Posted 13 December 2011 - 03:42 PM
A couple of days ago I was using my computer early in the morning. I had my online school open in Firefox and was working on homework in a couple of different windows. All of a sudden all of the Firefox windows started closing one by one, my mouse quit responding to me, windows started popping up "delayed write failed" (hard drive failure), then errors popped up saying hard drive errors were found and it wanted to scan. I said no, but then it popped up again and I said no again and it started to do so anyway. So, I tried CTRL+ALT+DEL to get my task manager up, and it was gone as an option. Tried pulling up the administrative tools and they were all gone! My virus scanner notification window popped up, but there was no item listed. So I'm like uhhhh ohh.

So I immediately rebooted, did a hard drive check in the BIOS just to make sure, and all was good. Booted back into safe mode, ran a system restore. Administrative tools were still gone. Booted back into regular mode and was able to run task manager. I found some weird gt processes (3 of them) and they appeared weird. There was no description, and the properties showed the files to be in what appeared to be a directory mirrored after the system32 folder, located in c:\windows\sysWOW64, and there were three different services.

Still without my admin tools, I manually launched the services snap-in. Set the GT services to disabled and tried to stop them... access denied. After doing so, the processes reset themselves to automatic start again! Dependencies showed they were hooked into the Windows logon and rpcnet process. I went into the folder and found logs for the item; it looked like it was hooking in not only at Windows logon but any time you try to stop the services, and it was also launched any time the rpcnet services started. So, I once again reset the gt services back to disabled, rebooted into safe mode, and they didn't start.
That enabled me to delete the folder, but when I tried to remove the services manually from a command prompt using the sc delete command, access denied. So, I had to go into the registry and delete each, then reboot again. After that, it appeared to be gone. I fixed my administrative tools afterwards and ran a virus scan with nothing found.
Today I was again working on homework logged into the school's online system (a final) and my computer all of a sudden locked. It would not respond to CTRL+ALT+DEL or anything, so I had to manually shut it down. Once I rebooted, I immediately checked the event viewer and found items relating back to the gt services... it kept trying to start them, said they were not found, and indicated that as a result it forced a shutdown of the machine. I then checked the tasks: no gt services there; however, my HyperSnap, which allows me to capture screen prints, was gone (completely empty) and the task scheduler appeared on the start menu. So I went into services, and once again services for... I thought that was weird because I have never even opened the task scheduler before. So I open it and find the entries for gpsvc, gupdate, and gupdatem all running. This time the description says these services are needed to keep your Google software up to date. I find this strange since I don't have any Google software installed, including Earth, Chrome, etc. I go into the registry and find that gpsvc is using the "SeImpersonatePrivilege" and a few others, which I snapped a screen print of. I also notice an rpcnet.exe starting from the same c:\windows\sysWow64\ folder. So I again disable the services, remove the registry entries and reboot, but after doing so I check the task scheduler and find two interesting entries.
"GoogleUpdateTaskMachineCore", which is triggered upon the logon of any user and daily at 6:01 AM and repeats every 1 hour per day, is using my username to start and starts c:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c.
GoogleUpdate.exe's digital signature shows the name of the signer, but no email address or current timestamp.
The other, "GoogleUpdateTaskMachineUA", also starts at 6:01 AM (but not upon login), and runs c:\Program Files (x86)\Google\Update\GoogleUpdate /ua /installsource scheduler
So I deleted both tasks, but now I have the rpcnept.exe which is in use, and I can't delete the entire c:\windows\sysWow64 folder, and I'm left wondering what and why these gt services items are and how I can get rid of them, since I don't have any Google software installed, and I don't think they're really Google related anyway. There are a whole bunch of other files in this folder with names that scare me as well, such as a whole bunch of installers, DLLs, and rekeywiz.exe, rpcping, runcplelevated?
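The post above works through three persistence points by hand: services whose dependencies tie them to logon and RPC, scheduled tasks that re-launch a binary at logon and on a timer, and the privileges a service is granted in the registry. The following PowerShell triage script is an added example, not from the original post or from any vendor: it reports those same three things read-only so they can be reviewed together before anything is deleted. The two GoogleUpdateTaskMachine* task names and the `/c` and `/ua /installsource scheduler` arguments are what Google Update normally registers, so the Authenticode status and file hash of the binary the task actually points at are what separate a genuine install from something borrowing the name. The script assumes an elevated PowerShell 4.0 or later session with the ScheduledTasks module (Windows 8 / Server 2012 or later); on Windows 7, `schtasks.exe /query /fo LIST /v` gives the same task detail.

```powershell
# Added defender-side triage example (not part of the original post).
# Assumes: elevated PowerShell 4.0+, ScheduledTasks module available.
# Read-only: nothing here stops, disables or deletes anything.

function Get-BinaryTrust {
    # Authenticode status and SHA-256 for one executable path, tolerant of
    # quoted paths and environment variables as they appear in task actions.
    param([Parameter(Mandatory)][string]$RawPath)
    $path = [Environment]::ExpandEnvironmentVariables($RawPath.Trim('"'))
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Status = 'FileMissing'; Signer = ''; Timestamped = $false; SHA256 = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path        = $path
        Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = [bool]$sig.TimeStamperCertificate # $false matches "no current timestamp"
        SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

Write-Host "== Services not running from \Windows\System32, with dependencies and privileges =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\System32\\' } |
    ForEach-Object {
        $svc = Get-Service -Name $_.Name -ErrorAction SilentlyContinue
        # RequiredPrivileges is the REG_MULTI_SZ the post found under the service key
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        $privs = (Get-ItemProperty -Path $regKey -Name RequiredPrivileges -ErrorAction SilentlyContinue).RequiredPrivileges
        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State
            StartMode  = $_.StartMode
            PathName   = $_.PathName
            DependsOn  = ($svc.ServicesDependedOn | ForEach-Object Name) -join ','
            Privileges = ($privs -join ',')
        }
    } | Format-List

Write-Host "== Scheduled tasks: who runs them, what they launch, and what the binary's signature says =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }       # skip COM-handler actions, which have no Execute
        $trust = Get-BinaryTrust -RawPath $action.Execute
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            RunAs     = $task.Principal.UserId
            Execute   = $trust.Path
            Arguments = $action.Arguments
            Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task','' }) -join ','
            SigStatus = $trust.Status
            Signer    = $trust.Signer
            Timestamp = $trust.Timestamped
            SHA256    = $trust.SHA256
        }
    }
} | Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.Timestamp } | Format-List

Write-Host "== Services that depend on the logon and RPC services (the hook the post describes) =="
foreach ($anchor in 'RpcSs', 'Netlogon') {
    $dependents = (Get-Service -Name $anchor -ErrorAction SilentlyContinue).DependentServices | ForEach-Object Name
    "{0,-10} <- {1}" -f $anchor, ($dependents -join ', ')
}
```

The second block filters to tasks whose launched binary is not both validly signed and timestamped, which is exactly the combination the post noticed on GoogleUpdate.exe; dropping that `Where-Object` lists every task. The SHA-256 it prints is what to submit to a scanning service or compare against a known-good copy before deciding whether a task or service is worth removing, and the dependency listing shows which services would be affected by stopping RpcSs or Netlogon, which is why `sc stop` on something chained to them returns access denied rather than failing cleanly.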