• Status: Solved
  • Priority: Medium
  • Security: Public

How to Remove OpenCloud Security Virus

I have been trying to remove OpenCloud Security virus from a computer.  I have tried all the normal methods posted on the internet:
RogueKiller
Malwarebytes Anti-Malware
SafeMode

However, even when I start the computer in SafeMode and run RogueKiller, the virus keeps preventing Malwarebytes Anti-Malware from running. As soon as MBAM starts running, this virus kills MBAM and deletes MBAM.
Running RogueKiller shows that it is killing a process 3423950225:1856694835.exe, but when I run RogueKiller again, it still shows the same process again.

Can someone please help?

Running XP Pro.

Thanks in advance,

Calvin
Asked by Calvin Close

2 Solutions

willcomp commented:
I'm just finishing one that had Open Cloud Security along with several other nasties. Removal was difficult.

Zero Access and TDSS rootkits were present and Zero Access may be causing MBAM to close in safe mode. Run TDSSKiller and see what it finds -- it'll show Zero Access but won't remove it. ComboFix (CF) will remove Zero Access but you will have to run CF in safe mode. If CF identifies rootkits, it will reboot and when it does, allow Windows to boot into normal mode.
http://support.kaspersky.com/faq/?qid=208283363
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post back with your results and I'll add some additional info that should help.

willcomp commented:
Here are the Bleeping Computer removal instructions which I didn't find helpful but you may.
http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security

It's unusual for removal instructions on Bleeping Computer not to be effective. They weren't in my case.

liquidcherry commented:
Hi,

Found a very detailed posting and it is basically what i was going to type so to save me time typing here it is:

OpenCloud Antivirus is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue.

To detect and remove this threat and other malicious software that may be installed in your computer follow the steps carefully.

First, download the latest versions of the following on another, clean machine and burn them to CD or copy them to a USB memory stick:

Malwarebytes: http://www.malwarebytes.org/products/malwarebytes_free
ComboFix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
FixNCR.reg http://download.bleepingcomputer.com/reg/FixNCR.reg
RKill http://www.bleepingcomputer.com/download/anti-virus/rkill-
(this page offers the same tool under a variety of filenames to fool the virus, which will try to block RKill from running; remember the filename of the version you downloaded)
CCleaner (cleans out caches) http://www.ccleaner.com

Avast! Home: http://www.avast.com/eng/download-avast-home.html

Download these to your desktop and, before running them, rename the Malwarebytes and ComboFix files to:
Malwarebytes: mblah.scr
ComboFix: comfix.exe

Follow these steps in order. Don't skip ahead.

Now, start the machine in Safe Mode with networking (hit the F8 function key as the machine boots up, and choose Safe mode)

Turn off System Restore on your machine, but only until you get this fixed - many of these trojans get copied into the System Restore files, which anti-virus programs aren't allowed to touch and the viruses could reinstall themselves from there. My Computer > Properties > System Restore.

The malware actively blocks programs and tools, so before you can start cleaning, you need to get the malware entries out of the registry, and stop the malware's current processes from running.

Double-click FixNCR.reg to run it to clean the registry

Now double click the RKill file (whatever name you downloaded it as) to run it. Wait for it, it could take a while. If the fake antivirus program throws a warning on the screen and blocks RKill, leave the warning up on the screen and run RKill again.

Do not reboot your computer. If you reboot, it will just load the malware in again.

Then run CCleaner (it'll make scanning faster because it will delete a bunch of temp files and save you from having to scan those.) If the virus blocks CCleaner from running, proceed to the next step.

Then run Malwarebytes (mblah), and clean everything it says.

Then run ComboFix (comfix), and clean everything it says. If it tells you to reboot your machine during the process, do so immediately.

Then install and run Avast - tell Avast to do a boot-scan - click on "schedule boot-scan" - and restart the computer

Let it start and do the Avast boot scan

Then turn System Restore back on.

Now install the antivirus program of your choice to do continuous scanning, and make sure you keep it up to date.

Always keep your Windows, web browser and Java software up to date - frequent patches are released to plug security holes.

(credits go to tamim)

cheers

liquidcherry
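The FixNCR.reg step in the procedure above repairs the executable file associations that these rogues commonly hijack: the default value under HKEY_CLASSES_ROOT\exefile\shell\open\command is rewritten so that every .exe launch is routed through the malware first, which is one reason MBAM and RKill get killed and one reason renaming the tools to another extension can help. As an added example, not part of liquidcherry's post or of the BleepingComputer fix, the Python below parses a registry export, compares the default command under the exefile/comfile/batfile/scrfile keys with the stock Windows XP values, and emits a minimal .reg that restores any that differ. The sample export, the rogue path inside it, and the set of keys checked are constructed assumptions for illustration.

```python
"""Check a Windows .reg export for hijacked executable file associations.

Rogue antivirus families commonly rewrite the default value of
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command (and the comfile/batfile
siblings) so that every program launch is routed through the malware first.
FixNCR.reg restores these values; this script shows what such a fix checks.
"""
import re

# Stock default "open" commands on Windows XP. The set of keys checked here
# is an assumption of this example, not a copy of FixNCR.reg.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
}

# Constructed sample export: exefile is hijacked to run an illustrative
# rogue binary, comfile and scrfile are intact, batfile was not exported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\rogue.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''


def unquote_reg_string(data):
    """Decode a REG_SZ literal: strip the quotes and undo the \\" and \\\\ escapes."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return data  # hex:, dword: and similar are left as written


def quote_reg_string(value):
    """Encode a string as a .reg REG_SZ literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is named ""."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else unquote_reg_string(name)
        keys[current][name] = unquote_reg_string(data)
    return keys


def find_hijacked(keys):
    """Return (key, actual, expected) for every checked key whose default
    command differs from the stock value. Keys absent from the export are
    skipped: nothing can be judged about them."""
    findings = []
    for key, expected in EXPECTED.items():
        if key in keys and keys[key].get("") != expected:
            findings.append((key, keys[key].get(""), expected))
    return findings


def build_fix_reg(findings):
    """Emit a minimal .reg that restores the stock command for each finding."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _actual, expected in findings:
        lines += [f"[{key}]", "@=" + quote_reg_string(expected), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_hijacked(parse_reg(SAMPLE_EXPORT))
    for key, actual, expected in hits:
        print(f"HIJACKED {key}\n   is:        {actual}\n   should be: {expected}")
    print(build_fix_reg(hits))
```

On a real machine the export would come from `reg export HKCR\exefile exefile.reg` (and the sibling keys) run from a clean boot environment, since the infected shell itself may refuse to launch regedit; the generated fix is deliberately limited to the keys found wrong, so it does not touch associations the export did not contain.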
liquidcherry commented:
Hi there, sorry I forgot to include the link. Thanks for putting it up here. No intention to claim this as my original posting (and I said in the beginning I found it and credited the OP).

But on the restore point issue, I disagree with your statement; there are nasties out there which hide out in exactly the restore point. (Been there: after getting rid of some virus it reinstated itself after boot because it was hidden in the restore point, and after disabling the RP and cleaning again it was gone.)

But I didn't see the recommendation to delete the Restore Point?...

Anyway, sorry again for not posting the link, but I don't see why this advice was bad or harmful (other than being posted on Yahoo), lol.

Thanks for the link to the rules; I read them when I joined a couple of months ago.

Have a great day

liquidcherry

willcomp commented:
Turning off System Restore deletes all the restore points. It is especially important to have System Restore enabled when running ComboFix.

I agree with younghv and rpggamergirl that leaving System Restore enabled is preferable. It's saved my bacon a couple of times.

Calvin Close (President, Author) commented:
I managed to finally clean this thing off that computer after basically following liquidcherry's advice.

Finally, I decided to take the chance on restarting the computer because it had not done anything for a few hours. There is one SharePoint Foundation error that I need to sort out (has to do with being connected to an SBS2011 server), but apart from that, it seems like the computer survived.

The only thing is that I wished that I had not turned off System Restore.

I have removed these types of viruses from other people's computers at least 4-5 times, but this one was 10 times harder because it would not let any Anti-Malware program run.

Thanks,

Calvin

Calvin Close (President, Author) commented:
Thanks everyone

willcomp commented:
Vic -- take a look at this one if you haven't already done so. http://www.experts-exchange.com/Security/Vulnerabilities/Q_27382173.html#a36921029

Same infection. Looks like my instructions are working.

No apology needed. You know I'm not a points hog.

younghv commented:
@willcomp -
Understood about the points, but that Expert vs. Admin post was a real "Oops" on my part.

I am monitoring that other question and have been tracking the "ZeroAccess" questions for a few weeks now. I started seeing it in my shop about the same time I saw you and rpg working it for another member and have been using your techniques to make some beer money.

If you want to write an EE Article about your methods, I'd be glad to do the PE work on it - let me know.

Vic

willcomp commented:
Usually, running CF in normal mode will remove ZeroAccess. In this case, I couldn't get CF to run in normal mode so had to start it in safe mode and let it reboot into normal mode. I don't think it was ZeroAccess preventing CF from running in normal mode. Had problems running software in normal mode after removing ZeroAccess and after running FixNCR. Maybe I just wasn't holding my mouth right :-)

Calvin Close (President, Author) commented:
Further to this question, I should add that after I ran ComboFix and manually restarted the computer, I could run MBAM. It showed 2 infections ZeroAccess and something else (I am not at that computer right now). However, because ComboFix removed the OpenCloud, I was able to run MBAM and it found and fixed the rootkit.

willcomp commented:
What rootkit -- TDSS? If so, you need to run TDSSKiller because it's still there.

Calvin Close (President, Author) commented:
Hi,
I do not want to abandon this question.

I have not been able to get back to this client's office. I am going to be back early next week, so I am going to do a couple more checks as recommended above.

Calvin

younghv commented:
Hi Calvin,
As long as you will post an info update for us about once a week, the question will not fall into the 'Abandoned' category.
After 15 days without a comment, it will go in the "Cleanup Queue" and one of the CV's will try to close it for you.

We're still monitoring it, so post back when you have more details.

Calvin Close (President, Author) commented:
Once CF removed the OpenCloud, I ran the MBAM.  It showed the following:

c:\documents and settings\administrator\local settings\Temp\0.06921233330356635.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\V4DPDDM8\file[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.

So, it shows that MBAM deleted the Rootkit.

Now I just ran TDSSKiller and it showed that it was infected with 915515cc (Rootkit.Win32.PMax.gen).
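Added example, not from the thread: the MBAM result lines posted above have a fixed shape, and willcomp's earlier question ("What rootkit?") is really a triage rule: a Rootkit.* hit that MBAM quarantined is a reason to run a dedicated rootkit scanner afterwards, not a reason to stop. The Python below parses such lines into records and applies that rule, also listing any detection MBAM reported but did not quarantine. The line format it assumes and the third, unresolved sample line are constructed for illustration.

```python
"""Parse Malwarebytes (MBAM) result lines and decide what needs a follow-up.

MBAM prints one result per line as  <path> (<detection name>) -> <action>.
That shape, and the rule that any Rootkit.* family warrants a dedicated
anti-rootkit pass (TDSSKiller in this thread), are assumptions of this
example.
"""
import re

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample: the first two lines mirror the ones posted above, the
# third is made up to show an unresolved detection.
SAMPLE_LOG = r"""
c:\documents and settings\administrator\local settings\Temp\0.06921233330356635.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\V4DPDDM8\file[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\windows\system32\drivers\example.sys (Rootkit.TDSS) -> No action taken.
"""


def parse_mbam(text):
    """Return one dict per parsable result line; family is the part before the first dot."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and summary text are ignored
        rec = m.groupdict()
        rec["family"] = rec["name"].split(".", 1)[0]
        records.append(rec)
    return records


def needs_rootkit_scanner(records):
    """Detection names whose family means a kernel-mode component may have survived."""
    return [r["name"] for r in records if r["family"] == "Rootkit"]


def unresolved(records):
    """Detections MBAM reported but did not quarantine or delete."""
    return [r for r in records if not r["action"].lower().startswith("quarantined")]


if __name__ == "__main__":
    recs = parse_mbam(SAMPLE_LOG)
    print(f"{len(recs)} detections; rootkit families seen: {needs_rootkit_scanner(recs)}")
    for r in unresolved(recs):
        print(f"UNRESOLVED {r['name']} at {r['path']}")
```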

Calvin Close (President, Author) commented:
Finally cleaned it completely.

Thanks everyone.

Calvin