Calvin Close (asker):
How to Remove OpenCloud Security Virus

I have been trying to remove OpenCloud Security virus from a computer.  I have tried all the normal methods posted on the internet:
RogueKiller
Malwarebytes Anti-Malware
Safe Mode

However, even when I start the computer in Safe Mode and run RogueKiller, the virus keeps preventing Malwarebytes Anti-Malware from running. As soon as MBAM starts running, this virus kills MBAM and deletes MBAM.
Running RogueKiller shows that it is killing a process 3423950225:1856694835.exe, but when I run RogueKiller again, it still shows the same process.

Can someone please help?

Running XP Pro.

Thanks in advance,

Calvin
willcomp:

I'm just finishing one that had Open Cloud Security along with several other nasties. Removal was difficult.

Zero Access and TDSS rootkits were present, and Zero Access may be causing MBAM to close in safe mode. Run TDSSKiller and see what it finds -- it'll show Zero Access but won't remove it. ComboFix (CF) will remove Zero Access, but you will have to run CF in safe mode. If CF identifies rootkits, it will reboot, and when it does, allow Windows to boot into normal mode.
http://support.kaspersky.com/faq/?qid=208283363
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post back with your results and I'll add some additional info that should help.
Here are the Bleeping Computer removal instructions which I didn't find helpful but you may.
http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security

It's unusual for removal instructions on Bleeping Computer not to be effective. They weren't in my case.
ASKER CERTIFIED SOLUTION by liquidcherry (solution text available to members only)

liquidcherry:

Hi there, sorry, forgot to include the link. Thanks for putting it up here. No intention to claim this as my original posting (and I said in the beginning I found it and credited the OP).

But on the restore point issue, I disagree with your statement; there are nasties out there which hide out exactly in the restore point (been there: after getting rid of some virus it reinstated itself after boot because it was hidden in the restore point, and after disabling the RP and cleaning again it was gone).

But I didn't see the recommendation to delete the Restore Point?...

Anyway, sorry again for not posting the link, but I don't see why this advice was bad or harmful (other than being posted on Yahoo) lol

Thanks for the link to the rules; I read them when I joined a couple months ago.

Have a great day

liquidcherry
Turning off System Restore deletes all the restore points. It is especially important to have System Restore enabled when running ComboFix.

I agree with younghv and rpggamergirl that leaving System Restore enabled is preferable. It's saved my bacon a couple of times.
Calvin Close (asker):

I managed to finally clean this thing off that computer after basically following liquidcherry's advice.

Finally, I decided to take the chance on restarting the computer because it had not done anything for a few hours. There is one SharePoint Foundation error that I need to sort out (has to do with being connected to an SBS2011 server), but apart from that, it seems like the computer survived.

The only thing is that I wished that I had not turned off System Restore.

I have removed these types of viruses from other people's computers at least 4-5 times, but this one was 10 times harder because it would not let any Anti-Malware program run.

Thanks,

Calvin
Thanks everyone
Vic -- take a look at this one if you haven't already done so. https://www.experts-exchange.com/questions/27382173/How-can-we-remove-OpenCloud-AV-Seems-to-have-evolved.html?anchorAnswerId=36921029#a36921029

Same infection. looks like my instructions are working.

No apology needed. You know I'm not a points hog.
younghv:
@willcomp -
Understood about the points, but that Expert vs. Admin post was a real "Oops" on my part.

I am monitoring that other question and have been tracking the "ZeroAccess" questions for a few weeks now. I started seeing it in my shop about the same time I saw you and rpg working it for another member and have been using your techniques to make some beer money.

If you want to write an EE Article about your methods, I'd be glad to do the PE work on it - let me know.

Vic
Usually, running CF in normal mode will remove ZeroAccess. In this case, I couldn't get CF to run in normal mode so had to start it in safe mode and let it reboot into normal mode. I don't think it was ZeroAccess preventing CF from running in normal mode. Had problems running software in normal mode after removing ZeroAccess and after running FixNCR. Maybe I just wasn't holding my mouth right :-)
Further to this question, I should add that after I ran ComboFix and manually restarted the computer, I could run MBAM. It showed 2 infections ZeroAccess and something else (I am not at that computer right now). However, because ComboFix removed the OpenCloud, I was able to run MBAM and it found and fixed the rootkit.
SOLUTION (text available to members only)
Hi,
I do not want to abandon this question.

I have not been able to get back to this client's office. I am going to be back early next week, so I am going to do a couple more checks as recommended above.

Calvin
Hi Calvin,
As long as you will post an info update for us about once a week, the question will not fall into the 'Abandoned' category.
After 15 days without a comment, it will go in the "Cleanup Queue" and one of the CV's will try to close it for you.

We're still monitoring it, so post back when you have more details.
Once CF removed the OpenCloud, I ran MBAM. It showed the following:

c:\documents and settings\administrator\local settings\Temp\0.06921233330356635.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\V4DPDDM8\file[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.

So, it shows that MBAM deleted the Rootkit.

Now, I just ran TDSSKiller and it showed that it was infected with 915515cc (Rootkit.Win32.PMax.gen).
Finally cleaned it completely.

Thanks everyone.

Calvin
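The MBAM result lines quoted in the thread follow a fixed shape ("path (Threat.Name) -> action."). As an added example that is not part of the original thread or of any vendor tool, the parser below reads such lines, groups findings by MBAM family, lists entries that were not quarantined, and flags any Rootkit.* hit as a reason to follow up with a dedicated rootkit scanner, which is exactly what happened here when TDSSKiller still found Rootkit.Win32.PMax.gen after MBAM's quarantine. The first two sample lines are the ones from the post above; the third line and the "No action taken" status are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One MBAM quarantine line: "<path> (<Threat.Name>) -> <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

# Constructed sample log: lines 1-2 are quoted from the thread, line 3 is invented
# to exercise the "not quarantined" case.
SAMPLE_LOG = "\n".join([
    r"c:\documents and settings\administrator\local settings\Temp\0.06921233330356635.exe (Rootkit.0Access) -> Quarantined and deleted successfully.",
    r"c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\V4DPDDM8\file[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.",
    r"c:\windows\system32\drivers\example.sys (Rootkit.Example) -> No action taken.",
])


@dataclass
class Finding:
    path: str
    threat: str   # e.g. "Rootkit.0Access"
    action: str   # e.g. "Quarantined and deleted successfully"

    @property
    def family(self) -> str:
        """Leading component of the MBAM threat name, e.g. "Rootkit"."""
        return self.threat.split(".", 1)[0]

    @property
    def resolved(self) -> bool:
        return self.action.lower().startswith("quarantined")


def parse_mbam_log(text: str) -> list:
    """Return one Finding per line that matches the MBAM result format."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], m["action"]))
    return findings


def summarize(findings) -> dict:
    """Count findings per MBAM family, e.g. {"Rootkit": 2, "Backdoor": 1}."""
    return dict(Counter(f.family for f in findings))


def unresolved(findings) -> list:
    """Paths MBAM reported but did not quarantine; these need manual attention."""
    return [f.path for f in findings if not f.resolved]


def needs_rootkit_followup(findings) -> bool:
    # A quarantined Rootkit.* entry is not proof the rootkit is gone (see the
    # TDSSKiller result in the thread), so any Rootkit.* hit triggers a follow-up.
    return any(f.family == "Rootkit" for f in findings)
```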