How to disable OpenCloud Security Malware/Spyware

My aunt’s PC got infected with a trojan virus. She called me and asked if she should use some kind of antivirus to clean her PC. I remembered installing Microsoft Security Essentials, and as she was describing the interface it didn’t sound familiar. I told her that the so-called antivirus itself could be the problem. I came over to check it out and I was right. Somehow she clicked on something (very common) thinking it was something legit and installed it. I couldn’t get a screenshot right off her laptop because the trojan cranked up the resources to a point where it was nearly unusable, so I searched for a screenshot and here’s a sample.

opencloud

I’m mostly on a Mac and when I’m behind my PC at home I usually am protected, so I don’t know how to fix these things as well as I used to when I used only PCs. So I Googled and found what I thought to be solutions. The websites that came up gave solutions that involved downloading and installing proprietary tools. They also scare you into believing that you must manually edit your registry and if you screw up, you will mess up Windows… which is true, so you have to use their software to automatically remove it. It just didn’t look right.

So I kept researching OpenCloud. It turns out it’s malware/spyware. I figured I could use any free spyware software to try and remove it. The 2 that I remember using a while back are Adaware and Spybot – Search and Destroy. In order to even do anything, you must boot into safe mode with networking by continuing to press the F8 button after your PC has been turned on. Unfortunately, Adaware will not install in safe mode; at least when I tried to, it told me that I needed to boot up in normal mode, which is not an option because it will execute the trojan. Spybot, on the other hand, will install in safe mode.

The first thing you need to do after installing Spybot is to update it just in case there are newer definitions available. Then back up your registry. Afterwards, you can scan for the malware and it should detect it. Once the scanning is complete, have it fix the problems. I would recommend scanning again. In my aunt’s case, the scanning took 19 minutes. It will vary from system to system.

Check the C:\Users\[username]\AppData\Roaming folder. You will see folders that were created by OpenCloud Security that should be deleted. You can tell by the weird names and the date modified. Also, you may not see the AppData folder because it’s hidden. You will have to go into your Folder Options and show the hidden files and folders.

Then run “msconfig” and go to the Startup tab. Search for anything suspicious. I disabled “Spyware Doctor” which runs an executable on the desktop. You may also find a bunch of weirdly named items similar to the folder names in AppData. I disabled them too. It’s probably better to disable all and go through the ones that look familiar and enable them.

You should be able to reboot to normal mode. There may be some shortcuts left behind that you can delete. Now this method only disables the trojan. I don’t believe it’s completely removed. I have yet to find out how to remove it.
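The AppData and Startup checks above can also be listed from a PowerShell prompt. This is an added example, not part of the original post, and it only reads: nothing is deleted or disabled. The 30-day window, the Run-key locations and the rule of flagging commands that launch from AppData or the Desktop are assumptions chosen for illustration.

```powershell
# Added example: read-only triage of the two places the post checks by hand.
# Assumption: the infection happened within the last $Days days.
param([int]$Days = 30)
$cutoff = (Get-Date).AddDays(-$Days)

# 1. Folders under %APPDATA% (C:\Users\<username>\AppData\Roaming), hidden
#    ones included via -Force, modified since the cutoff, newest first.
Write-Output "Folders in $env:APPDATA modified in the last $Days days:"
Get-ChildItem -Path $env:APPDATA -Force |
    Where-Object { $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, CreationTime, LastWriteTime -AutoSize

# 2. Startup commands from the Run keys, which feed msconfig's Startup tab.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed heuristic: a startup command living in the user's own AppData or
# Desktop deserves a second look (the post found one on the desktop).
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Desktop")

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        $inProfile = $false
        foreach ($d in $userDirs) {
            if ($d -and $cmd.ToLower().Contains($d.ToLower())) { $inProfile = $true }
        }
        New-Object PSObject -Property @{
            Key = $key; Name = $name; Command = $cmd; InUserProfile = $inProfile
        }
    }
}
Write-Output "Startup entries (InUserProfile = True first):"
$entries | Sort-Object InUserProfile -Descending |
    Format-Table InUserProfile, Name, Command, Key -AutoSize -Wrap
```

Items in the Startup folder of the Start Menu are not covered by this listing, so the Startup tab in msconfig is still worth reading in full.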

As always, make sure you have a backup of your important files regardless of whether you have a problem with your PC or not. Not all solutions will work and can sometimes make things worse. So proceed with caution and the usual: I will not be held responsible for any screw ups.

For those who keep getting viruses, malware/spyware, etc. please consider a different operating system like Linux or switch to a Mac. Unless you like having a broken PC or enjoy paying services like the Geek Squad hundreds of dollars.
