
Unknown URL redirected to Kolmic.com


12 replies to this topic

#1 Fred7887

Fred7887

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 23 October 2007 - 05:45 AM

I'm looking for the community's feedback in locating a malware infection on a user's computer. Here is a breakdown of the malware behaviour:

- Infected computer is Windows XP SP2 with latest updates
- Unknown URLs are redirected to Kolmic.com (i.e. www.adjkhalksdjhlaskdjha.com will display www.kolmic.com, with a Network Solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)

My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URL's. I've looked through the Winsock configuration, and everything looks normal.

I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:

- anyone experiencing the same problem
- some explanation of what happens after the unknown URL is typed into the browser window from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review

Thanks again!

#2 mikieg

mikieg

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 15 November 2007 - 02:06 PM

Any luck in resolving this? I too am having the identical problem. It seems to be an infection of the PC because two of my others just give me the usual 404 message when I type in an invalid URL.

Any help would be appreciated.

#3 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 7,070 posts

Posted 15 November 2007 - 03:02 PM

mikieg - Fred7887 has not visited since that was posted. I would suggest that you review the forum FAQ, open a new topic in the forum Malware Removal and then post your HijackThis log.

#4 Fred7887

Fred7887

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 15 November 2007 - 05:51 PM

Sorry Mikieg. I have resolved this.

Turns out it's not spyware; the nameservers on a domain specified as a default DNS suffix were hijacked.

Basically the user's computer was configured with this default DNS suffix, so when accessing intranet applications you could use just the hostname. Well, the user had this hostname as the default homepage, so when they would go home and connect to the internet outside the work network, this intranet site for example:

http://myintranetsite

It would append, internalworkdomain.com, giving http://myintranetsit...lworkdomain.com

This only internally used domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers were replaced with ns1.lamedelegation.net. And this was the cause of why this hostname would look like kolmic.com.

Anyways, hope this helps.

Edited by Fred7887, 15 November 2007 - 05:52 PM.


#5 mikieg

mikieg

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 16 November 2007 - 05:55 PM

I finally figured this out too. Somehow the DNS settings have been changed in my LAN connection settings (and not by me may I add).

The culprit was an entry called "shsorg.net"

xxxxxxxxxxx Edit, please do not swear, this is a family forum - jedi

Edited by jedi, 17 November 2007 - 05:07 AM.


#6 hunter_alexander

hunter_alexander

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 January 2008 - 01:09 PM

I too have run into this problem.

My network at work is having this problem. If I do an ipconfig /displaydns it comes up with all this crap.

I flush the dns, clearing all entries, and the stuff immediately comes back.

Anyone know the fix yet?

Thanks

#7 bzp

bzp

    Member

  • New Member
  • Pip
  • 1 posts

Posted 30 January 2008 - 01:46 PM

Thanks for this information, but how can I clear this?

Any details you can provide would be greatly appreciated!

#8 Theo

Theo

    Member

  • New Member
  • Pip
  • 1 posts

Posted 15 February 2008 - 09:06 PM

bzp & hunter_alexander, the way to fix this is by changing the DNS config within your NIC's properties, under TCP/IP protocol. In my case the malware that did this had hardcoded the DNS entry in all my NICs' properties, so you had better check them all -- especially if you have both a regular one and WiFi.

The way to go is:
1.- Open CONTROL PANEL
2.- Double click NETWORK CONNECTIONS
3.- For all your NICs' entries: RIGHT CLICK -> PROPERTIES
4.- Scroll down and select TCP/IP PROTOCOL -> PROPERTIES
5.- Delete the malicious DNS entries and either set the right ones back manually or set it to be fetched automatically (default)
6.- ENJOY having beaten this frigging hack! :lol:
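Fred7887's post above describes an unqualified intranet hostname being completed with the machine's default DNS suffix, and Theo's fix is to inspect the DNS server entries on every NIC. As an added example (not code from this thread), the Python below parses a constructed `ipconfig /all` listing (the adapter names and the 203.0.113.x resolver are made up; 192.168.1.1 stands in for the expected internal resolver), shows which FQDNs a single-label name such as `myintranetsite` would be expanded to, and flags any adapter whose DNS servers fall outside a trusted set.

```python
import re
# Constructed sample of Windows XP "ipconfig /all" output (not from the thread);
# 203.0.113.x are documentation addresses standing in for a rogue resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
        Primary Dns Suffix  . . . . . . . : internalworkdomain.com
        DNS Suffix Search List. . . . . . : internalworkdomain.com
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        DNS Servers . . . . . . . . . . . : 192.168.1.1
Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . :
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            203.0.113.6
"""
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_ipconfig(text):
    """Return (dns_suffixes, {adapter_name: [dns_server, ...]})."""
    suffixes, adapters, current, cont = [], {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:                                   # new adapter section
            current, cont = m.group(1), None
            adapters[current] = []
            continue
        if cont and ":" not in line and line.strip():   # wrapped value line
            (adapters[current] if cont == "dns" else suffixes).append(line.strip())
            continue
        cont = None
        key, _, value = line.partition(":")
        key, value = key.strip(" ."), value.strip()
        if key in ("Primary Dns Suffix", "DNS Suffix Search List") and value:
            suffixes += [value] if value not in suffixes else []
            cont = "suffix"
        elif key == "DNS Servers" and current is not None:
            adapters[current] += IPV4_RE.findall(value)
            cont = "dns"
    return suffixes, adapters

def rogue_resolvers(adapters, trusted):
    """Adapters whose DNS servers are not in the trusted set (check every NIC)."""
    return {name: [ip for ip in ips if ip not in trusted]
            for name, ips in adapters.items() if set(ips) - set(trusted)}

def qualified_candidates(hostname, suffixes):
    """FQDNs tried for a single-label name: each configured suffix is appended in order."""
    return [f"{hostname}.{s}" for s in suffixes]
```

Run the parser against real `ipconfig /all` output and compare the result to the resolvers your network is supposed to hand out; an adapter listed by `rogue_resolvers` is the one to clean up in its TCP/IP properties.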

#9 stillmadatyoko64

stillmadatyoko64

    Member

  • New Member
  • Pip
  • 1 posts

Posted 12 March 2008 - 10:25 AM

I'm getting the same thing on my Mac using OSX Tiger 10.4.11 and Firefox 2. Anyone know the steps for removal on this platform?

#10 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,814 posts

Posted 17 March 2008 - 12:52 PM

Hi stillmadatyoko64,

This topic may be of help to you.


#11 deverill

deverill

    Member

  • New Member
  • Pip
  • 1 posts

Posted 29 June 2009 - 08:30 PM

For anyone like me looking for this on a Mac, I'm using Leopard and here's what I did to fix mine.

1 System Preferences
2 Network
3 Select the proper adapter - ethernet, airport, etc.
4 Search domains: <clear this>

Hope it helps someone. The above got me close and this was the solution that leapt out at me.

#12 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • PipPipPipPipPip
  • 8,814 posts

Posted 13 July 2009 - 01:24 PM

deverill,

That only removes part of the trojan, I'm afraid.

Install an antivirus for Mac (Sophos makes a good one), and follow the instructions in my previous post.


#13 Mistress12

Mistress12

    Member

  • Banned
  • Pip
  • 1 posts

Posted 10 September 2009 - 04:25 AM

Also try to use kaspersky anti-virus...I think they have good software to delete that virus...Or search some in the internet...

Edited by Budfred, 10 September 2009 - 07:31 AM.