >
    > Definitely a good idea, Paul. I should have tried it when I had Windows
    > System Control Center open for Process Explorer before.
    >
    > I made sure to check for it to show all. Unfortunately, I couldn't find
    > anything related to the Google Updater. I'll have to remember to look
    > here next time it happens.
    >
    > Thanks for the guidance.
    >


    I found some info here. Hiding in an "svchost" trick.

    http://www.techtalkz.com/windows-help/5599-ot-google-earth-5-0-users-beware.html

    Paul
    Paul, Nov 20, 2011
    #4
  5. Paul embroidered on the monitor :
    > James D Andrews wrote:
    >
    >>
    >> Definitely a good idea, Paul. I should have tried it when I had Windows
    >> System Control Center open for Process Explorer before.
    >>
    >> I made sure to check for it to show all. Unfortunately, I couldn't find
    >> anything related to the Google Updater. I'll have to remember to look here
    >> next time it happens.
    >>
    >> Thanks for the guidance.
    >>

    >
    > I found some info here. Hiding in an "svchost" trick.
    >
    > http://www.techtalkz.com/windows-help/5599-ot-google-earth-5-0-users-beware.html
    >
    > Paul


    Thanks Paul

    I find no .msi file, or any other file for that matter, in the files
    that could be related.

    I'm finding nothing under Services that jumps out.

    CLIP FROM REF: "You have to do
    a manual removal of the scheduled tasks and the service startup call."

    So how would I go about that? There are half a dozen listed svchost
    processes, so I'm kind of in the dark here.

    Thanks again for all your help

    --
    -There are some who call me...
    Jim


    "Do, or do not. There is no 'try'."
    - Yoda ('The Empire Strikes Back')
    James D Andrews, Nov 20, 2011
    #5
  6. James D Andrews

    Paul Guest

    James D Andrews wrote:

    >>
    >> I found some info here. Hiding in an "svchost" trick.
    >>
    >> http://www.techtalkz.com/windows-help/5599-ot-google-earth-5-0-users-beware.html
    >>
    >>
    >> Paul

    >
    > Thanks Paul
    >
    > I find no .msi file, or any other file for that matter, in the files
    > that could be related.
    >
    > I'm finding nothing under Services that jumps out.
    >
    > CLIP FROM REF: "You have to do
    > a manual removal of the scheduled tasks and the service startup call."
    >
    > So how would I go about that? There are half a dozen listed svchost
    > processes, so I'm kind of in the dark here.
    >
    > Thanks again for all your help
    >


    Scheduled Tasks control panel. This article actually shows the
    thing in question.

    http://techpp.com/2008/11/03/how-to-remove-googleupdateexe/

    "You must find GoogleupdateTaskUser.exe in the scheduled task list"

    As for the Service entry, I can find this on a malware cleanup site.

    O23 - Service: Google Updater Service (gusvc) - Google -

    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    I'm no expert on this stuff, but if I was attempting to do this manually,
    first I'd stop the service, then try to delete it.

    Start>Control Panel>Administrative Tools>Services>Google Updater Service> Double click > Disabled

    There is a picture of the Google Updater Service entry here.
    This is where you'd change Automatic to Disabled.

    http://port16.com/blog/2007/09/29/remove-a-service-from-the-command-prompt/

    Once you back out of there (having clicked "Stop" and selected "Disabled"),
    as that article mentions, you could try

    sc delete gusvc

    from a command prompt window, and the theory is, that would cause
    the service to no longer appear in the Services list.

    Now, you'd have to ask yourself, if that thing was around, would it
    need C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    in order to work ? Or did it make a copy somewhere. I don't know the answer
    to that.

    I would think, if GoogleUpdaterService.exe exists, then the service could
    start each time the machine starts. (That's based on the entry in Services
    set to Automatic or whatever.)

    The removal from Scheduled Tasks, should have less issues with it, than
    fooling around with Services. And in Services, maybe "Disabled" is enough,
    without having to bother with sc delete gusvc.

    If you do a half-assed job of removal, I expect a side effect would be
    a new error entry in Event Viewer, each time you start the computer. That
    might be one consequence (if, say, you deleted GoogleUpdaterService.exe
    rather than work through Services).

