Yesterday, through unwise browsing, my computer (a Dell Inspiron 580 desktop running Windows 7 Pro 64-bit SP1) got infected with a ransomware Trojan demanding, in the name of the FBI, that I send $300, etc., etc. This is the type of malware that completely takes control of your system and shows you this white screen full of scary verbiage. I immediately powered down the machine and rebooted into Safe Mode, which was still possible without problem; a full boot left the ransomware completely in control of the computer. A complete scan in Safe Mode using Avira Free antivirus did not find any malware, but clearly there was something there.
By experimenting in Safe Mode with MSConfig, disabling various startup programs, I discovered an entry that would use Windows to start C:\ProgramData\je6zzdlo.dat. Disabling that startup entry and deleting C:\ProgramData\je6zzdlo.dat prevented the malware from running on a full bootup, though Rundll32 complained about being unable to find je6zzdlo.dat.
According to MSConfig, the registry location for this entry was HKCU\Software\Microsoft\Windows\CurrentVersion\Run; but I could not find an entry for it there. However, I did find an entry in my Startup folder for regmonstd that would call Rundll32 to execute this program. I removed it, and got no more complaints from Rundll32 on startup. (The entry, disabled, remains in the Startup tab of MSConfig, with Startup Item listed as ctfmon32.exe. I believe that is spyware, based on a Google search, but I cannot find it anywhere on my computer.)
A little more investigation found several files in C:\ProgramData\ with filenames that are the reverse of "je6zzdlo": oldzz6ej.bat, oldzz6ej.js, oldzz6ej.pad, and oldzz6ej.reg. There is also a copy of Rundll32.exe in this folder. All these files were created within 6 seconds of each other shortly before the ransomware took over the computer, with the exception of oldzz6ej.pad, which was created much later and is huge, 90.6MB. A Google search for je6zzdlo and oldzz6ej did not find any results.
This is the content of oldzz6ej.reg:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\oldzz6ej.bat"
This is the content of oldzz6ej.bat:
START "ok" rundll32.exe C:\PROGRA~3\je6zzdlo.dat,XFG00 /B
All this is just a little beyond the edge of my understanding of how Windows works, but it seems to me that these files operating together infect the Windows registry on startup and cause it to run je6zzdlo.dat (120KB in size, with the words "This program cannot be run in DOS mode" near the beginning), which I think is the actual ransomware.
Once I was able to start the computer without the malware taking over, I searched the registry using Regedit. The value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" is explorer.exe, so that seems to be OK. There is an entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon32.exe, whose values include:
hkey HKCU
Key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
command C:\PROGRA~3\rundll32.exe C:\PROGRA~3\je6zzdlo.dat,XFG00
I'm not sure whether this actually does anything other than making this entry show up in MSConfig. I think I should delete it from the Registry, but I'm a little hesitant to monkey with that. The registry contains no other references to je6zzdlo or oldzz6ej.
I have isolated all these files in an out-of-the-way folder before I delete them entirely. I have scanned all of them with a currently-updated Avira Free, and no problem is detected.
Of course, I could be completely wrong about this. But removing je6zzdlo.dat did cause the ransomware to quit seizing control of my computer. Does any of this look familiar or plausible to anyone? Are there other steps I need to take?
By experimenting in Safe Mode with MSConfig, disabling various startup programs, I discovered an entry that would use Windows to start C:\ProgramData\je6zzdlo.dat. Disabling that startup entry and deleting C:\ProgramData\je6zzdlo.dat prevented the malware from running on a full bootup, though Rundll32 complained about being unable to find je6zzdlo.dat.
According to MSConfig, the registry location for this entry was HKCU\Software\Microsoft\Windows\CurrentVersion\Run; but I could not find an entry for it there. However, I did find an entry in my Startup folder for regmonstd that would call Rundll32 to execute this program. I removed it, and got no more complaints from Rundll32 on startup. (The entry, disabled, remains in the Startup tab of MSConfig, with Startup Item listed as ctfmon32.exe. I believe that is spyware, based on a Google search, but I cannot find it anywhere on my computer.)
A little more investigation found several files in C:\ProgramData\ with filenames that are the reverse of "je6zzdlo": oldzz6ej.bat, oldzz6ej.js, oldzz6ej.pad, and oldzz6ej.reg. There is also a copy of Rundll32.exe in this folder. All these files were created within 6 seconds of each other shortly before the ransomware took over the computer, with the exception of oldzz6ej.pad, which was created much later and is huge, 90.6MB. A Google search for je6zzdlo and oldzz6ej did not find any results.
This is the content of oldzz6ej.reg:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\oldzz6ej.bat"
This is the content of oldzz6ej.bat:
START "ok" rundll32.exe C:\PROGRA~3\je6zzdlo.dat,XFG00 /B
All this is just a little beyond the edge of my understanding of how Windows works, but it seems to me that these files operating together infect the Windows registry on startup and cause it to run je6zzdlo.dat (120KB in size, with the words "This program cannot be run in DOS mode" near the beginning), which I think is the actual ransomware.
Once I was able to start the computer without the malware taking over, I searched the registry using Regedit. The value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" is explorer.exe, so that seems to be OK. There is an entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon32.exe, whose values include:
hkey HKCU
Key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
command C:\PROGRA~3\rundll32.exe C:\PROGRA~3\je6zzdlo.dat,XFG00
I'm not sure whether this actually does anything other than making this entry show up in MSConfig. I think I should delete it from the Registry, but I'm a little hesitant to monkey with that. The registry contains no other references to je6zzdlo or oldzz6ej.
I have isolated all these files in an out-of-the-way folder before I delete them entirely. I have scanned all of them with a currently-updated Avira Free, and no problem is detected.
Of course, I could be completely wrong about this. But removing je6zzdlo.dat did cause the ransomware to quit seizing control of my computer. Does any of this look familiar or plausible to anyone? Are there other steps I need to take?
My Computer
- OS
- Windows 7 Pro 64-bit SP 1
