Windows 10: Google redirection localhost.world

Found mine under C:\Users\username\AppData\Roaming\ConvertXtoDVD\settings.ini

 

Thanks for letting us know. Would you mind uploading the info in post #73, so we can try to find the source of this infection? Thanks.

 

Hi there, I updated post #71 with the requested zip file.

 

*Thumbs Thanks!

 

I was infected too. But only by its "localhost.world" script part.
Looking at the latter part of post #39 (by moraleja39), the one contributed by "mtmyoq.se" part of this Maleware, decoding its base64 encoded string:
==========
ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikp IHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30
==========


Leads to :
==========
function FindProxyForURL(url, host) { if (shExpMatch(host, "www.google.*")) return "PROXY 127.0.0.1:8080"; return "DIRECT";}
==========

Which seems (I presume - not an expert on "localhost" ports) that another flavor of this Maleware HiJacks any access to Google sites to a NOT used port (unless you have some server responding at port 8080 - alike your own WEB server running).

So it seems that this Maleware has 2 parts: the "localhost.world" script, and the "mtmyoq.se" part.
And that folks are infected by only 1 of them. Not by both at the same time.
Strange.

 

Hi rolibark and welcome to Tenforums.

Thanks very much for posting this info. Every little bit helps! Would you mind uploading the info in post #73, so we can try to find the source of this infection? Thanks! *Smile

 

Hi,
As I said - I was infected only by its "localhost.world" script part (not by its "mtmyop.se" part)
And I had the same cause for this Malware (the Adobe Updater) as "moraleja39" had.
So (I guess) there's no need for my system info.

 

Thank you very much. Now I also know what caused this. An illegal infected copy of Adobe *Sad

 

In my case it was an infected copy of Adobe. But this infection can also be hidden in other infected (cracked, illegal) software. The following is the content of my settings.ini file in C:\Users\Username\AppData\Roaming\Adobe Acrobat Pro DC.

This might help to track other .ini files. A Windows index search might not be sufficient, because the content is not indexed by default. Just search for all settings.ini files on your system disk and open them.

Code: [/quote]

 

Hi FBtje and welcome to Tenforums.
Thanks very much for letting us know this information. Very glad this thread has helped you. *Thumbs

 

Thanks a lot !
But, suppose we search & find all "settings.ini" files, how do we recognize an infected one ?

 

by opening them in notepad en look if the content matches the settings.ini I posted above *Smile
try to look in the C:\Users\Username first

 

Reading thru this thread it is my understanding that people had reported they got infected by various different flavors of "*.ini" files.
So it may be the case that your signature (for identifying the "smelly" *.ini file is not the same as theirs.

 

Hi,

I just got this host.world fellow too through downloading the latest microsoft toolkit.
Defender reacted immediately, though other programs did not find anything, I normally use Defender, Malwarebytes Antimalware and Anti-exploit premium, CCleaner.
I tried every other program mentioned in this topic, none of them found anything.
My only symptom is the fake google site which is annoying as it is.

 

Try this and see comments below:

• The scheduled task. Its name was "Adobe Acrobat Pro DC Update". You can open the task scheduler writingtaskschd.msc on the start menu search bar and hitting enter.
• A file named "settings.ini" located on %APPDATA%\Adobe Acrobat Pro DC". Full path could be "C:\Users\[username]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini".
• In my case, two fake certificates. Open the certificate manager writing certmgr.msc on the start menu and hitting enter. The certificates are named "DO_NOT_TRUST_FiddlerRoot" and are under the folder "trusted root CAs" (or however it is in English)
• Registry changes used to force proxy usage. In my case, I totally deleted the following values:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
• Just in case it is still enabled, disable the proxy. Go to control panel, internet settings, connections, LAN settings, and disable all checkboxes.

But in your case the scheduled task is: "Microsoft Toolkit Update". Delete this task
And your *.ini file could be in C:\Users\[username]\AppData\Local\Microsoft Toolkit. Delete this folder completely