Cannot Remove OpenCloud AV Spyware

Posted on 2011-10-03
Last Modified: 2013-11-22
I have a client's laptop (running Windows 7 Ultimate) that was infected with OpenCloud AV spyware. I tried to download and run Malwarebytes. It installs and updates just fine, but then the program abruptly shuts down after less than 1 minute. Ditto for SuperAntiSpyware. This happens even in Safe Mode.

Client already had a paid version of AVG Anti-Virus installed. However, when I try to run a scan, it says "No infection was found during this scan" after less than 10 seconds of scanning. So it seems that the spyware infection is tricking AVG into thinking it did a full scan when it obviously did not.

I tried to run ComboFix but got a warning that it would not run unless I first uninstall AVG. However, I get an error message when I try to uninstall AVG, so that failed.

I found that the shortcut link for OpenCloud AV points to annGG4ammHsWjfL.exe under Windows\System32\, so I deleted that file and rebooted. But I am still having all the above problems.

Running RKill doesn't find any illegal processes.

Feeling really stuck here. How can I get rid of this infection?
Question by: anuneznyc
    LVL 5

    Accepted Solution

    Hi anuneznyc,

    There is an automatic remover for OpenCloud AV spyware if you Google for it.

    Boot into Safe Mode. Can you run your AV from there?

    To manually delete the AV files and DLLs, look for:

     %StartMenu%\Programs\OpenCloud AV\
     %StartMenu%\Programs\OpenCloud AV\Buy OpenCloud AV.lnk
     %StartMenu%\Programs\OpenCloud AV\Launch OpenCloud AV.lnk
     %UserProfile%\Desktop\Buy OpenCloud AV.lnk

    Unregister OpenCloud AV registry values:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19090308-636D-4e9b-A1CE-A647B6F794BF}

    You may have to kill OpenCloud's process first (crss.exe).

    Note: Please check in Internet Explorer that there is no proxy setting set in the LAN settings (a symptom of OpenCloud).

    further reading:
    LVL 22

    Expert Comment

    by:Adam Leinss
    Scan the laptop offline with Microsoft Standalone System Sweeper:

    Author Comment

    Thanks for the advice, guys. I cannot seem to kill either instance of csrss.exe.

    I am now running a full scan with Microsoft Standalone System Sweeper. Will update when it's finished.

    Author Comment

    Microsoft Standalone System Sweeper finished its scan. It found & removed 2 infections:

    1. Rogue:Win32/FakeScanti
    2. TrojanDropper:Win32/Sirefef.I

    I wrote down the details for the files/directories infected by the 2nd one:

    I was hoping that removing these 2 infections would solve the problem. But it hasn't b/c when I try to install & run Malwarebytes, again it only scans for less than 20 seconds and then abruptly shuts down. So seems like there is definitely some infection left over.

    Right now I'm using a copy of Trinity Rescue Kit to run a full scan using Avast AntiVirus. However, I think I will ultimately have to edit the registry entries to remove the references to the infected processes that are launching every time I boot Windows. I will need to use an offline registry editor. Is there one of those on the Ultimate Boot CD for Windows?


    Author Comment

    Thanks Alienwalker. Running that free removal tool from the link you sent me seems to have finally killed off this nasty malware. I am now able to run Malwarebytes with no problems. Thanks!
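
The manual checks listed in the accepted solution, collected into a read-only PowerShell script for confirming that a cleanup left nothing behind (an added example, not part of the original thread). It assumes `%StartMenu%` means the Windows 7 per-user and all-users Start Menu folders, and it additionally looks at the `Wow6432Node` copy of the registry key; the System32 file name is the one reported in the question.

```powershell
# Added example: read-only check for the OpenCloud AV leftovers named in this thread.
# Nothing is deleted or changed. Written for PowerShell 2.0 (the Windows 7 default).
# Assumption: %StartMenu% = the per-user and all-users Start Menu folders.

$clsid = '{19090308-636D-4e9b-A1CE-A647B6F794BF}'   # BHO CLSID from the accepted solution
$bho   = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$targets = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\OpenCloud AV'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\OpenCloud AV'),
    (Join-Path $env:USERPROFILE 'Desktop\Buy OpenCloud AV.lnk'),
    (Join-Path $env:windir      'System32\annGG4ammHsWjfL.exe'),  # file name from the question
    "HKLM:\SOFTWARE\$bho\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\$bho\$clsid"          # assumption: 32-bit view on 64-bit Windows
)

# File, folder and registry indicators: present or not.
$report = @(foreach ($t in $targets) {
    New-Object PSObject -Property @{
        Check = $t
        Found = (Test-Path -LiteralPath $t)
    }
})

# Process name as given in the accepted solution. The similarly named csrss.exe
# is a legitimate Windows system process and is not what this looks for.
$proc = @(Get-Process -Name 'crss' -ErrorAction SilentlyContinue)
$report += New-Object PSObject -Property @{
    Check = 'Running process: crss.exe'
    Found = ($proc.Count -gt 0)
}

# The IE "LAN settings" proxy is stored per user in these registry values,
# so this reflects the account the script runs under.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$report += New-Object PSObject -Property @{
    Check = "IE LAN proxy enabled (ProxyServer = '$($inet.ProxyServer)')"
    Found = ($inet.ProxyEnable -eq 1)
}

$report | Select-Object Found, Check | Format-Table -AutoSize

if ($report | Where-Object { $_.Found }) {
    Write-Warning 'At least one indicator from the thread is still present.'
}
```

Run it under the affected user's account, since the proxy values and the per-user Start Menu and Desktop paths are read from that profile.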
