
mtn6 popups from internet explorer



#1 Wh4T


Posted 11 January 2009 - 03:04 PM

Hi. 1st time posting a topic here. So I currently have an infection where popups in Internet Explorer come up every few minutes. The popups are from a site called mtn6. (either Google or other sites) com.ws
The popups are in Internet Explorer although I have only been using Firefox for the last month. I am currently using Malwarebytes' Anti-Malware to clean out infections. The last time I used it, it cleaned out some viruses but the popups still continued to come up. Since 1/5/09, the day the popups started, I have not been on the internet on the laptop with the infection. Now coming back on today, the popups continued. Today before connecting to the internet, my Auto-Protect came up saying it had acted on these risks. I have an attachment with a screenshot of it. I tried right-clicking on it and quarantining or deleting them permanently, but it would not allow it. You can see it in the next attachment. Running Malwarebytes' Anti-Malware full scan today, nothing was infected.
Below are the logs from Malwarebytes' Anti-Malware from 1/5/09.

This is the quick scan.

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

2:19:03 PM 1/5/2009
mbam-log-1-5-2009 (14-19-03).txt

Scan type: Quick Scan
Objects scanned: 3300
Time elapsed: 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnkIyWn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rcpbplwq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wsehcd.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60001f3c-50fa-457c-9a74-1aeb3afdf736} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{60001f3c-50fa-457c-9a74-1aeb3afdf736} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8bf4487-30eb-4c2b-943c-3a954a580c1e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8bf4487-30eb-4c2b-943c-3a954a580c1e} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\060fcd52 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnkiywn -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnkiywn -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wsehcd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnkIyWn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nWyIknnn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nWyIknnn.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rcpbplwq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qwlpbpcr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

______________________________________________________________________________________________________



Here is the full scan right after the quick scan.

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

4:16:18 PM 1/5/2009
mbam-log-1-5-2009 (16-16-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 147834
Time elapsed: 50 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ssqPiiiH.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpiiih (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ssqPiiiH.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNEvut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccdaxwV.dll (Trojan.Vundo) -> Delete on reboot.


______________________________________________________________________________________________________


I believe on rebooting my laptop, I have quarantined and deleted the delete on reboot files.

Please help me solve this infection.



EDIT: I just ran Malwarebytes' again today with a full scan. It found 8 infected objects. Here is the log.

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2

1/12/2009 12:16:55 PM
mbam-log-2009-01-12 (12-16-55).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 163341
Time elapsed: 51 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\204890\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\204890\Application Data\Twain\Twain.exe (Trojan.Agent) -> Delete on reboot.

______________________________________________________________________________________________________

Thanks again.


Edited by Wh4T, 11 January 2009 - 03:21 PM.




#2 Wh4T


Posted 13 January 2009 - 02:08 AM

I'm not sure but I think the last log I posted showed that I got rid of the infection because there have been no more mtn6 popups whenever I'm connected to the internet.

#3 KoanYorel


Posted 19 January 2009 - 08:28 AM

Thanks for informing us.

If you find other problems please start a new topic.

This thread is closed.

Good luck.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



