
OpenCloud removal issue


43 replies to this topic

#1 SusanQ

SusanQ

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 01 October 2011 - 09:52 AM

My Windows XP system has been afflicted with the OpenCloud Security virus/trojan/rogue since yesterday morning. I've been trying to follow the "Remove OpenCloud Security (Uninstall Guide)" and get almost to the end but then I can't run Malwarebytes. Here's what happens, in painful detail. Thanks in advance for any help/advice.

Susan

----------

Booted in Safe Mode with Networking
==> Microsoft Windows XP Professional (the only choice)

Clicked on my Admin user, got to my safe mode desktop

Opened Internet Explorer, clicked on Tools ==> Internet Options ==> Connections ==> LAN Settings

Verified that the "Use a Proxy Server for your LAN" box was not checked (it has never been checked, in any of the 20 or so times I've gone through this procedure)
Clicked OK, OK

Ran rkill ("iExplore"), which I downloaded yesterday.
Rkill completed, no processes listed as terminated.

my desktop was completely blank -- no program icons at all -- that's new --
moved my cursor over to "Start" and got an hour glass.
ctrl-alt-del -- after about 5 minutes -- brought up nothing - no tasks

after about 10 minutes, the hour glass disappeared and my desktop icons came back -- whew!

I ran rkill ("iExplore") again for good measure, concerned about what took so long to come back afterwards, last time
This time it said:
Processes terminated by Rkill or while it was running:
xe

Ran rkill once again; this time it didn't find any processes to kill.

Ran Malwarebytes setup, which I downloaded yesterday.
NOTE: I'm a longtime Malwarebytes user, but I set it up anew anyway.

Malwarebytes appeared to install OK. It told me:
The database was successfully updated from 7622 to 7840
So I clicked OK. The scan box came up, and I chose "Perform full scan"
and clicked on "Scan" and left it defaulted to scan all 3 drives: C, D, and E, as I normally do.

The scan ran for about 30 seconds, and then vanished. A full scan normally (prior to this OpenCloud issue) takes about 4 hours.
I was watching very closely, before the Malwarebytes screen disappeared. I saw:
Enumerating registry objects prior to scan
Scanning memory objects for infection...
Currently scanning... it was in C:/Windows when it quit...

I've had this happen consistently at least 15 times now, maybe more -- I've lost count. I cannot run Malwarebytes -- I've tried it a bunch of times in safe mode and also tried the whole process in regular (whatever you call non-safe) mode -- same thing.

So then if I click on the Malwarebytes icon to try running it again, it says:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Just for good measure I then again ran Rkill... again it found no processes to kill.

NOTE Rkill seems to be taking a long time (5+ minutes) to start -- much longer than it used to --
And again after it was finished it took a pretty long time (~2 min) for my desktop icons to come back, and then another ~3 minutes after that before the hourglass flipped back to the normal cursor error.

Something's going on... but what???

Oh - I forgot to mention -- after I try to run malwarebytes the second time, and get the "Windows cannot access... " message, the icon changes from the red M logo to an old-fashioned rectangular window with blue stripe at the top -- like Windows no longer knows it's an application or something...

So -- what can I try? I'm stumped. Thanks!!

Edited by hamluis, 01 October 2011 - 10:40 AM.
Moved from XP to Am I Infected.




#2 Spartacus1

Spartacus1

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 AM

Posted 01 October 2011 - 10:48 AM

Do you have the Windows installation disc handy?
May thou virus bow at thy mercy when you come to me...

#3 SusanQ


Posted 01 October 2011 - 01:22 PM

Do you have the Windows installation disc handy?

yes I do

#4 Spartacus1


Posted 01 October 2011 - 01:55 PM

Okay then, insert your installation disc into the PC > reboot it > when the installer Welcome screen comes up, press "R" > select the Windows installation you want to fix > type "FIXMBR <insert drive letter here>" and press Enter, and then "FIXBOOT <insert drive letter here>"
May thou virus bow at thy mercy when you come to me...

#5 SusanQ


Posted 01 October 2011 - 03:52 PM

The label on the disk I have says:

------

Operating System Disk
Use this disk to re-install your operating system.

To re-install the operating system:
Insert this disc, close all programs, restart your computer, then follow the on-screen instructions.
WARNING: This process erases all data and files from the hard drive.

------

I don't want to lose all my data and files -- do you think this is the right disk to do what you suggest? Just checkin'....

#6 Spartacus1


Posted 01 October 2011 - 04:40 PM

Did this disc come with your PC or did you buy it individually?
May thou virus bow at thy mercy when you come to me...

#7 SusanQ


Posted 01 October 2011 - 04:42 PM

It came with the PC. The only time I've ever used it was a couple of years ago, when I really did want to wipe the C drive clean and start over. I can't remember what-all screens or menus came up when I ran it...

#8 Spartacus1


Posted 01 October 2011 - 04:46 PM

Okay then, take the disc out, as this is not the right one for this task. Reboot your PC > do the same process as you would to get into safe mode, but instead of selecting Safe Mode, select "Return to OS Choices Menu" > if the option is available, select "Windows Recovery Console" > choose your Windows installation which is failing > type "FIXMBR <insert drive letter here>" and press Enter, and then "FIXBOOT <insert drive letter here>"
May thou virus bow at thy mercy when you come to me...

#9 SusanQ


Posted 01 October 2011 - 04:56 PM

I rebooted, chose "Return to OS choice menu"

The only operating system choice was "Microsoft Windows XP Professional"

and the only other options were ENTER to choose XP, or down at the bottom it said:

"For troubleshooting and advance startup options for Windows, press F8"

So I pressed F8.

Which took me back to where I'd just been:

Windows Advanced Options Menu
Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows domain controllers only)
Debugging Mode
Disable automatic restart on system failure

Start Windows Normally
Reboot
Return to OS Choices Menu

------------

I don't see any way to get to a Windows Recovery Console....?

#10 SusanQ


Posted 01 October 2011 - 04:58 PM

If I were to find a Windows Recovery Console, what would I put in the <insert drive letter here> slot? As far as I know, Windows resides on drive C, but that sounds like it's looking for a CD or something... ?

#11 Spartacus1


Posted 01 October 2011 - 05:01 PM

In safe mode, try logging in as "administrator" or another user account which isn't the one you got infected on.
May thou virus bow at thy mercy when you come to me...

#12 SusanQ


Posted 01 October 2011 - 05:07 PM

Well, I normally log in as administrator -- I'll log in as another, non-admin user -- and then do what?

#13 SusanQ


Posted 01 October 2011 - 05:09 PM

OK - I'm logged in, in Safe Mode with Networking, as a user who is not an administrator. What now?

#14 Spartacus1


Posted 01 October 2011 - 07:46 PM

Try re-running SUPERAntiSpyware (http://www.superantispyware.com/)(UPDATE BEFORE SCANNING!), and MalwareBytes (http://www.malwarebytes.org/)(UPDATE BEFORE SCANNING!)
May thou virus bow at thy mercy when you come to me...

#15 SusanQ


Posted 01 October 2011 - 08:38 PM

Well, I couldn't even connect to the internet from my non-admin user. So I logged back into Safe Mode as admin, and downloaded SuperAntiSpyware.

Ran RKill on general principles (no processes killed), then downloaded & installed SuperAntiSpyware.

Clicked on the newly installed SuperAntiSpyware icon on my desktop. It does EXACTLY the same thing that MalwareBytes does: starts, runs for a few seconds, then just vanishes. And when I click on the icon to run it again, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Whatever is going on, it seems to recognize virus scan software, stop it in its tracks, and make it so it can't even try, the next time.

Help! Please! Someone!



