How can we remove OpenCloud AV? Seems to have evolved

Got a Vista machine infected with OpenCloud AV and trying to follow the instructions on MBAM's site, but it seems like it has evolved.  http://forums.malwarebytes.org/index.php?showtopic=94176

Once Windows is booted for a few minutes or so, it goes ahead and completely shuts itself down and restarts Windows.  Never got an opportunity to run anything.

Are there any updated articles on this infection yet?

*** Edit - Just saw an updated guide from Bleeping computer.  Going to look through that now.  Will post back results.  http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security

Thanks
JsmplyAsked:

Sudeep SharmaTechnical DesignerCommented:
0
JsmplyAuthor Commented:
Thanks. Is that net studio link a trusted source?
0

Sudeep SharmaTechnical DesignerCommented:
Yes. It has helped one user so far so I believe it is.

Further, we could scan the system with well-known, reputed tools later if you are able to resolve this issue with the tool provided.
0
JsmplyAuthor Commented:
Thx. Just a little skeptical to run a tool that isn't well reviewed yet. Does it do something we know MBAM and CF and others can't do?  Seems like it's just removing files. May check it out on a test machine first?

Trying cf in the meantime since it terminates mbam pro after a few seconds of scanning.
0
willcompCommented:
There is an identical question here that I responded to. It was a bear and Bleeping Computer instructions did not help.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_27381431.html
0
Sudeep SharmaTechnical DesignerCommented:
CF does a lot of things, and where it is unable to delete the suspicious files we are required to analyze the logs which CF has produced and create a script to remove the suspected files/folders and registry entries.

If MBAM is getting terminated then you may need to run Rogue-Killer first and then immediately MBAM.

I would suggest you go through the following articles, which would help you in dealing with such infections:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Sudeep
0
willcompCommented:
In my case, RogueKiller and RKill were not effective. The first order of business was to get rid of the ZeroAccess rootkit.
0
JsmplyAuthor Commented:
Willcomp, CF seems to have found ZeroAccess as you described. It rebooted Windows to normal mode. CF did post some messages about not being able to run as admin prior to reboot though. Waiting to see if a follow-up run lets MBAM run.
0
Sudeep SharmaTechnical DesignerCommented:

"Cf did post some messages about not being able to run as admin prior to reboot though"

@Jsmply

which OS are we dealing with?

If this is Windows 7 you may need to run CF by right click and choose "Run As Administrator"
0
willcompCommented:
Before trying to run MBAM, boot into safe mode and disable all non MS services and Startup items using msconfig. Then reboot into normal mode and try to run MBAM. It may be necessary to install a fresh copy of MBAM. Also check that IE is able to connect to Internet. MBAM uses IE to update definitions. Check that proxy server is not enabled. You can use RogueKiller to remove proxies or do it in Connection tab of Internet Explorer.
0
willcompCommented:
Got the same CF message about not being able to run as administrator in XP using an account with admin privileges.
0
willcompCommented:
Or at least I suppose it was the same message. CF ran though.
0
JsmplyAuthor Commented:
Ok, update: ran CF in safe mode as Willcomp said. It seemed to notice ZeroAccess and rebooted to normal Windows. CF did not start again at that point. Manually typed the path to run RKill since the desktop and other areas were hidden. That killed a few things. Ran CF from normal mode; it removed several files with the OpenCloud name. Registering and installing MBAM Pro now for a full scan in normal mode. So far it's 3 mins in and hasn't crashed.
0
Sudeep SharmaTechnical DesignerCommented:
You may want to post the log of CF for further analyses.
0
JsmplyAuthor Commented:
Definitely will.  Willcomp - Quick question - You said that CF needs to be run in safe mode to remove zero access.  Would it at least detect it in normal mode?  Do we need to re-run in safe mode just to see if it detects it again?  MBAM still running, found 7 infections so far.
0
willcompCommented:
CF will remove Zero Access in normal mode. I just couldn't get it to start in normal mode and had to run in safe mode. It would start and then shutdown after a few seconds in normal mode.

Appears that MBAM is doing the job. I'd run CF again after MBAM finishes and post that log. MBAM should remove the infection.
0
JsmplyAuthor Commented:
Thanks.  MBAM still running now, lots of pics and other things on this hard drive that is slowing it down a bit.  Afterwards will run CF and post the log.  Any reason to post the MBAM log?  If so, do we need to re-run it for a clean run?  Thanks
0
Sudeep SharmaTechnical DesignerCommented:
MBAM logs are for the experts to know what infected your computer and whether there are any further recommendations on the removal of those infections and precautions that one should take.
0
willcompCommented:
I think SSharma meant CF log. You can post MBAM log so we can see what was identified and removed.
0
JsmplyAuthor Commented:
MBAM finished, it found 9 infections and 6 of them were already in the Qoobox folder (presumably from one of the CF runs).  It removed them plus the other 3.  Going to run CF now and will post log.  
0
rpggamergirlCommented:
OpenCloud hasn't evolved; it's just the ZeroAccess rootkit that's the main culprit stopping programs.

Did you try ComboFix in normal mode and it didn't run? It's supposed to handle this rootkit, but then rootkits these days seem to be always ahead of most tools.
0
willcompCommented:
@rpg - I couldn't get CF to run in normal mode, so suggested starting in safe mode. Looked like he had the same symptoms I encountered.
0
JsmplyAuthor Commented:
Seems to be running better. A third CF run turned up an OpenCloud .ico file missed by the first two runs. Any concern that means something is left behind recreating it?  Will post the final log after this run. Hopefully it's clean.
0
JsmplyAuthor Commented:
Here is the last CF run.  Anyone see anything alarming?  
Cflog.txt
0
willcompCommented:
All the folders under c:\users\Owner\AppData\Roaming\ are probably empty folders left by the malware and not removed. I'll defer to rpggamergirl or anyone else that can analyze and/or prepare a CF script for removal.
0
rpggamergirlCommented:
@rpg - I couldn't get CF to run in normal mode, so suggested starting in safe mode.

ComboFix is supposedly able to take care of ZeroAccess, and so is the antizeroaccess.exe created just for this, but they don't always work.
If it was a ZeroAccess rootkit's block, then dragging combofix.exe into inherit.exe is supposed to restore the modified permissions and it should run... but then ZeroAccess also brings in rogues that also block, which makes it harder to tell which one is blocking the program. First I would use inherit.exe in normal mode, and if that won't work then I'd go the safe mode way.

Yes, those random folders inside the roaming folder can go.
You can delete them manually or use combofix to remove them all with the script.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
c:\users\Owner\AppData\Roaming\wcS1ibD3oG
c:\users\Owner\AppData\Roaming\UQJ7dEK8gZhXjVl
c:\users\Owner\AppData\Roaming\ID2obF4pm5Q6
c:\users\Owner\AppData\Roaming\RvvSS2obF3pG5Q6
c:\users\Owner\AppData\Roaming\bWKK8fRL9hTXjCe
c:\users\Owner\AppData\Roaming\qobF4pmG5Q6E8R9
c:\users\Owner\AppData\Roaming\gYXwjUVelBzNc1v
c:\users\Owner\AppData\Roaming\L55ssWJJ7dE8gZq
c:\users\Owner\AppData\Roaming\bXXwwkUUVeOBtP0
c:\users\Owner\AppData\Roaming\s0ucS2ibDpGaHsK
c:\users\Owner\AppData\Roaming\IfEL9gTZqYwIrOt
c:\users\Owner\AppData\Roaming\RNtxP0ucSiD
c:\users\Owner\AppData\Roaming\BYCwkUVrlBx0c1v
c:\users\Owner\AppData\Roaming\oAA1uvvD2oF4mGs
c:\users\Owner\AppData\Roaming\mUUVVelIBt
c:\users\Owner\AppData\Roaming\WUVelIBtzNc1v2b
c:\users\Owner\AppData\Roaming\ypmH5sQJ7E8R9Yw
c:\users\Owner\AppData\Roaming\uycS1ivD3n4m5W7
c:\users\Owner\AppData\Roaming\EEL8gRZqhXkVlBx
c:\users\Owner\AppData\Roaming\ZJJJ7ffEL8gT
c:\users\Owner\AppData\Roaming\raammH66s
c:\users\Owner\AppData\Roaming\IxA0ucS2iDpG
c:\users\Owner\AppData\Roaming\daQH6sWK7E9TqYw
c:\users\Owner\AppData\Roaming\WK8fRZ9hTwUeIrP
c:\users\Owner\AppData\Roaming\V2obF4pmGsJd
c:\users\Owner\AppData\Roaming\vvS2ibF3pGaHd
c:\users\Owner\AppData\Roaming\q9hTXqjUCkBzNx0
c:\users\Owner\AppData\Roaming\ebF4pmG5sJdKfZh
c:\users\Owner\AppData\Roaming\vH5sQJ7dE8R9Y
c:\users\Owner\AppData\Local\BIT7C82.tmp
c:\users\Owner\AppData\Local\BITBA79.tmp

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
0

willcompCommented:
I wasn't aware of Inherit.exe. Just downloaded from Bleeping Computer and wondered why I haven't seen it mentioned on there before. Another contribution from sUBs. Thanks for the tip rpg.
0
JsmplyAuthor Commented:
Thanks all.  Re-ran CF with RPGs script and that log is attached with the name ScriptComboFix.  Question - The log file doesn't seem to show it deleted the files you put in the script (although it does mention the script trigger up top).  Should it show them under deletions in anyway?

Then just for good measure ran a follow-up run.  That log is attached also.

Thx
ScriptComboFix.txt
ComboFix.txt
0
JsmplyAuthor Commented:
Disregard that last question.  Not sure why but CF didn't seem to remove the folders from the script.  Going to try again now.
0
JsmplyAuthor Commented:
Okay, re-ran it and it removed all except:
c:\users\Owner\AppData\Local\BIT7C82.tmp
c:\users\Owner\AppData\Local\BITBA79.tmp

Cf seemed to ignore those files even with the script?  Regardless, they were removed manually.  Please see the two attached logs and see if everyone agrees it's clean.  Thx

WithDeletionsComboFix.txt
ComboFix.txt
0
willcompCommented:
You were clean to start with. Those were just empty leftovers to tidy up and were of no concern. They are all gone now and system looks fine.
0
willcompCommented:
After allowing time for any others to review your CF log, you need to uninstall CF. Type ComboFix /uninstall in the Run box which can be accessed by pressing Win Key + R.
0
rpggamergirlCommented:
Yes, log shows clean...
About those 2 files being ignored by combofix, my fault due to my copy/pasting, I accidentally put them in the wrong directive (which instructed CF to look for folders instead of files).
Sorry, :(
0
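The directive mix-up described just above (files listed under Folder::, so ComboFix skipped them) is easy to avoid by letting a small script sort the entries before they go into CFScript.txt. The following is an added example, not code from the thread or from ComboFix's authors; it assumes ComboFix's Folder:: directive (the one used in the script earlier in the thread) and its File:: directive for files, and it decides which a path belongs in by probing the disk, refusing to guess for paths that no longer exist.

```python
import os
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of the kind of paths posted in the thread (hypothetical host).
SAMPLE_PATHS = [
    r"c:\users\Owner\AppData\Roaming\wcS1ibD3oG",
    r"c:\users\Owner\AppData\Roaming\UQJ7dEK8gZhXjVl",
    r"c:\users\Owner\AppData\Local\BIT7C82.tmp",
    r"c:\users\Owner\AppData\Local\BITBA79.tmp",
]

Probe = Callable[[str], Optional[str]]

def probe_disk(path: str) -> Optional[str]:
    """Classify by what is really on disk: 'folder', 'file', or None if absent."""
    if os.path.isdir(path):
        return "folder"
    if os.path.isfile(path):
        return "file"
    return None  # already gone, or a typo in the list: never guess a directive

def classify(paths: Iterable[str], probe: Probe = probe_disk) -> Dict[str, List[str]]:
    """Group paths under the directive that matches their type; report the rest."""
    groups: Dict[str, List[str]] = {"Folder::": [], "File::": [], "missing": []}
    for p in paths:
        kind = probe(p)
        key = {"folder": "Folder::", "file": "File::"}.get(kind, "missing")
        groups[key].append(p)
    return groups

def render_cfscript(groups: Dict[str, List[str]]) -> str:
    """Emit the script text: each directive header followed by its entries."""
    blocks = [d + "\n" + "\n".join(groups[d]) for d in ("Folder::", "File::") if groups[d]]
    return "\n\n".join(blocks) + "\n"

def write_next_to_combofix(text: str, combofix_dir: str) -> str:
    """Save as CFScript.txt beside ComboFix.exe (the file name the thread uses)."""
    out = os.path.join(combofix_dir, "CFScript.txt")
    with open(out, "w", newline="\r\n") as fh:  # Windows line endings for Notepad
        fh.write(text)
    return out

if __name__ == "__main__":
    groups = classify(SAMPLE_PATHS)
    print(render_cfscript(groups))
    if groups["missing"]:
        print("Not found, left out of the script:", *groups["missing"], sep="\n  ")
```

Paths reported as missing are printed rather than written, so a stale list from an earlier run cannot quietly pad the script.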
JsmplyAuthor Commented:
Hi Everyone,
Thanks for all the help.  Machine is running good now.  

SSharma - Your recommendation very well may have worked, but we were just hesitant to depend on software only verified by one EE user.  Hope you understand there.  Thank you

Willcomp - Thanks for all your help, your answers really got the job done

RPG - Your help, as always, got the job 100% done.  Really appreciate the script.
0
Question has a verified solution.