
Open Cloud infection – my recovery



#1 Rich Wagner


Posted 06 October 2011 - 05:46 PM

I got an Open Cloud infection on my Windows XP machine, and it inserted a process with random numbers into the Task List that wouldn't go away. That process caused all AntiVirus and AntiMalware programs to terminate prematurely. The troublesome process has 10 random digits followed by a colon followed by 9 more random digits [ddddddddd:ddddddddd.exe]. It is very hard to remove.

I have noticed many posts on this forum of other people with the same issue, and many of these are not resolved yet.

I discovered a post by another member that helped me solve my problem, so I want to give other people something to consider in trying to solve this difficult problem if they have gotten it. I am NOT a computer professional, nor am I one of the certified BleepingComputer experts, but I did spend more than 40 hours studying this problem, analyzing my machine, and solving the problem over the past 5 days. So while my comments may not solve your problem, they may give you something to try that uses ONLY the standard tools that come with Microsoft Windows XP. There is nothing else to download, and no other programs that you need to trust.

Credit for the resolution of my problem goes to Brett, who posted the thread that suggested the MAGIC step: http://www.bleepingcomputer.com/forums/topic421299.html/

I have amplified his MAGIC step to suit my particular situation, but I suspect it will be similar for many other people who have this issue. The recovery steps that solved my problem are summarized below. They took about two hours to complete, once I figured out what to do.

1. If possible, start the computer in Safe mode

2. Open the Task Manager and see if you have a process dddddddddd:ddddddddd.exe running. If so, note the random number prior to the [:]. You will need it in several of the next steps.

3. Delete the file in the C:\WINDOWS folder with the random number noted in step 2, and empty the Recycle bin.

4. Optional step: you may have a svchost.exe file in the Task Manager list of processes that begins to use considerable resident memory. If it increases too much, the computer will hang. Monitor this process and if the memory usage accelerates, end the process tree by right clicking on the offending svchost.exe process.

5. Run ‘cmd’ from the Start menu and execute the command ‘sfc /scannow’. This seems to be the MAGIC step. This will take 15-20 minutes, and it checks all of the Windows files to ensure their integrity. If it terminates successfully there is no message displayed.

Note 1: sfc will hang and not complete if you do not delete the random numbered file in step 3.

Note 2: if you get an error message “RPC server is unavailable”, then go back to the beginning and try to complete the steps in Normal mode, where the RPC server is available.

6. Reboot the machine, again in Safe mode, and if the randomly numbered process is not present, you have nearly won this battle. Use Regedit to remove references to the randomly numbered file. Use Find from the Regedit menu with a search string equal to the random number noted in Step 2. You will probably see registry keys in three places:

HKLM/SYSTEM/ControlSet001

HKLM/SYSTEM/ControlSet003

HKLM/SYSTEM/CurrentControlSet

Those entries most likely have a name consisting of 8 random hexadecimal numbers [hhhhhhhh]. Delete those entries from the registry.

7. Run ‘cmd’ from the Start menu and execute the command 'CHKDSK', but it will be in read-only mode and cannot fix any errors. If there are errors, execute 'CHKDSK' again with the /r option so that it will fix the errors the next time the computer is restarted. Restart the computer so that it can check the disk. Repeat this step until you see that the errors are gone.

Note: you may have to defragment the disk before this is effective

8. At this point, you should be able to run your favorite antivirus and antimalware programs. However, if you get an ‘Access denied’ message when you try to start them, uninstall and reinstall them, and they should work fine after that.
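A read-only check for the indicators described in the post above, added here as an example and not part of the original post: it matches the 10-digit, colon, 9-digit process name and lists registry keys in a `.reg`-style export whose values mention that number. The process list, the export text, the `Example` key path and the function names are constructed for illustration.

```python
import re

# Pattern from the post: 10 digits, a colon, 9 digits, then ".exe".
PROC_RE = re.compile(r"^(\d{10}):(\d{9})\.exe$", re.IGNORECASE)
HEX8_RE = re.compile(r"^[0-9a-fA-F]{8}$")

# Constructed sample data (not taken from a real machine).
SAMPLE_PROCESSES = ["System", "svchost.exe", "explorer.exe",
                    "1234567890:987654321.exe", "12345:678.exe"]
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Example\3fa9c01b]
"ImagePath"="\\??\\C:\\WINDOWS\\1234567890:987654321.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Example\Dhcp]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Example\3fa9c01b]
"ImagePath"="\\??\\C:\\WINDOWS\\1234567890:987654321.exe"
"""

def find_marker_numbers(process_names):
    """Return the number before the colon for each matching process name."""
    return [m.group(1) for m in map(PROC_RE.match, process_names) if m]

def find_registry_refs(reg_text, number):
    """Return (key_path, has_8_hex_name) for each key whose values mention number."""
    hits, key, seen = [], None, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, seen = line[1:-1], False      # start of a new key section
        elif key and not seen and number in line:
            seen = True                        # report each key only once
            leaf = key.rsplit("\\", 1)[-1]
            hits.append((key, bool(HEX8_RE.match(leaf))))
    return hits

if __name__ == "__main__":
    for num in find_marker_numbers(SAMPLE_PROCESSES):
        print("suspicious process prefix:", num)
        for key, hex8 in find_registry_refs(SAMPLE_REG_EXPORT, num):
            print("  referenced by:", key, "(8-hex name)" if hex8 else "")
```
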



#2 Rich Wagner


Posted 06 October 2011 - 06:00 PM

PS: If you want to see my original post and plea for help, that gives some detail on how I discovered the problems that Open Cloud produced, go here: http://www.bleepingcomputer.com/forums/topic421998.html/

#3 Orange Blossom (Moderator)

Posted 08 October 2011 - 12:06 PM

Note to all readers.

Please note that malware removal is specific to each machine. What will resolve the issues on one machine may not on another, and in some cases may actually damage another machine. Please do not follow malware removal instructions or solutions written for someone else or for a different machine. Similar symptoms do not equal the same cause.

Since this topic does not request assistance, this topic is now closed.

Orange Blossom
