I got infected several days ago. I'll spare you the trouble this trojan has caused, but since the computer I use is also the one I work on, it's quite annoying!
I ran a scan with Kaspersky.
Here is what the report gives me:
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\Program Files\Zylom Games\Build-a-lot 3 Deluxe\buildalot3.exe
detected: riskware Hidden install Running process: C:\Documents and Settings\user\Local Settings\Temp\nso17C.tmp\FullSetupGamesClient-wildgames.exe
detected: riskware Invader Running process: C:\Program Files\WildGames\Build-a-lot\Buildalot-WT.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar008\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar008\mpcs.exe
detected: riskware Invader Running process: C:\omar008\mpcs.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Hidden install Running process: C:\Documents and Settings\user\Bureau\be-rich_s5_l4_gF2822T1L4_d487037231.exe
detected: riskware Hidden install Running process: C:\Documents and Settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s5_l4.exe
detected: riskware Invader Running process: C:\Program Files\Be Rich\nstwxjp.exe
detected: riskware Invader Running process: C:\Program Files\Be Rich\game.exe
detected: riskware Invader Running process: C:\omar08\mpcs.exe
detected: riskware Invader Running process: C:\omar008\mpcs.exe
detected: riskware Hidden install Running process: C:\Documents and Settings\user\Bureau\gourmania_s5_l4_gF2740T1L4_d487243782.exe
detected: riskware Invader Running process: C:\Program Files\Gourmania\mwtllll.exe
detected: riskware Invader Running process: C:\Program Files\Gourmania\gourmania.exe
detected: riskware Hidden install Running process: C:\Documents and Settings\user\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe
detected: riskware Hidden install Running process: C:\Program Files\Build A Lot 3 Passport To Europe\BuildALot3PassportToEuropeSetupx.EXE
detected: riskware Hidden install Running process: C:\Documents and Settings\user\Local Settings\Temp\IXP000.TMP\ICICON~3.EXE
detected: riskware Hidden install Running process: C:\Documents and Settings\user\Local Settings\Temp\IXP002.TMP\ICASHI~1.EXE
deleted: Trojan program Packed.Win32.PolyCrypt.d File: C:\WINDOWS\system32\ftp_non_crp.exe//PE_Patch.Poly//PE_Patch.Poly
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\nano[1]
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\eqgrwlyv.exe
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.tho File: C:\WINDOWS\system32\bglerwaf.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.tho File: C:\WINDOWS\system32\eiiuos.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.thp File: C:\WINDOWS\system32\gwgjms.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.thp File: C:\WINDOWS\system32\pmsmmuoj.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.tho File: C:\WINDOWS\system32\qaaweihy.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.tho File: C:\WINDOWS\system32\toqmek.dll
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\wdbipcsm.exe
deleted: Trojan program Trojan.Win32.Monder.byzu File: C:\WINDOWS\system32\cnuepnom.dll
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\01MF05EF\nano[1]
deleted: Trojan program Trojan.Win32.Monder.byzu File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\01MF05EF\qw[1]
deleted: Trojan program Trojan.Win32.Monder.byzu File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\01MF05EF\qw[2]
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\01MF05EF\nano[2]
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\01MF05EF\nano[3]
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.thp File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\index[1]
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.tho File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\index[2]
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.tho File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\index[3]
deleted: Trojan program Trojan.Win32.Monder.byvv File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\qw[1]
deleted: Trojan program Trojan.Win32.Monder.byub File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\qw[2]
deleted: Trojan program Trojan.Win32.Monder.byub File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\qw[3]
deleted: Trojan program Trojan.Win32.Monder.byuj File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\qw[4]
deleted: Trojan program Trojan.Win32.Monder.byuj File: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2O76TNHS\qw[5]
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\berjfdqn.exe
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\esfypsip.exe
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\jnrcwhdq.exe
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\tyvuyvun.exe
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.vohb File: C:\WINDOWS\system32\uspkkfba.exe
detected: Trojan program Trojan.Win32.Monder.bzib File: C:\WINDOWS\system32\ssqPgeCv.dll
deleted: Trojan program Trojan.Win32.Monder.bzif File: C:\WINDOWS\system32\sevymlav.dll
deleted: Trojan program Trojan.Win32.Monder.bzif File: C:\WINDOWS\system32\qdascwsm.dll
Then I ran an analysis with HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:23:25, on 12/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Infected by Vundo. Malwarebytes will certainly find it. At the end of the scan, delete it and post me the report.
Click the link for HijackThis and follow the procedure to rename it.
# Run a HijackThis scan: http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
Before launching HijackThis, rename it!
To do so, follow the path below, up to the file in bold:
Right-click on it and choose "Rename": type moulin.exe and confirm.
Then right-click on "moulin.exe" and choose Send to -> Desktop (create shortcut).
Go back to the desktop and click on the new icon to launch it.
*. Accept the license by clicking the "I Accept" button
*. Choose the option "Do a system scan and save a log file"
*. Click "Save log" to save the report, which will open in Notepad
*. Click "Edit -> Select All", then "Edit -> Copy" to copy the whole contents of the report
*. Paste the report you just copied on this forum
*. Do NOT fix ANY line yet, as that could prevent your PC from working correctly
Tutorials