Open Cloud AV


  • This topic is locked
50 replies to this topic

#1 coldnorth

Posted 04 October 2011 - 02:14 PM

I contracted Open Cloud AV and followed the removal instructions on this site, located at

http://www.bleepingcomputer.com/virus-removal/remove-opencloud-antivirus

to the letter, including downloading Rkill and Malwarebytes. It did not remove this bug, but it did manage to remove just about everything else on my computer, including photos, important documents, and software, including some of the Microsoft stuff that came with the computer such as Office. Not only that, but it also seems to have removed Rkill and Malwarebytes after it completed and re-booted. Aside from the recycling bin, the only desktop icon I have now is something called “Security Guard 2012”.

Is there anything I can do?


#2 boopme (Global Moderator)

Posted 04 October 2011 - 02:19 PM

Hello, I've split you to your own topic.
It actually removed none of those things; this is the malware doing it. So run these next.

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.6.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log
and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#3 coldnorth (Topic Starter)

Posted 04 October 2011 - 02:29 PM

Thanks Boopme, I'll give it a try.

#4 coldnorth (Topic Starter)

Posted 04 October 2011 - 03:21 PM

My files are once again visible Boopme. Thanks VERY much.

I downloaded TDSS and ran it. It found no threats but it appears the bug is still on my computer. Will try to run MBAM in normal mode now.

#5 coldnorth (Topic Starter)

Posted 04 October 2011 - 04:06 PM

MBAM in normal mode would not even start up. Should I try to run in Safe Mode?

#6 boopme (Global Moderator)

Posted 04 October 2011 - 07:28 PM

Please do these

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the folder for the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
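A defender's check for the .exe launch hijack described in the post above, added here as an example and not code from the thread, from BleepingComputer or from FixNCR.reg: it parses a registry export (a constructed sample is embedded; the redirect path in it is hypothetical) and reports any exefile, comfile, batfile, cmdfile or piffile open command that is not the Windows default "%1" %*, which is the value a fix like FixNCR.reg puts back.

```python
"""Check a Windows registry export (.reg) for a hijacked executable launch command.

The infection in this thread rewrites the command Windows uses to open .exe files, so
every program launch starts the malware instead of the program. The Windows default for
exefile (and the other launchable classes below) is simply "%1" %*: run the file with
its arguments. This script reads an export of the relevant keys (regedit, File > Export)
and reports anything that differs from that default.
"""
import re

# Known-good default open commands. Any extra program placed in front of "%1" is a hijack.
EXPECTED = {cls: '"%1" %*' for cls in ("exefile", "comfile", "batfile", "cmdfile", "piffile")}

# Locations where a file class can be (re)defined; HKCU\Software\Classes overrides HKLM.
COMMAND_KEY_RE = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|HKEY_CURRENT_USER\\Software\\Classes)"
    r"\\(\w+)\\shell\\open\\command$",
    re.IGNORECASE,
)

# Constructed sample export (not the real FixNCR.reg and not a real malware path): the
# exefile command has been redirected through a hypothetical file under C:\Users\Public.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\constructed-example.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(literal):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r'\1', literal)


def parse_reg(text):
    """Parse .reg text into {key path: {value name: data}}; only string values are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")          # a leading '-' marks a key deletion
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')  # '@' is the (Default) value
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = unescape_reg_string(data[1:-1])
            else:
                keys[current][name] = data                 # dword:/hex: data left as-is
    return keys


def find_hijacked_commands(text):
    """Return [(file class, actual command)] for every open command that is not the default."""
    findings = []
    for path, values in parse_reg(text).items():
        m = COMMAND_KEY_RE.match(path)
        if not m:
            continue
        cls = m.group(1).lower()
        if cls in EXPECTED and values.get("@") != EXPECTED[cls]:
            findings.append((cls, values.get("@")))
    return findings


if __name__ == "__main__":
    for cls, cmd in find_hijacked_commands(SAMPLE_EXPORT):
        print(f"{cls}: open command is {cmd!r}, expected {EXPECTED[cls]!r}")
```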

#7 coldnorth (Topic Starter)

Posted 04 October 2011 - 09:24 PM

Thanks Boopme, I'll give it a try.

#8 coldnorth (Topic Starter)

Posted 04 October 2011 - 09:58 PM

These are the results from the MiniToolBox


MiniToolBox by Farbar
Ran by Mike and Jean (administrator) on 04-10-2011 at 21:54:13
Windows 7 Home Premium (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
Hosts file not detected in the default directory
========================= IP Configuration: ================================The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : MikeandJean-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ping request could not find host google.com. Please check the name and try again.
Ping request could not find host yahoo.com. Please check the name and try again.
Unable to contact IP driver. General failure.
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 mswsock.dll [File Not found] ()
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/04/2011 01:26:37 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (10/04/2011 00:54:46 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (10/04/2011 10:57:52 AM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\System32\svchost.exe -k secsvcs; Description = Windows Defender Checkpoint; Error = 0x8007043c).

Error: (10/04/2011 10:55:50 AM) (Source: Application Error) (User: )
Description: Faulting application name: javaw.exe, version: 1.1.1.1, time stamp: 0x4d776bb8
Faulting module name: javaw.exe, version: 1.1.1.1, time stamp: 0x4d776bb8
Exception code: 0xc0000005
Fault offset: 0x00001149
Faulting process id: 0xd8c
Faulting application start time: 0xjavaw.exe0
Faulting application path: javaw.exe1
Faulting module path: javaw.exe2
Report Id: javaw.exe3

Error: (10/04/2011 10:45:01 AM) (Source: Application Error) (User: )
Description: Faulting application name: javaw.exe, version: 1.1.1.1, time stamp: 0x4d776bb8
Faulting module name: javaw.exe, version: 1.1.1.1, time stamp: 0x4d776bb8
Exception code: 0xc0000005
Fault offset: 0x00001149
Faulting process id: 0xb8c
Faulting application start time: 0xjavaw.exe0
Faulting application path: javaw.exe1
Faulting module path: javaw.exe2
Report Id: javaw.exe3

Error: (10/04/2011 10:36:13 AM) (Source: Application Error) (User: )
Description: Faulting application name: javaw.exe, version: 1.1.1.1, time stamp: 0x4d776bb8
Faulting module name: javaw.exe, version: 1.1.1.1, time stamp: 0x4d776bb8
Exception code: 0xc0000005
Fault offset: 0x00001149
Faulting process id: 0x1c8
Faulting application start time: 0xjavaw.exe0
Faulting application path: javaw.exe1
Faulting module path: javaw.exe2
Report Id: javaw.exe3

Error: (10/03/2011 10:44:14 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 8.0.7600.16839 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d38

Start Time: 01cc81e2faae5301

Termination Time: 31

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: 7ce4d412-edd6-11e0-ae54-7ee40003e03d

Error: (10/03/2011 10:18:47 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 8.0.7600.16839 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 608

Start Time: 01cc81df89055cff

Termination Time: 60

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: f4cc1839-edd2-11e0-ae54-7ee40003e03d

Error: (10/03/2011 09:35:52 AM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16839, time stamp: 0x4e0015ef
Faulting module name: IEShims.dll, version: 8.0.7600.16385, time stamp: 0x4a5bda0e
Exception code: 0xc00000fd
Fault offset: 0x00009f1e
Faulting process id: 0x16b0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/03/2011 09:03:09 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 8.0.7600.16839 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13b4

Start Time: 01cc81d4c4828bfd

Termination Time: 46

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: 6406d139-edc8-11e0-ae54-7ee40003e03d


System errors:
=============
Error: (10/04/2011 09:52:10 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2011 09:52:09 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2011 09:52:09 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2011 09:52:08 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2011 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (10/04/2011 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (10/04/2011 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (10/04/2011 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (10/04/2011 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (10/04/2011 04:03:00 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Acrobat.com (Version: 1.6.65)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.3)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Reader 9.4.1 (Version: 9.4.1)
Adobe Shockwave Player (Version: 11.0)
AMD USB Filter Driver (Version: 1.0.10.84)
Atheros Driver Installation Program (Version: 9.0)
ATI Catalyst Install Manager (Version: 3.0.732.0)
AutoCAD 2012 - English (Version: 18.2.51.0)
AutoCAD 2012 Language Pack - English (Version: 18.2.51.0)
Autodesk Content Service (Version: 2.0.90)
Autodesk Inventor Fusion 2012 (Version: 1.0.0.79)
Autodesk Inventor Fusion 2012 Language Pack (Version: 1.0.0.79)
Autodesk Inventor Fusion plug-in for AutoCAD 2012 (Version: 0.0.1.138)
Autodesk Inventor Fusion plug-in language pack for AutoCAD 2012 (Version: 0.0.1.138)
Autodesk Material Library 2012 (Version: 2.5.0.8)
Autodesk Material Library Base Resolution Image Library 2012 (Version: 2.5.0.8)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.0804.2223.38385)
Catalyst Control Center Graphics Full Existing (Version: 2009.0804.2223.38385)
Catalyst Control Center Graphics Full New (Version: 2009.0804.2223.38385)
Catalyst Control Center Graphics Light (Version: 2009.0804.2223.38385)
Catalyst Control Center Graphics Previews Common (Version: 2009.0804.2223.38385)
Catalyst Control Center Graphics Previews Vista (Version: 2009.0804.2223.38385)
Catalyst Control Center InstallProxy (Version: 2009.0804.2223.38385)
Catalyst Control Center Localization All (Version: 2009.0804.2223.38385)
ccc-core-static (Version: 2009.0804.2223.38385)
ccc-utility64 (Version: 2009.0804.2223.38385)
CCC Help Chinese Standard (Version: 2009.0804.2222.38385)
CCC Help Chinese Traditional (Version: 2009.0804.2222.38385)
CCC Help Czech (Version: 2009.0804.2222.38385)
CCC Help Danish (Version: 2009.0804.2222.38385)
CCC Help Dutch (Version: 2009.0804.2222.38385)
CCC Help English (Version: 2009.0804.2222.38385)
CCC Help Finnish (Version: 2009.0804.2222.38385)
CCC Help French (Version: 2009.0804.2222.38385)
CCC Help German (Version: 2009.0804.2222.38385)
CCC Help Greek (Version: 2009.0804.2222.38385)
CCC Help Hungarian (Version: 2009.0804.2222.38385)
CCC Help Italian (Version: 2009.0804.2222.38385)
CCC Help Japanese (Version: 2009.0804.2222.38385)
CCC Help Korean (Version: 2009.0804.2222.38385)
CCC Help Norwegian (Version: 2009.0804.2222.38385)
CCC Help Polish (Version: 2009.0804.2222.38385)
CCC Help Portuguese (Version: 2009.0804.2222.38385)
CCC Help Russian (Version: 2009.0804.2222.38385)
CCC Help Spanish (Version: 2009.0804.2222.38385)
CCC Help Swedish (Version: 2009.0804.2222.38385)
CCC Help Thai (Version: 2009.0804.2222.38385)
CCC Help Turkish (Version: 2009.0804.2222.38385)
Cisco EAP-FAST Module (Version: 2.2.14)
Cisco LEAP Module (Version: 1.0.19)
Cisco PEAP Module (Version: 1.1.6)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
CyberLink DVD Suite (Version: 7.0.2111)
CyberLink MediaShow (Version: 4.1.3325)
CyberLink PowerDVD 8 (Version: 8.0.1.1005)
D3DX10 (Version: 15.4.2368.0902)
FaceSmooch Smileys
FARO LS 1.1.406.58 (Version: 4.6.58.2)
FinePixViewer Ver.5.4 (Version: 5.4)
HP Advisor (Version: 3.3.9512.3162)
HP Customer Experience Enhancements (Version: 6.0.1.3)
HP Games (Version: 1.0.0.71)
HP Quick Launch Buttons (Version: 6.50.16.1)
HP Setup (Version: 1.2.3560.3170)
HP Smart Web Printing (Version: 131.1.35898)
HP Support Assistant (Version: 4.4.6.3)
HP Update (Version: 5.001.000.014)
HP User Guides 0148 (Version: 1.01.0005)
HP Wireless Assistant (Version: 3.50.11.2)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
IDT Audio (Version: 1.0.6225.0)
ieSpell (Version: 2.6.4 (build 573))
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 15 (64-bit) (Version: 6.0.150)
Java™ 6 Update 23 (Version: 6.0.230)
Java™ SE Development Kit 6 Update 15 (64-bit) (Version: 1.6.0.150)
Junk Mail filter update (Version: 15.4.3502.0922)
LabelPrint (Version: 2.5.2111)
Lexmark X1100 Series
LightScribe System Software (Version: 1.18.13.1)
LSI HDA Modem (Version: 2.1.94)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Live Search Toolbar (Version: 3.0.566.0)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 9.7.0621)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0)
muvee Reveal (Version: 7.0.43.12698)
Norton Online Backup (Version: 1.2.20.0)
PictureMover (Version: 3.3.1.18)
Power2Go (Version: 6.0.3311)
PowerDirector (Version: 7.0.3311)
PriceGong 2.5.0 (Version: 2.5.0)
QLBCASL (Version: 6.40.17.2)
Realtek 8136 8168 8169 Ethernet Driver (Version: 1.00.0007)
Realtek USB 2.0 Card Reader (Version: 6.1.7100.30094)
Recovery Manager (Version: 5.5.2202)
Slingbox - Watch Your TV Anywhere (Version: 1.0.0)
SlingPlayer (Version: 1.04.0206)
Spybot - Search & Destroy (Version: 1.6.2)
Synaptics Pointing Device Driver (Version: 13.2.4.12)
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Webroot Software (Version: 7.0.11.21)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinRAR archiver

========================= Memory info: ===================================

Percentage of memory in use: 25%
Total physical RAM: 1788.2 MB
Available physical RAM: 1334.47 MB
Total Pagefile: 3576.4 MB
Available Pagefile: 2948.46 MB
Total Virtual: 4095.88 MB
Available Virtual: 3999.59 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:218.37 GB) (Free:139.73 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.22 GB) (Free:2.35 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive g: (TRAVELDRIVE) (Removable) (Total:3.72 GB) (Free:3.71 GB) FAT32

========================= Users: ========================================

User accounts for \\

Administrator Guest Mike and Jean

========================= Minidump Files ==================================

No minidump file found

**** End of log ****
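As an added example (not code from the thread and not part of MiniToolBox), a small Python triage of a Result.txt in the layout posted above: it splits the report into its sections and flags the indicators a helper reads first (DNS flush failure, missing hosts file, netsh helper DLL not loading, unreachable IP driver, Winsock entries whose provider file was not found). The embedded report is a constructed, shortened sample that mirrors this log's failures.

```python
"""Triage a MiniToolBox Result.txt for the network-breaking indicators seen in the thread.

MiniToolBox prints one section per ticked option under a header such as
'========================= Winsock entries ====='. The script splits a report into those
sections and flags: a DNS cache that cannot be flushed, a missing hosts file, a netsh
helper DLL that will not load, an unreachable IP driver, and Winsock catalog entries
whose provider DLL could not be found.
"""
import re

# A header line: run of '=', the section name, optional ':', run of '=', and sometimes
# tool output fused onto the same line (as with the IP Configuration section above).
SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?):?\s*=+(.*)$")
# One Winsock catalog line: [x64-]CatalogN index path [size-or-status] (vendor)
WINSOCK_RE = re.compile(r"^(x64-)?(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(.*?)\]")

# Constructed sample in the MiniToolBox layout; it is not the full Result.txt above.
SAMPLE_REPORT = r"""MiniToolBox by Farbar
Ran by Example (administrator) on 04-10-2011 at 21:54:13
Windows 7 Home Premium (X64)

========================= Flush DNS: ===================================

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
Hosts file not detected in the default directory
========================= IP Configuration: ================================The following helper DLL cannot be loaded: WSHELPER.DLL.

Windows IP Configuration
Unable to contact IP driver. General failure.
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)

========================= Memory info: ===================================

Percentage of memory in use: 25%
"""


def split_sections(report):
    """Return {section name: [lines]}; text before the first header is under ''."""
    sections, current = {"": []}, ""
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
            if m.group(2).strip():               # output fused onto the header line
                sections[current].append(m.group(2).strip())
        else:
            sections[current].append(line)
    return sections


def missing_winsock_providers(lines):
    """Return (catalog, index, dll) for every entry whose provider file was not found."""
    missing = []
    for line in lines:
        m = WINSOCK_RE.match(line)
        if m and m.group(5).lower() == "file not found":
            missing.append(((m.group(1) or "") + m.group(2), int(m.group(3)), m.group(4)))
    return missing


def triage(report):
    """Return a list of plain-language findings, empty when nothing is wrong."""
    s = split_sections(report)
    findings = []
    if any("Could not flush" in l for l in s.get("Flush DNS", [])):
        findings.append("DNS resolver cache could not be flushed")
    if "Hosts file not detected" in report:
        findings.append("hosts file is missing from its default directory")
    ipcfg = s.get("IP Configuration", [])
    if any("cannot be loaded" in l for l in ipcfg):
        findings.append("a netsh helper DLL failed to load")
    if any("Unable to contact IP driver" in l for l in ipcfg):
        findings.append("ipconfig cannot reach the IP driver")
    missing = missing_winsock_providers(s.get("Winsock entries", []))
    if missing:
        dlls = ", ".join(sorted({dll for _, _, dll in missing}))
        findings.append(f"{len(missing)} Winsock catalog entries point to missing file(s): {dlls}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print("-", finding)
```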

#9 boopme (Global Moderator)

Posted 04 October 2011 - 10:12 PM

Will MBAM run now?

#10 coldnorth (Topic Starter)

Posted 05 October 2011 - 08:04 AM


Apparently not. It has disappeared from the programs list. I still have the set-up file on my desktop but have been unable to re-install as the Open Cloud just overwhelms everything. Any thoughts or suggestions?

#11 coldnorth (Topic Starter)

Posted 05 October 2011 - 08:58 AM

Should I go ahead and run it in safe mode?

#12 L0rdG1gabyt3 (Member, 3 posts)

Posted 05 October 2011 - 09:28 AM

I would like to offer a bit of help if allowed.

You can access the task manager with this virus if you log off, then log back in. While the machine is logging back in, repeatedly press Ctrl+Shift+Esc.
You can then access the running processes and kill the OpenCloud process before it has a chance to start and cause trouble. The OpenCloud process is normally a jumble of letters and numbers.

From my experience, I believe this virus exploits something in Java. I have had good results with keeping this one away by uninstalling Java until the cleanup process is complete, then reinstalling. Most of the infected machines that have come through my shop have had a very old version of Java installed, along with the newer updates.

This virus includes the ZeroAccess rootkit as well. That must be removed, and Combofix will handle that.

Please though, don't run Combofix until an experienced board member tells you to do so.

I hope this short post will be a help to anyone who reads it.

Thanks.

#13 coldnorth (Topic Starter)

Posted 05 October 2011 - 10:01 AM

Thanks

#14 coldnorth (Topic Starter)

Posted 05 October 2011 - 10:41 AM

I'm unable to keep it from starting up with the task manager. Not only that, it has dozens of processes running and you just can't shut them all down. I’m getting a little desperate about this.

#15 coldnorth (Topic Starter)

Posted 05 October 2011 - 10:50 AM

Does anyone know anything about this "trusted OpenCloud AV virus Automatic Removal Utility"? While looking for info about this bug I found it at http://removevirushelp.com/how-to-get-rid-of-opencloud-av-virus.html#more-629 but to be honest I’m a bit leery about it and hesitant to use it.

Also, I have not downloaded this, so do so at your own risk.

Edited by coldnorth, 05 October 2011 - 10:56 AM.




