Solved

Cannot Remove OpenCloud AV Spyware

Posted on 2011-10-03
716 Views
Last Modified: 2013-11-22
I have a client's laptop (running Windows 7 Ultimate) that was infected with OpenCloud AV spyware. I tried to download and run Malwarebytes. It installs and updates just fine, but then the program abruptly shuts down after less than 1 minute. Ditto for SuperAntiSpyware. This happens even in Safe Mode.

Client already had a paid version of AVG Anti-Virus installed. However, when I try to run a scan, it says "No infection was found during this scan" after less than 10 seconds of scanning. So it seems that the spyware infection is tricking AVG into thinking it did a full scan when it obviously did not.

I tried to run ComboFix but got a warning that it would not run unless I first uninstall AVG. However, I get an error message when I try to uninstall AVG, so that failed.

I found that the shortcut link for OpenCloud AV points to annGG4ammHsWjfL.exe under Windows\System32\, so I deleted that file and rebooted. But I'm still having all the above problems.

Running RKill doesn't find any illegal processes.

Feeling really stuck here. How can I get rid of this infection?
Question by:anuneznyc
5 Comments
LVL 5

Accepted Solution

by:
Alienwalker earned 1000 total points
ID: 36908167
Hi anuneznyc,

There is an auto-remove tool for OpenCloud AV spyware if you google for it.

Boot into safe mode, can you run your AV from there?

To manually delete the AV files and DLLs, look for:

%LocalAppData%\<random>.exe
%StartMenu%\Programs\OpenCloud AV\
%StartMenu%\Programs\OpenCloud AV\Buy OpenCloud AV.lnk
%StartMenu%\Programs\OpenCloud AV\Launch OpenCloud AV.lnk
%System%\drivers\<random>.sys
%UserProfile%\Desktop\Buy OpenCloud AV.lnk

Unregister the OpenCloud AV registry values:

HKEY_CLASSES_ROOT\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19090308-636D-4e9b-A1CE-A647B6F794BF}

You may have to kill OpenCloud's process first (crss.exe).

Note: please check in Internet Explorer that there is no proxy set in the LAN settings (a symptom of OpenCloud).

Further reading: http://www.net-studio.org/eng/patch/patch/315-free-removal-tool-for-opencloud-antivirus.html
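As an added, read-only example (not code from the thread or from any of its participants), the following PowerShell script audits a machine for the indicators listed in the accepted answer: the Start Menu and Desktop shortcuts, the BHO CLSID registry keys, the Internet Explorer LAN proxy symptom, and the crss.exe process. Two parts are assumptions not taken from the thread: the "created in the last 7 days" cutoff used to surface candidate random-named files under %LocalAppData% and the drivers folder, and the heuristic that a genuine csrss.exe always runs from %SystemRoot%\System32. It assumes an elevated PowerShell prompt on the live system and only reports; it deletes nothing, so the manual clean-up in the answer (or the removal tool) remains a separate step.

```powershell
# Added example, not part of the original thread: read-only audit of the
# OpenCloud AV indicators listed in the accepted answer. Reports only.
# Assumes an elevated prompt; written to stay compatible with PowerShell 2.0 (Windows 7).

$clsid = '{19090308-636D-4e9b-A1CE-A647B6F794BF}'   # CLSID quoted in the answer
$findings = @()

# 1. Shortcut and Start Menu artefacts named in the answer, with the
#    %StartMenu% / %UserProfile% placeholders expanded for the current user.
$startMenu = [Environment]::GetFolderPath('StartMenu')
$desktop   = [Environment]::GetFolderPath('Desktop')
$fileIocs = @(
    (Join-Path $startMenu 'Programs\OpenCloud AV'),
    (Join-Path $startMenu 'Programs\OpenCloud AV\Buy OpenCloud AV.lnk'),
    (Join-Path $startMenu 'Programs\OpenCloud AV\Launch OpenCloud AV.lnk'),
    (Join-Path $desktop   'Buy OpenCloud AV.lnk')
)
foreach ($p in $fileIocs) {
    if (Test-Path -LiteralPath $p) { $findings += "File/folder present: $p" }
}

# 2. The answer says the dropper uses a <random>.exe under %LocalAppData% and a
#    <random>.sys under %System%\drivers. The names are unknown, so list recently
#    created candidates for a human to review (7-day cutoff is an assumed heuristic).
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $cutoff } |
    ForEach-Object { $findings += "Recent EXE in LocalAppData (review): $($_.FullName)" }
Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -Filter '*.sys' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $cutoff } |
    ForEach-Object { $findings += "Recent driver (review): $($_.FullName)" }

# 3. Registry keys from the answer: the CLSID and its Browser Helper Object registration.
$regIocs = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)
foreach ($k in $regIocs) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 4. Proxy symptom from the answer: Internet Explorer LAN proxy enabled for this user.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    $findings += "IE LAN proxy enabled: $($inet.ProxyServer)"
}

# 5. The process the answer names (crss.exe), plus an assumed lookalike check:
#    a genuine csrss.exe runs from %SystemRoot%\System32, so one elsewhere is suspect.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.ProcessName
    if ($name -ieq 'crss') {
        $findings += "Process running: crss.exe (PID $($_.Id))"
    } elseif ($name -ieq 'csrss') {
        $path = $null
        try { $path = $_.MainModule.FileName } catch { }   # access denied for protected processes is normal
        if ($path -and -not $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "csrss.exe outside System32 (PID $($_.Id)): $path"
        }
    }
}

if ($findings.Count -eq 0) { 'No listed OpenCloud AV indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it before and after clean-up: a clean machine should report nothing from sections 1, 3, 4 and 5, while section 2 is a review list rather than a verdict, since legitimate installers also drop recent executables under %LocalAppData%.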
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 36909518
Scan the laptop offline with Microsoft Standalone System Sweeper:

http://connect.microsoft.com/systemsweeper
 

Author Comment

by:anuneznyc
ID: 36911210
Thanks for the advice, guys. I cannot seem to kill either instance of csrss.exe.

I am now running a full scan with Microsoft Standalone System Sweeper. Will update when it's finished.
 

Author Comment

by:anuneznyc
ID: 36912928
Microsoft Standalone System Sweeper finished its scan. It found & removed 2 infections:

1. Rogue:Win32/FakeScanti
2. TrojanDropper:Win32/Sirefef.I

I wrote down the details for the files/directories infected by the 2nd one:
\users\thinkpad\appdata\local\temp0.24064498337964824.exe
\users\thinkpad\appdata\locallow\sun\java\deployment\cache\6.0\12\6b7fb14c-44fa79d3
\windows\temp\9b88.exe

I was hoping that removing these 2 infections would solve the problem. But it hasn't, because when I try to install & run Malwarebytes, again it only scans for less than 20 seconds and then abruptly shuts down. So it seems like there is definitely some infection left over.

Right now I'm using a copy of Trinity Rescue Kit (http://trinityhome.org/) to run a full scan using Avast AntiVirus. However, I think I will ultimately have to edit the registry entries to remove the references to the infected processes that are launching every time I boot Windows. I will need to use an offline registry editor. Is there one of those on the Ultimate Boot CD for Windows?

 

Author Comment

by:anuneznyc
ID: 36914854
Thanks Alienwalker. Running that free removal tool from the link you sent me seems to have finally killed off this nasty malware. I am now able to run Malwarebytes with no problems. Thanks!