I'm looking for the communities feedback in locating a malware infection on a users computer. Here is a breakdown of the malware behaviour:
- Infected computer is Windows XP SP2 with latest updates
- Unknown URL's are redirected to Kolmic.com (i.e. www.adjkhalksdjhlaskdjha.com, will display www.kolmic.com, with a network solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)
My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URL's. I've looked through the Winsock configuration, and everything looks normal.
I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:
- anyone experiencing the same problem
- some explaination of what happens after the unknown URL is typed into the browser window from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review
Thanks again!
Unknown URL redirected to Kolmic.com
Started by
Fred7887
, Oct 23 2007 05:45 AM
12 replies to this topic
#2
mikieg
-
- Full Member
-
- 2 posts
Member
Posted 15 November 2007 - 02:06 PM
Any luck in resolving this? I too am having the identical problem. It seems to be an infection of the PC because two of my others just give me the usual 404 message when I type in an invalid URL.
Any help would be appreciated.
Any help would be appreciated.
I'm looking for the communities feedback in locating a malware infection on a users computer. Here is a breakdown of the malware behaviour:
- Infected computer is Windows XP SP2 with latest updates
- Unknown URL's are redirected to Kolmic.com (i.e. www.adjkhalksdjhlaskdjha.com, will display www.kolmic.com, with a network solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)
My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URL's. I've looked through the Winsock configuration, and everything looks normal.
I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:
- anyone experiencing the same problem
- some explaination of what happens after the unknown URL is typed into the browser window from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review
Thanks again!
#3
Indrid_Cold
-
- Global Moderator
-
- 7,116 posts
Forum Deity
Posted 15 November 2007 - 03:02 PM
mikieg - Fred7887 has not visited since that was posted. I would suggest that you review the forum FAQ, open a new topic in the forum Malware Removal and then post your HijackThis log.
Hope is not a method.
If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here
Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators
#4
Fred7887
-
- Full Member
-
- 2 posts
Member
Posted 15 November 2007 - 05:51 PM
Sorry Mikieg. I have resolved this.
Turns out it's not spyware, the nameservers on a domain specified as a default DNS suffix were hijacked.
Basically the users computer was configured with this default DNS suffix, so when accessing Intranet applications you could use just the hostname. Well the user had this hostname as the default homepage, when they would go home connect to the internet outside the work network, this intranet site for example:
http://myintranetsite
It would append, internalworkdomain.com, giving http://myintranetsit...lworkdomain.com
This only internally used domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers were replaced with ns1.lamedelegation.net. And this was the cause of why this hostname would look like kolmic.com.
Anyways, hope this helps.
Turns out it's not spyware, the nameservers on a domain specified as a default DNS suffix were hijacked.
Basically the users computer was configured with this default DNS suffix, so when accessing Intranet applications you could use just the hostname. Well the user had this hostname as the default homepage, when they would go home connect to the internet outside the work network, this intranet site for example:
http://myintranetsite
It would append, internalworkdomain.com, giving http://myintranetsit...lworkdomain.com
This only internally used domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers were replaced with ns1.lamedelegation.net. And this was the cause of why this hostname would look like kolmic.com.
Anyways, hope this helps.
Edited by Fred7887, 15 November 2007 - 05:52 PM.
#5
mikieg
-
- Full Member
-
- 2 posts
Member
Posted 16 November 2007 - 05:55 PM
I finally figured this out too. Somehow the DNS settings have been changed in my LAN connection settings (and not by me may I add).
The culprit was an entry called "shsorg.net"
xxxxxxxxxxx Edit, please do not swear, this is a family forum - jedi
The culprit was an entry called "shsorg.net"
xxxxxxxxxxx Edit, please do not swear, this is a family forum - jedi
Edited by jedi, 17 November 2007 - 05:07 AM.
#6
hunter_alexander
-
- New Member
-
- 1 posts
Member
Posted 30 January 2008 - 01:09 PM
I too have run into this problem.
My network at work is having this problem. If I do a ipconfig /displaydns it comes up with all this crap.
I flush the dns, clearing all entries, and the stuff immediately comes back.
Anyone know the fix yet?