    Just a guess,
    Paul
    Paul, Nov 21, 2011
    #6
  7. Paul snuck on to your hard drive to scribble:
    > James D Andrews wrote:
    >
    >>>
    >>> I found some info here. Hiding in an "svchost" trick.
    >>>
    >>> http://www.techtalkz.com/windows-help/5599-ot-google-earth-5-0-users-beware.html
    >>>
    >>>
    >>> Paul

    >>
    >> Thanks Paul
    >>
    >> I find no .msi file, or any other file for that matter, in the files that
    >> could be related.
    >>
    >> I'm finding nothing under Services that jumps out.
    >>
    >> CLIP FROM REF: "You have to do
    >> a manual removal of the scheduled tasks and the service startup call."
    >>
    >> So how would I go about that? There are half a dozen listed svchost
    >> processes, so I'm kind of in the dark here.
    >>
    >> Thanks again for all your help
    >>

    >
    > Scheduled Tasks control panel. This article actually shows the
    > thing in question.
    >
    > http://techpp.com/2008/11/03/how-to-remove-googleupdateexe/
    >
    > "You must find GoogleupdateTaskUser.exe in the scheduled task list"
    >
    > As for the Service entry, I can find this on a malware cleanup site.
    >
    > O23 - Service: Google Updater Service (gusvc) - Google -
    >
    > C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    >
    > I'm no expert on this stuff, but if I was attempting to do this manually,
    > first I'd stop the service, then try to delete it.
    >
    > Start>Control Panel>Administrative Tools>Services>Google Updater Service>
    > Double click > Disabled
    >
    > There is a picture of the Google Updater Service entry here.
    > This is where you'd change Automatic to Disabled.
    >
    > http://port16.com/blog/2007/09/29/remove-a-service-from-the-command-prompt/
    >
    > Once you back out of there (having clicked "Stop" and selected "Disabled"),
    > as that article mentions, you could try
    >
    > sc delete gusvc
    >
    > from a command prompt window, and the theory is, that would cause
    > the service to no longer appear in the Services list.
    >
    > Now, you'd have to ask yourself, if that thing was around, would it
    > need C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    > in order to work ? Or did it make a copy somewhere. I don't know the answer
    > to that.
    >
    > I would think, if GoogleUpdaterService.exe exists, then the service could
    > start each time the machine starts. (That's based on the entry in Services
    > set to Automatic or whatever.)
    >
    > The removal from Scheduled Tasks, should have less issues with it, than
    > fooling around with Services. And in Services, maybe "Disabled" is enough,
    > without having to bother with sc delete gusvc.
    >
    > If you do a half-assed job of removal, I expect a side effect would be
    > a new error entry in Event Viewer, each time you start the computer. That
    > might be one consequence (if, say, you deleted GoogleUpdaterService.exe
    > rather than work through Services).
    >
    > Just a guess,
    > Paul



    I'm guessing that somewhere over the past few days I did said
    half-assed job of removal.

    Google Updater doesn't show up in Services at all, so maybe service
    stopped? So I look to Event Viewer.

    As you noted, Event Viewer shows gupdate tried starting and stopped
    numerous times. I viewed subsequent entries and it appears that I
    successfully uninstalled both Google Earth and Google Update Helper.

    There are no new entries in the past couple of days, so I'm guessing
    the problem is gone for now.

    I really have to remember to use the Event Viewer more often.

    Thanks for your help Paul. Hopefully the problem is resolved.

    --
    -There are some who call me...
    Jim


    "You got to be careful if you don't know where you're going, because
    you might not get there."
    - Yogi Berra
    James D Andrews, Nov 22, 2011
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Martik

    google maps - alternative to google earth

    Martik, Jan 11, 2006, in forum: Computer Support
    Replies:
    9
    Views:
    870
    Geoff Pearson
    Jan 12, 2006
  2. Robert11
    Replies:
    1
    Views:
    1,039
    Bucky Breeder
    Nov 16, 2006
  3. Dan C

    Re: Install Google Earth, but where is it?

    Dan C, Jun 3, 2009, in forum: Computer Support
    Replies:
    0
    Views:
    412
    Dan C
    Jun 3, 2009
  4. VanguardLH

    Re: Install Google Earth, but where is it?

    VanguardLH, Jun 3, 2009, in forum: Computer Support
    Replies:
    0
    Views:
    515
    VanguardLH
    Jun 3, 2009
  5. Replies:
    2
    Views:
    132
    Jeff Strickland
    Feb 3, 2014
Loading...

Share This Page