Amazon.co.uk leading me to some dodgy links sites

BopNiblets

A dude on another forum said it worked fine for him, it's leading me to dodgy pages as "alansex.com, jobsearcher.com and bxnu.com" :rolleyes:

Happens in both Firefox 2.0 and IE7.

I updated AVG, SpywareBlaster, Ad-Aware and Spybot S&D and scanned and they came up with nuthin'.

I pinged www.amazon.co.uk an they all timed out, 100% loss!

Found one reference to it (just bxnu) in the registry in "Microsoft/Search Assistant", and deleted it, but it's still appearing.

Need to see my Amazon Wish List, I forget what I want to buy!

Thanks guys.

ressem

Start>Run> cmd {press enter}
ipconfig /flushdns {press enter}
nslookup {press enter}
www.amazon.co.uk {press enter}
Should tell you the IP that you are trying to access, and the name server that you're using.

Should be something like
"
> www.amazon.co.uk
Server: ns1.ns.esat.net
Address: 192.111.39.1 ... your ISPs DNS server

Non-authoritative answer:
Name: www.amazon.co.uk
Address: 87.238.85.129 ... one of amazon's www ips
"
as according to BT's NS.

If it's not the IP you're getting, then you might want to check the c:\windows\system32\drivers\etc\hosts file for any malware added entries. By default should only contain the "127.0.0.1 localhost" entry.

If it's not that, run Start> Run> cmd > ipconfig /all
and look at the DNS server entry. It might have been pointed to a bad entry.

As an emergency you can access www.amazon.co.uk by entering the ip listed above into a browser.

BopNiblets

C:\Documents and Settings\Eoghan>ipconfig /flushdns

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.

Guh?

C:\Documents and Settings\Eoghan>nslookup
Default Server:  85.255.116.163-xbox.dedi.inhoster.com
Address:  85.255.116.163

> www.amazon.co.uk
Server:  85.255.116.163-xbox.dedi.inhoster.com
Address:  85.255.116.163

Name:    www.amazon.co.uk
Address:  64.28.178.8

Buh? I don't like the look of that "xbox.dedi.inhoster.com" thing...

I just checked the HOST file before coming back to check for replies (thanks!) and it was missing the the "127.0.0.1 localhost" entry (z0mg!), so I replaced it, rebooted and tried Amazon again, still no worky.

I also went to www.hosts-file.net where I download a custom uber-ad-blocking HOSTS file and lo and behold, I get the same dodgy links page as amazon.co.uk directs me to! :eek:

CONSPIRACAAAY!

http://87.238.85.129/ takes me there allright, so... I've to what? "look at the DNS server entry"?
How do I fix it it, assuming that's the problem?

There's two DNS servers when I do "ipconfig /all", both start with 85.*** etc.

Cheers dude.

ressem

Which ISP are you using?
Are you using Broadband?
Are you using a DSL router through ethernet or through USB?

Eircoms DNS ip's are
Primary DNS:
213.94.190.194
Secondary DNS:
213.94.190.236

Esats are
Preferred DNS : 192.111.39.1
Alternate DNS : 192.111.39.4

You can set your own values by
Start>Settings>Network Settings> (Local Area Connection) or (Dial up connection) or whichever is your line to the network

Look at the properties of this connection. Double click on the "Internet Protocol TCP/IP"
Click the checkbox to "Use the following DNS server addresses", if not selected already.
Set the Preferred and alternate DNS to one of the above.
Click Ok, OK

Open a command window.
Start> Run >cmd
ipconfig /flushdns

Try NSlookup again.
If values look correct, restart browser.
Try browsing with Firefox, then IE.
Try NSlookup again, to make sure value wasn't rewritten by a browser trojan.

BopNiblets

I'm with Esat/BT or whatever they are these days, their 1MB upgraded to 2MB connection, through their Zyxel Prestige LAN connection, not USB.

Ok I checked the TCP/IP properties and it seems theres two DNS server addresses in there that I didn't put in, fupp it .

I changed it back to "Obtain DNS server addresses automatically" and amazon.co.uk works fine now, as well as hosts-file.net.
Thanks man, didn't think to look in there, learnding is fun!

Is there a way to protect these in the future? Or how would something/somebody have changed them? (I certainly didn't do it)
Fat lot of good all this protection I have did!

ressem

Something executed on your PC to change these values.

So either running a downloaded program that wasn't what it claimed, or a code flaw in some internet connecting software.

Ok looks like a variant of

http://www.symantec.com/security_response/writeup.jsp?docid=2006-101911-4446-99&tabid=2

You might want to run through these checks, bit there about "injects itself into iexplore".

Might have been placed by smething like
"
Trojan.Emcodec.H is reported by Symantec.

Created: 2006-10-19
Short Info: Trojan.Emcodec.H is a Trojan horse that drops and executes a copy of Trojan.Flush.I. The Trojan masquerades as an installer for HQvideo.
"

In which case you'll want to look for removal tools or instructions
http://www.symantec.com/security_response/writeup.jsp?docid=2006-101911-4135-99&tabid=2

pob1

I had the same prob with ebay pages , tried everything as well but then got spyware doctor and it found a dns hijacker , which it removed and problem solved !