Thanks
My network at work is having this problem. If I do a ipconfig /displaydns it comes up with all this crap.
I flush the dns, clearing all entries, and the stuff immediately comes back.
Anyone know the fix yet?
Thanks
#7
bzp
-
- New Member
-
- 1 posts
Member
Posted 30 January 2008 - 01:46 PM
Thanks for this informatino but how can I clear this?
Any details you can provide would be greatly appreciated!
Any details you can provide would be greatly appreciated!
Sorry Mikieg. I have resolved this.
Turns out it's not spyware, the nameservers on a domain specified as a default DNS suffix were hijacked.
Basically the users computer was configured with this default DNS suffix, so when accessing Intranet applications you could use just the hostname. Well the user had this hostname as the default homepage, when they would go home connect to the internet outside the work network, this intranet site for example:
http://myintranetsite
It would append, internalworkdomain.com, giving http://myintranetsit...lworkdomain.com
This only internally used domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers were replaced with ns1.lamedelegation.net. And this was the cause of why this hostname would look like kolmic.com.
Anyways, hope this helps.
#8
Theo
-
- New Member
-
- 1 posts
Member
Posted 15 February 2008 - 09:06 PM
bzp & hunter_alexander, the way to fix this is by changing the DNS config within your NIC's properties, under TCP/IP protocol. In my case the malware that did this had harcoded the DNS entry in all my NICs' properties, so you better check them all -- specially if you have both a regular one and WiFi.
The way to go is:
1.- Open CONTROL PANEL
2.- Double click NETWORK CONNECTIONS
3.- For all your NICs' entries: RIGHT CLICK -> PROPERTIES
4.- Scroll down and select TCP/IP PROTOCOL -> PROPERTIES
5.- Delete the malicious DNS entries and either set the right ones back manually or set it to be fetched automatically (default)
6.- ENJOY having beaten this frigging hack!
The way to go is:
1.- Open CONTROL PANEL
2.- Double click NETWORK CONNECTIONS
3.- For all your NICs' entries: RIGHT CLICK -> PROPERTIES
4.- Scroll down and select TCP/IP PROTOCOL -> PROPERTIES
5.- Delete the malicious DNS entries and either set the right ones back manually or set it to be fetched automatically (default)
6.- ENJOY having beaten this frigging hack!
#9
stillmadatyoko64
-
- New Member
-
- 1 posts
Member
Posted 12 March 2008 - 10:25 AM
I'm getting the same thing on my Mac using OSX Tiger 10.4.11 and Firefox 2. Anyone know the steps for removal on this platform?
#10
screen317
-
- Global Moderator
-
- 8,815 posts
SWI Sentinel
Posted 17 March 2008 - 12:52 PM
Please consider donating to help support the continued prompt and excellent services of this site.
#11
deverill
-
- New Member
-
- 1 posts
Member
Posted 29 June 2009 - 08:30 PM
For anyone like me looking for this on a Mac, I'm using Leopard and here's what I did to fix mine.I'm getting the same thing on my Mac using OSX Tiger 10.4.11 and Firefox 2. Anyone know the steps for removal on this platform?
1 System Preferences
2 Network
3 Select the proper adapter - ethernet, airport, etc.
4 Search domains: <clear this>
Hope it helps someone. The above got me close and this was the solution that leapt out at me.
#12
screen317
-
- Global Moderator
-
- 8,815 posts
SWI Sentinel
Posted 13 July 2009 - 01:24 PM
deverill,
That only removes part of the trojan, I'm afraid.
Install an antivirus for Mac (Sophos makes a good one), and follow the instructions in my previous post.
That only removes part of the trojan, I'm afraid.
Install an antivirus for Mac (Sophos makes a good one), and follow the instructions in my previous post.
Please consider donating to help support the continued prompt and excellent services of this site.
#13
Mistress12
-
- Banned
-
- 1 posts
Member
Posted 10 September 2009 - 04:25 AM
Also try to use kaspersky anti-virus...I think they have good software to delete that virus...Or search some in the internet...
Regards
Albert
___________
AD removed
Regards
Albert
___________
AD removed
Edited by Budfred, 10 September 2009 - 07:31 AM.
