Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help on Open Cloud security removal


  • Please log in to reply
1 reply to this topic

#1 Ronarch

Ronarch

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 25 September 2011 - 07:24 AM

Hi everyone on this helpful website
First i must apologize for my language since I am not a native english speaker and I just try my best to write gramatically correct english hoping you guys can understand me and may give me a helping hand.

Back to the theme:

I've read the guide teaching how to remove OpenCloud Security on this site.
http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security

I have followed every step however I have not succeeded
The problem shows at step 14 while running Malwarebyes' Anti-malware

I did run RKill, but Malwarebyes' Anti-malware just still cannot run the scan.
Everytime I start scanning , it is shut down very soon, maybe a few secs after starting.
I guess it's probably interrupted and terminated by Open Cloud Security.

So I wonder if RKill did not succesfully do its job?
After the black window closed, notepad pops out with only the below


"This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 09/2011 Sunday at 20:03:51.
Operating System: Windows 7 Ultimate

Processes terminated by Rkill or while it was running:

Rkill completed on 09/2011 Sunday at 20:03:53. "



Other than Malwarebyes' Anti-malware, I tried Spy Doctor, Trojan Killer, HijackThis.
And they result in the same, being shut down very shortly after starting scanning.
The softwares are unable to be opened again after they are shut down. (deleted by Open Cloud probably)

I have no idea if I missed something, since I just follow the steps.
Please help me.

BTW my internet connect was not interfered, the "Proxy server shifting" matter did not happen to my pc. Therefore I didn't do step 4-7 since the box "use a proxy server for your Lan....." has never been checked.

Please help me again.
Thanks

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385
Run by Ronni at 20:36:03 on 2011-09-25
Microsoft Windows 7 旗艦版 6.1.7600.0.950.852.3076.18.3582.2682 [GMT 8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Windows\4241468026:2236952579.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ADC PlugIn: {19090308-636d-4e9b-a1ce-a647b6f794bf} - c:\users\ronni\appdata\roaming\m1uvvs22ob3pm5a\sysl32.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [Salmosa] c:\program files\razer\salmosa\razerhid.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [OpenCloud Security] c:\users\ronni\appdata\roaming\fooonff4am5sw7d\EL888gRZqhYXw.exe
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &使用BitComet下載 - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &使用BitComet下載全部連結 - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4000CA1E-89DF-4078-839F-CEE3B8ACC62D} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-9-25 263888]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-9-25 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-9-25 656320]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-9-25 371472]
R3 RTL8167;Realtek 8167 NT 驅動程式;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
R3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2009-11-19 9344]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-25 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-14 320856]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2011-9-25 233976]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-14 20568]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-14 54616]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-9-25 44768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-9-25 1117144]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\bitcomet\tools\bitcometservice.exe -service --> c:\program files\bitcomet\tools\BitCometService.exe -service [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-11-14 79360]
S3 WatAdminSvc;Windows 啟用技術服務;c:\windows\system32\wat\WatAdminSvc.exe [2011-7-24 1343400]
.
=============== Created Last 30 ================
.
2011-09-25 11:38:04 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-09-25 11:14:19 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{eb45f3cc-ae8d-4b67-895d-8977dbbc5d2b}\offreg.dll
2011-09-25 10:20:05 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-09-25 10:20:05 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-09-25 10:20:05 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-09-25 10:20:05 105280 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-09-25 10:20:04 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-09-25 10:20:04 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-09-25 10:20:03 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-09-25 10:20:02 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-09-25 10:19:58 -------- d-----w- c:\programdata\PC Tools
2011-09-25 10:19:58 -------- d-----w- c:\program files\PC Tools Security
2011-09-25 10:19:58 -------- d-----w- c:\program files\common files\PC Tools
2011-09-25 10:03:49 -------- d-----w- c:\users\ronni\appdata\roaming\OiiibFF3pnG5QHd
2011-09-25 10:02:15 -------- d-----w- c:\users\ronni\appdata\roaming\vDDD3ppnG4aH6
2011-09-25 09:59:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 09:53:18 -------- d-----w- c:\users\ronni\appdata\roaming\Malwarebytes
2011-09-25 09:52:59 -------- d-----w- c:\programdata\Malwarebytes
2011-09-25 09:52:56 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-25 09:52:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-25 09:12:24 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-25 09:09:54 -------- d-----w- c:\users\ronni\appdata\roaming\OpenCloud Security
2011-09-25 09:09:08 -------- d-----w- c:\users\ronni\appdata\roaming\LjjUUVellBtzPy
2011-09-25 09:06:09 -------- d-----w- c:\users\ronni\appdata\roaming\m1uvvS22ob3pm5a
2011-09-25 09:06:02 -------- d-----w- c:\users\ronni\appdata\roaming\fooonFF4am5sW7d
2011-09-23 10:53:02 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{eb45f3cc-ae8d-4b67-895d-8977dbbc5d2b}\mpengine.dll
2011-09-19 13:24:57 -------- d-----w- c:\program files\Activision
2011-09-10 18:17:16 -------- d-----w- c:\program files\Veetle
.
==================== Find3M ====================
.
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:36:26 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 04:30:52 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 20:36:33.01 ===============

Merged posts. ~ OB

Edited by Orange Blossom, 25 September 2011 - 03:14 PM.


BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:11:47 AM

Posted 28 September 2011 - 08:58 PM

Ronarch,

The information provided shows the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\Windows\4241468026:2236952579.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
Right-click and select: Extract all
Follow the prompts to extract

Open the new folder that appears on the Desktop:
Double-click DummyCreator/DummyMaker to run the tool.

Now, copy/paste the following into the blank area:

C:\Windows\4241468026

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users