I am a betting man. I will bet clearing TEMP INTERNET FILES and SYSTEM RESTORE do not work for this. The black-hats that created Open Cloud anticipated much more complicated attempts to clean than this. How do I know? Deleting internet files and System Restore in safe mode has been effective against less harmful Trojans than Open Cloud. The delete temporary internet files & System Restore we did here last Thursday did not fix the problem; after the reboot (and System Restore does require a reboot) the infection was back. Been there, done that, didn't work. Sorry, but that is fact.
If there is a working, effective clean procedure for Open Cloud, it would be good to know. When we were hit with this last week the version of Stinger that was available at that time was ineffective, as was every other method of cleaning Open Cloud (MBAM, STINGER, SPYBOT, RKILL, COMBOFIX, HIJACKTHIS, etc. etc.). After over four hours and a dozen or more attempts at various cleaning methods, we had to reimage the user's computer. Since the re-image, the user is back at work the next day with no more Open Cloud. They have been updated to DAT Version 5489 as of yesterday.
Since we were infected last Thursday, and we are a business and our users cannot afford to be down for days, or even weeks, at a time, without accurate detection and/or cleaning tools/methods the only sure-fire fix is reimaging of the computer. Not picking on McAfee: none of the other major antivirus software vendors caught this ahead of time, so they are all in REACT-MODE. So it is nice that we pay them many dollars to protect us from known attacks, and there are many thousands, but the ones like Open Cloud really caught them and us with our knickers around our knees.
To those still infected with this Trojan: if you want to continue trying to clean it with conventional means, have at it. I wish you the best of luck; if you find something that actually works, post the step-by-step procedure and you will be a hero. I suspect there isn't enough time in a human life span to clean this thing in SAFE MODE with Stinger and MBAM, etc.
SIGH!!! You were right. I think I just made it mad! It was worth a try though.
After waiting for the computer to finish the restore for four hours, I finally got the message that System Restore "did not complete successfully. Your computer's system files and settings were not changed". So it won't even let you restore. I rebooted and the first thing I saw was that annoying "Open Cloud" fake scan. I immediately unplugged the modem because I know that thing is broadcasting like a big dog! I will now format.
I guess I won't be a hero today... still just an accountant.
If anyone else finds a cure, let us know. One of our kids just left home going back to school and I have a feeling he'll be calling!
Just a follow-up - between the Fake Alert Stinger, MalwareBytes and rKill I think I've eliminated the problem. No more pop-ups and I'm able to run and update McAfee again. I'll try updating McAfee and MalwareBytes again tonight and running them again just to be sure.
Edited to add: I'll look again for the files in the manual clean up document posted a few posts back.
This thing can be removed manually, it seems. That does not exclude the possibility that it's associated with a rootkit infection or that it comes as part of a package of malware infections. What does seem clear is that if there are not already several variants of OCS being spread around, there probably soon will be. This has been quite successful in the short time it's been seen in the wild, so the authors will want to keep it going for as long as possible.
Now, details: the document referenced in post #45 is currently unavailable, because it's being updated. The new version may have a removal sequence you can follow.
The Fake Alert Stinger should have been updated today to deal with the known variant(s) but of course new variants might not be caught, so if it doesn't work McAfee labs will need to know and preferably would like specimens of the OCS files to see if the code has changed.
(Edit) Post #1 gave the locations of files placed on your system by OCS, which can be deleted manually. I repeated that list in Post #10. The list was as given in the original BleepingComputer analysis, at http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security. The instructions for removal given there apparently worked for a while but then stopped working, which implies the authors of OCS changed something to prevent its removal.
I also have a removal sequence provided by an expert from another forum which he says works on the current variant. If that is significantly different from what has already been provided here I can post it, if I get the okay to use someone else's content from Another Place. I don't want to be accused of plagiarism :-)
(Edit) He's talking about the same files as in the list in post #1.
Apparently System Restore may work for some users, but he isn't recommending it. He also says that OCS disables files with .exe, .com and .pif extensions and seems to disable most AV and antimalware solutions as a result.
Any files that have disappeared are merely hidden, and it's easy to unhide them. That way too you get to see where OCS has put its own files so you can either delete them yourself or rename the executable and then let your antimalware solution of choice do it for you.
The preferred and simplest solution of course would be simply to run FakeAlert Stinger.
So Rkill will not work on this? You could try one of the other links. There are about 7 or 8 differently named versions. I have read that sometimes you may have to run this a few times to get it to work. Then run Stinger or Malwarebytes. If you do get Rkill to run it will leave a list of a path. You should be able to open Computer and paste it in there to find it. You may also have to unhide hidden folders after pasting the location to manually remove it. Here are other links for Rkill. Good luck