Maleware Suspicious.cloud ? Ist mein Rechner befallen?

janmeierei · 19.05.2014, 23:07

Hallo liebe Experten,

beim täglichen Viren-Scan meldete mein Symmantec Endpoint:
Malware: Suspicious.Cloud.5

Ein Bereinigen sei nicht möglich.
Beim Googlen bekam ich ziemliche Panik: Passwörter werdenn ausspioniert, ist nicht vom System zu entfernen, ...

Symmantec hat Datei isoliert.
In diesem Forum erhielt ich Empfehlung MBAR. hab es installiert und durchlaufen lassen:

Ergebnis:
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.05.19.10

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.17107
Jan :: MASCHINE [administrator]

19.05.2014 22:20:26
mbar-log-2014-05-19 (22-20-26).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 298834
Time elapsed: 28 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Zudem habe ich die Datei auf Virustotal hochgeladen:
Ergebnis:

SHA256: 3332085dea182b31b65f8b457b57c0434a630137251c51c2d24c270646546f7c
Dateiname: yhotj2gk.exe.part
Erkennungsrate: 11 / 52
Analyse-Datum: 2014-05-19 21:37:43 UTC ( vor 0 Minuten )
0
0

Analyse
File detail
Zusätzliche Informationen
Kommentare
Bewertungen
Verhaltens-Informationen

Antivirus Ergebnis Aktualisierung
AVG Generic.D24 20140519
AntiVir APPL/DomaIQ.Gen 20140519
Avast Win32

omaIQ-BO [PUP] 20140519
ESET-NOD32 a variant of Win32/DomaIQ.BF 20140519
GData Win32.Trojan-Downloader.Lisp.A 20140519
Kaspersky not-a-virus:AdWare.Win32.Lollipop.qn 20140519
Malwarebytes PUP.Optional.Domalq 20140519
Panda PUP/MultiToolbar.A 20140519
Sophos DomainIQ pay-per install 20140519
Symantec Suspicious.Cloud.5 20140519
VIPRE DomaIQ (fs) 20140519
Ad-Aware 20140519
AegisLab 20140519
Agnitum 20140519
AhnLab-V3 20140519
Antiy-AVL 20140519
Baidu-International 20140519
BitDefender 20140519
Bkav 20140517
ByteHero 20140519
CAT-QuickHeal 20140519
CMC 20140519
ClamAV 20140519
Commtouch 20140519
Comodo 20140519
DrWeb 20140519
Emsisoft 20140519
F-Prot 20140519
F-Secure 20140519
Fortinet 20140519
Ikarus 20140519
Jiangmin 20140519
K7AntiVirus 20140519
K7GW 20140519
Kingsoft 20140519
McAfee 20140519
McAfee-GW-Edition 20140519
MicroWorld-eScan 20140519
Microsoft 20140519
NANO-Antivirus 20140519
Norman 20140519
Qihoo-360 20140519
Rising 20140519
SUPERAntiSpyware 20140519
Tencent 20140519
TheHacker 20140519
TotalDefense 20140519
TrendMicro 20140519
TrendMicro-HouseCall 20140519
VBA32 20140519
ViRobot 20140519
Zillya 20140519
nProtect 20140519

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Publisher Payments Interactive SL
Signature verification Signed file, verified signature
Signing date 3:54 PM 5/19/2014
Signers
[+] Payments Interactive SL
[+] Go Daddy Secure Certification Authority
[+] Go Daddy Class 2 Certification Authority
Counter signers
[+] Symantec Time Stamping Services Signer - G4
[+] Symantec Time Stamping Services CA - G2
[+] Thawte Timestamping CA
Packers identified
F-PROT PecBundle
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-05-19 09:12:03
Entry Point 0x00004085
Number of sections 3
PE sections
Name Virtual address Virtual size Raw size Entropy MD5
.text 4096 733184 315392 8.00 ef488de4a5454df461f9e040ed4e9630
.rsrc 737280 94208 94208 7.47 b9fca2326f5b39ccfebc1e6373e90db7
.reloc 831488 512 512 0.29 cb94cef5921e7f40d70daaff04608d9e
PE imports
[+] ADVAPI32.dll
[+] OLEAUT32.dll
[+] kernel32.dll
[+] mscoree.dll
Number of PE resources by type
RT_ICON 15
BLENDER 1
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
SPANISH MODERN 17
ENGLISH US 1
ExifTool file metadata
MIMEType
application/octet-stream

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

TimeStamp
2014:05:19 10:12:03+01:00

FileType
Win32 EXE

PEType
PE32

CodeSize
153088

LinkerVersion
11.0

FileAccessDate
2014:05:19 22:38:06+01:00

EntryPoint
0x4085

InitializedDataSize
573952

SubsystemVersion
5.1

ImageVersion
0.0

OSVersion
5.1

FileCreateDate
2014:05:19 22:38:06+01:00

UninitializedDataSize
0

File identification
MD5 5bd369112da69d3719e61d1f55fe98d8
SHA1 7b12fae3a3aa8e4686bb811016e6c4c2a31120f1
SHA256 3332085dea182b31b65f8b457b57c0434a630137251c51c2d24c270646546f7c
ssdeep
12288:/5OlniygVmOPUwWVuIvgJ6wSJX1uOncQAI0F:/5EmkOPnkDv66wkrcVI0F

imphash 8ffc31bccd11f7f873be952d93bdc291
File size 408.6 KB ( 418400 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 EXE PECompact compressed (v2.x) (54.1%)
Win32 EXE PECompact compressed (generic) (38.0%)
Win32 Executable (generic) (4.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
Tags
peexe signed

VirusTotal metadata
First submission 2014-05-19 21:37:43 UTC ( vor 24 Minuten )
Last submission 2014-05-19 21:37:43 UTC ( vor 24 Minuten )
Dateinamen yhotj2gk.exe.part

So, nun ist meine Frage: Kann ich beruhigt ins Bett gehen, oder was kann bzw. muss ich tun?
Wie gefährlich ist die Sache?
Ist mein System bereinigt?

Ich würde mich über Antworten freuen.

P.S. Ich habe keinerlei e-Mail-Anhang geöffnet, der mir unbekannt war.

Vielen Dank
Jan

Maleware Suspicious.cloud ? Ist mein Rechner befallen?

Log-Analyse und Auswertung: Maleware Suspicious.cloud ? Ist mein Rechner befallen?

Maleware Suspicious.cloud ? Ist mein Rechner befallen?

Ähnliche Themen: Maleware Suspicious.cloud ? Ist mein Rechner befallen?