
Linksys BEFSX41 Homepage Spoofed?


Foada

Programmer
Feb 4, 2002
1,110
US
I don't know if I can explain this well enough, but here goes. I have 3 computers on my network. I am using a LinkSys BEFSX41 firewall/router with firmware version 1.50.18 at the present time. I have tried every version of firmware that I could get my hands on. The machine in question is a dual boot Win2k/XP Pro with both OSes up to date. I changed the router's IP address and the admin password so as not to use the defaults. It is set as a DHCP server. Everything works fine as long as I don't connect to my ISP on the WAN side. Here is the problem. If I just use the LAN side of the router, the machine in question can open the router's home page. After I connect the WAN, the machine in question appears to be redirected to a spoofed router homepage. The giveaway for this is the time zone, which becomes Kwajalein, and the ISP connection type settings have been changed. If I use one of the other machines to access the router homepage, my settings are still intact. It is almost as if something is monitoring my ISP for that machine's MAC address, and when it sees the connection, redirects to a different page. The machine surfs the web fine, but I am worried that all my traffic is going through a monitored server. Any thoughts? Any questions?

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Check the hosts file, for one.

That can redirect you to another site. Also, have you run any spyware/adware/virus programs, or HijackThis?

Computer/Network Technician
CCNA
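A defender-side version of the hosts-file check suggested above, added here as an example and not part of the thread. It parses a constructed Windows-style hosts file (the real one on Win2k lives under %SystemRoot%\system32\drivers\etc\hosts) and flags any name that is mapped outside the loopback and LAN address ranges, which is the pattern a redirecting entry would show.

```python
"""Audit a hosts file for entries that send a hostname somewhere other than
loopback or the local network. Added example; the sample content is constructed."""
import ipaddress

# Constructed sample: the first two entries are the normal Windows defaults,
# the third maps a router-style hostname to an address outside the LAN.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    router.local    # constructed suspicious entry (TEST-NET-3)
192.168.5.1     myrouter
"""

# Address ranges a LAN hostname may legitimately map to.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]        # link-local / ULA


def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((addr, name.lower()) for name in names)
    return entries


def suspicious_entries(entries):
    """Flag entries whose address is neither loopback nor inside LAN_RANGES."""
    flagged = []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        # 'addr in net' is False when the IP versions differ, so mixing v4/v6 is safe.
        if addr.is_loopback or any(addr in net for net in LAN_RANGES):
            continue
        flagged.append((ip, name, "outside loopback/LAN ranges"))
    return flagged


def audit_hosts(text):
    """Convenience wrapper: parse then flag. Returns the list of flagged entries."""
    return suspicious_entries(parse_hosts(text))


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

Run it against the live file by reading it and passing the text to audit_hosts; an empty list means nothing on the machine is being redirected by the hosts file.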
 
I am sorry, I should have mentioned it. I have run CWShredder, Spybot S&D, Ad-Aware, and HijackThis. I am running ZoneAlarm firewall and AV, as well as Microsoft AntiSpyware and Spyware Killer Pro. Here is another detail that may be interesting. I use the machine as a web browser mainly, so in my frustration I did a zero fill of the hard drive with a fresh install. As soon as I connect to the ISP I get the same router homepage spoofing activity without browsing a single website. Here is the HijackThis log.

Logfile of HijackThis v1.99.0
Scan saved at 9:28:36 PM, on 3/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\isafe.exe
C:\WINNT\system32\svchost.exe
P:\Windows 2k\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
P:\Windows 2k\Program Files\ZoneAlarm\zlclient.exe
P:\Windows 2k\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
P:\Windows 2k\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\RUNDLL32.EXE
P:\Windows 2k\Program Files\Spyware Killer Pro\shield\SDShield.exe
P:\Windows 2k\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
P:\Windows 2k\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - p:\windows 2k\program files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - P:\WINDOW~1\PROGRA~1\SPYWAR~1\pop\ABG_PL~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "P:\Windows 2k\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "P:\Windows 2k\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] P:\Windows 2k\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] P:\WINDOW~1\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "P:\Windows 2k\Program Files\Spyware Killer Pro\shield\SDShield.exe"
O4 - Global Startup: Acrobat Assistant.lnk = P:\Windows 2k\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = P:\Windows 2k\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - 
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper - Ahead Software AG - P:\Windows 2k\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks for any help. [flip]

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

This was the only one I didn't recognize?

Computer/Network Technician
CCNA
 
That is an Adobe Reader Plugin. I guess I just assumed it would be safe? Assumption is the Mother of all screw-ups though.

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Here is some more info. I determined that the spoof appears to be a result of ZoneAlarm. I basically had the LAN up and running and was able to access the router admin page with no problem until I installed ZoneAlarm. After the install, my attempt to access the router appears to run a script and generate a bogus router admin page. I don't know if that makes sense to anyone, but it sure is driving me crazy! [curse] [flame]

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
How do you know it is a bogus admin page? What, if any, kind of alarm is ZA flagging you with...

Lastly, what version of and where did you obtain your copy of ZA from? This is a new one for me so I just want to ensure when I'm doing some research what we're dealing with.
 
I determined that it was a bogus admin page from a couple of items. Prior to installing ZA, I set the router's time zone and the ISP connection type. After installing ZA the router's page loads slowly and I can see it running a script(?) in the status bar. After the admin page loads, the time zone and ISP connection type have changed. There may be others, but these were the most obvious. The page will not allow me to change either one of the settings back, nor will it let me change to another one of the router's setup pages. If I access the router's admin page from another machine the settings are still intact. I purchased (legal, store-bought) ZA Suite 2005.

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Okay, bear with me while I ask if this is possible. Can you install ZA to another (working machine) and test to see what results you get?

I'm just trying to narrow our focus a bit on whether it is the system or whether we are dealing with a ZA/malware issue of some sort.
 
I have installed ZA on another machine and I get the same results. FYI I am installing ZA on complete fresh rebuilds with nothing but the OS (I have tried with both 2k pro and XP pro) and latest service pack installed. To be honest, it looks as if ZA is attempting to redirect my internet traffic through a different page. [flame]

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
And this is with the Linksys router?

I haven't found any tech support cases from either company regarding this behavior on any router, let alone a Linksys. Why don't you download the latest version from the company's website and use that to install on a fresh install of Windows and see if you get the same results?

Computer/Network Technician
CCNA
 
LloydSev, I am assuming you are talking about the firmware from LinkSys. I have done that. I have tried every version of firmware from LinkSys I could get my hands on. I have rebuilt the machine each time I try a different firmware as well. I don't think the problem is coming from the router though, as I can access it just fine until I install ZA, at which point I can't access the router settings anymore until I uninstall ZA. [flame]

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
Then that leaves ZA. This probably is a settings issue. I'm not a heavy user of ZA so I may not be of too much use. What are the rules for traffic internal to your network? Is there any form of script blocking, NATing, or other rules being applied?
 
I was referring to ZoneAlarm.

ZoneLabs offers its program as a download which can be unlocked for the full version using the key you bought.

Download the newest version off of their website..

of course after uninstalling ZoneAlarm first via SafeMode.

Computer/Network Technician
CCNA
 
The only rules would be the defaults set (if any) by the router, ZA, or the OS install. I guess I didn't think to look at it, as I have only been running the one machine until I can get this mess figured out. I will do some digging and see if I can come up with anything. Anything in particular that I should be looking for?

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
ZA blocks everything by default and then allows you to specify what should be run.

I would look into my idea. I've had my share of fun with ZA when every once in a great while they release a build that should not have been released.

Computer/Network Technician
CCNA
 
Hrm... silly, silly question, but you don't have the local Windows XP firewall enabled along with ZA, do you? I don't know that it would cause this type of problem, but it is possible that it is creating some of the headache.
 
LloydSev,
I purchased the Security Suite cd about a month ago, are you suggesting that I download from the website and ditch the cd?

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
aquias,
At the present time I am just fighting with the 2k pro install, but when I was frustrating myself with the XP pro I did disable the SP2 firewall.

If you choose to battle wits with the witless be prepared to lose.

[cheers]
 
I purchased the Security Suite cd about a month ago, are you suggesting that I download from the website and ditch the cd?

Well you have a product key correct?

What I'm suggesting is that you download Security Suite from the internet, then activate it using the product key you purchased, since that in essence is really what you are purchasing at the store.

It's worth a try.

Computer/Network Technician
CCNA
 