This thing can be removed manually, it seems. That does not exclude the possibility that it's associated with a rootkit infection or that it comes as part of a package of malware infections. What does seem clear is that if there are not already several variants of OCS being spread around, there probably soon will be. This has been quite successful in the short time it's been seen in the wild, so the authors will want to keep it going for as long as possible.
Now, details: the document referenced in post #45 is currently unavailable, because it's being updated. The new version may have a removal sequence you can follow.
The Fake Alert Stinger should have been updated today to deal with the known variant(s) but of course new variants might not be caught, so if it doesn't work McAfee labs will need to know and preferably would like specimens of the OCS files to see if the code has changed.
(Edit) Post #1 gave the locations of files placed on your system by OCS, which can be deleted manually. I repeated that list in Post #10. The list was as given in the original BleepingComputer analysis, at http://www.bleepingcomputer.com/virus-removal/remove-opencloud-security. The instructions for removal given there apparently worked for a while but then stopped working, which implies the authors of OCS changed something to prevent its removal.
I also have a removal sequence provided by an expert from another forum which he says works on the current variant. If that is significantly different from what has already been provided here I can post it, if I get the okay to use someone else's content from Another Place. I don't want to be accused of plagiarism 🙂
(Edit) He's talking about the same files as in the list in post #1.
Apparently System Restore may work for some users, but he isn't recommending it. He also says that OCS disables files with .exe, .com and .pif extensions and seems to disable most AV and antimalware solutions as a result.
Any files that have disappeared are merely hidden, and it's easy to unhide them. That way too you get to see where OCS has put its own files so you can either delete them yourself or rename the executable and then let your antimalware solution of choice do it for you.
The preferred and simplest solution of course would be simply to run FakeAlert Stinger.
Message was edited by: Hayton on 06/10/11 03:06:36 IST
I ran the new Fake Alert Stinger late this afternoon. Yesterday I also ran the one that was up yesterday twice. It took over two hours each time and said it cleaned some files. But as soon as I rebooted the machine, that virus junk popped RIGHT UP AGAIN. So it didn't clean it off. I bought Malwarebytes yesterday also and it didn't help either (so I'm going to ask for a refund)!!! In my opinion, McAfee is the best product on the market and if it isn't working, the other products aren't going to work either.
This one really bothers me because we're really careful about where we browse on the internet. We don't download suspicious attachments and the worst thing I do online is shop, and occasionally the grandkids watch cartoons on our system - under close supervision. So, I can't believe that we have something like this. Because if we can get it, anyone can.
Our ISP shut down our service Monday because apparently thousands of spam were being sent. Since I work at home, I need my access. So with that said, I'm getting ready to format and just pray the format works. After that, I'll just reload and reinstall McAfee. I just have to figure out the best way to go about the format now since I'm an accountant and not an IT professional... and hope like heck I don't screw it up even worse. But if I can get McAfee to load when I'm done, I'll know whether it worked or not.
This virus has taken up enough of my time!!!
Message was edited by: madblakely on 10/4/11 6:57:51 PM CDT
That was a great suggestion!! I decided to go with what you said before I formatted. When I went into the temporary folders, I found at LEAST four different viruses!!! Could have even been more but some were CLEARLY virus files. I was looking the files up on another computer as I was shredding them with McAfee. What I'm beginning to think is that although Open Cloud is the most annoying, it's just one of many that come in some kind of delivery "package" (for lack of a better word). The reason I say that is because they all had the exact same system date and time. So that's why this stuff isn't cleaning off. It's a LOT of different viruses all running in a pack.
For all having a problem with this, check your temporary folders while you're in safe mode. I'll bet you'll see something similar.
The reason I did that was mainly because Open Cloud didn't seem like something that was capable of hijacking our ISP and sending out thousands of spam (causing our provider to shut down our account).
After I shredded those files, I did the system restore as you suggested. As soon as my system finishes the restore process, I'll check again to see if they're there and get a list together and see if I can figure out how to package and send them to McAfee. Will update as I know more.
Remember, I'm an accountant and not an IT professional. So bear with me.
on 10/5/11 8:51:19 AM CDT
Message was edited by: madblakely on 10/5/11 9:51:32 AM CDT
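The post above notices that every dropped file in the temporary folders carried the same timestamp, which is a useful triage signal when a fake-AV package drops several components at once. As an added example that is not from the thread or from any McAfee tool, the script below walks a directory and groups files whose last-modified time is identical to the second; the sample directory it builds is constructed, and real Windows triage would more often key on creation time (st_ctime on Windows), which is noted in the comments.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone


def group_files_by_mtime(directory, min_group=2):
    """Return {mtime_in_seconds: [paths]} for every set of at least
    min_group files whose modification time matches to the second.
    On Windows, st_ctime is the creation time and is usually the
    better key for spotting files dropped together by one installer."""
    groups = defaultdict(list)
    for root, _dirs, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            try:
                stamp = int(os.stat(path).st_mtime)
            except OSError:  # file vanished or is locked; skip it
                continue
            groups[stamp].append(path)
    return {t: sorted(p) for t, p in groups.items() if len(p) >= min_group}


def make_sample_tree():
    """Constructed sample: three files stamped at one second, imitating a
    dropped bundle, plus one unrelated file an hour earlier."""
    base = tempfile.mkdtemp(prefix="triage_sample_")
    bundle_time = int(datetime(2011, 10, 4, 18, 57, 51, tzinfo=timezone.utc).timestamp())
    for name in ("a.exe", "b.dll", "c.tmp"):
        path = os.path.join(base, name)
        open(path, "wb").close()
        os.utime(path, (bundle_time, bundle_time))
    lone = os.path.join(base, "unrelated.log")
    open(lone, "wb").close()
    os.utime(lone, (bundle_time - 3600, bundle_time - 3600))
    return base, bundle_time


if __name__ == "__main__":
    base, _ = make_sample_tree()
    for stamp, paths in sorted(group_files_by_mtime(base).items()):
        when = datetime.fromtimestamp(stamp, timezone.utc).isoformat()
        print(f"{when}: {len(paths)} files written in the same second")
        for p in paths:
            print("   ", p)
```

Point it at a user's Temp and Temporary Internet Files folders (with hidden files visible) and any cluster of executables sharing one second is a good starting list to submit as samples.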
I am a betting man. I will bet clearing TEMP INTERNET FILES and SYSTEM RESTORE do not work for this. The black-hats that created Open Cloud anticipated much more complicated attempts to clean than this. How do I know? Delete internet files and system restore in safe mode has been effective against less harmful Trojans than Open Cloud. The delete temporary internet files & system restore we did here last Thursday did not fix the problem-after the reboot (and System Restore does require reboot)-the infection was back. Been there-done that-didn't work. Sorry, but that is fact.
If there is a working effective clean procedure for Open Cloud-it would be good to know. When we were hit with this last week the version of Stinger that was available at that time was ineffective-as was every other method of cleaning Open Cloud. (MBAM, STINGER, SPYBOT, RKILL, COMBOFIX, HIJACKTHIS, etc. etc.) After over four hours and a dozen or more attempts at various cleaning methods-we had to reimage the user's computer. Since the re-image-the user is back at work the next day with no more Open Cloud. They have been updated to DAT Version 5489 as of yesterday.
Since we were infected last Thursday and we are a business and our users can not afford to be down for days, or even weeks at a time--without accurate detection and/or cleaning tools/methods-the only sure fire fix is reimaging of the computer. Not picking on McAfee-none of the other major antivirus software vendors caught this ahead of time-so they are all in REACT-MODE. So it is nice that we pay them many dollars to protect us from known attacks and there are many thousands-but the ones like Open Cloud really caught them and us with our knickers around our knees.
To those still infected with this Trojan-if you want to continue trying to clean it with conventional means-have at it-I wish you the best of luck-if you find something that actually works-post the step-by-step procedure and you will be a hero. I suspect there isn't enough time in a human life span to clean this thing in SAFE MODE with Stinger and MBAM, and etc.
SIGH!!! You were right. I think I just made it mad! It was worth a try though.
After waiting for the computer to finish the restore for four hours, I finally got the message that System Restore "did not complete successfully. Your computer's system files and settings were not changed". So it won't even let you restore. I rebooted and the first thing I saw was that annoying "Open Cloud" fake scan. I immediately unplugged the modem because I know that thing is broadcasting like a big dog! I will now format.
I guess I won't be a hero today.......still just an accountant.
If anyone else finds a cure, let us know. One of our kids just left home going back to school and I have a feeling he'll be calling!
on 10/5/11 11:08:04 AM CDT
So Rkill will not work on this? You could try one of the other links. There are about 7 or 8 different named versions. I have read that sometimes you may have to run this a few times to get it to work. Then run Stinger or Malwarebytes. If you do get Rkill to run it will leave a list of a path. You should be able to open Computer and paste it in there to find it. You may also have to unhide hidden folders after pasting the location to manually remove. Here are other links for Rkill. Good luck
The detection list in Stinger #1 (not the Fake AV Stinger) does list a large number of Fake AV items that it detects. There is considerable room for confusion here. Perhaps Stinger #2 should be given a new name to differentiate it from Stinger #1, and the Fake AV detections should be removed from the list of Stinger #1 or somehow hidden?