TechSpot

HJT log - Buffer overrun in Kerio personal firewall

By Alya
Jun 4, 2008
  1. Hello, I would appreciate any help with the following problem.

    Today I tried to open preferences in my personal Kerio firewall to edit some settings, and suddenly it started giving me the following error:

    ===
    Microsoft Visual C++ Runtime Library
    Buffer overrun detected!
    Program C:\Program Files\Utilities\Kerio\Personal Firewall 4\kpf4gui.exe
    A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.
    ===

    I made a clean install of the whole system to my new PC just a few days ago, and there haven't been any problems with Kerio earlier. I've been using this version for almost 1.5 years now, and never had anything like this.

    If this info helps, I permanently use Kaspersky antivirus (pro-active defense) and Kerio firewall, they are always on; periodically use SpyBot (with latest updates, immunized system) and AdAware. Neither has detected any possible malware.

    Please advise.
    I would like to make sure that something is actually wrong with my system, before taking any steps like those advised in your viruses/spyware/malware removal instructions.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Why did you do a clean install?

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot



    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  3. Alya

    Alya TS Rookie Topic Starter

    Why clean install? I got a completely new PC, so I installed my system and all my programs from scratch.

    Here's a log from Combofix and a new log from HJT, per your instructions.

    By the way, if the entry
    O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
    looks suspicious, in fact it's a false positive, it's FolderBox.

    I got a new problem: when I rebooted my PC after Combofix, I got a BSOD with a memory dump message, error 0x0000008E :(
    Is my RAM faulty?

    Any help is greatly appreciated!
     

  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    What software do you have from Borland Delphi?

    If you didn't install any I think I may know the problem
     
  5. Alya

    Alya TS Rookie Topic Starter

    None that I recall. I don't think that I installed anything from Borland.

    Can it be that my problems are not caused by any viruses, that my system is in fact clean, but the errors originate from some system conflicts and/or faulty hardware?
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let's look at a couple of files more closely

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders
    • Remove the checkmark from the checkbox labeled Hide protected operating system files
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    -----------------------------------------------------------------------------

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\system32\midas.dll
    • Click the Open button
    • Click the Send button
    • Copy and paste the results for each back here please.

    Do the same for:
    C:\WINDOWS\system32\t3zelena.sys
    C:\WINDOWS\system32\qtintf.dll
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I see that you logged off, I wanted to get you this information as it appears to be what you may have.

    Trojan.Dropper.Delphi.Gen <- I think you have something in this family as you have files that point back to Delphi; a lot of malware will be named similar to actual files, making it harder to detect.

    Exploits:
    It makes use of the following Exploits:
    – MS03-026 (Buffer Overrun in RPC Interface)
    – MS03-039 (Buffer Overrun in RPCSS Service)
    – MS03-049 (Buffer Overrun in the Workstation Service)

    It terminates a lot of security and firewall programs:

    List of services that can be disabled:
    • Security Center
    • Automatic Updates
    • Windows Firewall/Internet Connection Sharing (ICS)

    Additional info:
    http://www.trustedsource.org/TS?do=threats&subdo=malware_threat&id=98259
     
  8. Alya

    Alya TS Rookie Topic Starter

    File midas.dll received on 06.05.2008 04:19:39 (CET)
    Current status: finished
    Result: 0/32 (0.00%)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.5.30.1 2008.06.04 -
    AntiVir 7.8.0.26 2008.06.04 -
    Authentium 5.1.0.4 2008.06.04 -
    Avast 4.8.1195.0 2008.06.04 -
    AVG 7.5.0.516 2008.06.04 -
    BitDefender 7.2 2008.06.05 -
    CAT-QuickHeal 9.50 2008.06.04 -
    ClamAV 0.92.1 2008.06.04 -
    DrWeb 4.44.0.09170 2008.06.04 -
    eSafe 7.0.15.0 2008.06.04 -
    eTrust-Vet 31.6.5847 2008.06.04 -
    Ewido 4.0 2008.06.04 -
    F-Prot 4.4.4.56 2008.06.04 -
    F-Secure 6.70.13260.0 2008.06.05 -
    Fortinet 3.14.0.0 2008.06.05 -
    GData 2.0.7306.1023 2008.06.05 -
    Ikarus T3.1.1.26.0 2008.06.05 -
    Kaspersky 7.0.0.125 2008.06.05 -
    McAfee 5310 2008.06.04 -
    Microsoft 1.3604 2008.06.05 -
    NOD32v2 3159 2008.06.05 -
    Norman 5.80.02 2008.06.04 -
    Panda 9.0.0.4 2008.06.05 -
    Prevx1 V2 2008.06.05 -
    Rising 20.47.22.00 2008.06.04 -
    Sophos 4.30.0 2008.06.05 -
    Sunbelt 3.0.1144.1 2008.06.04 -
    Symantec 10 2008.06.05 -
    TheHacker 6.2.92.335 2008.06.05 -
    VBA32 3.12.6.7 2008.06.04 -
    VirusBuster 4.3.26:9 2008.06.04 -
    Webwasher-Gateway 6.6.2 2008.06.04 -

    Additional information
    File size: 296448 bytes
    MD5...: a82285dda6f4778e5504fdf463f263e8
    SHA1..: 7d49097c362234e0bd991a8ab216733e98c70414
    SHA256: 0b0edf7067ecb7a9554ffe5743fb65ba6e25c6407c137cb3657f7b8dd046138e
    SHA512: fcd6fa22906974ba0c87ae1dc8a04f29fa96cd8fd61d8d65029305c654dbbd67d553b0dca73bbaa816ca2bd36dec607d9a8f60f8c7aaae29fdac2a10f4fdd77f
    PEiD..: -
    PEInfo: PE Structure information
     
  9. Alya

    Alya TS Rookie Topic Starter

    File t3zelena.sys received on 06.05.2008 04:48:56 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.5.30.1 2008.06.04 -
    AntiVir 7.8.0.26 2008.06.04 -
    Authentium 5.1.0.4 2008.06.04 -
    Avast 4.8.1195.0 2008.06.05 -
    AVG 7.5.0.516 2008.06.04 -
    BitDefender 7.2 2008.06.05 -
    CAT-QuickHeal 9.50 2008.06.04 -
    ClamAV 0.92.1 2008.06.04 -
    DrWeb 4.44.0.09170 2008.06.04 -
    eSafe 7.0.15.0 2008.06.04 -
    eTrust-Vet 31.6.5849 2008.06.05 -
    Ewido 4.0 2008.06.04 -
    F-Prot 4.4.4.56 2008.06.04 -
    F-Secure 6.70.13260.0 2008.06.05 -
    Fortinet 3.14.0.0 2008.06.05 -
    GData 2.0.7306.1023 2008.06.05 -
    Ikarus T3.1.1.26.0 2008.06.05 -
    Kaspersky 7.0.0.125 2008.06.05 -
    McAfee 5310 2008.06.04 -
    Microsoft 1.3604 2008.06.05 -
    NOD32v2 3159 2008.06.05 -
    Norman 5.80.02 2008.06.04 -
    Panda 9.0.0.4 2008.06.05 -
    Prevx1 V2 2008.06.05 -
    Rising 20.47.22.00 2008.06.04 -
    Sophos 4.30.0 2008.06.05 -
    Sunbelt 3.0.1144.1 2008.06.04 -
    Symantec 10 2008.06.05 -
    TheHacker 6.2.92.335 2008.06.05 -
    VBA32 3.12.6.7 2008.06.04 -
    VirusBuster 4.3.26:9 2008.06.04 -
    Webwasher-Gateway 6.6.2 2008.06.04 -
    Additional information
    File size: 55 bytes
    MD5...: b1e54325b9ea3196247a636eba394d53
    SHA1..: 8b6af3f490e2957e19464ad93b1dc67803f6c686
    SHA256: e92243b7ced675336cd26b69630fd7b113fe83be075760e5adf8d57667ec8216
    SHA512: 8b5814f2edd21d56276d39b4c5a47a951ee59942d6a3b4d5be228b8ea42d5dafe5b2cfaffce8c5da72d16c56405d100f651af102088a86a1f1eb24c9bade839a
    PEiD..: -
    PEInfo: -

     
  10. Alya

    Alya TS Rookie Topic Starter

    File qtintf.dll received on 06.05.2008 04:51:02 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.5.30.1 2008.06.04 -
    AntiVir 7.8.0.26 2008.06.04 -
    Authentium 5.1.0.4 2008.06.04 -
    Avast 4.8.1195.0 2008.06.05 -
    AVG 7.5.0.516 2008.06.04 -
    BitDefender 7.2 2008.06.05 -
    CAT-QuickHeal 9.50 2008.06.04 -
    ClamAV 0.92.1 2008.06.04 -
    DrWeb 4.44.0.09170 2008.06.04 -
    eSafe 7.0.15.0 2008.06.04 -
    eTrust-Vet 31.6.5849 2008.06.05 -
    Ewido 4.0 2008.06.04 -
    F-Prot 4.4.4.56 2008.06.04 -
    F-Secure 6.70.13260.0 2008.06.05 -
    Fortinet 3.14.0.0 2008.06.05 -
    GData 2.0.7306.1023 2008.06.05 -
    Ikarus T3.1.1.26.0 2008.06.05 -
    Kaspersky 7.0.0.125 2008.06.05 -
    McAfee 5310 2008.06.04 -
    Microsoft 1.3604 2008.06.05 -
    NOD32v2 3159 2008.06.05 -
    Norman 5.80.02 2008.06.04 -
    Panda 9.0.0.4 2008.06.05 -
    Prevx1 V2 2008.06.05 -
    Rising 20.47.22.00 2008.06.04 -
    Sophos 4.30.0 2008.06.05 -
    Sunbelt 3.0.1144.1 2008.06.04 -
    Symantec 10 2008.06.05 -
    TheHacker 6.2.92.335 2008.06.05 -
    VBA32 3.12.6.7 2008.06.04 -
    VirusBuster 4.3.26:9 2008.06.04 -
    Webwasher-Gateway 6.6.2 2008.06.04 -
    Additional information
    File size: 4142592 bytes
    MD5...: b5878fb9055f651ab60936c97d990223
    SHA1..: be8fc4f0b909e4b4fb51dedc8985121284376458
    SHA256: 897c240c8ee4e239adcb8605f7ce7004f27946d38345827292c55dd5662ca207
    SHA512: 6ea4834e58b693ea6e938aa41e1520958cde939ec398b48f70f8ef4add162df7b3255d0b0938598e4573893f63d155034cfd11994af4fd0ac98169cb689e58e0
    PEiD..: -
    PEInfo: (too long to paste here)
     
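As an added example (not code from the thread or from VirusTotal), a small Python parser for text reports in the layout pasted above: it tallies verdicts per vendor, rebuilds a SHA512 that a forum has wrapped with a `<br>`, and checks that each digest has the expected hex length so the posted hashes can be compared against a local hash of the same file. The report text below is constructed, with placeholder hashes and one invented detection.

```python
import re

# Constructed sample in the layout of the VirusTotal text reports pasted in
# this thread. Hashes are placeholders, the Kaspersky detection is invented
# to exercise the tally, and the "<br>" in SHA512 mimics the forum's wrap.
SAMPLE_REPORT = """File example.dll received on 06.05.2008 04:19:39 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.30.1 2008.06.04 -
AntiVir 7.8.0.26 2008.06.04 -
Kaspersky 7.0.0.125 2008.06.05 Trojan.Win32.Example.a
Webwasher-Gateway 6.6.2 2008.06.04 -
Additional information
File size: 1234 bytes
MD5...: 00112233445566778899aabbccddeeff
SHA1..: 00112233445566778899aabbccddeeff00112233
SHA256: 0011223344556677889900112233445566778899001122334455667788990011
SHA512: 0011223344556677889900112233445566778899001122334455667788990011<br>0011223344556677889900112233445566778899001122334455667788990011
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
TABLE_HEADER = "Antivirus Version Last Update Result"
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*(.+)$")


def parse_report(text):
    """Parse one pasted report into vendors, detections and checked hashes."""
    report = {"file": None, "vendors": [], "detections": [],
              "hashes": {}, "hash_problems": []}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^File (\S+) received on ", line)
        if m:
            report["file"] = m.group(1)
        elif line == TABLE_HEADER:
            in_table = True
        elif line.startswith("Additional information"):
            in_table = False
        elif in_table:
            # vendor, engine version, signature date, then the verdict (which
            # may itself contain spaces); "-" means the vendor found nothing
            parts = line.split(None, 3)
            if len(parts) < 4:
                continue  # malformed row: skip rather than miscount
            vendor, _version, _date, verdict = parts
            report["vendors"].append(vendor)
            if verdict != "-":
                report["detections"].append((vendor, verdict))
        elif m := HASH_LINE.match(line):
            algo = m.group(1)
            # drop the forum's "<br>" wrap and any whitespace before checking
            digest = re.sub(r"<br>|\s", "", m.group(2)).lower()
            report["hashes"][algo] = digest
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[algo], digest):
                report["hash_problems"].append(algo)
    return report


def detection_ratio(report):
    """Detections over vendors, as VirusTotal prints it (e.g. "0/32")."""
    return f"{len(report['detections'])}/{len(report['vendors'])}"
```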
  11. Alya

    Alya TS Rookie Topic Starter

    Looks like all three files are clean, from these tests.

    I am stumped. My system is immunized and my antivirus and firewall are on 24/7; I always run SpyBot and AdAware, don't use IE (I run Firefox with NoScript).

    Are there any surefire ways to detect the presence of this Trojan.Dropper.Delphi.Gen on my machine?

    Thank you for your time and patience!

    P.S. Search hasn't shown files copypad32.exe and msdirectx.sys on my machine (including search in system folders and hidden files and folders).
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am not certain that you are infected. But there are some suspicious things in the logs as I mentioned. Lets try a scan with MBAM and see if it picks it up, then we can also try an online scan for a 2nd opinion.

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  13. Alya

    Alya TS Rookie Topic Starter

    Hello again, I gradually came to the conclusion that my machine is not infected, after all, and my recent problems stem from driver conflicts and/or faulty hardware. However, if you find from the attached logs that there's still something wrong with my software, I would appreciate your input.

    Anyway, just to close the matter, here are my two last logs, from MBAM and online Kaspersky scanner.

    There's no option in Online Kaspersky to check only selected disks, so it ran the full scan of my whole system. I edited out some sensitive entries in the log; I did NOT run or install these programs, which Kaspersky Online nailed down as viruses, they were there just for my personal archives, so I excluded them from the final log.
    In any case, I run an up-to-date Kaspersky with daily updates as my primary resident antivirus program, with regular weekly full scans of my whole system and search for rootkits.

    May I ask, Blind Dragon, why did you suspect that there might be infection on my machine; what entries in the logs made you suspicious? Just curious.

    I *really* appreciate your time and efforts, many thanks for helping me to chase this problem!
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I think you are pretty safe, but those entries in kas online were old emails with a worm attached. The other was smitfraudfix, which it looks like you may have run at one time or another.

    The suspect entries were in your combofix and they referenced delphi like I said, then you replied that you didn't install delphi software so that made it even more suspect.

    The other thing is the symptom of a buffer overrun, it is fairly easy to code one of these for an attack, and between the 2 I figured you would have something in the family of the Trojan.Delphi infection, though I see no direct evidence.

    Maybe try starting a new thread in the windows OS section
     
  15. Alya

    Alya TS Rookie Topic Starter

    Yes, I think I'm safe so far, thank you for confirming. The old archive is just what it is: an archive, and now that I know there's a worm there, I will delete the offending message.

    As for smitfraudfix, as a matter of fact, I didn't run it even once, just downloaded it together with two other tools (using the links from the forum instructions on removing malware); why it got detected as a virus is beyond me - I think that Kaspersky is just a bit paranoid :)

    Thank you for your help!
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yes, smitfraudfix is always picked up; false positive.
     
Topic Status:
Not open for further replies.