We have a Windows XP Home operating system, and two people use the computer - my wife Martha and I - with separate login accounts.
Martha was browsing with the Firefox browser and got the Open Cloud infection. She called me immediately and I attempted to remove it, since it was overtaking the machine, showing messages and terminating programs repeatedly.
I will tell you what I have done to remove it, and what the remaining behavior is. This virus is more difficult than I originally imagined, and I will need help to get the machine completely clean.
Initially, before searching for professional advice, I deleted all of the Open Cloud folders and files, and followed this with a registry cleaner (CC Cleaner), which scans the registry and removes remaining references to deleted executables. I did this as triage, because I couldn't manage to do ANYTHING on the machine until I removed the files.
Then I went to another machine and looked up on BleepingComputer what to do. Over the next 48 hours, I tried several things recommended by BleepingComputer professionals, including following all of the three procedures listed in the following URLs, in the order they were suggested:
Unfortunately, none of these methods has completely fixed the machine.
I made numerous analyses of the issues that remain, and they fall into three categories, which I will summarize below.
1. Virus scan and removal programs terminate prematurely
2. A svchost.exe process uses more memory over time, growing so much as to hang the computer if not terminated
3. A scan of the C: drive indicates that there are hard disk errors
I am attaching a .zip file that contains the results of the test I have done, mostly as suggested by BleepingComputer procedures, but some additional ones that I did on my own initiative.
Now for the details of each of these issues.
1. Virus scan and removal programs terminate prematurely
I have tried to execute a BitDefender 2010 scan (my regular anti-virus program) and it terminates after a few seconds into the scan. The same is true for MBAM, SuperAntiVirus, GMER and Panda. After they terminate, any further attempt to execute the program generates an 'access denied . . .' message, and a copy of this message is included in the .zip file. I am only able to execute the program after that by uninstalling and reinstalling the program - only to find that it terminates again after the first try.
I have localized the offending file, that seems to cause termination, to a file '2442256104' located in the C:\WINDOWS folder. I am able to identify this as the offending file in the following way. BitDefender has a manually operated scan program, which can be restarted after it terminates prematurely, and it allows the user to select an individual folder to scan. (None of the other scan programs I tried allows me to select an individual folder in manual mode. The random.com version of SuperAntiVirus can be run multiple times from a flash drive, but it does not allow the user to control which individual folder to scan.) I have scanned each individual folder on my machine, one at a time, using the manual BitDefender scan. Only the C:\WINDOWS folder caused it to terminate prematurely. Then I scanned each folder in the C:\WINDOWS folder one at a time, and only the files directly in the folder caused premature termination. Then I scanned each file directly in the C:\WINDOWS folder one at a time, until I isolated the one that causes premature termination. As I said, it is '2442256104'. As a further verification, I can delete this file to the Recycle bin, and then the C:\WINDOWS folder can be scanned by the virus scan programs. However, scanning the Recycle bin (with only that one file in it) causes premature termination of the scan program. This is the case for BitDefender in manual mode, MBAM and SuperAntiVirus.
This '2442256104' file seems to have executable data associated with it, and a process, 2442256104:388066926.exe, is launched that is 480 Kbytes long; this process is very suspicious to me. I have five XP machines (3 at home and 2 at work) and none of those other machines launch this process. The file 'Suspect file text box' in the .zip file gives the dialog box that indicates the associated data for the file.
TDSSKiller did identify this same issue, and I have included several TDSSKiller log files before and after deleting the offending '2442256104' file from the C:\WINDOWS folder. TDSSKiller indicated it would remove the '2442256104' file and associated files at the next restart, but that did not happen.
I learned that when I delete the '2442256104' file from the C:\WINDOWS folder, it does not return if I log off and back on, either to another user account, or to my own user account. But after a restart, it does return to the C:\WINDOWS folder.
This file may not be the only thing that causes premature termination, because SuperAntiVirus allows a custom scan of resident memory, the registry, and cookies. Those scans terminate prematurely as well, but I can't isolate the cause.
As you can imagine, this isolation process was tedious, and made even more difficult because many times after the scan program terminates, the PC hangs and has to be restarted. Sometimes this restart is uneventful, but sometimes it causes the black "Sorry to inconvenience you . . ." screen and allows you to boot in safe mode. In addition, sometimes I get the blue screen "If this is the first time . . ." and must forcefully terminate the boot process and restart in safe mode. [This is my grumbling, I guess, but may be helpful for you to understand the issues.]
2. A svchost.exe process uses more memory over time
Eventually I discovered the reason that the PC hangs after a program terminates. That is because one of the svchost.exe processes begins to take up memory, growing so large that it prevents any program from executing. I have made a system dump of the machine before and during such growth, and the file during growth is included in the .zip file with the filename 'sysdump (10-4-2011 later)'. This one made during the growth had to be done quickly because once the growth starts it accelerates rapidly. (I have not included the original one made before the growth started because the size limitation on attached files for this post does not allow that, but I do have the information in case you need it.) By the time I got the second system dump completed, the memory had grown to about 800 MBytes on this process before I could end the process. The process identification number for this instance of the svchost.exe process is 2800, and I have made an Excel file to sort and display which underlying services are using the memory. That Excel file is also included in the .zip file.
I am not sure how this memory issue is related to the premature termination issue, if at all.
3. A scan of the C: drive indicates that there are hard disk errors.
I became suspicious that the C: drive might be compromised, and even though it was not suggested by BleepingComputer professionals to check, I did a chkdsk scan on the C: drive, and discovered it had corrupt attribute records. I followed this by a chkntfs scan on the C: drive, and set the dirty bit 'on' hoping that the next restart of the computer would run a chkdsk and correct the corrupt attribute records on the C: drive, but I could not get that to happen. So there are still corrupt attribute records on the C: drive, and it is still flagged as dirty.
I am not sure how this hard disk issue is related to the premature termination and svchost memory issues, if at all.
I expect that there are other issues on the machine as well, which I have only partially documented.
For example, one of the recommended procedures was to open IE and turn any proxy settings off. I did that, and also did the same in Firefox, which is our primary browser. When I opened Firefox it automatically opened a 'non-closable' page, but I ignored that and turned the proxy settings off, then forcefully shut down (because I could not terminate Firefox). I have not opened Firefox or IE since then, because my BitDefender antivirus program terminates and therefore does not protect me from opening such pages. I did use CC Cleaner to delete all cookies and temporary files on both my login account and Martha's login account, hoping that will help solve the browser problem when it comes time to address that. I did not document this issue.
In the process of doing the manual BitDefender scans of my PC, I identified that there are multiple archived e-mail messages with Trojan vulnerabilities in them. While I understand this is an issue, I have not opened the Outlook client since this problem occurred, so I am not addressing those vulnerabilities right now. I have included the list of e-mail vulnerabilities in the .zip file, in case that has any value in assessing the situation.
There is a peculiarity of my PC that I should point out: all of my programs and program folders are located on the C:\ drive and all of my data and data folders are located on the G:\ drive, including the E-mail folders and the User folders. I set the machine up this way when I got it, to make it easier for me to back up my data files. Once I got this infection, I disconnected my Iomega USB backup drive from the PC and haven't reconnected it.
I hope all of this information will help you to diagnose and suggest a method to clean the machine and return it to service.
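Two of the symptoms in the post above lend themselves to a simple automated check, and the following script is an added example (not part of the original post and not one of the BleepingComputer procedures the poster followed). The first symptom is the process name 2442256104:388066926.exe: on NTFS, a colon after the drive letter inside a file name is the separator for an alternate data stream (ADS), so the host file '2442256104' in C:\WINDOWS looks empty while the executable lives in its stream '388066926.exe'; a path scanner that does not treat this form as executable data will miss it. The second symptom is the svchost.exe instance (PID 2800) whose working set grows until the machine hangs. The script parses constructed process snapshots, the PIDs, paths and sizes below are made up to resemble the post's description and are not real measurements, flags any process whose image path names an ADS, and flags any process whose working set grows monotonically by more than a threshold across snapshots. On a live machine you would feed it the output of a process lister taken a minute or so apart instead of the inline data.

```python
"""Triage helpers for the two symptoms described above (added example).

All input is constructed inline so the script runs offline; nothing here
is taken from the poster's actual sysdump or TDSSKiller logs.
"""
import re

# host_path ':' stream_name, where host_path starts with a drive letter.
# The drive-letter colon is consumed by '[A-Za-z]:' so only a *second*
# colon is treated as the ADS separator. UNC and relative paths are not
# handled (assumption: the inputs are absolute local paths, as on XP).
_ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^:\\]+)$")


def ads_stream(image_path):
    """Return (host_file, stream_name) if image_path names an NTFS ADS, else None."""
    m = _ADS_RE.match(image_path)
    if m is None:
        return None
    return m.group("host"), m.group("stream")


# Constructed snapshots: (seconds_since_start, pid, image_path, working_set_kb).
# PID 2800 mirrors the runaway svchost.exe from the post; the other values are
# invented for illustration only.
SNAPSHOTS = [
    (0,   1032, r"C:\WINDOWS\system32\svchost.exe",        21000),
    (0,   2800, r"C:\WINDOWS\system32\svchost.exe",        35000),
    (0,   3120, r"C:\WINDOWS\2442256104:388066926.exe",      480),
    (60,  1032, r"C:\WINDOWS\system32\svchost.exe",        21100),
    (60,  2800, r"C:\WINDOWS\system32\svchost.exe",       180000),
    (60,  3120, r"C:\WINDOWS\2442256104:388066926.exe",      480),
    (120, 1032, r"C:\WINDOWS\system32\svchost.exe",        21050),
    (120, 2800, r"C:\WINDOWS\system32\svchost.exe",       610000),
    (120, 3120, r"C:\WINDOWS\2442256104:388066926.exe",      480),
]


def ads_processes(snapshots):
    """Sorted, de-duplicated (pid, image_path) pairs whose image is an ADS."""
    found = {(pid, img) for _, pid, img, _ in snapshots if ads_stream(img)}
    return sorted(found)


def runaway_processes(snapshots, min_growth_kb=100_000, min_ratio=2.0):
    """Processes whose working set rises at every sample and ends well above
    where it started. Returns (pid, image_path, first_kb, last_kb) tuples.

    Requiring strict growth at each step filters out normal jitter such as
    PID 1032 above, which goes up and then back down.
    """
    series = {}
    for t, pid, img, kb in sorted(snapshots):
        series.setdefault((pid, img), []).append(kb)

    flagged = []
    for (pid, img), kbs in sorted(series.items()):
        if len(kbs) < 2:
            continue
        monotonic = all(b > a for a, b in zip(kbs, kbs[1:]))
        first, last = kbs[0], kbs[-1]
        if monotonic and last - first >= min_growth_kb and last >= first * min_ratio:
            flagged.append((pid, img, first, last))
    return flagged


def triage_report(snapshots):
    """Combine both checks into one dict, suitable for pasting into a forum post."""
    return {
        "ads_images": ads_processes(snapshots),
        "runaway": runaway_processes(snapshots),
    }


if __name__ == "__main__":
    report = triage_report(SNAPSHOTS)
    for pid, img in report["ads_images"]:
        host, stream = ads_stream(img)
        print(f"ADS executable: pid {pid} runs stream '{stream}' of {host}")
    for pid, img, first, last in report["runaway"]:
        print(f"Runaway memory: pid {pid} ({img}) {first} KB -> {last} KB")
```

The ADS check is the more important of the two for the situation described: deleting the visible host file and seeing it return after a reboot is consistent with the stream being restored by whatever starts at boot, which is why TDSSKiller schedules removal for the next restart rather than deleting in place. The memory check only tells you which PID to capture, as the poster already did with the sysdump and Excel sort; mapping that PID back to its hosted services still needs `tasklist /svc` on the affected machine.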