In Part 1 I told the (horror) story of my tech woes around Christmas. Now I will talk about Presidents' Day weekend, which is turning out to be even more of a mess.
Friday, February 18, 2011, I woke up ready to go and with plans for things to do that day. Friday was a teacher work day, which means no students and usually fewer interruptions. I was hoping to finish building some new install images based off the freshly released Windows 7 Service Pack 1 and maybe do some upgrades of servers to Windows 2008 R2 Service Pack 1. However, that isn't what happened. At about 7:45 AM I got a call at my desk saying "Did you know all the phones in the Ward House are out?" My response: "Um, no?" The Ward House is where almost all the employees that aren't teachers have offices: admissions, business, etc.
I went over to check it out, and apparently one of the switches that connects our phones to the main server room and powers them via Power over Ethernet was dead. It appears that the switch really overheated, most likely caused by it being 70 outside (strange for February) and the heat still being on in the building. We have two 24-port switches for the phones in the Ward House, and I found out we have 32 active phones. Luckily many people were out on Friday, so I set to work getting 24 phones working as quickly as possible. The first problem was determining which 24 to fix and where they are plugged in. You might say "don't you know that already, Mr. Network Admin?" and it would be a valid question. My only excuse is there have been a bunch of people who left or moved in last year in the Ward House.
Fast forward 2 hours and I have 24 phones working and everyone is happy. Just for fun I plugged the dead switch back in after having it unplugged and cooling for 2 hours, and it came back on. Just in case, I only hooked in the 8 non-needed phones for Friday. It seemed to still be working fine when I left Friday evening.
As a result of the 2+ hours lost in the morning I never really got back to doing what I had planned to do. I didn't really work on the images at all, but I did get to install SP1 on a few 2008 R2 servers for testing. I also had a splitting headache most of the day, which I think was due to spending hours in a dusty, hot wiring closet.
Saturday, February 19, 2011 started off OK; after Kelly woke me up with the Cuisinart I got up. After eating breakfast and relaxing a bit I turned on my desktop PC to pay some bills at 9:11 AM. At about 9:14 AM I got a virus / malware infection on my machine. I saw Java load on my machine and I should have known something odd was happening; I thought it was the updater, but it was actually running something. Then almost every application on my machine instantly closed and I got a taskbar notification of an infection (from a fake program). Watching this happen in real time right in front of me without any user interaction gives me a much better understanding of what happens to students at my school. I have often said I wonder how they get this stuff on their machines; now I know how. Of course there are many other ways and sometimes they help it, but it obviously can happen without even trying.
My best guess is this particularly nasty little program got on my machine via a Flash exploit on a page I loaded on startup in Opera. The only other things running on my machine were iTunes (auto-started to sync my iPod) and Outlook. I didn't have IE open at all. I know I had a semi-out-of-date Flash version in Opera, since it doesn't seem to prompt to update as much or as well as the ActiveX version in IE. The sites I had open in Opera are ones I open every time I load Opera and visit almost daily. Most likely one of those sites hosted an ad that was fake and exploited a hole in Flash to install a dropper. I immediately tried to start Task Manager and Process Explorer, both of which this fake anti-virus killed. The fake AV pretty much instantly killed anything I tried to load.
I then logged out of my main account and logged in as an alternate admin account. Thankfully the fake AV appeared to be contained to my main profile. When I logged into the alternate account Windows Defender popped up and warned me about finding Rogue:Win32/Winwebsec at 9:21 AM. I imagine it actually found it when I was logged in as the main account but was stopped before it could warn me. I told it to remove it. I then loaded Process Explorer to check for anything odd running and didn't see anything strange. I also ran AutoRuns to look for anything; I didn't really see much, but it doesn't look at stuff for other profiles very well. After some manual checking I loaded Malwarebytes' Anti-Malware (my current favorite app for removing fake AV and other spyware) and ran a quick scan. MBAM, like AutoRuns, works much better as the infected user, but in this case the infection was preventing it from running, so running it as another user was the only choice. It ran and found a handful of items, all within my main profile. It found a combination of Spyware.Zbot and Trojan.Hiloti at 9:41 AM. I also installed updated versions of Flash (both the ActiveX IE and Opera versions). While trying to clean the machine I installed a real anti-virus on my machine for the first time in a REALLY long time (if ever). I installed Microsoft Security Essentials because it works arguably as well as any other and it is free. I started a full machine scan to try and make sure nothing else was hiding on the machine. While the full scan was running our power went out at 10:18 AM. It only went out for a few seconds, just long enough to be annoying.
I turned my machine back on at 10:20 AM. I logged in as my alternate account again. Immediately MSE popped up and warned me it had found Trojan.Podjot.A in my main profile directory (now the fourth different virus). I had it remove that. I then initiated another semi-full scan; I excluded a few directories that literally have millions of files and that I am almost 100% sure wouldn't have the virus in them. It finished at 10:47 AM and found a bunch of Java-based pieces of a virus. Here is a screenshot of those:
As a result I went and installed the latest version of Java just in case. I don't think the virus entered through Java, but rather just used it to run. I then rebooted my machine again after I uninstalled some other unrelated items.
I logged back into my main account at 10:53 AM and was instantly greeted by the fake AV again. I then promptly logged back off again, then back in as my alternate account. I ran a quick scan with MBAM and a custom scan with MSE of my main profile directory again and found nothing, which was not good. I had previously used regedit to check HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce and also checked with AutoRuns. I now manually loaded the main account's ntuser.dat as a hive so I could check its HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce. In the RunOnce I found a key pointing to aOfOjPl08200.exe in C:\Programdata\aOfOjPl08200. I was pretty sure this was my last problem, and I verified it by looking at the creation time and seeing it was 9:14 AM. At this point I was very curious as to why this wasn't caught by MBAM or MSE, so I did a Google search for online virus scanners. These are sites that you can upload a file to and have it scanned for viruses. I tried a few and the file kept coming up clean. I then found VirusTotal, which uses 43 different anti-virus engines to scan a file. I uploaded the file there and got the results you can see at this link or in the picture below:
You may notice that only 13 of the 43 anti-virus engines even picked this up as a virus, and notably MSE did not. I apparently was the lucky recipient of a freshly created variant of the Zbot Trojan, yippee! I deleted the registry entry pointing to this file and deleted the file. I then logged out and back in as my main profile, which didn't load properly. I then realized I had forgotten to unload the hive. I logged back in as the alternate account, unloaded the hive, and rebooted the machine just in case.
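The manual hive check described above (load the other account's ntuser.dat from an alternate admin account, look at its Run and RunOnce values, compare the target file's creation time to when the infection started, and then unload the hive) can be scripted so the unload step is never forgotten. The following PowerShell is an added example and is not the author's own script; the profile path and the temporary hive name are placeholders, and it assumes an elevated session with the target user logged off. It keeps the unload in a `finally` block so a forgotten hive cannot break the next logon the way it did in the post.

```powershell
# Added example (not from the original post): list Run/RunOnce autostarts from an
# offline user profile by loading its NTUSER.DAT under HKEY_USERS, report each
# target executable's creation time, and always unload the hive afterwards.
# Assumptions: run elevated, the profile's owner is logged off, and the values
# below are placeholders to be replaced with the real profile path.

param(
    [string]$ProfilePath = 'C:\Users\PLACEHOLDER_USER',  # placeholder, not a path from the post
    [string]$HiveName    = 'OfflineUser'                 # temporary name under HKU\
)

$ntuser = Join-Path $ProfilePath 'NTUSER.DAT'
if (-not (Test-Path -LiteralPath $ntuser)) { throw "No NTUSER.DAT at $ntuser" }

# reg.exe load mounts the hive at HKU\<name>; it fails if the profile is still in use.
$loadOutput = & reg.exe load "HKU\$HiveName" $ntuser 2>&1
if ($LASTEXITCODE -ne 0) { throw "reg load failed: $loadOutput" }

try {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "Registry::HKEY_USERS\$HiveName\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Extract the executable from the command line: a quoted path or the first token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $created = if (Test-Path -LiteralPath $exe) {
                (Get-Item -LiteralPath $exe).CreationTime
            } else { 'missing' }
            [pscustomobject]@{
                Key     = $sub
                Name    = $name
                Command = $cmd
                Target  = $exe
                Created = $created
                # Autostarts living under ProgramData or a Temp folder deserve a closer look,
                # as the post's aOfOjPl08200.exe in C:\ProgramData did.
                Suspect = [bool]($exe -match '\\ProgramData\\|\\Temp\\')
            }
        }
    }
}
finally {
    # Unload no matter what happened above; a hive left loaded makes the
    # profile fail to load at that user's next logon.
    [gc]::Collect()   # drop any lingering handles PowerShell holds on the hive
    & reg.exe unload "HKU\$HiveName" | Out-Null
}
```

Run it as `.\Inspect-OfflineRun.ps1 -ProfilePath 'C:\Users\someone'` from an elevated prompt; the `Created` column is what lets you line an entry up with the time the infection began, and `Suspect` only flags a location pattern, so every hit still needs a human look (and, if still unrecognised locally, a multi-engine check such as the VirusTotal upload the post describes).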
Update: Microsoft now recognizes my file as a virus, as you can see at this link.
I logged in at 11:22 AM and found a clean profile. Success! It only took me 2 hours to clean these 5-6 viruses off my machine. All of them were working together on some level to infect my machine and prevent removal. Nasty stuff.
Then at 11:24 AM my cell phone rang; read what happened next in Part 3.