12 replies to this topic

[Fred7887]

I'm looking for the communities feedback in locating a malware infection on a users computer. Here is a breakdown of the malware behaviour:

- Infected computer is Windows XP SP2 with latest updates
- Unknown URL's are redirected to Kolmic.com (i.e. www.adjkhalksdjhlaskdjha.com, will display www.kolmic.com, with a network solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)

My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URL's. I've looked through the Winsock configuration, and everything looks normal.

I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:

- anyone experiencing the same problem
- some explaination of what happens after the unknown URL is typed into the browser window from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review

Thanks again!

[mikieg]

Any luck in resolving this? I too am having the identical problem. It seems to be an infection of the PC because two of my others just give me the usual 404 message when I type in an invalid URL.

Any help would be appreciated.

I'm looking for the communities feedback in locating a malware infection on a users computer. Here is a breakdown of the malware behaviour:

- Infected computer is Windows XP SP2 with latest updates
- Unknown URL's are redirected to Kolmic.com (i.e. www.adjkhalksdjhlaskdjha.com, will display www.kolmic.com, with a network solutions branded page)
- Monitoring the outgoing traffic displays a destination IP of 209.62.20.188, 209.62.20.40, 209.62.20.50, 209.62.20.49
- Behaviour happens in multiple browsers (IE and Firefox)

My thoughts are it's a low-level system process such as a Winsock hook to intercept and redirect these unknown URL's. I've looked through the Winsock configuration, and everything looks normal.

I'm really interested in understanding the location of this infection, and I'm hoping for the following feedback:

- anyone experiencing the same problem
- some explaination of what happens after the unknown URL is typed into the browser window from a Windows XP perspective
- links to guides or even general forum advice for looking for this type of low-level hook
- spyware / malware techniques to review

Thanks again!

[Indrid_Cold]

mikieg - Fred7887 has not visited since that was posted. I would suggest that you review the forum FAQ, open a new topic in the forum Malware Removal and then post your HijackThis log.

[Fred7887]

Sorry Mikieg. I have resolved this.

Turns out it's not spyware, the nameservers on a domain specified as a default DNS suffix were hijacked.

Basically the users computer was configured with this default DNS suffix, so when accessing Intranet applications you could use just the hostname. Well the user had this hostname as the default homepage, when they would go home connect to the internet outside the work network, this intranet site for example:

http://myintranetsite

It would append, internalworkdomain.com, giving http://myintranetsit...lworkdomain.com

This only internally used domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers were replaced with ns1.lamedelegation.net. And this was the cause of why this hostname would look like kolmic.com.

Anyways, hope this helps.

Edited by Fred7887, 15 November 2007 - 05:52 PM.

[mikieg]

I finally figured this out too. Somehow the DNS settings have been changed in my LAN connection settings (and not by me may I add).

The culprit was an entry called "shsorg.net"

xxxxxxxxxxx Edit, please do not swear, this is a family forum - jedi

Edited by jedi, 17 November 2007 - 05:07 AM.

[hunter_alexander]

I too have run into this problem.

My network at work is having this problem. If I do a ipconfig /displaydns it comes up with all this crap.

I flush the dns, clearing all entries, and the stuff immediately comes back.

Anyone know the fix yet?

Thanks

[bzp]

Thanks for this informatino but how can I clear this?

Any details you can provide would be greatly appreciated!

Sorry Mikieg. I have resolved this.

Turns out it's not spyware, the nameservers on a domain specified as a default DNS suffix were hijacked.

Basically the users computer was configured with this default DNS suffix, so when accessing Intranet applications you could use just the hostname. Well the user had this hostname as the default homepage, when they would go home connect to the internet outside the work network, this intranet site for example:

http://myintranetsite

It would append, internalworkdomain.com, giving http://myintranetsit...lworkdomain.com

This only internally used domain 'internalworkdomain.com' was registered externally, but after reviewing the registration information I realized the name servers were replaced with ns1.lamedelegation.net. And this was the cause of why this hostname would look like kolmic.com.

Anyways, hope this helps.

[Theo]

bzp & hunter_alexander, the way to fix this is by changing the DNS config within your NIC's properties, under TCP/IP protocol. In my case the malware that did this had harcoded the DNS entry in all my NICs' properties, so you better check them all -- specially if you have both a regular one and WiFi.

The way to go is:
1.- Open CONTROL PANEL
2.- Double click NETWORK CONNECTIONS
3.- For all your NICs' entries: RIGHT CLICK -> PROPERTIES
4.- Scroll down and select TCP/IP PROTOCOL -> PROPERTIES
5.- Delete the malicious DNS entries and either set the right ones back manually or set it to be fetched automatically (default)
6.- ENJOY having beaten this frigging hack!

[stillmadatyoko64]

I'm getting the same thing on my Mac using OSX Tiger 10.4.11 and Firefox 2. Anyone know the steps for removal on this platform?

[screen317]

Hi stillmadatyoko64,

This topic may be of help to you.

[deverill]

I'm getting the same thing on my Mac using OSX Tiger 10.4.11 and Firefox 2. Anyone know the steps for removal on this platform?

For anyone like me looking for this on a Mac, I'm using Leopard and here's what I did to fix mine.

1 System Preferences
2 Network
3 Select the proper adapter - ethernet, airport, etc.
4 Search domains: <clear this>

Hope it helps someone. The above got me close and this was the solution that leapt out at me.

[screen317]

deverill,

That only removes part of the trojan, I'm afraid.

Install an antivirus for Mac (Sophos makes a good one), and follow the instructions in my previous post.

[Mistress12]

Also try to use kaspersky anti-virus...I think they have good software to delete that virus...Or search some in the internet...



Regards


Albert


___________
AD removed

Edited by Budfred, 10 September 2009 - 07:31 AM.