anuneznyc (United States of America) asked:
Cannot Remove OpenCloud AV Spyware

I have a client's laptop (running Windows 7 Ultimate) that was infected with OpenCloud AV spyware. I tried to download and run Malwarebytes. It installs and updates just fine, but then the program abruptly shuts down after less than 1 minute. Ditto for SuperAntiSpyware. This happens even in Safe Mode.

Client already had a paid version of AVG Anti-Virus installed. However, when I try to run a scan, it says "No infection was found during this scan" after less than 10 seconds of scanning. So it seems that the spyware infection is tricking AVG into thinking it did a full scan when it obviously did not.

I tried to run ComboFix but got a warning that it would not run unless I first uninstall AVG. However, I get an error message when I try to uninstall AVG, so that failed.

I found that the shortcut link for OpenCloud AV points to annGG4ammHsWjfL.exe under Windows\System32\ so I deleted that file and rebooted. But still having all the above problems.

Running RKill doesn't find any illegal processes.

Feeling really stuck here. How can I get rid of this infection?
ASKER CERTIFIED SOLUTION
Alienwalker (Australia)
This solution is only available to Experts Exchange members.
Adam Leinss
Scan the laptop offline with Microsoft Standalone System Sweeper:

http://connect.microsoft.com/systemsweeper
anuneznyc (ASKER)
Thanks for the advice, guys. I cannot seem to kill either instance of csrss.exe.

I am now running a full scan with Microsoft Standalone System Sweeper. Will update when it's finished.

Microsoft Standalone System Sweeper finished its scan. It found & removed 2 infections:

1. Rogue:Win32/FakeScanti
2. TrojanDropper:Win32/Sirefef.I

I wrote down the details for the files/directories infected by the 2nd one:
\users\thinkpad\appdata\local\temp0.24064498337964824.exe
\users\thinkpad\appdata\locallow\sun\java\deployment\cache\6.0\12\6b7fb14c-44fa79d3
\windows\temp\9b88.exe

I was hoping that removing these 2 infections would solve the problem. But it hasn't b/c when I try to install & run Malwarebytes, again it only scans for less than 20 seconds and then abruptly shuts down. So seems like there is definitely some infection left over.

Right now I'm using a copy of Trinity Rescue Kit (http://trinityhome.org/) to run a full scan using Avast AntiVirus. However, I think I will ultimately have to edit the registry entries to remove the references to the infected processes that are launching every time I boot Windows. I will need to use an offline registry editor. Is there one of those on the Ultimate Boot CD for Windows?
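As an added example (not part of this thread, and not code from any of the tools the posts mention), the PowerShell triage script below covers the two things the asker is working through: which autostart registry entries launch at boot, and whether the csrss.exe instances that cannot be killed are the genuine ones. It lists the Run/RunOnce values, flags commands that point into temp or profile directories (where the sweeper found the dropped files in this thread), that have a random-looking name like the one in System32 the asker deleted, or that carry no valid embedded Authenticode signature; it then prints each csrss.exe with its image path. The parameter names, the `-Offline` switch and the heuristics are my own assumptions; the script targets Windows 7 PowerShell 2.0 and should be run from an elevated prompt, or against a SOFTWARE hive loaded from the offline volume with `reg load`.

```powershell
# Added triage example; not code from the thread or from any product it names.
# Live system:   run elevated, no parameters.
# Offline hive:  reg load HKLM\OfflineSoftware D:\Windows\System32\config\SOFTWARE
#                then run with -SoftwareRoot 'HKLM:\OfflineSoftware' -Offline
param(
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',  # hypothetical parameter: root of the SOFTWARE hive
    [string]$UserRoot     = 'HKCU:\SOFTWARE',  # hypothetical parameter: root of the user's hive
    [switch]$Offline                            # hypothetical: skip file and process checks on an offline hive
)

# Autostart locations the asker wants to inspect before editing them.
$runKeys = @(
    "$SoftwareRoot\Microsoft\Windows\CurrentVersion\Run",
    "$SoftwareRoot\Microsoft\Windows\CurrentVersion\RunOnce",
    "$UserRoot\Microsoft\Windows\CurrentVersion\Run",
    "$UserRoot\Microsoft\Windows\CurrentVersion\RunOnce"
)

# Directories a legitimate autostart rarely points into; the files found by the
# sweeper in this thread lived under \appdata\local\temp and \windows\temp.
$suspiciousDirs = @('\\temp\\', '\\appdata\\', '\\programdata\\', '\\users\\public\\')

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a command line such as "C:\a b\x.exe" /s or C:\x.exe /s
    if ($cmd -match '^\s*"([^"]+)"')   { return $matches[1] }
    if ($cmd -match '^\s*(\S+?\.exe)') { return $matches[1] }
    return $cmd.Trim()
}

function Get-Reasons([string]$path) {
    $reasons = @()
    foreach ($d in $suspiciousDirs) {
        if ($path -imatch $d) { $reasons += "lives under $d" }
    }
    # Heuristic for random-looking names (the thread's annGG4ammHsWjfL.exe):
    # 12+ alphanumerics with a digit and a lower-to-upper case change. Expect false positives.
    $leaf = [IO.Path]::GetFileNameWithoutExtension($path)
    if ($leaf -cmatch '^[A-Za-z0-9]{12,}$' -and $leaf -match '\d' -and $leaf -cmatch '[a-z][A-Z]') {
        $reasons += 'random-looking file name'
    }
    if (-not $Offline -and (Test-Path -LiteralPath $path)) {
        # Caveat: many genuine Windows binaries are catalog-signed and report NotSigned
        # here, so this is a prompt to look closer, not proof of anything.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $reasons += "no valid embedded signature ($($sig.Status))" }
    }
    return $reasons
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, PSProvider, ...
        $exe = Get-ExePath ([string]$p.Value)
        New-Object PSObject -Property @{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Reasons = ((Get-Reasons $exe) -join '; ')
        }
    }
}
"=== Autostart entries (review flagged ones before deleting anything) ==="
$findings | Sort-Object Reasons -Descending | Format-Table Name, Command, Reasons -AutoSize -Wrap

if (-not $Offline) {
    # Windows 7 normally runs two csrss.exe, one for session 0 and one for the console
    # session, and neither can be terminated; what matters is the image path.
    "=== csrss.exe instances ==="
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
    Get-WmiObject Win32_Process -Filter "Name='csrss.exe'" | ForEach-Object {
        $verdict = if ($_.ExecutablePath -eq $null) { 'path not readable (run elevated)' }
                   elseif ($_.ExecutablePath -ieq $expected) { 'expected path' }
                   else { 'UNEXPECTED PATH' }
        "{0,6}  session {1}  {2}  {3}" -f $_.ProcessId, $_.SessionId, $_.ExecutablePath, $verdict
    }
}
```

On a live infected machine the script's view can be tampered with like any other tool's, which is why the `-Offline` switch exists: loading the SOFTWARE hive from a boot CD and pointing `-SoftwareRoot` at it lists the same Run entries without the malware running. Flagged entries are candidates for manual review, not an automatic delete list.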

Thanks Alienwalker. Running that free removal tool from the link you sent me seems to have finally killed off this nasty malware. I am now able to run Malwarebytes with no problems. Thanks!