Hi,
I need some help.
Facing serious virus attacks, I have had to re-install W2K.
But as soon as I connect to the web, the attacks start all over again. I must have missed something, and so must have Avast and all the other tools I am using.
Here is latest System Info collection
<AVZ_CollectSysInfo>
--------------------
Start time: 06/12/2009 02:58:17
Duration: 00:00:29
Finish time: 06/12/2009 02:58:46
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
06/12/2009 02:58:17 Windows version: Microsoft Windows 2000, Build=2195, SP="Service Pack 4"
06/12/2009 02:58:17 System Restore: enabled
06/12/2009 02:58:18 1.1 Searching for user-mode API hooks
06/12/2009 02:58:18 Analysis: kernel32.dll, export table found in section .text
06/12/2009 02:58:18 Function kernel32.dll:FreeLibrary (200) intercepted, method ProcAddressHijack.GetProcAddress ->77E7DFDA->61F041FC
06/12/2009 02:58:18 Hook kernel32.dll:FreeLibrary (200) blocked
06/12/2009 02:58:18 Function kernel32.dll:GetModuleFileNameA (317) intercepted, method ProcAddressHijack.GetProcAddress ->77E84C44->61F040FB
06/12/2009 02:58:18 Hook kernel32.dll:GetModuleFileNameA (317) blocked
06/12/2009 02:58:18 Function kernel32.dll:GetModuleFileNameW (318) intercepted, method ProcAddressHijack.GetProcAddress ->77E80FB7->61F041A0
06/12/2009 02:58:18 Hook kernel32.dll:GetModuleFileNameW (318) blocked
06/12/2009 02:58:18 Function kernel32.dll:GetProcAddress (344) intercepted, method ProcAddressHijack.GetProcAddress ->77E7E6A9->61F04648
06/12/2009 02:58:18 Hook kernel32.dll:GetProcAddress (344) blocked
06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryA (484) intercepted, method ProcAddressHijack.GetProcAddress ->77E805CF->61F03C6F
06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryA (484) blocked
06/12/2009 02:58:18 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryExW (486) intercepted, method ProcAddressHijack.GetProcAddress ->77E8A952->61F03E5A
06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryExW (486) blocked
06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryW (487) intercepted, method ProcAddressHijack.GetProcAddress ->77E852C5->61F03D0C
06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryW (487) blocked
06/12/2009 02:58:18 IAT modification detected: LoadLibraryW - 00AE0010<>77E852C5
06/12/2009 02:58:18 Analysis: ntdll.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: user32.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: advapi32.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: ws2_32.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: wininet.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: rasapi32.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: urlmon.dll, export table found in section .text
06/12/2009 02:58:18 Analysis: netapi32.dll, export table found in section .text
06/12/2009 02:58:19 1.2 Searching for kernel-mode API hooks
06/12/2009 02:58:19 Driver loaded successfully
06/12/2009 02:58:19 SDT found (RVA=083560)
06/12/2009 02:58:19 Kernel ntoskrnl.exe found in memory at address 80400000
06/12/2009 02:58:19 SDT = 80483560
06/12/2009 02:58:19 KiST = 80474F00 (248)
06/12/2009 02:58:20 Functions checked: 248, intercepted: 0, restored: 0
06/12/2009 02:58:20 1.3 Checking IDT and SYSENTER
06/12/2009 02:58:20 Analysis for CPU 1
06/12/2009 02:58:20 Analysis for CPU 2
06/12/2009 02:58:20 Checking IDT and SYSENTER - complete
06/12/2009 02:58:21 1.4 Searching for masking processes and drivers
06/12/2009 02:58:21 Checking not performed: extended monitoring driver (AVZPM) is not installed
06/12/2009 02:58:21 Driver loaded successfully
06/12/2009 02:58:21 1.5 Checking of IRP handlers
06/12/2009 02:58:21 Checking - complete
06/12/2009 02:58:23 Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: Alerter (Avertissement)
06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: Schedule (Planificateur de tâches)
06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: mnmsrvc (Partage de Bureau à distance NetMeeting)
06/12/2009 02:58:40 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
06/12/2009 02:58:40 >> Security: disk drives' autorun is enabled
06/12/2009 02:58:40 >> Security: administrative shares (C$, D$ ...) are enabled
06/12/2009 02:58:40 >> Security: anonymous user access is enabled
06/12/2009 02:58:40 >> Security: terminal connections to the PC are allowed
06/12/2009 02:58:40 >> Security: sending Remote Assistant queries is enabled
06/12/2009 02:58:45 >> Service termination timeout is out of admissible values
06/12/2009 02:58:46 >> Disable HDD autorun
06/12/2009 02:58:46 >> Disable autorun from network drives
06/12/2009 02:58:46 >> Disable CD/DVD autorun
06/12/2009 02:58:46 >> Disable removable media autorun
06/12/2009 02:58:46 >> Windows Update is disabled
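The log above carries three kinds of signal that are easy to miss when reading it by hand: the seven user-mode hooks whose targets all land in one 64 KiB region (0x61F03C6F to 0x61F04648, so most likely one hooking DLL, which the log does not name), the IAT modification of LoadLibraryW, and the `>>` configuration warnings (autorun, administrative shares, anonymous access, terminal and Remote Assistance access). The parser below is an added example, not part of the original post and not AVZ's own code; its regular expressions are written against the line formats visible in the posted log and assume those formats are stable, and the sample lines are a constructed subset modelled on the post.

```python
"""Parse AVZ CollectSysInfo log lines and pull out the security-relevant findings.

Added example, not part of the original post and not AVZ's own code.  The
patterns below are assumptions derived from the line formats in the posted log.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines modelled on the posted log.
SAMPLE_LOG = """\
06/12/2009 02:58:17 Windows version: Microsoft Windows 2000, Build=2195, SP="Service Pack 4"
06/12/2009 02:58:18 Function kernel32.dll:FreeLibrary (200) intercepted, method ProcAddressHijack.GetProcAddress ->77E7DFDA->61F041FC
06/12/2009 02:58:18 Hook kernel32.dll:FreeLibrary (200) blocked
06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryA (484) intercepted, method ProcAddressHijack.GetProcAddress ->77E805CF->61F03C6F
06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryA (484) blocked
06/12/2009 02:58:18 Function kernel32.dll:LoadLibraryW (487) intercepted, method ProcAddressHijack.GetProcAddress ->77E852C5->61F03D0C
06/12/2009 02:58:18 Hook kernel32.dll:LoadLibraryW (487) blocked
06/12/2009 02:58:18 IAT modification detected: LoadLibraryW - 00AE0010<>77E852C5
06/12/2009 02:58:20 Functions checked: 248, intercepted: 0, restored: 0
06/12/2009 02:58:40 >> Services: potentially dangerous service allowed: Alerter (Avertissement)
06/12/2009 02:58:40 >> Security: disk drives' autorun is enabled
06/12/2009 02:58:40 >> Security: administrative shares (C$, D$ ...) are enabled
06/12/2009 02:58:46 >> Windows Update is disabled
"""

# Every event line starts with "MM/DD/YYYY HH:MM:SS "; headers and separators do not.
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?P<event>.*)$")
HOOK_RE = re.compile(
    r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method (?P<method>\S+) ->(?P<orig>[0-9A-Fa-f]+)->(?P<target>[0-9A-Fa-f]+)$"
)
BLOCKED_RE = re.compile(r"^Hook (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) blocked$")
IAT_RE = re.compile(
    r"^IAT modification detected: (?P<func>\w+) - (?P<found>[0-9A-Fa-f]+)<>(?P<expected>[0-9A-Fa-f]+)$"
)
KERNEL_RE = re.compile(
    r"^Functions checked: (?P<checked>\d+), intercepted: (?P<hooked>\d+), restored: (?P<restored>\d+)$"
)
WARNING_RE = re.compile(r"^>> (?P<text>.+)$")


def parse_avz_log(text):
    """Return user-mode hooks, IAT changes, the kernel SDT summary and the '>>' warnings."""
    report = {"hooks": [], "iat": [], "kernel": None, "warnings": []}
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw)
        if not m:
            continue  # section headers, separators, blank lines
        event = m.group("event")
        if (h := HOOK_RE.match(event)):
            report["hooks"].append({
                "module": h["module"], "func": h["func"], "ordinal": int(h["ordinal"]),
                "method": h["method"], "orig": int(h["orig"], 16),
                "target": int(h["target"], 16), "blocked": False,
            })
        elif (b := BLOCKED_RE.match(event)):
            # AVZ reports "blocked" on the line after the interception it neutralised.
            for hook in report["hooks"]:
                if hook["module"] == b["module"] and hook["func"] == b["func"]:
                    hook["blocked"] = True
        elif (i := IAT_RE.match(event)):
            report["iat"].append({"func": i["func"], "found": int(i["found"], 16),
                                  "expected": int(i["expected"], 16)})
        elif (k := KERNEL_RE.match(event)):
            report["kernel"] = tuple(int(k[g]) for g in ("checked", "hooked", "restored"))
        elif (w := WARNING_RE.match(event)):
            category, _, detail = w["text"].partition(": ")
            if not detail:  # e.g. "Windows Update is disabled" has no category prefix
                category, detail = "Other", w["text"]
            report["warnings"].append((category, detail))
    return report


def hook_targets_by_region(report, page_bits=16):
    """Group intercepted functions by the 64 KiB region their hook target lands in.

    Hooks whose targets share one region are very likely installed by the same DLL,
    which is the first thing to establish before deciding whether they are hostile.
    """
    regions = defaultdict(list)
    for hook in report["hooks"]:
        regions[hook["target"] >> page_bits].append(hook["func"])
    return {f"{base << page_bits:08X}": funcs for base, funcs in regions.items()}


def summarize(report):
    """Produce the short list of findings a responder would act on."""
    findings = []
    unblocked = [h["func"] for h in report["hooks"] if not h["blocked"]]
    if report["hooks"]:
        findings.append(f"{len(report['hooks'])} user-mode API hooks, {len(unblocked)} not neutralised")
    for entry in report["iat"]:
        findings.append(f"IAT entry for {entry['func']} points to {entry['found']:08X} "
                        f"instead of {entry['expected']:08X}")
    if report["kernel"] and report["kernel"][1] == 0:
        findings.append("kernel SDT clean")
    for category, detail in report["warnings"]:
        if category in ("Security", "Services"):
            findings.append(f"{category} weakness: {detail}")
    return findings


if __name__ == "__main__":
    rep = parse_avz_log(SAMPLE_LOG)
    print(hook_targets_by_region(rep))
    for line in summarize(rep):
        print("-", line)
```

Run it against the full log from the post and every hook target falls into the single `61F00000` region, which is the question to settle first (which module owns that range, and whether it is a legitimate product) before touching anything; the `Security` and `Services` findings are the host-hardening items to close regardless of what the hooks turn out to be.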