Attack from the internet....wtf is this?

Tjorriemorrie

Hi. Can anyone clear this up for me... my Kaspersky keeps popping up with this message:

Network attack Intrusion.Win.I.SASS.ASN1-kill-bill.exploit from address 41.208.205.46 has been successfully repelled.

What does this mean? Why does this happen every time I connect to the internet? Is it spyware on my PC?
 
Google picks up 3 references, but all Russian.
Sorry, but I cannot help you.

Have you tried HijackThis to see what is going on under the hood?
Do not click "fix" unless you are sure of yourself.
Perhaps you can upload the Log File or paste the contents here?
 
HijackThis log

I didn't bother to trace it as it would mean nothing to me, lol

Anyway, here you go:
Logfile of HijackThis v1.99.1
Scan saved at 18:37:28, on 11/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Utilities\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Utilities\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Utilities\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Applications\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Utlities\NetMeter\NetMeter.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Utilities\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\Apache.exe
C:\APPLIC~1\Webshots\webshots.scr
C:\Utilities\Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Backup\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Utilities\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Utilities\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Utilities\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Applications\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [C:\Utlities\NetMeter\NetMeter.exe] C:\Utlities\NetMeter\NetMeter.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Shortcut to Finansies 2007.lnk = C:\Documents and Settings\Tjorriemorrie.BLIKBREIN\My Documents\Personal\Finansies 2007.xls
O4 - Startup: Webshots.lnk = C:\Applications\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145985664406
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2B17479-0FBD-4A1E-94F9-595D4CE76109}: NameServer = 196.30.31.193 196.46.70.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
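
A first-pass triage of a log like the one above, as an added example that is not part of the original post: it groups entries by their section code and surfaces the ones HijackThis itself could not resolve. The function names (`parse_entries`, `needs_review`) are hypothetical, and the sample is assembled from lines of the posted log.

```python
import re
from collections import defaultdict

# Sample assembled for this example from lines of the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: iBurst Terminal UTL.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2B17479-0FBD-4A1E-94F9-595D4CE76109}: NameServer = 196.30.31.193 196.46.70.1
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# An entry line starts with a section code such as "R3" or "O23", then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Markers printed by HijackThis in the log above when it cannot resolve an entry.
REVIEW_MARKERS = ("(no file)", "(file missing)", "Unknown owner")

def parse_entries(text):
    """Return {section code: [entry text, ...]}; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def needs_review(sections):
    """Return (code, entry, reasons) for entries a human should look at first."""
    hits = []
    for code, entries in sections.items():
        for entry in entries:
            reasons = [mk for mk in REVIEW_MARKERS if mk in entry]
            if entry.rstrip().endswith("= ?"):
                reasons.append("unresolved shortcut target")
            if "NameServer" in entry:
                reasons.append("DNS servers set here: confirm they belong to your ISP")
            if reasons:
                hits.append((code, entry, reasons))
    return hits

if __name__ == "__main__":
    for code, entry, reasons in needs_review(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {entry}\n    -> {', '.join(reasons)}")
```

A flagged entry is a prompt for manual checking, not a verdict; the two WAMP services in the posted log, for instance, show "Unknown owner" even though their processes appear in the running list.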
 
Wow!

Quite a few things running there.

I would rather not pry into your system.
HijackThis is a pretty powerful little program and if you do use it then you had better make sure you have a backup of your system in case.
I prefer backing up my working drive using an image program like Drive Image.

Here is a screen shot of my ignore list. Those are the programs I allow to run on my computer. The rest got the boot.
Some viruses like to grab hold of a running Windows process like Winlogon, for example.

Listen, I am no expert in this field, but I like to fiddle under the hood like the next guy.

If I recall one can paste those Log Files on a forum somewhere and the "experts" will advise accordingly.
Some of those entries cannot be merely erased by deleting them.
In one case I had to use the "delete on reboot" option to rid the pesky program/file/registry entry from clinging onto my Winlogon process. :)

HijackThis Start Page
Forums

Good Luck.

It could also be your Firewall like The Librarian suggested? :rolleyes:
 
Hi. Can anyone clear this up for me... my Kaspersky keeps popping up with this message:

Network attack Intrusion.Win.I.SASS.ASN1-kill-bill.exploit from address 41.208.205.46 has been successfully repelled.

What does this mean? Why does this happen every time I connect to the internet? Is it spyware on my PC?

Kill-bill... :D

Anyways, there is an article as to why non-dedicated firewalls are no good; you can read it here

Regards

Libs
 
BTTB, I think I'll go to that forum. Can't remember the name, I think it's geekstogo. Anyway, I realise the firewall could be the problem, but hey, I ain't got the money to set up Unix servers as firewalls! lol, I wouldn't even know how. So yeah, guess I'll have to get used to the message :(
 
I dunno about geekstogo, but as I recall amazingtechs.com were very good.
Just post your HijackThis logs and they analyse them for you.

toady:)
 