Google Redirect Virus

The Doctor

Demosthenes has the Google Redirect Virus and is incapable of getting rid of it.

We've isolated the virus; however, it's attached itself to a service, "Windows Image Acquisition." There are two of them in the process list. When trying to stop one service, the one with a description, it works. However, with the one without a description, it says that it is unable to stop the process.


c:\programdata\api-ms-win-core-misc-l1-1-032.dll

Is the virus. Apparently it's pretty well known.

If anyone can help, it would be greatly appreciated.

Edit: Now there are two of the virus, one a .dll and the other a .exe.

Now it says it's attached to "Power" which I believe is a vital process.
 

-Yard-

Yeah, I've had it before; it's malware that installs itself onto your computer.

Download Malwarebytes.

Install it, do a scan and remove it.
 

The Doctor

We have MalwareBytes, it comes up with nothing.

We've tried several different things, and nothing.


Most likely we'll have to end this manually; however, it's acting as though it's intelligent.
 

-Yard-

Try this program then


If it still doesn't find it then follow this guide.


 

The Doctor

Antivirus isn't what we need here. >_<

We've deleted them for now, we're running a trial time right now to see if it's still going to redirect. Nothing yet.
 

Demosthenes

I took a chance with guessing which Power Service was the fake one, setting it to be disabled on start-up. o_o
I was fortunate enough to have chosen the correct one and, upon attempting to delete the virus manually again, I found that I could. As of now, I have yet to see anything to lead me to believe that the virus is still present.
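
Two service entries with the same display name, as described in this thread, can be compared side by side before one of them is disabled. The following PowerShell is an added example, not part of the original posts; the `$report` variable and the "user-writable location" heuristic are assumptions made for illustration.

```powershell
# Added example: list services that share a display name or run from
# user-writable locations, so duplicates can be compared side by side.
$services = Get-CimInstance -ClassName Win32_Service

# Display names that appear on more than one service entry
$dupNames = @($services | Group-Object { "$($_.DisplayName)".Trim() } |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

# Locations writable without admin rights (heuristic assumed for this example)
$roots = @($env:ProgramData, "$env:SystemDrive\Users") |
    ForEach-Object { [regex]::Escape($_) }
$writablePattern = '^(' + ($roots -join '|') + ')\\'

$report = foreach ($svc in $services) {
    # Services hosted in svchost.exe keep their real module in Parameters\ServiceDll
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

    # Otherwise take the executable out of the command line in PathName
    $exe = if ("$($svc.PathName)" -match '^\s*"?(.+?\.exe)') { $Matches[1] }
    $image = if ($dll) { $dll } else { $exe }

    $isDup = $dupNames -contains "$($svc.DisplayName)".Trim()
    $isWritable = $image -and ($image -match $writablePattern)
    if (-not ($isDup -or $isWritable)) { continue }

    # A status other than Valid is a reason to look closer, not proof
    $sig = if ($image -and (Test-Path -LiteralPath $image)) {
        (Get-AuthenticodeSignature -LiteralPath $image).Status
    } else { 'file not found' }

    [pscustomobject]@{
        Name           = $svc.Name
        DisplayName    = $svc.DisplayName
        HasDescription = -not [string]::IsNullOrWhiteSpace($svc.Description)
        StartMode      = $svc.StartMode
        Image          = $image
        Signature      = $sig
    }
}

$report | Sort-Object DisplayName, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the registry and file checks are not blocked. A row whose display name matches a built-in service but whose image sits under `C:\ProgramData` or a user profile, with no description, is the entry to examine first.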
 

-Yard-

We deleted it after the thread was posted, and for now, it's still going on a trial and error basis.
I suggest you check these locations then to see if that really got rid of it, and if there are any files there, delete them.

 

The Doctor

As Demos said, he got rid of the files. If it continues to redirect within the next 24 hours, we'll make another post regarding the problem.
 