How can we remove OpenCloud AV?  Seems to have evolved

Posted on 2011-10-05
Last Modified: 2012-05-12
Got a Vista machine infected with OpenCloud AV and trying to follow the instructions on MBAM's site, but it seems like it has evolved.  http://forums.malwarebytes.org/index.php?showtopic=94176

Once Windows is booted for a few minutes or so, it goes ahead and completely shuts itself down and restarts Windows.  Never got an opportunity to run anything.

Are there any updated articles on this infection yet?

*** Edit - Just saw an updated guide from Bleeping Computer.  Going to look through that now.  Will post back results.  http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security

Thanks
Question by: Jsmply

Assisted Solution by: Sudeep Sharma (LVL 30, earned 400 total points)
ID: 36920005

Author Comment by: Jsmply
ID: 36920046
Thanks. Is that net studio link a trusted source?

Author Comment by: Jsmply
ID: 36920076
Thanks. Is that net studio link a trusted source?

Expert Comment by: Sudeep Sharma (LVL 30)
ID: 36920298
Yes. It has helped one user so far, so I believe it is.

Further, we could scan the system with the well-known, reputed tools later if you are able to resolve this issue with the tool provided.

Author Comment by: Jsmply
ID: 36920371
Thx. Just a little skeptical to run a tool that isn't well reviewed yet. Does it do something we know MBAM and CF and others can't do?  Seems like it's just removing files. May check it out on a test machine first?

Trying CF in the meantime since it terminates MBAM Pro after a few seconds of scanning.

Assisted Solution by: willcomp (LVL 32, earned 800 total points)
ID: 36920434
</gr_replreplace>
<gr_replace lines="92-99" cat="reformat" orig="0">

Expert Comment by: Sudeep Sharma (LVL 30)
ID: 36920457
There is an identical question here that I responded to. It was a bear and Bleeping Computer instructions did not help.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_27381431.html
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36920457
CF does a lot of things, and where it is unable to delete the suspicious files we are required to analyze the logs which CF has produced and create a script to remove the suspected files/folders and registry entries.

If MBAM is getting terminated then you may need to run Rogue-Killer first and then immediately MBAM.

I would suggest you go through the following articles, which would help you in dealing with such infections:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Sudeep

Expert Comment by: willcomp (LVL 32)
ID: 36920476
In my case, RogueKiller and RKill were not effective. The first order of business was to get rid of the ZeroAccess rootkit.

Author Comment by: Jsmply
ID: 36920529
Willcomp, CF seems to have found ZeroAccess as you described. It rebooted Windows to normal mode. CF did post some messages about not being able to run as admin prior to reboot though. Waiting to see if a follow-up run lets MBAM run.

Expert Comment by: Sudeep Sharma (LVL 30)
ID: 36920567

"Cf did post some messages about not being able to run as admin prior to reboot though"

@Jsmply

which OS are we dealing with?

If this is Windows 7 you may need to run CF by right-clicking it and choosing "Run As Administrator".

Expert Comment by: willcomp (LVL 32)
ID: 36920598
Before trying to run MBAM, boot into safe mode and disable all non-MS services and Startup items using msconfig. Then reboot into normal mode and try to run MBAM. It may be necessary to install a fresh copy of MBAM. Also check that IE is able to connect to the Internet. MBAM uses IE to update definitions. Check that a proxy server is not enabled. You can use RogueKiller to remove proxies or do it in the Connections tab of Internet Explorer.

Expert Comment by: willcomp (LVL 32)
ID: 36920612
Got the same CF message about not being able to run as administrator in XP using an account with admin privileges.

Expert Comment by: willcomp (LVL 32)
ID: 36920627
Or at least I suppose it was the same message. CF ran though.

Author Comment by: Jsmply
ID: 36920769
Ok, update: ran CF in safe mode as Willcomp said. It seemed to notice ZeroAccess and rebooted to normal Windows. CF did not start again at that point. Manually typed the path to run RKill since the desktop and other areas were hidden. That killed a few things. Ran CF from normal mode; it removed several files with the OpenCloud name. Registering and installing MBAM Pro now for a full scan in normal mode. So far it's 3 mins in and hasn't crashed.

Expert Comment by: Sudeep Sharma (LVL 30)
ID: 36920779
You may want to post the log of CF for further analysis.

Author Comment by: Jsmply
ID: 36920960
Definitely will.  Willcomp - Quick question - You said that CF needs to be run in safe mode to remove ZeroAccess.  Would it at least detect it in normal mode?  Do we need to re-run in safe mode just to see if it detects it again?  MBAM still running, found 7 infections so far.

Expert Comment by: willcomp (LVL 32)
ID: 36921029
CF will remove ZeroAccess in normal mode. I just couldn't get it to start in normal mode and had to run it in safe mode. It would start and then shut down after a few seconds in normal mode.

Appears that MBAM is doing the job. I'd run CF again after MBAM finishes and post that log. MBAM should remove the infection.

Author Comment by: Jsmply
ID: 36921054
Thanks.  MBAM still running now; lots of pics and other things on this hard drive that are slowing it down a bit.  Afterwards will run CF and post the log.  Any reason to post the MBAM log?  If so, do we need to re-run it for a clean run?  Thanks

Expert Comment by: Sudeep Sharma (LVL 30)
ID: 36921074
MBAM logs are for the experts to know what infected your computer and whether there are any further recommendations on the removal of those infections and precautions that one should take.

Expert Comment by: willcomp (LVL 32)
ID: 36921092
I think SSharma meant CF log. You can post MBAM log so we can see what was identified and removed.

Author Comment by: Jsmply
ID: 36921169
MBAM finished; it found 9 infections and 6 of them were already in the Qoobox folder (presumably from one of the CF runs).  It removed them plus the other 3.  Going to run CF now and will post the log.

Expert Comment by: rpggamergirl (LVL 47)
ID: 36921427
OpenCloud hasn't evolved; it's just the ZeroAccess rootkit that's the main culprit that stops programs.

Did you try ComboFix in normal mode and it didn't run? It's supposed to handle this rootkit, but then rootkits these days seem to be always ahead of most tools.

Expert Comment by: willcomp (LVL 32)
ID: 36921442
@rpg - I couldn't get CF to run in normal mode, so suggested starting in safe mode. Looked like he had the same symptoms I encountered.

Author Comment by: Jsmply
ID: 36921480
Seems to be running better. A third CF run turned up an OpenCloud .ico file missed by the first two runs. Any concern that means something is left behind recreating it?  Will post the final log after this run. Hopefully it's clean.

Author Comment by: Jsmply
ID: 36921550
Here is the last CF run.  Anyone see anything alarming?  
Cflog.txt

Expert Comment by: willcomp (LVL 32)
ID: 36921612
All the folders under c:\users\Owner\AppData\Roaming\ are probably empty folders left by the malware and not removed. I'll defer to rpggamergirl or anyone else who can analyze and/or prepare a CF script for removal.

Accepted Solution by: rpggamergirl (LVL 47, earned 800 total points)
ID: 36922262
"@rpg - I couldn't get CF to run in normal mode, so suggested starting in safe mode."

ComboFix is supposedly able to take care of ZeroAccess, and so is the antizeroaccess.exe created just for this, but they don't always work.
If it was a ZeroAccess rootkit block, then dragging combofix.exe onto inherit.exe is supposed to restore the modified permissions and it should run... but then ZeroAccess also brings in rogues that also block, which makes it harder to tell which one is blocking the program. First I would use inherit.exe in normal mode, and if that won't work then I'd go the safe mode way.

Yes, those random folders inside the Roaming folder can go.
You can delete them manually or use ComboFix to remove them all with the script.


Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
c:\users\Owner\AppData\Roaming\wcS1ibD3oG
c:\users\Owner\AppData\Roaming\UQJ7dEK8gZhXjVl
c:\users\Owner\AppData\Roaming\ID2obF4pm5Q6
c:\users\Owner\AppData\Roaming\RvvSS2obF3pG5Q6
c:\users\Owner\AppData\Roaming\bWKK8fRL9hTXjCe
c:\users\Owner\AppData\Roaming\qobF4pmG5Q6E8R9
c:\users\Owner\AppData\Roaming\gYXwjUVelBzNc1v
c:\users\Owner\AppData\Roaming\L55ssWJJ7dE8gZq
c:\users\Owner\AppData\Roaming\bXXwwkUUVeOBtP0
c:\users\Owner\AppData\Roaming\s0ucS2ibDpGaHsK
c:\users\Owner\AppData\Roaming\IfEL9gTZqYwIrOt
c:\users\Owner\AppData\Roaming\RNtxP0ucSiD
c:\users\Owner\AppData\Roaming\BYCwkUVrlBx0c1v
c:\users\Owner\AppData\Roaming\oAA1uvvD2oF4mGs
c:\users\Owner\AppData\Roaming\mUUVVelIBt
c:\users\Owner\AppData\Roaming\WUVelIBtzNc1v2b
c:\users\Owner\AppData\Roaming\ypmH5sQJ7E8R9Yw
c:\users\Owner\AppData\Roaming\uycS1ivD3n4m5W7
c:\users\Owner\AppData\Roaming\EEL8gRZqhXkVlBx
c:\users\Owner\AppData\Roaming\ZJJJ7ffEL8gT
c:\users\Owner\AppData\Roaming\raammH66s
c:\users\Owner\AppData\Roaming\IxA0ucS2iDpG
c:\users\Owner\AppData\Roaming\daQH6sWK7E9TqYw
c:\users\Owner\AppData\Roaming\WK8fRZ9hTwUeIrP
c:\users\Owner\AppData\Roaming\V2obF4pmGsJd
c:\users\Owner\AppData\Roaming\vvS2ibF3pGaHd
c:\users\Owner\AppData\Roaming\q9hTXqjUCkBzNx0
c:\users\Owner\AppData\Roaming\ebF4pmG5sJdKfZh
c:\users\Owner\AppData\Roaming\vH5sQJ7dE8R9Y
c:\users\Owner\AppData\Local\BIT7C82.tmp
c:\users\Owner\AppData\Local\BITBA79.tmp

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
(Illustration: http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)



Expert Comment by: willcomp (LVL 32)
ID: 36922318
I wasn't aware of Inherit.exe. Just downloaded from Bleeping Computer and wondered why I haven't seen it mentioned on there before. Another contribution from sUBs. Thanks for the tip rpg.

Author Comment by: Jsmply
ID: 36922729
Thanks all.  Re-ran CF with RPG's script and that log is attached with the name ScriptComboFix.  Question - The log file doesn't seem to show it deleted the files you put in the script (although it does mention the script trigger up top).  Should it show them under deletions in any way?

Then just for good measure ran a follow-up run.  That log is attached also.

Thx
ScriptComboFix.txt
ComboFix.txt

Author Comment by: Jsmply
ID: 36922788
Disregard that last question.  Not sure why, but CF didn't seem to remove the folders from the script.  Going to try again now.

Author Comment by: Jsmply
ID: 36923089
Okay, re-ran it and it removed all except:
c:\users\Owner\AppData\Local\BIT7C82.tmp
c:\users\Owner\AppData\Local\BITBA79.tmp

CF seemed to ignore those files even with the script?  Regardless, they were removed manually.  Please see the two attached logs and see if everyone agrees it's clean.  Thx

WithDeletionsComboFix.txt
ComboFix.txt

Expert Comment by: willcomp (LVL 32)
ID: 36924103
You were clean to start with. Those were just empty leftovers to tidy up and were of no concern. They are all gone now and system looks fine.

Expert Comment by: willcomp (LVL 32)
ID: 36924423
After allowing time for any others to review your CF log, you need to uninstall CF. Type ComboFix /uninstall in the Run box, which can be accessed by pressing Win Key + R.

Expert Comment by: rpggamergirl (LVL 47)
ID: 36924619
Yes, log shows clean...
About those 2 files being ignored by ComboFix: my fault due to my copy/pasting, I accidentally put them in the wrong directive (which instructed CF to look for folders instead of files).
Sorry, :(
0
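The two BIT*.tmp entries in the script above were listed under Folder:: and ComboFix skipped them, as rpggamergirl explains: a CFScript directive has to match what the path actually is. As an added example, not code from this thread or from ComboFix, the Python helper below walks a user profile for the kind of leftovers seen in this log (empty random-named folders under AppData\Roaming, BIT*.tmp files under AppData\Local) and writes each path under the directive for what it is on disk, so a file can never end up under Folder::. The random-name pattern, the KNOWN_VENDORS allowlist and the temporary sample profile are my assumptions; the sample profile is constructed for the demo and is not the questioner's machine. Review the generated list before feeding it to ComboFix.

```python
"""Generate a ComboFix CFScript.txt whose Folder:: and File:: sections
match what each path actually is on disk.

Added example; not code from this thread or from ComboFix.
"""
import re
import tempfile
from pathlib import Path

# Assumption: leftover folder names look like the ones in this log
# (wcS1ibD3oG, UQJ7dEK8gZhXjVl, raammH66s): 9-16 alphanumerics, mixed case.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{9,16}$")

# Assumption: vendor folders that fit the name shape but must never be listed.
KNOWN_VENDORS = {"Microsoft", "Macromedia", "Mozilla", "Adobe"}


def find_leftovers(roaming, local):
    """Return candidate paths: empty random-named folders under the Roaming
    directory and BIT*.tmp files under the Local directory.  A folder that
    still contains anything is skipped so it gets looked at by hand."""
    roaming, local = Path(roaming), Path(local)
    found = []
    for entry in sorted(roaming.iterdir(), key=lambda p: p.name):
        if (entry.is_dir()
                and entry.name not in KNOWN_VENDORS
                and RANDOM_NAME.match(entry.name)
                and not any(entry.iterdir())):
            found.append(entry)
    for entry in sorted(local.glob("BIT*.tmp"), key=lambda p: p.name):
        if entry.is_file():
            found.append(entry)
    return found


def build_cfscript(paths):
    """Emit the script text.  Every path is classified by a live stat(), so a
    file cannot land under Folder:: (where ComboFix ignored the two BIT*.tmp
    entries in this thread), and a path that does not exist raises instead
    of being written into the script."""
    paths = [Path(p) for p in paths]
    missing = [str(p) for p in paths if not p.exists()]
    if missing:
        raise FileNotFoundError("not on disk: " + ", ".join(missing))
    folders = [str(p) for p in paths if p.is_dir()]
    files = [str(p) for p in paths if p.is_file()]
    out = []
    if folders:
        out += ["Folder::", *folders, ""]
    if files:
        out += ["File::", *files, ""]
    return "\n".join(out)


def make_sample_profile():
    """Constructed sample profile in a temp directory, mimicking the leftovers
    from this log.  Returns (roaming_dir, local_dir)."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    roaming = root / "AppData" / "Roaming"
    local = root / "AppData" / "Local"
    for name in ("wcS1ibD3oG", "UQJ7dEK8gZhXjVl", "raammH66s"):
        (roaming / name).mkdir(parents=True)             # empty: listed
    (roaming / "Microsoft" / "Windows").mkdir(parents=True)  # vendor: kept
    (roaming / "ZJJJ7ffEL8gT").mkdir()
    (roaming / "ZJJJ7ffEL8gT" / "x.dat").write_bytes(b"\x00")  # not empty: kept for review
    local.mkdir(parents=True)
    for name in ("BIT7C82.tmp", "BITBA79.tmp"):
        (local / name).write_bytes(b"")                  # files: go under File::
    return roaming, local


if __name__ == "__main__":
    roaming, local = make_sample_profile()
    print(build_cfscript(find_leftovers(roaming, local)))
```

Run as-is it prints a CFScript for the constructed profile; point find_leftovers at a real profile's AppData\Roaming and AppData\Local to generate one for that machine. Only empty folders are listed, so a random-named folder that still holds files (something a live infection keeps writing to) is left for manual review rather than deleted blind.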
 

Author Closing Comment by: Jsmply
ID: 36925320
Hi Everyone,
Thanks for all the help.  Machine is running well now.

SSharma - Your recommendation very well may have worked, but we were just hesitant to depend on software only verified by one EE user.  Hope you understand there.  Thank you

Willcomp - Thanks for all your help, your answers really got the job done

RPG - Your help, as always, got the job 100% done.  Really appreciate the script.