2011-10-07

Victimized by an Anti-Virus Trojan


A non-techie friend approached me with a laptop issue.  This is your typical common internet surfer problem: "My laptop is just so slow all of a sudden, I think something is wrong with it.  I let my 5 yr old nephew play with it."

Long story short: it was a Core i3, processor activity was pegged at 100%, and an annoying "OpenCloud AV" was reporting it had found 6 trojans on it!!  Yeah right, 6; how about 200 or more.  This "OpenCloud AV" is the culprit, and these are the steps I took to try and get rid of it.  Mind you, I didn't really want to spend time doing this, so these are the minimal steps.  Oh, BTW, I didn't see any legitimate AV running to protect the laptop.  This is probably how it got infected in the first place.

This is a Windows 7 Home Premium Toshiba Laptop.

Here’s the simple game plan:
1. Google info about the suspected culprit, in this case "OpenCloud AV". As it turned out, it surely is an open cloud, since it sends info out to the Internet. Free info for all!
2. Boot to Safe Mode, then delete, clean up, kick, shout, do whatever you have to do to catch all the files in there.  They will be hidden or disguised as legitimate files.  Through my search I ended up on a website that offers an automatic tool to remove it! Hahaha! Nice try! I wasn't born yesterday.  It also offered manual removal instructions, but warned extensively of the dangers of doing so. Here's an excerpt.

“Please, note that manual removal of OpenCloud AV virus is a procedure with high complexity and can not always guarantee a full removal of the virus, due to the fact that some objects can stay hidden or may become reanimated automatically after incomplete removal. What’s more, lack of the required skills and even the slightest deviation from the removal guides may result in irreparable system corruption. That’s the reason it’s strongly advised automatic removal of OpenCloud AV virus, which will save your time and avoid any system corruptions and ensure the desired result.”

BTW, I checked the manual instructions against the infected laptop; none of them applied to the problem.  By default, Windows hides system files and folders (and known file extensions) from view, so change your Folder Options to show them before you look.  Then double-check the contents of %AppData%, %Programs% and %Temp% and delete any unknown or junk-looking files.  If you are not sure, move them somewhere else just in case you need them back.

3. Double-check your Run registry keys and the Startup folder. The registry is a good source for finding where those hidden files sit on your system drive.  If the Run key is clean of any Trojan-looking entries, fire up "msconfig" and look through its Startup tab; sometimes the Trojan is smart enough to hide somewhere else (RunOnce keys, services, scheduled tasks).  Clean up the registry and startup entries last: as I mentioned above, they are a very good map of where the nasty files are, and you want that map until the files are gone.
4. Install an Anti-Virus and scan, twice! A full hard drive scan.  Let it run, even if it takes all day.  Then defrag the hard drive, delete any system dumps and delete the pagefile.
5. Windows Update and patch.  This is very basic, folks. You change the oil and check your car every so often, right? Pilots run pre-flight checks, right? The Internet is crawling with more bad things out to get you than your highways and airways.   There should be a web surfing license just like a driver's license and a pilot's license.
6. Prevention: turn on automatic updates for both Windows and the Anti-Virus.
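Steps 2 and 3 above boil down to "look in the places a fake AV hides and look at what starts automatically". Here is that sweep as a read-only PowerShell script. This is an added example, not code from the original post or from any removal tool; it runs on Windows 7's stock PowerShell 2.0 from an elevated prompt, reports, and deletes nothing. The registry keys, profile folders and the "unsigned or living under the user profile" heuristic are my assumptions about where droppers usually land, not anything specific to OpenCloud AV.

```powershell
# Added example: enumerate autostart entries and recently written / hidden
# executables under the user profile, flagging what deserves a closer look.
# Assumptions: elevated prompt, Windows 7 / PowerShell 2.0 or later.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Locations a normal user can write to; a legitimate autostart here is rare.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
# Properties Get-ItemProperty adds that are not real Run values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath([string]$command) {
    # Pull the .exe out of a value such as  "C:\x\y.exe" /silent  or  C:\x\y.exe /silent
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $command.Trim()
}

function Test-SuspectPath([string]$path) {
    foreach ($root in $suspectRoots) {
        if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        $findings += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Path = $exe; Signature = $sig
            Suspect = (Test-SuspectPath $exe) -or ($sig -ne 'Valid')
        }
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($f in (Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer })) {
        $findings += New-Object PSObject -Property @{
            Source = $folder; Name = $f.Name; Path = $f.FullName
            Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            Suspect = $true   # anything dropped in a Startup folder gets a look
        }
    }
}

"=== Autostart entries (Suspect first) ==="
$findings | Sort-Object Suspect -Descending | Format-Table Suspect, Signature, Name, Path -AutoSize

# Step 2's hiding places: executables under the profile that are hidden or were
# written recently. -Force lists hidden files without touching Folder Options.
$cutoff = (Get-Date).AddDays(-14)   # assumption: infection is at most two weeks old
"=== Recent or hidden executables under the user profile ==="
foreach ($root in $suspectRoots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Extension -match '^\.(exe|dll|scr|com|bat|vbs)$' -and
            ($_.LastWriteTime -gt $cutoff -or ($_.Attributes -band [IO.FileAttributes]::Hidden))
        } | Select-Object FullName, LastWriteTime, Attributes
}
```

Read the Suspect column as "look at this", not "delete this": a valid Authenticode signature from a vendor you recognise is strong evidence an entry is legitimate, while a missing file, an unsigned binary, or anything launched from %AppData% or %Temp% matches exactly the pattern of a fake AV. Note the Path column before you remove the Run value, since that path is your map to the dropped files.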

I have a laptop I use on the Internet with absolutely no malware protection.  I just keep it fully updated, avoid going anywhere I did not personally solicit and use a web browser with appropriate add-ons to prevent code running without me knowing about it.  I have not been infected.  The point is, with anything you decide to do, acquire enough information before doing it.   You don't have to be an expert race car driver to drive a car, but you need just enough skill to keep yourself and others safe.

Additional notes: 
It is possible that Windows 7's Licensing Store is corrupt or unreadable.  If it is, you might get a "This copy of Windows is not genuine" message above your system tray, even if you know you have a legit copy.  You will need your Activation Key (product key) for the steps below.  It is usually on the green Microsoft license sticker found on workstations or on the bottom of a laptop.  Try the steps below to recreate the Store.

1) Open Windows Explorer (typing the path into Internet Explorer's address bar works too)
2) Type: %windir%\system32 into the address bar and press Enter
3) Find the file CMD.exe
4) Right-click on CMD.exe and select 'Run as Administrator'
5) Type: net stop sppsvc   (It may ask you if you are sure, select yes)
Note: the Software Protection service may not be running, this is ok.
6) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
7) Type: rename tokens.dat tokens.bar
8) Type: cd %windir%\system32
9) Type: net start sppsvc
10) Type: slui.exe
11) After a couple of seconds the Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key, or Activation may occur automatically.
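The same tokens.dat rebuild as a PowerShell script, so it can be run in one go with the checks the manual steps leave to you: that the prompt is actually elevated, that the file exists before you rename it, that sppsvc has really stopped before the rename and really started again afterwards, and a look at the license status at the end. This is an added example, not from the original post or from Microsoft; it assumes Windows 7 and an elevated PowerShell prompt, and the timestamped backup name is my choice.

```powershell
# Added example: recreate the Windows 7 licensing store (tokens.dat) with
# pre-checks, a timestamped backup and a post-check. Assumes an elevated
# PowerShell prompt on Windows 7.

$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as Administrator) PowerShell prompt.'
}

$sppDir = Join-Path $env:windir 'ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform'
$tokens = Join-Path $sppDir 'tokens.dat'
if (-not (Test-Path $tokens)) { throw "tokens.dat not found at $tokens; nothing to rebuild." }

# Equivalent of 'net stop sppsvc'; the service may already be stopped, which is fine.
$svc = Get-Service -Name sppsvc
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name sppsvc -Force
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
}

# Rename rather than delete, so the old store can be put back if activation fails.
$backup = 'tokens.dat.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak'
Rename-Item -Path $tokens -NewName $backup
"Old store kept as $(Join-Path $sppDir $backup)"

# Equivalent of 'net start sppsvc'; sppsvc creates a fresh tokens.dat on first use.
Start-Service -Name sppsvc
(Get-Service -Name sppsvc).WaitForStatus('Running', (New-TimeSpan -Seconds 60))

# slui.exe opens the Activation dialog and triggers the rebuild.
Start-Process -FilePath (Join-Path $env:windir 'System32\slui.exe')
Start-Sleep -Seconds 15

# Post-check: LicenseStatus 1 means Licensed; anything else means activation is still pending.
Get-WmiObject -Class SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
    Select-Object Name, LicenseStatus, PartialProductKey
```

If the dialog asks for a key, use the one from the sticker. If activation does not succeed, the rollback is the mirror image of the steps: stop sppsvc, delete the newly created tokens.dat, rename the .bak file back to tokens.dat and start the service again.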


If you have a product key, then you can reactivate Windows 7.
1. Click the Start button
2. Type: slui.exe 3 and hit the Enter key
3. Type in the Product key from the sticker on your computer
4. Click the Next button
5. You will be asked if you want to Activate; click OK

You can also activate by phone  by following these steps.
1. Click the Start button
2. Type: slui.exe 4 and hit the Enter key
3. Select your location in the drop-down menu and click the Next button
4. The next screen provides the number to call to Activate by Phone
How to contact a Microsoft Product Activation Center:
http://support.microsoft.com/default.aspx/kb/950929/en=us