Hooper / Kolmic.com / NetworkSolutions browser redirect hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by drewbaby, Feb 1, 2009.

  1. drewbaby

    drewbaby Private E-2

    It appears I may have some sort of a browser hijack. The only symptom I'm seeing is, when I attempt to go to a legitimate website (www.theeducationcenter.com, a website my wife uses to order teaching supplies, and has for years), it starts to load the page, but then redirects to some "NetworkSolutions" website parking site.

    If you look at the screenshots I've attached in a zip file, it shows the various stages of what happens, where you can see the page loads, then immediately in the status bar you can see a "http://hooper/..." URL start to load, then in the next stage a "kolmic.com..." address, and then the final stage where it loads the redirected site.

    I haven't noticed this on any other sites, but when I try this from another machine, it doesn't redirect, so I'm pretty sure it's not the website.

    I've followed the Read Me sticky instructions, and am attaching the log file results.

    Please note that while this is my laptop, I use it for work and cannot disable McAfee. That does not appear to have interfered with the ComboFix or other anti-malware runs.

    Thanks in advance for your help on this.
     


  2. drewbaby

    drewbaby Private E-2

    Here are the rest of the log files.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Does this only happen with IE or does it also happen with other browsers?

    Have you removed all toolbars and add-ons in IE?

    Please use Windows Explorer to find and delete:
    c:\documents and settings\alovelan\atwbxdet.dll

    Have you cleaned out your temp internet files?

    Have you run CCleaner or ATF Cleaner by Atribune?
     
  4. drewbaby

    drewbaby Private E-2

    Yes, this happens with other browsers (tried with a fresh installation of Firefox and saw the same thing as in IE.)

    I have removed all add-ons (did a complete IE reset.) I also tried running IE without add-ons enabled and experienced the same symptoms.

    Deleted the WebEx .dll you suggested.

    I've cleaned my temp. internet files several times.

    Ran both CCleaner and ATF Cleaner, no change in symptoms.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this:

    Download HostsXpert and then follow the below steps.

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click the Make Writeable? button.
    * Click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

    We may need to run Spybot and re-immunize your hosts file.
     
  6. drewbaby

    drewbaby Private E-2

    That's done, still same symptoms. I looked at all the entries that were in the hosts file, those were ones I put there on purpose for my work, but I can leave them out for now while we're troubleshooting this.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to capture each of those URLs and add them to your hosts file. We have been having a lot of redirects lately.

    Try this:
    Using Dr.Web CureIt
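
An added example, not part of TimW's post: one way to turn hostnames captured from the status bar into loopback hosts-file lines without touching entries already in the file. The function names, the `127.0.0.1` sinkhole choice, and the sample strings are assumptions; only the hosts `hooper` and `kolmic.com` come from the thread.

```python
from urllib.parse import urlsplit
import ipaddress

SINKHOLE = "127.0.0.1"  # assumed blocking target; 0.0.0.0 is also common

def host_of(captured):
    """Return the lower-cased hostname from a status-bar string, or None."""
    text = captured.strip()
    if "://" not in text:
        text = "http://" + text          # bare "example.com/path" form
    host = urlsplit(text).hostname       # drops scheme, port, userinfo, path
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)       # a hosts file maps names, not IPs
        return None
    except ValueError:
        return host

def mapped_names(hosts_text):
    """Names already present in the hosts file (comments ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])
    return names

def sinkhole_lines(captured_urls, hosts_text):
    """New hosts lines for captured redirect hosts, leaving existing entries alone."""
    seen = mapped_names(hosts_text)
    out = []
    for item in captured_urls:
        host = host_of(item)
        if host and host not in seen:
            seen.add(host)
            out.append(f"{SINKHOLE}\t{host}")
    return out

# Constructed input: the two hosts named in the thread plus made-up variants.
CAPTURED = ["http://hooper/", "KOLMIC.com:80", "http://kolmic.com/", "http://203.0.113.9/"]
EXISTING = "127.0.0.1 localhost\n10.0.0.5 build.corp.example  # work entry\n"

if __name__ == "__main__":
    print("\n".join(sinkhole_lines(CAPTURED, EXISTING)))
```

A hosts entry matches one exact name, so any subdomain seen in a later capture needs its own line. Blocking the names hides the symptom only; whatever injects the redirect is still present.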
     
  8. drewbaby

    drewbaby Private E-2

    Not really sure what you mean by capturing the URLs? If you look at the original posts with the screenshots, it looks like it's redirecting to kolmic.com, but I'm not sure what I would add to my hosts file.

    I ran the Dr.Web CureIt per the instructions and the log is attached. The redirect is still happening.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try doing this:

    1. Open CONTROL PANEL
    2. Double click NETWORK CONNECTIONS
    3. For all your NICs' entries: RIGHT CLICK -> PROPERTIES
    4. Scroll down and select TCP/IP PROTOCOL -> PROPERTIES
    5. Delete the malicious DNS entries and either set the right ones back manually or set it to be fetched automatically.

    Then:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Options comes up click on the Advanced Tab. Once you get here, click on the "Reset" button and then click "Reset" once more. Doing this will default the settings for IE.


    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:

    * Internet
    * Local Intranet
    * Trusted Sites
    * Restricted Sites.

    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
     
    Last edited: Feb 6, 2009
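
An added example, not part of the thread: the per-NIC DNS check from the post above done against saved `ipconfig /all` output, listing every DNS server per adapter and flagging those not on a known-good list. The sample output is constructed (documentation address ranges), and the `expected` set is an assumption you would fill with your own router or ISP resolvers.

```python
import re

# Constructed `ipconfig /all` excerpt; addresses are documentation ranges.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.21
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            198.51.100.7
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")
ADDRESS = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def dns_by_adapter(text):
    """Map adapter name -> list of DNS servers, including continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if m := ADAPTER.match(line):
            adapter, in_dns = m.group(1), False
            result[adapter] = []
        elif m := FIELD.match(line):
            in_dns = m.group(1).strip().lower() == "dns servers"
            if in_dns and adapter and m.group(2).strip():
                result[adapter].append(m.group(2).strip())
        elif in_dns and adapter and (m := ADDRESS.match(line)):
            result[adapter].append(m.group(1))  # second/third server
    return result

def unexpected_dns(text, expected):
    """Return (adapter, server) pairs whose DNS server is not in `expected`."""
    return [(a, s) for a, servers in dns_by_adapter(text).items()
            for s in servers if s not in expected]

if __name__ == "__main__":
    for adapter, server in unexpected_dns(SAMPLE, {"192.168.1.1"}):
        print(f"{adapter}: unexpected DNS server {server}")
```

A statically configured resolver on an adapter that otherwise uses DHCP, or one outside your router's and ISP's ranges, is the entry to reset in the TCP/IP properties dialog.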
