Discussion in 'Computer Information' started by James D Andrews, Nov 19, 2011.

  1. So Google Earth installed itself out of the blue again last night. The
    last time it did, I uninstalled all Google products using Revo.

    So, a search showed I missed a file in my Temp directory with Google
    Updater in it, and a couple empty folders, and it has a prefetch from
    when it loaded last night.

    I found nothing as far as running applications/running
    processes/Startup items related to it, but apparently there are related
    registry items from previous installs that I'm unsure of.


    1. Can I (and should I even bother to) delete the Prefetch item?
    2. Are there specific registry items I can target to delete?

    I know there are several related to GoogleUpdate &
    GoogleUpdateProcessLauncher listed in the registry, but I'm not
    comfortable editing the registry without some handholding (wisely).

    3. Can the built-in Google searchbar in Firefox 8 be involved in this
    Google conspiracy?

    4. Is there a freeware Firewall program that would allow me to block
    this from recurring in the future?

    Personally, I consider any program that installs itself without my
    control to be malware, although that's really a loosely defined term.

    -There are some who call me...

    "You got to be careful if you don't know where you're going, because
    you might not get there."
    - Yogi Berra
    James D Andrews, Nov 19, 2011
  2. James D Andrews

    Paul Guest

    If you download Sysinternals Autoruns program, that provides a
    convenient way to turn off activities like that.

    It's not guaranteed to stop everything, or display every possible
    mechanism for code to run on a computer. For example, if you had a
    rootkit running on the computer, it's not going to "present an item
    to turn off TDSS". It only handles the simple-minded stuff, and gives
    you boxes to tick, to stop things (so no registry to edit). If the same
    item shows up tomorrow (two identical items, one ticked, one not ticked),
    then you'd have some idea that a new one was installed, after Autoruns
    took care of the original one. And then, you'd have to figure out how
    you got "reinfected".

    Paul, Nov 19, 2011
  3. Paul was thinking very hard and all he could come up with was:
    Definitely a good idea, Paul. I should have tried it when I had
    Windows System Control Center open for Process Explorer before.

    I made sure to check for it to show all. Unfortunately, I couldn't
    find anything related to the Google Updater. I'll have to remember to
    look here next time it happens.

    Thanks for the guidance.

    -There are some who call me...

    It's a dangerous business, going out your door. You step onto the road,
    and if you don't keep your feet, there's no knowing where you might be
    swept off to.
    -Samwise Gamgee quoting Bilbo Baggins, edited
    James D Andrews, Nov 20, 2011
  4. James D Andrews

    Paul Guest

    I found some info here. Hiding in an "svchost" trick.

    Paul, Nov 20, 2011
  5. Paul embroidered on the monitor:
    Thanks Paul

    I find no .msi file, or any other file for that matter, in the files
    that could be related.

    I'm finding nothing under Services that jumps out.

    CLIP FROM REF: "You have to do a manual removal of the scheduled
    tasks and the service startup call."

    So how would I go about that? There are half a dozen listed svchost
    processes, so I'm kind of in the dark here.

    Thanks again for all your help

    -There are some who call me...

    "Do, or do not. There is no 'try'."
    - Yoda ('The Empire Strikes Back')
    James D Andrews, Nov 20, 2011
  6. James D Andrews

    Paul Guest

    Scheduled Tasks control panel. This article actually shows the
    thing in question.

    "You must find GoogleupdateTaskUser.exe in the scheduled task list"

    As for the Service entry, I can find this on a malware cleanup site.

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    I'm no expert on this stuff, but if I was attempting to do this manually,
    first I'd stop the service, then try to delete it.

    Start>Control Panel>Administrative Tools>Services>Google Updater Service> Double click > Disabled

    There is a picture of the Google Updater Service entry here.
    This is where you'd change Automatic to Disabled.

    Once you back out of there (having clicked "Stop" and selected "Disabled"),
    as that article mentions, you could try

    sc delete gusvc

    from a command prompt window, and the theory is, that would cause
    the service to no longer appear in the Services list.

    Now, you'd have to ask yourself, if that thing was around, would it
    need C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    in order to work? Or did it make a copy somewhere? I don't know the answer
    to that.

    I would think, if GoogleUpdaterService.exe exists, then the service could
    start each time the machine starts. (That's based on the entry in Services
    set to Automatic or whatever.)

    The removal from Scheduled Tasks should have fewer issues with it than
    fooling around with Services. And in Services, maybe "Disabled" is enough,
    without having to bother with sc delete gusvc.

    If you do a half-assed job of removal, I expect a side effect would be
    a new error entry in Event Viewer, each time you start the computer. That
    might be one consequence (if, say, you deleted GoogleUpdaterService.exe
    rather than work through Services).

    Just a guess,
    Paul, Nov 21, 2011
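
The manual steps from the post above, collected into one command-prompt script. This is an added example, not part of the original post; the service name gusvc is the one quoted in the post, while the "google" task filter and the English schtasks field names are assumptions.

```bat
@echo off
rem Added example: inspect, stop and disable the updater service, then list
rem the scheduled tasks that could bring it back. Run from an administrator
rem command prompt.
setlocal
set SVC=gusvc

rem 1. Show the service configuration first: START_TYPE tells you whether it
rem    starts at boot, BINARY_PATH_NAME tells you which file it really runs.
sc qc %SVC%
if errorlevel 1 (
    echo Service %SVC% is not registered on this machine.
    goto tasks
)

rem 2. Stop the running instance, then set the start type to Disabled.
rem    The space after "start=" is required by sc.
sc stop %SVC%
sc config %SVC% start= disabled

rem 3. Confirm the result. STATE should read STOPPED. Only if the entry must
rem    also vanish from the Services list is "sc delete %SVC%" needed.
sc query %SVC%

:tasks
rem 4. Dump every scheduled task verbosely, keep only the name and command
rem    lines, then keep the ones that mention Google (assumed filter).
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Task To Run" | findstr /i "google"

rem 5. Remove a listed task by the exact name printed in step 4, for example:
rem    schtasks /delete /tn "<task name from step 4>" /f
endlocal
```

Running steps 1 to 3 before deleting any file under Program Files avoids the repeated service-start errors in Event Viewer that the post warns about.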
  7. Paul snuck on to your hard drive to scribble:

    I'm guessing that somewhere over the past few days I did said
    half-assed job of removal.

    Google Updater doesn't show up in Services at all, so maybe service
    stopped? So I look to Event Viewer.

    As you noted, Event Viewer shows gupdate tried starting and stopped
    numerous times. I viewed subsequent entries and it appears that I
    successfully uninstalled both Google Earth and Google Update Helper.

    There are no new entries in the past couple of days, so I'm guessing
    the problem is gone for now.

    I really have to remember to use the Event Viewer more often.

    Thanks for your help Paul. Hopefully the problem is resolved.

    James D Andrews, Nov 22, 2011
