Jsmply asked:
How can we remove OpenCloud AV? Seems to have evolved

Got a vista machine infected with OpenCloud AV and trying to follow the instructions on MBAM's site but it seems like it has evolved.  http://forums.malwarebytes.org/index.php?showtopic=94176

Once Windows is booted for a few minutes or so, it goes ahead and completely shuts itself down and restarts Windows.  Never got an opportunity to run anything.

Are there any updated articles on this infection yet?

*** Edit - Just saw an updated guide from Bleeping computer.  Going to look through that now.  Will post back results.  http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security

Thanks
SOLUTION (Sudeep Sharma)
This solution is only available to members.
Jsmply (ASKER):

Thanks. Is that net studio link a trusted source?
Yes. It has helped one user so far so I believe it is.

Further, we could scan the system with the well-known, reputed tools later if you are able to resolve this issue with the tool provided.
Jsmply (ASKER):

Thx. Just a little skeptical to run a tool that isn't well reviewed yet. Does it do something we know mbam and cf and others can't do?  Seems like it's just removing files. May check it out on a test machine first?

Trying cf in the meantime since it terminates mbam pro after a few seconds of scanning.
SOLUTION (members only)
CF does a lot of things, and where it is unable to delete the suspicious files we are required to analyze the logs which CF has produced and create a script to remove the suspected files/folders and registry entries.

If MBAM is getting terminated then you may need to run Rogue-Killer first and then immediately MBAM.

I would suggest you go through the following articles, which would help you in dealing with such infections:

https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
https://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Sudeep
In my case, RogueKiller and RKill were not effective. The first order of business was to get rid of the ZeroAccess rootkit.
Jsmply (ASKER):

Willcomp, cf seems to have found zero access as you described. It rebooted windows to normal mode. Cf did post some messages about not being able to run as admin prior to reboot though. Waiting to see if a followup run lets mbam run.

"Cf did post some messages about not being able to run as admin prior to reboot though"

@Jsmply

which OS are we dealing with?

If this is Windows 7 you may need to run CF by right-clicking and choosing "Run As Administrator".
Before trying to run MBAM, boot into safe mode and disable all non-MS services and startup items using msconfig. Then reboot into normal mode and try to run MBAM. It may be necessary to install a fresh copy of MBAM. Also check that IE is able to connect to the Internet. MBAM uses IE to update definitions. Check that a proxy server is not enabled. You can use RogueKiller to remove proxies or do it in the Connections tab of Internet Explorer.
Got same CF message about not able to run as administrator in XP using account with admin privileges.
Or at least I suppose it was the same message. CF ran though.
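The checks Willcomp describes above (proxy enabled, non-Microsoft services, startup items) can be gathered read-only before touching msconfig. The script below is an added example written for this page, not a tool from the thread or from any of the products mentioned. It assumes Windows PowerShell with WMI available and an elevated prompt; it reports only and changes nothing.

```powershell
# Added example (not from the thread): read-only triage of the items
# Willcomp lists: IE/WinINet proxy, non-Microsoft services, startup entries.
# Assumes Windows PowerShell (2.0 or later) and an elevated prompt.

# 1. Proxy: a hijacked proxy is one reason MBAM cannot fetch definitions.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Warning ("Proxy is ENABLED: {0}  (AutoConfigURL: {1})" -f $inet.ProxyServer, $inet.AutoConfigURL)
} else {
    Write-Output ("Proxy disabled (ProxyEnable = {0})" -f $inet.ProxyEnable)
}

# 2. Services whose host binary is not labelled Microsoft in its version info.
function Get-ServiceExePath([string]$PathName) {
    # PathName may be quoted, carry arguments, or use %SystemRoot%; keep only the exe.
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split ' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$nonMs = Get-WmiObject Win32_Service | ForEach-Object {
    $exe = Get-ServiceExePath $_.PathName
    $company = ''
    if ($exe -and (Test-Path $exe)) {
        $company = (Get-Item $exe).VersionInfo.CompanyName
    }
    if ($company -notlike '*Microsoft*') {
        New-Object PSObject -Property @{
            Name = $_.Name; State = $_.State; StartMode = $_.StartMode
            Company = $company; Path = $exe
        }
    }
}
Write-Output "Services not labelled Microsoft:"
$nonMs | Select-Object Name, State, StartMode, Company, Path | Format-Table -AutoSize

# 3. Startup items (Run keys and Startup folders), as msconfig's Startup tab shows them.
Write-Output "Startup items:"
Get-WmiObject Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize
```

One caveat to keep in mind when reading the output: services hosted inside svchost.exe are attributed to Microsoft because only the host binary's version information is inspected, so a service DLL loaded by svchost would not show up in the non-Microsoft list; the proxy and startup sections are the ones most directly tied to the MBAM update and startup problems discussed in this thread.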
Jsmply (ASKER):

Ok update: ran cf in safemode as Willcomp said. It seemed to notice zero access and rebooted to normal Windows. Cf did not start again at that point. Manually typed the path to run rkill since desktop and other areas were hidden. That killed a few things. Ran cf from normal mode, it removed several files with the opencloud name. Registering and installing mbam pro now for a full scan in normal mode. So far it's 3 mins in and hasn't crashed.
You may want to post the log of CF for further analysis.
Jsmply (ASKER):

Definitely will.  Willcomp - Quick question - You said that CF needs to be run in safe mode to remove zero access.  Would it at least detect it in normal mode?  Do we need to re-run in safe mode just to see if it detects it again?  MBAM still running, found 7 infections so far.
CF will remove Zero Access in normal mode. I just couldn't get it to start in normal mode and had to run in safe mode. It would start and then shutdown after a few seconds in normal mode.

Appears that MBAM is doing the job. I'd run CF again after MBAM finishes and post that log. MBAM should remove the infection.
Jsmply (ASKER):

Thanks.  MBAM still running now, lots of pics and other things on this hard drive that is slowing it down a bit.  Afterwards will run CF and post the log.  Any reason to post the MBAM log?  If so, do we need to re-run it for a clean run?  Thanks
MBAM logs are for the experts to know what infected your computer and whether there are any further recommendations on the removal of those infections and precautions that one should take.
I think SSharma meant CF log. You can post MBAM log so we can see what was identified and removed.
Jsmply (ASKER):

MBAM finished, it found 9 infections and 6 of them were already in the Qoobox folder (presumably from one of the CF runs).  It removed them plus the other 3.  Going to run CF now and will post log.  
Opencloud hasn't evolved; it's just the ZeroAccess rootkit that's the main culprit that stops programs.

Did you try ComboFix in normal mode and it didn't run? It's supposed to handle this rootkit, but then rootkits these days seem to be always ahead of most tools.
@rpg - I couldn't get CF to run in normal mode, so suggested starting in safe mode. Looked like he had the same symptoms I encountered.
Jsmply (ASKER):

Seems to be running better. A third cf run turned up an opencloud .ico file missed in the first two runs. Any concern that means something is left behind recreating it?  Will post the final log after this run. Hopefully it's clean.
Jsmply (ASKER):

Here is the last CF run.  Anyone see anything alarming?
Attachment: Cflog.txt
All the folders under c:\users\Owner\AppData\Roaming\ are probably empty folders left by the malware and not removed. I'll defer to rpggamergirl or anyone else that can analyze and/or prepare a CF script for removal.
ASKER CERTIFIED SOLUTION (members only)
I wasn't aware of Inherit.exe. Just downloaded from Bleeping Computer and wondered why I haven't seen it mentioned on there before. Another contribution from sUBs. Thanks for the tip rpg.
Jsmply (ASKER):

Thanks all.  Re-ran CF with RPG's script and that log is attached with the name ScriptComboFix.  Question - The log file doesn't seem to show it deleted the files you put in the script (although it does mention the script trigger up top).  Should it show them under deletions in any way?

Then just for good measure ran a follow-up run.  That log is attached also.

Thx
Attachments: ScriptComboFix.txt, ComboFix.txt
Jsmply (ASKER):

Disregard that last question.  Not sure why but CF didn't seem to remove the folders from the script.  Going to try again now.
Jsmply (ASKER):

Okay, re-ran it and it removed all except:
c:\users\Owner\AppData\Local\BIT7C82.tmp
c:\users\Owner\AppData\Local\BITBA79.tmp

Cf seemed to ignore those files even with the script?  Regardless, they were removed manually.  Please see the two attached logs and see if everyone agrees it's clean.  Thx

Attachments: WithDeletionsComboFix.txt, ComboFix.txt
You were clean to start with. Those were just empty leftovers to tidy up and were of no concern. They are all gone now and system looks fine.
After allowing time for any others to review your CF log, you need to uninstall CF. Type ComboFix /uninstall in the Run box which can be accessed by pressing Win Key + R.
Yes, log shows clean...
About those 2 files being ignored by ComboFix: my fault, due to my copy/pasting I accidentally put them in the wrong directive (which instructed CF to look for folders instead of files).
Sorry, :(
Jsmply (ASKER):

Hi Everyone,
Thanks for all the help.  Machine is running well now.

SSharma - Your recommendation very well may have worked, but we were just hesitant to depend on software only verified by one EE user.  Hope you understand there.  Thank you

Willcomp - Thanks for all your help, your answers really got the job done.

RPG - Your help, as always, got the job 100% done.  Really appreciate the script.