
Unknown URL redirected to Kolmic.com
#1
Posted 23 October 2007 - 05:45 AM
- Infected computer is Windows XP SP2 with latest updates
- Unknown URLs are redirected to Kolmic.com (e.g. www.adjkhalksdjhlaskdjha.com will display www.kolmic.com, with a Network Solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)
My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URLs. I've looked through the Winsock configuration, and everything looks normal.
I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:
- anyone experiencing the same problem
- some explanation of what happens after the unknown URL is typed into the browser window, from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review
Thanks again!
#2
Posted 15 November 2007 - 02:06 PM
Any help would be appreciated.
I'm looking for the community's feedback in locating a malware infection on a user's computer. Here is a breakdown of the malware behaviour:
- Infected computer is Windows XP SP2 with latest updates
- Unknown URLs are redirected to Kolmic.com (e.g. www.adjkhalksdjhlaskdjha.com will display www.kolmic.com, with a Network Solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)
My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URLs. I've looked through the Winsock configuration, and everything looks normal.
I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:
- anyone experiencing the same problem
- some explanation of what happens after the unknown URL is typed into the browser window, from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review
Thanks again!
#3
Posted 15 November 2007 - 03:02 PM
Hope is not a method.
#4
Posted 15 November 2007 - 05:51 PM
Turns out it's not spyware; the nameservers on a domain specified as a default DNS suffix were hijacked.
Basically the user's computer was configured with this default DNS suffix, so when accessing intranet applications you could use just the hostname. Well, the user had this hostname as the default homepage, so when they went home and connected to the internet outside the work network, this intranet site, for example:
http://myintranetsite
It would append internalworkdomain.com, giving http://myintranetsit...lworkdomain.com
This internal-only domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers had been replaced with ns1.lamedelegation.net. This was why the hostname would end up looking like kolmic.com.
Anyways, hope this helps.
Edited by Fred7887, 15 November 2007 - 05:52 PM.
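The mechanism Fred7887 describes, as an added example that is not part of the thread: a small Python model of Windows suffix appending for a single-label hostname, run against a constructed two-view resolver table, which flags the intranet name when it resolves through the search suffix to an address outside the organisation's internal ranges. The hostname and suffix are from the post; the 10.0.0.0/8 range, the 10.20.30.40 answer and both resolver tables are assumptions, and 209.62.20.188 is one of the destination addresses the thread reports.

```python
import ipaddress

# Constructed data (not from the thread): the range where this organisation's
# internal hosts live, plus two resolver views. The suffix/hostname are from the
# post; 209.62.20.188 is a destination address the thread reports seeing.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# On the work LAN the internal DNS server answers for the suffix domain.
ON_NETWORK_DNS = {"myintranetsite.internalworkdomain.com": "10.20.30.40"}
# Off the LAN the same name reaches the domain's public delegation; with the
# nameservers replaced, every hostname under it answers with a parking address.
OFF_NETWORK_DNS = {"myintranetsite.internalworkdomain.com": "209.62.20.188"}


def candidate_names(hostname, search_list):
    """Mimic suffix appending: a single-label name is never queried bare, each
    configured suffix is appended in order; multi-label names are tried as
    typed first, then with each suffix."""
    labels = [lbl for lbl in hostname.rstrip(".").split(".") if lbl]
    name = ".".join(labels)
    candidates = [] if len(labels) == 1 else [name]
    candidates += [f"{name}.{s.strip('.')}" for s in search_list]
    return candidates


def resolve(hostname, search_list, dns_view):
    """Return (fqdn, ip) for the first candidate the resolver view answers,
    or (None, None) when every candidate is NXDOMAIN."""
    for fqdn in candidate_names(hostname, search_list):
        if fqdn in dns_view:
            return fqdn, dns_view[fqdn]
    return None, None


def audit_suffix_leak(hostname, search_list, dns_view):
    """Flag an intranet hostname that resolves, via a search suffix, to an
    address outside the internal ranges: the symptom of the suffix domain
    answering from the public Internet (here, through hijacked nameservers)."""
    fqdn, ip = resolve(hostname, search_list, dns_view)
    if ip is None:
        return {"fqdn": None, "ip": None, "external": False}
    addr = ipaddress.ip_address(ip)
    return {"fqdn": fqdn, "ip": ip,
            "external": not any(addr in net for net in INTERNAL_RANGES)}


if __name__ == "__main__":
    for label, view in (("on-network", ON_NETWORK_DNS), ("off-network", OFF_NETWORK_DNS)):
        print(label, audit_suffix_leak("myintranetsite", ["internalworkdomain.com"], view))
```

Run against real resolvers, the same check amounts to comparing what a roaming laptop gets for its intranet names with what it gets on the LAN.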
#5
Posted 16 November 2007 - 05:55 PM
The culprit was an entry called "shsorg.net"
xxxxxxxxxxx Edit, please do not swear, this is a family forum - jedi
Edited by jedi, 17 November 2007 - 05:07 AM.
#6
Posted 30 January 2008 - 01:09 PM
My network at work is having this problem. If I do an ipconfig /displaydns it comes up with all this crap.
I flush the DNS, clearing all entries, and the stuff immediately comes back.
Anyone know the fix yet?
Thanks
#7
Posted 30 January 2008 - 01:46 PM
Any details you can provide would be greatly appreciated!
Sorry Mikieg. I have resolved this.
Turns out it's not spyware; the nameservers on a domain specified as a default DNS suffix were hijacked.
Basically the user's computer was configured with this default DNS suffix, so when accessing intranet applications you could use just the hostname. Well, the user had this hostname as the default homepage, so when they went home and connected to the internet outside the work network, this intranet site, for example:
http://myintranetsite
It would append internalworkdomain.com, giving http://myintranetsit...lworkdomain.com
This internal-only domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers had been replaced with ns1.lamedelegation.net. This was why the hostname would end up looking like kolmic.com.
Anyways, hope this helps.
#8
Posted 15 February 2008 - 09:06 PM
The way to go is:
1.- Open CONTROL PANEL
2.- Double click NETWORK CONNECTIONS
3.- For all your NICs' entries: RIGHT CLICK -> PROPERTIES
4.- Scroll down and select TCP/IP PROTOCOL -> PROPERTIES
5.- Delete the malicious DNS entries and either set the right ones back manually or set it to be fetched automatically (default)
6.- ENJOY having beaten this frigging hack!

#9
Posted 12 March 2008 - 10:25 AM
#10
Posted 17 March 2008 - 12:52 PM
#11
Posted 29 June 2009 - 08:30 PM
For anyone like me looking for this on a Mac, I'm using Leopard and here's what I did to fix mine.
I'm getting the same thing on my Mac using OSX Tiger 10.4.11 and Firefox 2. Anyone know the steps for removal on this platform?
1 System Preferences
2 Network
3 Select the proper adapter - ethernet, airport, etc.
4 Search domains: <clear this>
Hope it helps someone. The above got me close and this was the solution that leapt out at me.
#12
Posted 13 July 2009 - 01:24 PM
That only removes part of the trojan, I'm afraid.
Install an antivirus for Mac (Sophos makes a good one), and follow the instructions in my previous post.
#13
Posted 10 September 2009 - 04:25 AM
Regards
Albert
AD removed
Edited by Budfred, 10 September 2009 - 07:31 AM.