mtsak and many others

  1. #1
    Junior Member
    Registered: 06.12.2009
    Posts: 1
    Reputation weight: 26

    Hi,

    I need some help.

    Facing serious virus attacks, I have had to re-install w2k.

    But as soon as I connect to the web, attacks start all over again. I must have missed something and so must have avast and all other tools I am using.

    Here is the latest System Info collection:

    <AVZ_CollectSysInfo>
    --------------------
    Start time: 06/12/2009 02:58:17
    Duration: 00:00:29
    Finish time: 06/12/2009 02:58:46


    <AVZ_CollectSysInfo>
    --------------------
    Time Event
    ---- -----
    06/12/2009 02:58:17 Windows version: Microsoft Windows 2000, Build=2195, SP="Service Pack 4"
    06/12/2009 02:58:17 System Restore: enabled
    06/12/2009 02:58:18 1.1 Searching for user-mode API hooks
    06/12/2009 02:58:18 Analysis: kernel32.dll, export table found in section .text
    06/12/2009 02:58:18 Function kernel32.dll:FreeLibrary (200) intercepted, method ProcAddressHijack.GetProcAddress ->77E7DFDA->61F041FC
    06/12/2009 02:58:18 Hook kernel32.dll:FreeLibrary (200) blocked
    06/12/2009 02:58:18 Function kernel32.dll:GetModuleFileNameA (317) intercepted, method ProcAddressHijack.GetProcAddress ->77E84C44->61F040FB
    06/12/2009 02:58:18 Hook kernel32.dll:GetModuleFileNameA (317) blocked
    06/12/2009 02:58:18 Function kernel32.dll:GetModuleFileNameW (318) intercepted, method ProcAddressHijack.GetProcAddress ->77E80FB7->61F041A0
    06/12/2009 02:58:18 Hook kernel32.dll:GetModuleFileNameW (318) blocked
    06/12/2009 02:58:18 Function kernel32.dll:GetProcAddress (344) intercepted, method ProcAddressHijack.GetProcAddress ->77E7E6A9->61F04648
    06/12/2009 02:58:18 Hook kernel32.dll:GetProcAddress (344) blocked
    06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryA (484) intercepted, method ProcAddressHijack.GetProcAddress ->77E805CF->61F03C6F
    06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryA (484) blocked
    06/12/2009 02:58:18 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
    06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryExW (486) intercepted, method ProcAddressHijack.GetProcAddress ->77E8A952->61F03E5A
    06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryExW (486) blocked
    06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryW (487) intercepted, method ProcAddressHijack.GetProcAddress ->77E852C5->61F03D0C
    06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryW (487) blocked
    06/12/2009 02:58:18 IAT modification detected: LoadLibraryW - 00AE0010<>77E852C5
    06/12/2009 02:58:18 Analysis: ntdll.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: user32.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: advapi32.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: ws2_32.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: wininet.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: rasapi32.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: urlmon.dll, export table found in section .text
    06/12/2009 02:58:18 Analysis: netapi32.dll, export table found in section .text
    06/12/2009 02:58:19 1.2 Searching for kernel-mode API hooks
    06/12/2009 02:58:19 Driver loaded successfully
    06/12/2009 02:58:19 SDT found (RVA=083560)
    06/12/2009 02:58:19 Kernel ntoskrnl.exe found in memory at address 80400000
    06/12/2009 02:58:19 SDT = 80483560
    06/12/2009 02:58:19 KiST = 80474F00 (248)
    06/12/2009 02:58:20 Functions checked: 248, intercepted: 0, restored: 0
    06/12/2009 02:58:20 1.3 Checking IDT and SYSENTER
    06/12/2009 02:58:20 Analysis for CPU 1
    06/12/2009 02:58:20 Analysis for CPU 2
    06/12/2009 02:58:20 Checking IDT and SYSENTER - complete
    06/12/2009 02:58:21 1.4 Searching for masking processes and drivers
    06/12/2009 02:58:21 Checking not performed: extended monitoring driver (AVZPM) is not installed
    06/12/2009 02:58:21 Driver loaded successfully
    06/12/2009 02:58:21 1.5 Checking of IRP handlers
    06/12/2009 02:58:21 Checking - complete
    06/12/2009 02:58:23 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: Alerter (Avertissement)
    06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: Schedule (Planificateur de tâches)
    06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: mnmsrvc (Partage de Bureau à distance NetMeeting)
    06/12/2009 02:58:40 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    06/12/2009 02:58:40 >> Security: disk drives' autorun is enabled
    06/12/2009 02:58:40 >> Security: administrative shares (C$, D$ ...) are enabled
    06/12/2009 02:58:40 >> Security: anonymous user access is enabled
    06/12/2009 02:58:40 >> Security: terminal connections to the PC are allowed
    06/12/2009 02:58:40 >> Security: sending Remote Assistant queries is enabled
    06/12/2009 02:58:45 >> Service termination timeout is out of admissible values
    06/12/2009 02:58:46 >> Disable HDD autorun
    06/12/2009 02:58:46 >> Disable autorun from network drives
    06/12/2009 02:58:46 >> Disable CD/DVD autorun
    06/12/2009 02:58:46 >> Disable removable media autorun
    06/12/2009 02:58:46 >> Windows Update is disabled

  2. #2
    Aleksandra (VIP)
    Registered: 13.01.2007
    Posts: 7,662
    Reputation weight: 2817

    Please read the rules here http://virusinfo.info/showthread.php?t=9184

    Our service, like a heart, never knows rest.
