Computer Security & Viruses/Google Updater used as part of a virus
Expert: Lorry - 5/5/2009
Question: I've had a great track record of avoiding viruses; however, I now have one with the Google Updater.
My protection programs won't fix it, so I'm trying to look into it myself... any help will be greatly appreciated.
It seems the svchost.exe RPC mechanism now has a child GoogleUpdater process. I uploaded a Process Explorer screenshot of this; a picture can be worth a thousand words:
http://s574.photobucket.com/albums/ss189/codeMonkey/?action=view&current=virusPr...
The RPC service stop button is now grayed out on the service properties menu, so I can't stop RPC. Occasionally, a Trojan-horse.exe appears in my temp directory, and AVG catches it on an open and identifies it as a Trojan-horse.
Have you ever dealt with or seen something like this before?
Thanks much for considering my question.
Answer: Hi David,
This is the first I have heard of this. Saying that, check out the following:
http://www.google.com/support/pack/bin/answer.py?hl=en&answer=55950
http://www.google.si/support/pack/bin/static.py?page=known_issues.cs
Not sure if Symantec would flag Google or not, but, using Internet Explorer, go to:
http://security.symantec.com/sscv6/WelcomePage.asp
Click "Continue to Symantec Security Check". In the next window, click No when asked if you want to close this window; that will bring you to a window where you should click Virus Detection.
Write down exactly anything it finds, then go to:
http://www.symantec.com/search/ and do a search for what was found. Symantec usually has a removal tool and/or directions for removing manually. Make sure that you follow the instructions for removal, step by step, especially the part regarding disabling System Restore.
Hope this helps!
Lorry