Windows 7 Forums



Windows 7: Ransomware infection using Windows 7 Rundll32?

31 May 2013   #1
DaveR

Windows 7 Pro 64-bit SP 1
 
 
Ransomware infection using Windows 7 Rundll32?

Yesterday, through unwise browsing, my computer (a Dell Inspiron 580 desktop running Windows 7 Pro 64-bit SP1) got infected with a ransomware Trojan demanding, in the name of the FBI, that I send $300, etc., etc. This is the type of malware that completely takes control of your system and shows you this white screen full of scary verbiage. I immediately powered down the machine and rebooted into Safe Mode, which was still possible without problem; a full boot left the ransomware completely in control of the computer. A complete scan in Safe Mode using Avira Free antivirus did not find any malware, but clearly there was something there.

By experimenting in Safe Mode with MSConfig, disabling various startup programs, I discovered an entry that would use Windows to start C:\ProgramData\je6zzdlo.dat. Disabling that startup entry and deleting C:\ProgramData\je6zzdlo.dat prevented the malware from running on a full bootup, though Rundll32 complained about being unable to find je6zzdlo.dat.

According to MSConfig, the registry location for this entry was HKCU\Software\Microsoft\Windows\CurrentVersion\Run; but I could not find an entry for it there. However, I did find an entry in my Startup folder for regmonstd that would call Rundll32 to execute this program. I removed it, and got no more complaints from Rundll32 on startup. (The entry, disabled, remains in the Startup tab of MSConfig, with Startup Item listed as ctfmon32.exe. I believe that is spyware, based on a Google search, but I cannot find it anywhere on my computer.)

A little more investigation found several files in C:\ProgramData\ with filenames that are the reverse of "je6zzdlo": oldzz6ej.bat, oldzz6ej.js, oldzz6ej.pad, and oldzz6ej.reg. There is also a copy of Rundll32.exe in this folder. All these files were created within 6 seconds of each other shortly before the ransomware took over the computer, with the exception of oldzz6ej.pad, which was created much later and is huge, 90.6MB. A Google search for je6zzdlo and oldzz6ej did not find any results.

This is the content of oldzz6ej.reg:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\oldzz6ej.bat"

This is the content of oldzz6ej.bat:
START "ok" rundll32.exe C:\PROGRA~3\je6zzdlo.dat,XFG00 /B

All this is just a little beyond the edge of my understanding of how Windows works, but it seems to me that these files operating together infect the Windows registry on startup and cause it to run je6zzdlo.dat (120KB in size, with the words "This program cannot be run in DOS mode" near the beginning), which I think is the actual ransomware.

Once I was able to start the computer without the malware taking over, I searched the registry using Regedit. The value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" is explorer.exe, so that seems to be OK. There is an entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon32.exe, whose values include:
hkey HKCU
Key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
command C:\PROGRA~3\rundll32.exe C:\PROGRA~3\je6zzdlo.dat,XFG00
I'm not sure whether this actually does anything other than making this entry show up in MSConfig. I think I should delete it from the Registry, but I'm a little hesitant to monkey with that. The registry contains no other references to je6zzdlo or oldzz6ej.

I have isolated all these files in an out-of-the-way folder before I delete them entirely. I have scanned all of them with a currently-updated Avira Free, and no problem is detected.

Of course, I could be completely wrong about this. But removing je6zzdlo.dat did cause the ransomware to quit seizing control of my computer. Does any of this look familiar or plausible to anyone? Are there other steps I need to take?
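The persistence chain described above (Winlogon "Shell" redirected to a .bat in ProgramData, the .bat launching rundll32 on a .dat with an exported entry point) can be checked mechanically from the exported text. This is an added example, not code from the thread: a Python triage over constructed copies of the quoted .reg and .bat contents, assuming they are examined offline as plain text.

```python
import re

# Constructed sample inputs, copied from the artefacts quoted in the post above
# (assumption: the .reg export and .bat are triaged as plain text, offline).
REG_TEXT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\oldzz6ej.bat"
'''
BAT_TEXT = 'START "ok" rundll32.exe C:\\PROGRA~3\\je6zzdlo.dat,XFG00 /B\n'

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUNDLL_RE = re.compile(r"(?i)(\S*rundll32\.exe)\s+(\S+?),(\w+)")

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            # .reg files double every backslash inside quoted strings
            keys[current][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def check_winlogon_shell(reg):
    """Winlogon Shell should be explorer.exe; anything else replaces the desktop."""
    shell = reg.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.lower() != "explorer.exe":
        return [f"Winlogon Shell hijacked: {shell}"]
    return []

def check_rundll32_lines(text):
    """Flag rundll32 invocations that do not look like normal Windows usage."""
    findings = []
    for exe, module, export in RUNDLL_RE.findall(text):
        if exe.lower() != "rundll32.exe" and not exe.lower().startswith(SYSTEM_DIRS):
            findings.append(f"rundll32 copy outside the system directory: {exe}")
        if not module.lower().endswith(".dll"):
            findings.append(f"rundll32 loading a non-.dll module: {module},{export}")
        if "progra~3" in module.lower() or "programdata" in module.lower():
            findings.append(f"rundll32 module lives in ProgramData: {module}")
    return findings

def triage(reg_text, bat_text):
    """Run both checks over the quoted .reg and .bat contents."""
    return check_winlogon_shell(parse_reg(reg_text)) + check_rundll32_lines(bat_text)
```

The same `check_rundll32_lines` also applies to the MSConfig startupreg command string quoted later in the post, where the rundll32 copy itself sits in ProgramData.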


31 May 2013   #2
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Hi DaveR

Scan your PC with HitmanPro

Download HitManPro on a clean PC

32-Bit Version OS download

64-Bit Version OS download

Save it to a USB flash drive, then plug the USB flash drive into the problem PC and drag the file from the USB flash drive to the Desktop.

Right click on HitmanPro.exe and choose Run as administrator

When HitmanPro opens up click on the Next button

Click on "No, I only want to perform a one-time scan to check this computer" on the Setup page. Click Next once done.

Let it scan the PC. Once it's done, click Next.

Click "Activate free license" to start the free 30-day trial and remove all the malicious files from your computer, then click Next.

Once that is complete:

Run Malwarebytes

Download Link MALWAREBYTES

When the installation is done, uncheck "Enable free trial of Malwarebytes" (see image below).

Update the definitions and do a full scan.
31 May 2013   #3
keebsuk

Windows 7 Home Premium 64bit
 
 

Sorry to hear of your problem Dave.

Could you let me know where you got this virus from so I know to avoid that particular website?

Andy

31 May 2013   #4
DaveR

Windows 7 Pro 64-bit SP 1
 
 

Regrettably, I don't even know the name of the Website. I had barely clicked on it when the malware took over, and I lost track of what it was in the aftermath.
31 May 2013   #5
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Dave

Have you run a scan with HitmanPro and Malwarebytes?
31 May 2013   #6
cottonball

Windows 7 Home Premium
 
 

DaveR,

You need to use HitmanPro.KickStart, which is an excellent solution against police ransomware and other persistent malware that takes your computer hostage.

Follow the instructions here (Post #4): Sacreware? (It should be spelled Scareware, or, better yet, Ransomware)

Results (Post #13): Sacreware?
01 Jun 2013   #7
DaveR

Windows 7 Pro 64-bit SP 1
 
 

Thanks for the pointers, VistaKing and cottonball. At this point, I'm confident that I've removed the infection and the emergency is over, but it can't hurt to run the further scans with Hitman and Malwarebytes when I can. Probably run CCleaner on the registry too.

Does the manner of infection that I described in my original post sound familiar? Have you heard of using registry keys, rundll32, and a .dat file to install ransomware?
01 Jun 2013   #8
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Yes. Do you still see the .dat file?
01 Jun 2013   #9
DaveR

Windows 7 Pro 64-bit SP 1
 
 

I moved the .dat and related files out of C:\ProgramData to a different folder, then put them into a .zip file and deleted them to the Recycle bin. The only reason I haven't deleted them altogether is in case someone might want to look at them for reference. In a few days, I'm going to use a wipe program on them.

So, yes, I can still find the .dat file, but no, it's not readily visible on my system.
01 Jun 2013   #10
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Did you run a scan with HitmanPro and Malwarebytes?