
How to remove OpenCloud AV?

October 4th, 2011

What is OpenCloud AV?

OpenCloud AV belongs to the OpenCloud Antivirus family of rogue security programs, malware released for more than one purpose: it lets the scammers take victims' money through fake licence purchases, it drops other malware, and it logs keystrokes in search of banking and other credentials. However trustworthy its interface looks, Open Cloud Antivirus, like its sibling OpenCloud Security, gets onto a computer by exploiting known software vulnerabilities and then takes it over. Trojan horses handle every step of the deployment. As soon as you notice any sign of the infection, such as alerts carrying the OpenCloud AV name, remove it for good. A reputable anti-spyware program such as Spyware Doctor or Malwarebytes Anti-Malware will do this.

Once OpenCloud AV is on the targeted machine it modifies the Registry and installs the components it needs, which degrades the system's behaviour and makes it act up. The rogue runs at every reboot and displays fabricated warnings about Trojans, worms, browser hijackers and other threats it claims to have detected. Convincing as these messages look, the rogue goes further and runs fake scans as well. Ignore them: most of the "viruses" OpenCloud AV reports are legitimate system files or harmless files the rogue itself dropped when it arrived. Typical messages include:

Warning: Infection is Detected
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software

Windows Security Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to keep blocking this program?
Zeus Trojan

Warning! Infection found
Unwanted software (malware) or tracking cookies have been found during last scan. It is highly recommended to remove it from your computer.
Keylogger Zeus was detected and put in quarantine.
Keylogger Zeus is a very dangerous software used by criminals to steal personal data such as credit card information, access to banking accounts, passwords to social networks and e-mails.

The whole routine serves one purpose: to convince you that your computer is riddled with viruses, Trojans and worms that need fixing, so that you pay for the "fix". Use a reputable anti-spyware program instead, as soon as you notice OpenCloud Antivirus on your computer. Leaving the rogue installed causes further problems, such as browser redirects and additional malware being installed. Never buy the commercial version of this scam program; remove Open Cloud AV without hesitation. The following steps make the process easier:

1. Start OpenCloud AV and enter this activation key: DB038748-B4659586-4A1071AF-32E768CD-36005B1B-F4520642-3000BF2A-04FC910B . This should disable most of the pop-ups. Close its window.
2. Disable the proxy server in your browser's connection settings.
3. Download Process Explorer (backup location: http://www.2-viruses.com/wp-content/uploads/PE/eXplorer.exe ). Rename the file from .exe to .com before running it; Windows executes it all the same, but a rogue that blocks .exe launches will not stop it. Make sure the column showing the full path of each executable is visible.
4. Stop every process named csrss.exe except the one running from the Windows directory: the genuine Client/Server Runtime is C:\Windows\System32\csrss.exe, and the rogue borrows the name to blend in. Note down the paths of the processes you stop. Never terminate the genuine csrss.exe; Windows treats it as a critical process and crashes when it dies.
5. Once the right process is stopped, the OpenCloud AV window closes and its tray icon disappears (when you hover over it). Delete the OpenCloud AV files at the paths you noted and any shortcut to them.
6. Download GMER and TDSSKiller and scan the PC with both. If processes cannot be killed, scan from another operating system instead: download a rescue disc (Avira AntiVir Rescue System, Symantec, or the AVG boot scanner), burn it on a clean machine, boot the infected system from the CD and scan it for malware. Bootable cleaning discs carry a somewhat higher risk of leaving registry problems behind, so treat them as the last resort for cleaning Open Cloud AV. After the system boots again, scan with Spyware Doctor or Malwarebytes Anti-Malware to remove OpenCloud AV leftovers and related Trojans. The full versions of these programs, or a decent internet security suite, would have protected against this and similar infections.
NOTE: Open Cloud AV infections are very fresh. Scan with several anti-malware and antivirus programs. Before buying any legitimate antivirus, check that the current variant of the infection (OpenCloud AV here) is in its definitions, that is, that it is actually detected.
Also, there is a legitimate open-source project with the same name (OpenCloudAV). That project and its developers have nothing to do with the malware version of Open Cloud AV, and it is safe to use.
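Steps 3 to 5 above can be done from an elevated PowerShell prompt instead of Process Explorer. The script below is an added example, not code from the original article: it lists every process that carries the name of a core Windows binary but runs from a directory other than the one Windows keeps the real binary in, and then prints Run-key autostart entries that point outside Program Files and the Windows directory, which is where a rogue's relaunch entry usually sits. Only csrss.exe and its System32 location come from the article; the other process names, the autostart heuristic and the -Kill switch are this example's own assumptions.

```powershell
# Added example, not code from the original article: steps 3-5 of the removal
# procedure done with PowerShell instead of Process Explorer. It lists processes
# that carry the name of a core Windows binary but run from a directory other
# than the one Windows keeps the real binary in, and prints Run-key autostarts
# that point outside Program Files and the Windows directory. Only csrss.exe and
# its System32 location come from the article; the other names, the autostart
# heuristic and the -Kill switch are this example's own assumptions.
# Run from an elevated PowerShell 3.0+ prompt. Nothing is stopped without -Kill.

param([switch]$Kill)

$root = $env:SystemRoot
# Directory Windows runs each binary from. A process with one of these names
# running from AppData, Temp, ProgramData or anywhere else is a suspect.
$expected = @{
    'csrss.exe'    = @((Join-Path $root 'System32'))
    'svchost.exe'  = @((Join-Path $root 'System32'), (Join-Path $root 'SysWOW64'))
    'explorer.exe' = @($root)
}

function Get-MasqueradingProcess {
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $name = $p.Name.ToLowerInvariant()
        if (-not $expected.ContainsKey($name)) { continue }
        # ExecutablePath is empty when the process cannot be opened; the genuine
        # csrss.exe often shows up that way. Skip it: killing the real csrss.exe
        # makes Windows crash with a bugcheck, so only act on processes whose
        # path we can actually see.
        if ([string]::IsNullOrEmpty($p.ExecutablePath)) { continue }
        $dir = Split-Path -Parent $p.ExecutablePath
        if (-not ($expected[$name] | Where-Object { $_ -ieq $dir })) {
            [pscustomobject]@{
                Pid    = $p.ProcessId
                Parent = $p.ParentProcessId
                Name   = $p.Name
                Path   = $p.ExecutablePath
            }
        }
    }
}

function Get-SuspiciousAutostart {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $trusted = @($root, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $entry.Name) { continue }
            $cmd = [string]$entry.Value
            # The executable is the quoted path if present, otherwise the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $inTrusted = $trusted | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if (-not $inTrusted) {
                [pscustomobject]@{ Key = $key; Name = $entry.Name; Command = $cmd }
            }
        }
    }
}

$suspects = @(Get-MasqueradingProcess)
if ($suspects) {
    'Processes with a core Windows name running from an unexpected directory:'
    $suspects | Format-Table -AutoSize
    if ($Kill) {
        foreach ($s in $suspects) {
            # Stop it, then rename the file so a Run key cannot relaunch it.
            Stop-Process -Id $s.Pid -Force -ErrorAction Continue
            Rename-Item -Path $s.Path -NewName ((Split-Path -Leaf $s.Path) + '.quarantine') -ErrorAction Continue
        }
    }
} else {
    'No masquerading process found.'
}
'Run-key entries outside Program Files and the Windows directory (review each):'
Get-SuspiciousAutostart | Format-Table -AutoSize
```

Run it once without -Kill to see what it would act on; the Run-key list is a heuristic and will include legitimate software installed under a user profile, so read it rather than deleting blindly. If the script itself refuses to start, apply the same trick as for Process Explorer and launch PowerShell from a renamed copy.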


OpenCloud AV is extremely dangerous

- OpenCloud AV is a corrupt anti-spyware program
- OpenCloud AV may spread via Trojans
- OpenCloud AV may display fake security messages
- OpenCloud AV may install additional spyware on your computer
- OpenCloud AV may repair its files, spread or update by itself
- OpenCloud AV violates your privacy and compromises your security

Note: Spyware Doctor trial provides detection of parasite like OpenCloud AV and assists in its removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.



Manual OpenCloud AV removal


Important Note: Although it is possible to remove OpenCloud AV manually, a mistake during the process can damage your system permanently, and advanced spyware parasites repair themselves if they are not removed completely. Manual spyware removal is therefore recommended only for experienced users such as IT specialists or highly qualified system administrators. Other users should use Spyware Doctor or another malware and spyware removal application found on 2-viruses.com.
It is impossible to list every file name and location modern parasites use. You can identify remaining parasites and other files OpenCloud AV has infected, and get help removing OpenCloud AV, with the free Spyware Doctor scanner. It comes with a free real-time protection module that helps prevent OpenCloud AV and similar threats.

OpenCloud AV is classified as rogue anti-spyware. After infecting a system it scares the victim into buying the "product" with fake security messages stating that the computer is infected with spyware and that only OpenCloud AV can remove it once the trial version is downloaded. The trial version then pretends to scan the computer, reports a grossly exaggerated number of non-existent problems, and offers the full version to fix them. A user who pays gets nothing fixed, because there was nothing to fix; OpenCloud AV keeps the money and may install additional spyware as well.

Some rogue anti-spyware, OpenCloud AV included, is offered for sale after the victim clicks a banner or pop-up while browsing. Usually the click installs a Trojan, which then downloads and installs OpenCloud AV; this is another way rogue anti-spyware spreads.

Most rogue anti-spyware, OpenCloud AV included, is very hard to remove manually.


How to tell if your PC has been infected by a Rogue Anti-Spyware such as OpenCloud AV?

Numerous undesirable and annoying pop-ups: a typical rogue anti-spyware parasite records your browsing habits and sends the data to remote servers owned by third parties, who use it to advertise their products through pop-ups, toolbars, hijacked home pages and spam. Victims of rogue anti-spyware are subjected to all of these.
Changed or new icons: rogue anti-spyware sometimes installs other unwanted software without the user's knowledge or consent. The result is slower performance, reduced stability and more unwanted programs that you cannot remove.


  1. Balaji
    October 4th, 2011 at 20:22 | #1

    Open Cloud seems to have done a number on my machine. I use Avast anti-virus and it is always kept up to date, but this virus managed to infect my machine. I downloaded the Avira antivirus rescue CD and cleaned my machine using that. Now, I don’t get the popup asking me to purchase OpenCloud AV. But, I am unable to run any other antivirus. Avast can not be started. MS Security Essentials can not be started. MalwareBytes AntiMalware starts scanning and then quits with no warning. No error messages at all. And there are constant popups from Internet Explorer, so I am sure some remnant of this virus is still on my system, but I am at my wit’s end as to how to get rid of this remnant. And this remnant, in addition to not letting my antivirus software run, also causes instability of the machine, causing my desktop to freeze up at random intervals so that I have to shut down forcibly and restart the computer to continue working. This is terrible, and I have not found good instructions (that actually work) to get rid of this virus on any site so far.

    • October 4th, 2011 at 20:34 | #2

      Balaji: Run TDSSKiller after the Avira rescue CD. I would also recommend the Kaspersky trial in your case. You got a rootkit or unknown trojan that kills regular anti-malware programs.

  2. Balaji
    October 4th, 2011 at 21:32 | #3

    Well, I think TDSS Killer did more harm than good. It identified 3 threats. One of them was NetBT.sys which it claimed was forged. I gave it permission to delete it, and now I don’t have internet access from that computer. I think I am looking at a rebuild from scratch at this point.

    • October 4th, 2011 at 21:46 | #4

      Balaji: you got a TDSS rootkit or ZeroAccess. They accompany Open Cloud AV and other rogues. They replace some driver (not always the same one) with a malicious one. That is done to prevent antivirus programs from loading. You should get a Windows CD and do a repair install. After the system repair the internet should be restored.

  3. Mercedes Gonzalez
    October 4th, 2011 at 21:50 | #5

    I too got Open Cloud AV yesterday, I believe from the Daily Tech web site. Similar problem of antivirus not allowed to run. See a process with a long number for a name. Used taskkill /F /PID #### and it says successful, but the process still shows as running. How do you REALLY kill a process?

  4. Balaji
    October 4th, 2011 at 22:14 | #6

    Well, I copied over the NetBT.sys from a different working computer, but I am still having trouble with internet access. The problem is that I am completely missing the registry entry for HKLM\system\currentcontrolset\services\NetBT. I assume this entry went away when TDSS Killer removed NetBT from my system. So, now, I have netBT.sys, but no registry entries corresponding to it.

    In the Device Manager, I am also missing the TCP/IP over NetBIOS device driver. I read on some other forum that that service should be running for internet access. When I do ipconfig /all from a command window, I get on the last line: “NetBios over TCPIP: Disabled”.

    Will a repair install take care of all these problems correctly? Or should I format my hard drive and install everything from scratch?

    • October 4th, 2011 at 22:18 | #7

      Repair install should take care of this. You could try doing system restore first though (5 days ago or so).

  5. balaji
    October 5th, 2011 at 03:21 | #8

    Thank you, Admin. Ultimately, I did not do the repair install. I managed to copy the relevant registry entries from another computer on to this one. I was able to connect to the internet after a couple of reboots. Ran a full scan with MBAM, found nothing, then downloaded and installed MS Security Essentials, and gave the boot to Avast. I have used Avast for the past several years, but they have really gone down in quality it looks like.

    Anyways, everything is back to normal for now, until the next time. At that point, I will probably just burn myself a knoppix linux live CD and forget about repairing the windows install on that computer altogether.

    • October 5th, 2011 at 07:47 | #9

      balaji: go with Kaspersky or ESET internet security versions, if you can spare some bucks. They are relatively good, and I personally use ESET on my PC. Well, MSE is ok too for a free one. All the other free ones only give you so much that you will want to purchase the full version.

  6. James
    October 5th, 2011 at 04:07 | #10

    I got this trojan yesterday on my machine and after 4 passes with malwarebytes and 3 reboots in safe mode, followed by a system restore to a prior date was finally able to purge it from my system. Not easy to do but it can be done.

  7. rigel
    October 5th, 2011 at 04:53 | #11

    I’m having similar issues with internet connection. I’ve noticed that my “local area connection #” increases in number (only one in my network connections) every time I restart in safe mode.

    The “local area connection #” indicates ‘enabled’ and I am unable to ‘disable’ it.

    In the command prompt, ipconfig gives this response: ‘ipconfig’ is not recognized as an internal or external command, operable program or batch file.

    I’ve attempted uninstalling my network card and reinstalling it.

    I’ve installed malwarebytes, spybot, MSE, CCleaner. None are able to update with current databases because they can not connect to the internet.

    I’ve been able to keep open cloud from starting at windows startup via clicking on the system icon within the open cloud AV window. I’ve deleted several .exe files that all were related to the virus. Further scans with the software listed above yields no new findings.

    Not sure what else to do here, but will keep trying. Any thoughts would be great.

  8. jrandom
    October 5th, 2011 at 15:50 | #13

    Here’s the “Open Cloud AV” removal method that worked for me:
    0. You need two computers – the infected one and a clean one. Be careful not to infect the clean computer. One method is to run a Windows VM on top of Linux OS, and take a snapshot before you begin using the clean windows system.
    1. Note that the first safe mode process killer for Open Cloud that I downloaded did NOT work. So instead I scanned the infected disk on a second machine.
    2. Remove the disk, and attach it on another machine as drive E, etc.
    3. Run Malwarebytes full scan. This gets rid of a portion of the desktop hijack, so you can run a program. But it does not remove the rootkit. Your normal antivirus will not run at this point.
    4. Install the disk in original machine. Disconnect network cable etc. Boot safe mode with command prompt.
    5. Run TDSSkiller.exe (from USB stick) as described on a Kaspersky site.
    6. Make a note of the drivers that tdsskiller.exe removes. You will have to replace the driver. In my case, it was i8042prt.sys and a randomly named service; so later the keyboard didn’t work; but I could use a USB keyboard.
    7. After a reboot, Install malwarebytes.exe while still in single user and run a full scan. You are not on the network, so use a USB thumb drive to copy in files. You may need to copy back one or two infected drivers before you can reboot. Windows is likely to have a cached copy of them.
    8. Use your file manager (windows explorer) to find a windows “Driver Cache” copy of whatever infected driver was removed. Search for files by name on C:
    9. Copy the most recent version of that file to the correct location, such as c:\windows\system32\drivers\i8042prt.sys
    10. Search for files named “Open Cloud” and delete them.
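Steps 6 to 9 of jrandom's method, and the missing NetBT service key that Balaji ran into earlier in the thread, can be handled with the script below. It is an added example, not code from the post or the thread: it locates the copies of a named driver that Windows still keeps on disk, shows version, Authenticode status and SHA-256 for each so they can be compared with a known-good machine, copies the newest one back on request, and finally checks whether the driver's service key survived the cleanup. The driver name (i8042prt.sys) is taken from the comment; the search locations, the "newest version wins" rule and the assumption that the service name equals the file name without .sys are this example's own.

```powershell
# Added example, not part of jrandom's post: after TDSSKiller (or another rootkit
# cleaner) deletes a driver it found patched, find the copies Windows still keeps
# on disk, show version, signature status and hash for each, and copy the newest
# one back. The driver name comes from the comment; the search set, the
# "newest version wins" rule and the service-name check are assumptions.
# Run elevated in Safe Mode, network cable unplugged, before rebooting normally.
# Requires PowerShell 4.0+ (Get-FileHash).

param(
    [string]$DriverName = 'i8042prt.sys',
    [switch]$Restore
)

$root   = $env:SystemRoot
$target = Join-Path $root "System32\drivers\$DriverName"

# Assumed search set: DriverStore and WinSxS hold the installed versions,
# ServicePackFiles and Driver Cache the older caches on XP/Vista-era systems.
$searchRoots = @(
    (Join-Path $root 'System32\DriverStore\FileRepository'),
    (Join-Path $root 'WinSxS'),
    (Join-Path $root 'ServicePackFiles'),
    (Join-Path $root 'Driver Cache')
) | Where-Object { Test-Path $_ }

function Get-DriverCopy {
    if (-not $searchRoots) { return }
    Get-ChildItem -Path $searchRoots -Recurse -File -Filter $DriverName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $raw = $_.VersionInfo.FileVersion      # e.g. "6.1.7601.17514 (win7sp1_rtm...)"
            [pscustomobject]@{
                Path      = $_.FullName
                Version   = if ($raw) { [version](($raw -split '[ ,]')[0]) } else { [version]'0.0' }
                # Inbox drivers are normally catalog-signed, so NotSigned here is
                # not proof of tampering; compare the hash with a clean machine.
                SigStatus = $sig.Status
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

$copies = @(Get-DriverCopy | Sort-Object Version -Descending)
if (-not $copies) {
    "No cached copy of $DriverName found; copy one from a clean machine with the same Windows build."
    return
}
$copies | Format-Table Version, SigStatus, SHA256, Path -AutoSize

if (Test-Path $target) {
    "Current $target : $((Get-FileHash -Algorithm SHA256 -Path $target).Hash)"
}

if ($Restore) {
    $best = $copies[0]
    if (Test-Path $target) { Copy-Item $target "$target.bak" -Force }   # keep whatever is there
    Copy-Item $best.Path $target -Force
    "Restored $DriverName from $($best.Path)"
}

# The cleaner may also have removed the driver's service key (the NetBT case
# earlier in this thread). Assumes service name == file name without .sys,
# which holds for most inbox drivers.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\' + ($DriverName -replace '\.sys$', '')
if (-not (Test-Path $svc)) {
    "Service key $svc is missing; export it from a clean machine of the same build or do a repair install."
}
```

Run it first without -Restore and compare the listed hashes against the same driver on a clean machine of the same Windows build; only then restore. If the file the cleaner deleted was the only copy and no cache holds it, the copy from a clean machine is the fallback, exactly as Balaji did with NetBT.sys.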

  9. October 6th, 2011 at 22:24 | #14

    Hi guys. I have an open source project called OpenCloudAV hosted on http://www.opencloudav.com. OpenCloudAV is a multi-engine based malware analysis service from the network cloud. The GPL code is free hosted on SourceForge (http://sourceforge.net/projects/opencloudav/) and only runs on Linux machines. *There isn’t any relationship at all between OpenCloudAV.com and the virus/scam that you described*. Please help me to clarify the difference as we have received some emails with complaints by victims of this virus. Thank you.

    • October 7th, 2011 at 09:31 | #15

      adverick: That is not the first time malware and legitimate project names are the same.

  10. “Doc” Savage
    October 13th, 2011 at 05:40 | #16

    Hey, awesome tip on the TDSSKiller.exe …

    It worked like a champ!

    Humans, use jrandoms information and be done with this.

  11. Sherman
    October 17th, 2011 at 01:18 | #17

    This was tricky malware to remove from my laptop. Thanks for the instructions, jrandoms.

    I have one other question though that I could use help on. Since I removed the malware, the files it was saying were infected during its “scan” (i.e. a0Sb3ona6JEgqCU) are still showing up on the C drive. Each folder is showing 0 bytes of data, so I’m assuming that the .exe files were removed when the scan was complete. However, the main files (Program Files x86, Users, etc) are missing from C drive. Are these files hidden or have they been moved to somewhere different?

    Thanks for the help!

    • October 17th, 2011 at 09:42 | #18

      Sherman: these files are hidden. run CMD, then
      CD C:\
      rem /D applies the change to folders such as Program Files and Users, not only to files
      attrib -h /D *.*
