Windows 10: Google redirection localhost.world

Wow. What AV do you use? @moraleja39 is using ESET.

 

No problem, I am glad I could help. If you need it I can write with greater detail what I did to remove it.

 

Yes please we need the detail. Thanks! *Thumbs

 

Windows Defender. I did a full scan with ESET and Comodo also. That's crazy nothing picked this up.

That would be great. I deleted the task and ini file but not sure what registry changes to fix

 

I am thinking this needs to be reported to the AVs.

 

Here are all the things I had to wipe:

• The scheduled task. Its name was "Adobe Acrobat Pro DC Update". You can open the task scheduler writing taskschd.msc on the start menu search bar and hitting enter.
• A file named "settings.ini" located on %APPDATA%\Adobe Acrobat Pro DC". Full path could be "C:\Users\[username]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini".
• In my case, two fake certificates. Open the certificate manager writing certmgr.msc on the start menu and hitting enter. The certificates are named "DO_NOT_TRUST_FiddlerRoot" and are under the folder "trusted root CAs" (or however it is in English)
• Registry changes used to force proxy usage. In my case, I totally deleted the following values:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
• Just in case it is still enabled, disable the proxy. Go to control panel, internet settings, connections, LAN settings, and disable all checkboxes.

I also will attach the removed INI and certificate files, just in case they could be of use to anybody reading this, as they are not dangerous per se.

 

Yeah, I think that too. Any idea on how to do that?

 

So, I am going through the thread, and noting everything that has been run by people infected with this:

ESET
Defender
Malwarebytes Anti-rootkit
Malwarebytes Antimalware
TDSSKiller
HitmanPro
ZHPCleaner
RogueKiller
Comodo Rescue Disk
Spybot
ADWCleaner
RKILL
JRT
Resetting all browsers/Flushing DNS

Yes, I have info on how to report this to the AVs.

 

Looks like it did show up on Rkill but looked meaningless

2015-12-09 11:30 - 2015-12-16 18:00 - 00000548 _____ C:\WINDOWS\Tasks\Adobe Acrobat Pro DC Update.job
2015-12-09 11:30 - 2015-12-09 11:30 - 00003448 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Pro DC Update
2015-12-09 11:30 - 2015-12-09 11:30 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Adobe Acrobat Pro DC

 

So RKILL temporarily stopped it, but everything goes back to status quo upon reboot. And because it's disguised as Acrobat update, it wasn't flagged by any of the AVs or other scanners.

 

@mixolyd Now that you are clean, I would recommend running CryptoPrevent on your system. This program was originally written to prevent encryption infections, but also includes protection for a whole host of other infections as well. It works by setting Group Policies, preventing malware from running executables from typical places such as the App Data folder. There's a free version, which you run once, set the protection, and then occasionally manually update.

 

Thank you very much for your efforts! *Thumbs

 

Will do. Thanks!

 

Here is the solution, found in post #49.
Please perform the steps indicated and advise if that resolves things for you as well. If so, please mark the thread as solved, and modify your first post to show post #49 as the solution. Thanks.

 

Guys, here is the solution, found in post #49.
Please perform the steps indicated and advise if that resolves things for you as well.

Many thanks to @moraleja39 for the investigative work!