Google redirection localhost.world

  1. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #51

    So, I am going through the thread, and noting everything that has been run by people infected with this:

    ESET
    Defender
    Malwarebytes Anti-rootkit
    Malwarebytes Antimalware
    TDSSKiller
    HitmanPro
    ZHPCleaner
    RogueKiller
    Comodo Rescue Disk
    Spybot
    ADWCleaner
    RKILL
    JRT
    Resetting all browsers/Flushing DNS

    Yes, I have info on how to report this to the AVs.


  2. Posts : 21
    10 64bit
       #52

    Looks like it did show up on Rkill but looked meaningless

    2015-12-09 11:30 - 2015-12-16 18:00 - 00000548 _____ C:\WINDOWS\Tasks\Adobe Acrobat Pro DC Update.job
    2015-12-09 11:30 - 2015-12-09 11:30 - 00003448 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Pro DC Update
    2015-12-09 11:30 - 2015-12-09 11:30 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Adobe Acrobat Pro DC

  3. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #53

    mixolyd said:
    Looks like it did show up on Rkill but looked meaningless

    2015-12-09 11:30 - 2015-12-16 18:00 - 00000548 _____ C:\WINDOWS\Tasks\Adobe Acrobat Pro DC Update.job
    2015-12-09 11:30 - 2015-12-09 11:30 - 00003448 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Pro DC Update
    2015-12-09 11:30 - 2015-12-09 11:30 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Adobe Acrobat Pro DC

    So RKILL temporarily stopped it, but everything goes back to status quo upon reboot. And because it's disguised as Acrobat update, it wasn't flagged by any of the AVs or other scanners.

  4. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #54

    @mixolyd Now that you are clean, I would recommend running CryptoPrevent on your system. This program was originally written to prevent encryption infections, but also includes protection for a whole host of other infections as well. It works by setting Group Policies, preventing malware from running executables from typical places such as the App Data folder. There's a free version, which you run once, set the protection, and then occasionally manually update.

  5. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #55

    moraleja39 said:
    Here are all the things I had to wipe:

    • The scheduled task. Its name was "Adobe Acrobat Pro DC Update". You can open the Task Scheduler by typing taskschd.msc in the Start menu search bar and hitting Enter.
    • A file named "settings.ini" located in "%APPDATA%\Adobe Acrobat Pro DC". The full path could be "C:\Users\[username]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini".
    • In my case, two fake certificates. Open the certificate manager by typing certmgr.msc in the Start menu and hitting Enter. The certificates are named "DO_NOT_TRUST_FiddlerRoot" and are under the folder "trusted root CAs" (or however it is in English).
    • Registry changes used to force proxy usage. In my case, I totally deleted the following values:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
      • HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
      • HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache

    • Just in case it is still enabled, disable the proxy. Go to control panel, internet settings, connections, LAN settings, and disable all checkboxes.


    I also will attach the removed INI and certificate files, just in case they could be of use to anybody reading this, as they are not dangerous per se.

    Thank you very much for your efforts!
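A read-only check for the artifacts listed in the cleanup steps quoted above, as an added example that is not part of the original thread. It only reports and deletes nothing; the task name, file path, certificate name and first three registry values are the ones the post gives, while `ProxyServer` and the function names are assumptions added here.

```powershell
# Read-only audit of the artifacts listed in the post above; nothing is deleted.
# Run as the affected user so HKCU, %APPDATA% and Cert:\CurrentUser resolve to that profile.
function New-Finding($Kind, $Location, $Detail) {
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
}

function Get-RedirectArtifact {
    $taskName = 'Adobe Acrobat Pro DC Update'   # task name from the thread

    # Scheduled task, plus the legacy .job file seen in the scan log in post #52
    Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        New-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd
    }
    $job = Join-Path $env:WINDIR "Tasks\$taskName.job"
    if (Test-Path -LiteralPath $job) { New-Finding 'LegacyJobFile' $job '' }

    # settings.ini in the fake "Adobe Acrobat Pro DC" folder under %APPDATA%
    $ini = Join-Path $env:APPDATA 'Adobe Acrobat Pro DC\settings.ini'
    if (Test-Path -LiteralPath $ini) {
        New-Finding 'File' $ini "LastWriteTime=$((Get-Item -LiteralPath $ini).LastWriteTime)"
    }

    # Fiddler-named root certificates in the user and machine trusted-root stores
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' } |
            ForEach-Object { New-Finding 'RootCertificate' $store "$($_.Thumbprint) NotBefore=$($_.NotBefore)" }
    }

    # Proxy-forcing registry values; the first three are from the post,
    # ProxyServer is an assumption added here to cover the manual LAN-settings step.
    $is = 'Windows\CurrentVersion\Internet Settings'
    $values = @(
        @{ Key = "HKCU:\Software\Microsoft\$is"; Name = 'AutoConfigURL' }
        @{ Key = "HKCU:\Software\Wow6432Node\Microsoft\$is"; Name = 'AutoConfigURL' }
        @{ Key = "HKCU:\Software\Policies\Microsoft\$is"; Name = 'EnableAutoProxyResultCache' }
        @{ Key = "HKCU:\Software\Microsoft\$is"; Name = 'ProxyServer' }
    )
    foreach ($v in $values) {
        $p = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $p) { New-Finding 'RegistryValue' "$($v.Key)\$($v.Name)" ($p.($v.Name)) }
    }
}

Get-RedirectArtifact | Format-Table -AutoSize -Wrap
```

A `DO_NOT_TRUST_FiddlerRoot` hit is also what a deliberate Fiddler HTTPS-decryption setup leaves behind, so it is only suspicious on a machine where nobody installed Fiddler.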


  6. Posts : 21
    10 64bit
       #56

    simrick said:
    @mixolyd Now that you are clean, I would recommend running CryptoPrevent on your system. This program was originally written to prevent encryption infections, but also includes protection for a whole host of other infections as well. It works by setting Group Policies, preventing malware from running executables from typical places such as the App Data folder. There's a free version, which you run once, set the protection, and then occasionally manually update.

    Will do. Thanks!

  7. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #57

    flavien317 said:
    I have Windows 10. Sometimes a cmd popup shows and closes my Chrome browser. After that, if I do a search on Google, it redirects to a fake Google. I go to Internet Options, Connections, network configuration, and I have this:

    Attachment 43714

    I have cleaned up with Kaspersky, CCleaner and AdwCleaner, and it doesn't work. How do I solve it?

    Here is the solution, found in post #49.
    Please perform the steps indicated and advise if that resolves things for you as well. If so, please mark the thread as solved, and modify your first post to show post #49 as the solution. Thanks.

  8. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #58

    nakiel said:
    Nah... still not gotten rid of it...

    Malwarebytes Anti-Malware found some more unwanted stuff; works for now

    pnrao1948 said:
    After using almost all antivirus, spyware and malware removing programs and crashing one computer, I found out a workaround.
    And that is to delete the infected account and start a new account.

    Maintown said:
    I am also having this EXACT problem. I have the same registry key listed above and cleared it just now (thanks, this is the only thing I have missed so far), otherwise I have run all the suggested fixes and tools to no avail. Glad I found this thread and that I am not the only one with the issue. I will update on the status of what happens with mine.

    Guys, here is the solution, found in post #49.
    Please perform the steps indicated and advise if that resolves things for you as well.

    Many thanks to @moraleja39 for the investigative work!

  9. eLPuSHeR's Avatar
    Posts : 2,447
    Windows 10 Home x64
       #59

    I wonder if this is related or not...

  10. simrick's Avatar
    Posts : 16,108
    W10Prox64
       #60

    eLPuSHeR said:
    I wonder if this is related or not...

    I don't think so, as TDSSKiller was run and did nothing on one infected system.
    Last edited by simrick; 28 Dec 2015 at 19:24.


 
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

All times are GMT -5. The time now is 22:29.